2 Unix SMB/CIFS implementation.
3 Set NT and POSIX ACLs and other VFS operations from Python
5 Copyrigyt (C) Andrew Bartlett 2012
6 Copyright (C) Jeremy Allison 1994-2009.
7 Copyright (C) Andreas Gruenbacher 2002.
8 Copyright (C) Simo Sorce <idra@samba.org> 2009.
9 Copyright (C) Simo Sorce 2002
10 Copyright (C) Eric Lorimer 2002
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #include "python/py3compat.h"
29 #include "smbd/smbd.h"
30 #include "libcli/util/pyerrors.h"
31 #include "librpc/rpc/pyrpc_util.h"
33 #include "system/filesys.h"
38 extern const struct generic_mapping file_generic_mapping;
41 #define DBGC_CLASS DBGC_ACLS
44 #define DIRECTORY_FLAGS O_RDONLY|O_DIRECTORY
46 /* POSIX allows us to open a directory with O_RDONLY. */
47 #define DIRECTORY_FLAGS O_RDONLY
51 static connection_struct *get_conn_tos(
53 const struct auth_session_info *session_info)
55 struct conn_struct_tos *c = NULL;
59 if (!posix_locking_init(false)) {
65 snum = lp_servicenumber(service);
67 PyErr_SetString(PyExc_RuntimeError, "unknown service");
72 status = create_conn_struct_tos(NULL,
77 PyErr_NTSTATUS_IS_ERR_RAISE(status);
79 /* Ignore read-only and share restrictions */
80 c->conn->read_only = false;
81 c->conn->share_access = SEC_RIGHTS_FILE_ALL;
85 static int set_sys_acl_conn(const char *fname,
86 SMB_ACL_TYPE_T acltype,
87 SMB_ACL_T theacl, connection_struct *conn)
90 struct smb_filename *smb_fname = NULL;
92 TALLOC_CTX *frame = talloc_stackframe();
94 smb_fname = synthetic_smb_fname_split(frame,
96 lp_posix_pathnames());
97 if (smb_fname == NULL) {
102 ret = SMB_VFS_SYS_ACL_SET_FILE( conn, smb_fname, acltype, theacl);
109 static NTSTATUS init_files_struct(TALLOC_CTX *mem_ctx,
111 struct connection_struct *conn,
113 struct files_struct **_fsp)
115 struct smb_filename *smb_fname = NULL;
118 struct files_struct *fsp;
120 fsp = talloc_zero(mem_ctx, struct files_struct);
122 return NT_STATUS_NO_MEMORY;
124 fsp->fh = talloc(fsp, struct fd_handle);
125 if (fsp->fh == NULL) {
126 return NT_STATUS_NO_MEMORY;
130 smb_fname = synthetic_smb_fname_split(fsp,
132 lp_posix_pathnames());
133 if (smb_fname == NULL) {
134 return NT_STATUS_NO_MEMORY;
137 fsp->fsp_name = smb_fname;
140 * we want total control over the permissions on created files,
141 * so set our umask to 0 (this matters if flags contains O_CREAT)
143 saved_umask = umask(0);
145 fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, 00644);
149 if (fsp->fh->fd == -1) {
152 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
154 return NT_STATUS_INVALID_PARAMETER;
157 ret = SMB_VFS_FSTAT(fsp, &smb_fname->st);
159 /* If we have an fd, this stat should succeed. */
160 DEBUG(0,("Error doing fstat on open file %s (%s)\n",
161 smb_fname_str_dbg(smb_fname),
163 return map_nt_error_from_unix(errno);
166 fsp->file_id = vfs_file_id_from_sbuf(conn, &smb_fname->st);
167 fsp->vuid = UID_FIELD_INVALID;
169 fsp->can_lock = True;
170 fsp->can_read = True;
171 fsp->can_write = True;
172 fsp->print_file = NULL;
173 fsp->modified = False;
174 fsp->sent_oplock_break = NO_BREAK_SENT;
175 fsp->is_directory = S_ISDIR(smb_fname->st.st_ex_mode);
182 static NTSTATUS set_nt_acl_conn(const char *fname,
183 uint32_t security_info_sent, const struct security_descriptor *sd,
184 connection_struct *conn)
186 TALLOC_CTX *frame = talloc_stackframe();
187 struct files_struct *fsp = NULL;
188 NTSTATUS status = NT_STATUS_OK;
190 /* first, try to open it as a file with flag O_RDWR */
191 status = init_files_struct(frame,
196 if (!NT_STATUS_IS_OK(status) && errno == EISDIR) {
197 /* if fail, try to open as dir */
198 status = init_files_struct(frame,
205 if (!NT_STATUS_IS_OK(status)) {
206 DBG_ERR("init_files_struct failed: %s\n",
215 status = SMB_VFS_FSET_NT_ACL(fsp, security_info_sent, sd);
216 if (!NT_STATUS_IS_OK(status)) {
217 DEBUG(0,("set_nt_acl_no_snum: fset_nt_acl returned %s.\n", nt_errstr(status)));
226 static NTSTATUS get_nt_acl_conn(TALLOC_CTX *mem_ctx,
228 connection_struct *conn,
229 uint32_t security_info_wanted,
230 struct security_descriptor **sd)
232 TALLOC_CTX *frame = talloc_stackframe();
234 struct smb_filename *smb_fname = synthetic_smb_fname(talloc_tos(),
238 lp_posix_pathnames() ?
