The branch, master has been updated via a2d5326 python-ntacls: Cope with ACL revision 4 via f8e6bb4 dbwrap: use talloc_stackframe() in db_tdb_log_key() via 1008f6f selftest: Always unlink the tempf in posixacl test via 117d5f4 selftest: Cover the important non-Samba invalidation of the NT ACL via 53244c9 selftest: Cover one more NT ACL invalidation case and improve comments from e9b6b23 selftest: Add many more tests for our posix ACL handling
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit a2d53262e835b0c74282d389b1dd6dad2395f0f1 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Oct 24 18:24:12 2012 +1100 python-ntacls: Cope with ACL revision 4 This is the new revision with the hash of the posix or system ACL. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Thu Oct 25 15:04:39 CEST 2012 on sn-devel-104 commit f8e6bb46c005e82d5a8646e691de9282828005cc Author: Andrew Bartlett <abart...@samba.org> Date: Wed Oct 24 18:23:04 2012 +1100 dbwrap: use talloc_stackframe() in db_tdb_log_key() We can not be sure that there is already a talloc_stackframe() in place so we must create one. Andrew Bartlett commit 1008f6fbf49d5b797c7d968ea7ffdcb29d623644 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Oct 25 20:18:28 2012 +1100 selftest: Always unlink the tempf in posixacl test commit 117d5f4c372c02d69106df45e12ac69d1c047f50 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Oct 25 20:17:55 2012 +1100 selftest: Cover the important non-Samba invalidation of the NT ACL This covers the case where we have a valid hash of the posix ACL (or the NT ACL from the POSIX ACL) and we notice it no longer matches. Andrew Bartlett commit 53244c915113cef87692756e9ad545ff75074df0 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Oct 25 19:58:15 2012 +1100 selftest: Cover one more NT ACL invalidation case and improve comments This tries to show the difference between the cases where we trap the POSIX ACL change and where we actually detect an OS-level change. 
Andrew Bartlett ----------------------------------------------------------------------- Summary of changes: lib/dbwrap/dbwrap_tdb.c | 7 ++-- source4/scripting/python/samba/ntacls.py | 2 + source4/scripting/python/samba/tests/posixacl.py | 41 +++++++++++++++++---- 3 files changed, 39 insertions(+), 11 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/dbwrap/dbwrap_tdb.c b/lib/dbwrap/dbwrap_tdb.c index 80d41b4..a3a6c87 100644 --- a/lib/dbwrap/dbwrap_tdb.c +++ b/lib/dbwrap/dbwrap_tdb.c @@ -42,10 +42,11 @@ static void db_tdb_log_key(const char *prefix, TDB_DATA key) { size_t len; char *keystr; - + TALLOC_CTX *frame; if (DEBUGLEVEL < 10) { return; } + frame = talloc_stackframe(); len = key.dsize; if (DEBUGLEVEL == 10) { /* @@ -53,10 +54,10 @@ static void db_tdb_log_key(const char *prefix, TDB_DATA key) */ len = MIN(10, key.dsize); } - keystr = hex_encode_talloc(talloc_tos(), (unsigned char *)(key.dptr), + keystr = hex_encode_talloc(frame, (unsigned char *)(key.dptr), len); DEBUG(10, ("%s key %s\n", prefix, keystr)); - TALLOC_FREE(keystr); + TALLOC_FREE(frame); } static int db_tdb_record_destr(struct db_record* data) diff --git a/source4/scripting/python/samba/ntacls.py b/source4/scripting/python/samba/ntacls.py index 44cbbe9..f304047 100644 --- a/source4/scripting/python/samba/ntacls.py +++ b/source4/scripting/python/samba/ntacls.py @@ -78,6 +78,8 @@ def getntacl(lp, file, backend=None, eadbfile=None, direct_db_access=True): return ntacl.info.sd elif ntacl.version == 3: return ntacl.info.sd + elif ntacl.version == 4: + return ntacl.info.sd else: return smbd.get_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL) diff --git a/source4/scripting/python/samba/tests/posixacl.py b/source4/scripting/python/samba/tests/posixacl.py index 449a87c..482b48b 100644 --- a/source4/scripting/python/samba/tests/posixacl.py +++ b/source4/scripting/python/samba/tests/posixacl.py 
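Review bot: `keystr` goes straight into the `%s` of `DEBUG(10, ...)` in the second hunk of db_tdb_log_key() with no NULL check. If `hex_encode_talloc(frame, ...)` returns NULL on allocation failure, a null pointer reaches the format string. A guard such as `if (keystr != NULL) { DEBUG(10, ("%s key %s\n", prefix, keystr)); }` before `TALLOC_FREE(frame);` would keep the logging path safe. The new `frame` also deserves a short comment, e.g. `/* callers may not have a stackframe; freeing this one releases keystr too */`.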
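Review bot: The new `elif ntacl.version == 4:` branch returns `ntacl.info.sd` as stored, and nothing visible in this hunk compares the hash that revision 4 carries with the file's current POSIX ACL. A caller on this path may therefore receive a descriptor that the smbd path would treat as invalidated; the tests in this same push pass `direct_db_access=False` when they expect the mode-based ACL. I would note that on the branch, e.g. `# v4 adds a hash of the posix/system ACL; it is not verified here, use direct_db_access=False for the validated ACL`. The branches for 3 and 4 could also be merged as `elif ntacl.version in (3, 4):`. getntacl's body starts and ends outside the hunk.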
@@ -82,7 +82,7 @@ class PosixAclMappingTests(TestCase): pass os.unlink(tempf) - def test_setntacl_smbd_chmod_getntacl(self): + def test_setntacl_invalidate_getntacl(self): random.seed() lp = LoadParm() path = None 
@@ -103,25 +103,47 @@ class PosixAclMappingTests(TestCase): self.assertEquals(acl, facl.as_sddl(anysid)) os.unlink(tempf) - def test_setntacl_smbd_chmod_getntacl_smbd(self): + def test_setntacl_invalidate_getntacl_smbd(self): random.seed() lp = LoadParm() path = None path = os.environ['SELFTEST_PREFIX'] acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)" - simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)" tempf = os.path.join(path,"pytests"+str(int(100000*random.random()))) open(tempf, 'w').write("empty") - setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True) + setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False) # This should invalidate the ACL, as we include the posix ACL in the hash (backend_obj, dbname) = checkset_backend(lp, None, None) backend_obj.wrap_setxattr(dbname, tempf, "system.fake_access_acl", "") - #the hash breaks, and we return an ACL based only on the mode + #the hash would break, and we return an ACL based only on the mode, except we set the ACL using the 'ntvfs' mode that doesn't include a hash facl = getntacl(lp,tempf) anysid = security.dom_sid(security.SID_NT_SELF) + self.assertEquals(acl, facl.as_sddl(anysid)) + os.unlink(tempf) + + def test_setntacl_smbd_invalidate_getntacl_smbd(self): + random.seed() + lp = LoadParm() + path = None + path = os.environ['SELFTEST_PREFIX'] + acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)" + simple_acl_from_posix = 
"O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)" + tempf = os.path.join(path,"pytests"+str(int(100000*random.random()))) + open(tempf, 'w').write("empty") + os.chmod(tempf, 0750) + setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False) + + # This should invalidate the ACL, as we include the posix ACL in the hash + (backend_obj, dbname) = checkset_backend(lp, None, None) + backend_obj.wrap_setxattr(dbname, + tempf, "system.fake_access_acl", "") + + #the hash will break, and we return an ACL based only on the mode + facl = getntacl(lp,tempf, direct_db_access=False) + anysid = security.dom_sid(security.SID_NT_SELF) self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid)) os.unlink(tempf) @@ -163,7 +185,7 @@ class PosixAclMappingTests(TestCase): tempf = os.path.join(path,"pytests"+str(int(100000*random.random()))) open(tempf, 'w').write("empty") setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False) - # This invalidates the hash of the NT acl just set + # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code smbd.set_simple_acl(tempf, 0640) facl = getntacl(lp,tempf, direct_db_access=False) anysid = security.dom_sid(security.SID_NT_SELF) @@ -181,7 +203,7 @@ class PosixAclMappingTests(TestCase): tempf = os.path.join(path,"pytests"+str(int(100000*random.random()))) open(tempf, 'w').write("empty") setntacl(lp,tempf,acl,"S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False) - # This invalidates the hash of the NT acl just set + # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code s3conf = s3param.get_context() s4_passdb = passdb.PDB(s3conf.get("passdb backend")) (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid) 
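Review bot: The comment added above `facl = getntacl(lp,tempf)` in test_setntacl_invalidate_getntacl_smbd says the ACL was set using the 'ntvfs' mode, but the same hunk changes the call to `use_ntvfs=False`. The stated reason for the unchanged ACL therefore no longer matches the code. From the visible lines, the difference from the new test_setntacl_smbd_invalidate_getntacl_smbd is that this test calls getntacl() without `direct_db_access=False`, so presumably the stored descriptor is read back without the hash being checked. If that is the intent, a comment such as `# getntacl() reads the xattr directly here, so the broken hash is not noticed and the stored NT ACL is returned` would describe it accurately.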
@@ -256,9 +278,11 @@ class PosixAclMappingTests(TestCase): smbd.set_simple_acl(tempf, 0750) try: facl = getntacl(lp,tempf) + self.assertTrue(False) except TypeError: # We don't expect the xattr to be filled in in this case pass + os.unlink(tempf) def test_setposixacl_getntacl_smbd(self): random.seed() @@ -272,10 +296,10 @@ class PosixAclMappingTests(TestCase): user_SID = s4_passdb.uid_to_sid(os.stat(tempf).st_uid) smbd.set_simple_acl(tempf, 0640) facl = getntacl(lp, tempf, direct_db_access=False) - domsid = passdb.get_global_sam_sid() acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID) anysid = security.dom_sid(security.SID_NT_SELF) self.assertEquals(acl, facl.as_sddl(anysid)) + os.unlink(tempf) def test_setposixacl_group_getntacl_smbd(self): random.seed() @@ -296,6 +320,7 @@ class PosixAclMappingTests(TestCase): acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID) anysid = security.dom_sid(security.SID_NT_SELF) self.assertEquals(acl, facl.as_sddl(anysid)) + os.unlink(tempf) def test_setposixacl_getposixacl(self): random.seed() -- Samba Shared Repository
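Review bot: `self.assertTrue(False)` inside the `try:` of the first hunk fails with a message that says nothing about the expectation. Because `except TypeError` does not catch the AssertionError, the `os.unlink(tempf)` added after the block is skipped on that path. `self.assertRaises(TypeError, getntacl, lp, tempf)` states the expectation directly, and wrapping the test body in `try: ... finally: os.unlink(tempf)` makes the cleanup unconditional. The same applies to the `os.unlink(tempf)` lines added after `self.assertEquals(...)` in the hunks at @@ -272 and @@ -296, and to the tests in the @@ -103 hunk: a failing assertion leaves the file behind under SELFTEST_PREFIX. The enclosing test methods start outside these hunks.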