239 SMB_FILENAME_POSIX_PATH : 0);
241 if (smb_fname == NULL) {
243 return NT_STATUS_NO_MEMORY;
246 status = SMB_VFS_GET_NT_ACL(conn,
248 security_info_wanted,
251 if (!NT_STATUS_IS_OK(status)) {
252 DEBUG(0,("get_nt_acl_conn: get_nt_acl returned %s.\n", nt_errstr(status)));
260 static int set_acl_entry_perms(SMB_ACL_ENTRY_T entry, mode_t perm_mask)
262 SMB_ACL_PERMSET_T perms = NULL;
264 if (sys_acl_get_permset(entry, &perms) != 0) {
268 if (sys_acl_clear_perms(perms) != 0) {
272 if ((perm_mask & SMB_ACL_READ) != 0 &&
273 sys_acl_add_perm(perms, SMB_ACL_READ) != 0) {
277 if ((perm_mask & SMB_ACL_WRITE) != 0 &&
278 sys_acl_add_perm(perms, SMB_ACL_WRITE) != 0) {
282 if ((perm_mask & SMB_ACL_EXECUTE) != 0 &&
283 sys_acl_add_perm(perms, SMB_ACL_EXECUTE) != 0) {
287 if (sys_acl_set_permset(entry, perms) != 0) {
294 static SMB_ACL_T make_simple_acl(TALLOC_CTX *mem_ctx,
298 mode_t mode = SMB_ACL_READ|SMB_ACL_WRITE|SMB_ACL_EXECUTE;
300 mode_t mode_user = (chmod_mode & 0700) >> 6;
301 mode_t mode_group = (chmod_mode & 070) >> 3;
302 mode_t mode_other = chmod_mode & 07;
303 SMB_ACL_ENTRY_T entry;
304 SMB_ACL_T acl = sys_acl_init(mem_ctx);
310 if (sys_acl_create_entry(&acl, &entry) != 0) {
315 if (sys_acl_set_tag_type(entry, SMB_ACL_USER_OBJ) != 0) {
320 if (set_acl_entry_perms(entry, mode_user) != 0) {
325 if (sys_acl_create_entry(&acl, &entry) != 0) {
330 if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP_OBJ) != 0) {
335 if (set_acl_entry_perms(entry, mode_group) != 0) {
340 if (sys_acl_create_entry(&acl, &entry) != 0) {
345 if (sys_acl_set_tag_type(entry, SMB_ACL_OTHER) != 0) {
350 if (set_acl_entry_perms(entry, mode_other) != 0) {
356 if (sys_acl_create_entry(&acl, &entry) != 0) {
361 if (sys_acl_set_tag_type(entry, SMB_ACL_GROUP) != 0) {
366 if (sys_acl_set_qualifier(entry, &gid) != 0) {
371 if (set_acl_entry_perms(entry, mode_group) != 0) {
377 if (sys_acl_create_entry(&acl, &entry) != 0) {
382 if (sys_acl_set_tag_type(entry, SMB_ACL_MASK) != 0) {
387 if (set_acl_entry_perms(entry, mode) != 0) {
396 set a simple ACL on a file, as a test
398 static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args, PyObject *kwargs)
400 const char * const kwnames[] = { "fname", "mode", "gid", "service", NULL };
401 char *fname, *service = NULL;
406 connection_struct *conn;
408 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "si|iz",
409 discard_const_p(char *, kwnames),
410 &fname, &mode, &gid, &service))
413 frame = talloc_stackframe();
415 acl = make_simple_acl(frame, gid, mode);
421 conn = get_conn_tos(service, NULL);
427 ret = set_sys_acl_conn(fname, SMB_ACL_TYPE_ACCESS, acl, conn);
432 return PyErr_SetFromErrno(PyExc_OSError);
443 static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs)
445 const char * const kwnames[] = { "fname", "uid", "gid", "service", NULL };
446 connection_struct *conn;
449 char *fname, *service = NULL;
452 struct smb_filename *smb_fname = NULL;
454 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "sii|z",
455 discard_const_p(char *, kwnames),
456 &fname, &uid, &gid, &service))
459 frame = talloc_stackframe();
461 conn = get_conn_tos(service, NULL);
467 smb_fname = synthetic_smb_fname(talloc_tos(),
471 lp_posix_pathnames() ?
472 SMB_FILENAME_POSIX_PATH : 0);
473 if (smb_fname == NULL) {
476 return PyErr_SetFromErrno(PyExc_OSError);
479 ret = SMB_VFS_CHOWN(conn, smb_fname, uid, gid);
483 return PyErr_SetFromErrno(PyExc_OSError);
494 static PyObject *py_smbd_unlink(PyObject *self, PyObject *args, PyObject *kwargs)
496 const char * const kwnames[] = { "fname", "service", NULL };
497 connection_struct *conn;
499 struct smb_filename *smb_fname = NULL;
500 char *fname, *service = NULL;
503 frame = talloc_stackframe();
505 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s|z",
506 discard_const_p(char *, kwnames),
512 conn = get_conn_tos(service, NULL);
518 smb_fname = synthetic_smb_fname_split(frame,
520 lp_posix_pathnames());
521 if (smb_fname == NULL) {
523 return PyErr_NoMemory();
526 ret = SMB_VFS_UNLINK(conn, smb_fname);
530 return PyErr_SetFromErrno(PyExc_OSError);
539 check if we have ACL support
541 static PyObject *py_smbd_have_posix_acls(PyObject *self)
543 #ifdef HAVE_POSIX_ACLS
544 return PyBool_FromLong(true);
546 return PyBool_FromLong(false);
551 set the NT ACL on a file
553 static PyObject *py_smbd_set_nt_acl(PyObject *self, PyObject *args, PyObject *kwargs)
555 const char * const kwnames[] = {
556 "fname", "security_info_sent", "sd",
557 "service", "session_info", NULL };
560 char *fname, *service = NULL;
561 int security_info_sent;
563 struct security_descriptor *sd;
564 PyObject *py_session = Py_None;
565 struct auth_session_info *session_info = NULL;
566 connection_struct *conn;
569 frame = talloc_stackframe();
571 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siO|zO",
572 discard_const_p(char *, kwnames),
573 &fname, &security_info_sent, &py_sd,
574 &service, &py_session)) {
579 if (!py_check_dcerpc_type(py_sd, "samba.dcerpc.security", "descriptor")) {
584 if (py_session != Py_None) {
585 if (!py_check_dcerpc_type(py_session,
591 session_info = pytalloc_get_type(py_session,
592 struct auth_session_info);
594 PyErr_Format(PyExc_TypeError,
595 "Expected auth_session_info for session_info argument got %s",
596 talloc_get_name(pytalloc_get_ptr(py_session)));
601 conn = get_conn_tos(service, session_info);
607 sd = pytalloc_get_type(py_sd, struct security_descriptor);
609 status = set_nt_acl_conn(fname, security_info_sent, sd, conn);
611 PyErr_NTSTATUS_IS_ERR_RAISE(status);
617 Return the NT ACL on a file
619 static PyObject *py_smbd_get_nt_acl(PyObject *self, PyObject *args, PyObject *kwargs)
621 const char * const kwnames[] = { "fname",
622 "security_info_wanted",
626 char *fname, *service = NULL;
627 int security_info_wanted;
629 struct security_descriptor *sd;
630 TALLOC_CTX *frame = talloc_stackframe();
631 PyObject *py_session = Py_None;
632 struct auth_session_info *session_info = NULL;
633 connection_struct *conn;
637 ret = PyArg_ParseTupleAndKeywords(args,
640 discard_const_p(char *, kwnames),
642 &security_info_wanted,
650 if (py_session != Py_None) {
651 if (!py_check_dcerpc_type(py_session,
657 session_info = pytalloc_get_type(py_session,
658 struct auth_session_info);
662 "Expected auth_session_info for "
663 "session_info argument got %s",
664 talloc_get_name(pytalloc_get_ptr(py_session)));
669 conn = get_conn_tos(service, session_info);
675 status = get_nt_acl_conn(frame, fname, conn, security_info_wanted, &sd);
676 PyErr_NTSTATUS_IS_ERR_RAISE(status);
678 py_sd = py_return_ndr_struct("samba.dcerpc.security", "descriptor", sd, sd);
686 set the posix (or similar) ACL on a file
688 static PyObject *py_smbd_set_sys_acl(PyObject *self, PyObject *args, PyObject *kwargs)
690 const char * const kwnames[] = { "fname", "acl_type", "acl", "service", NULL };
691 TALLOC_CTX *frame = talloc_stackframe();
693 char *fname, *service = NULL;
695 struct smb_acl_t *acl;
697 connection_struct *conn;
699 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siO|z",
700 discard_const_p(char *, kwnames),
701 &fname, &acl_type, &py_acl, &service)) {
706 if (!py_check_dcerpc_type(py_acl, "samba.dcerpc.smb_acl", "t")) {
711 conn = get_conn_tos(service, NULL);
717 acl = pytalloc_get_type(py_acl, struct smb_acl_t);
719 ret = set_sys_acl_conn(fname, acl_type, acl, conn);
723 return PyErr_SetFromErrno(PyExc_OSError);
731 Return the posix (or similar) ACL on a file
733 static PyObject *py_smbd_get_sys_acl(PyObject *self, PyObject *args, PyObject *kwargs)
735 const char * const kwnames[] = { "fname", "acl_type", "service", NULL };
738 struct smb_acl_t *acl;
740 TALLOC_CTX *frame = talloc_stackframe();
741 connection_struct *conn;
742 char *service = NULL;
743 struct smb_filename *smb_fname = NULL;
745 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "si|z",
746 discard_const_p(char *, kwnames),
747 &fname, &acl_type, &service)) {
752 conn = get_conn_tos(service, NULL);
758 smb_fname = synthetic_smb_fname_split(frame,
760 lp_posix_pathnames());
761 if (smb_fname == NULL) {
765 acl = SMB_VFS_SYS_ACL_GET_FILE( conn, smb_fname, acl_type, frame);
768 return PyErr_SetFromErrno(PyExc_OSError);
771 py_acl = py_return_ndr_struct("samba.dcerpc.smb_acl", "t", acl, acl);
778 static PyObject *py_smbd_mkdir(PyObject *self, PyObject *args, PyObject *kwargs)
780 const char * const kwnames[] = { "fname", "service", NULL };
781 char *fname, *service = NULL;
782 TALLOC_CTX *frame = talloc_stackframe();
783 struct connection_struct *conn = NULL;
784 struct smb_filename *smb_fname = NULL;
786 if (!PyArg_ParseTupleAndKeywords(args,
789 discard_const_p(char *,
797 conn = get_conn_tos(service, NULL);
803 smb_fname = synthetic_smb_fname(talloc_tos(),
807 lp_posix_pathnames() ?
808 SMB_FILENAME_POSIX_PATH : 0);
810 if (smb_fname == NULL) {
816 if (SMB_VFS_MKDIR(conn, smb_fname, 00755) == -1) {
817 DBG_ERR("mkdir error=%d (%s)\n", errno, strerror(errno));
830 static PyObject *py_smbd_create_file(PyObject *self, PyObject *args, PyObject *kwargs)
832 const char * const kwnames[] = { "fname", "service", NULL };
833 char *fname, *service = NULL;
834 TALLOC_CTX *frame = talloc_stackframe();
835 struct connection_struct *conn = NULL;
836 struct files_struct *fsp = NULL;
839 if (!PyArg_ParseTupleAndKeywords(args,
842 discard_const_p(char *,
850 conn = get_conn_tos(service, NULL);
856 status = init_files_struct(frame,
859 O_CREAT|O_EXCL|O_RDWR,
861 if (!NT_STATUS_IS_OK(status)) {
862 DBG_ERR("init_files_struct failed: %s\n",
871 static PyMethodDef py_smbd_methods[] = {
873 (PyCFunction)py_smbd_have_posix_acls, METH_NOARGS,
876 (PyCFunction)py_smbd_set_simple_acl, METH_VARARGS|METH_KEYWORDS,
879 (PyCFunction)py_smbd_set_nt_acl, METH_VARARGS|METH_KEYWORDS,
882 (PyCFunction)py_smbd_get_nt_acl, METH_VARARGS|METH_KEYWORDS,
885 (PyCFunction)py_smbd_get_sys_acl, METH_VARARGS|METH_KEYWORDS,
888 (PyCFunction)py_smbd_set_sys_acl, METH_VARARGS|METH_KEYWORDS,
891 (PyCFunction)py_smbd_chown, METH_VARARGS|METH_KEYWORDS,
894 (PyCFunction)py_smbd_unlink, METH_VARARGS|METH_KEYWORDS,
897 (PyCFunction)py_smbd_mkdir, METH_VARARGS|METH_KEYWORDS,
900 (PyCFunction)py_smbd_create_file, METH_VARARGS|METH_KEYWORDS,
907 static struct PyModuleDef moduledef = {
908 PyModuleDef_HEAD_INIT,
910 .m_doc = "Python bindings for the smbd file server.",
912 .m_methods = py_smbd_methods,
915 MODULE_INIT_FUNC(smbd)
919 m = PyModule_Create(&moduledef);
git.samba.org / nivanova / samba-autobuild / .git / blob