The branch, master has been updated
via 20129d16dc3 python:ntacls: pull allow list out of loop
via ff0e0045ed5 python/ntacls.py: only allow allow and deny ACEs in setntacl()
via 301c36d1ad6 python/provision: avoid SDDL conversion in set_dir_acl()
via 62c8dc9fa1f python/policies.py: avoid SDDL conversion for dsacl2fsacl
via 29df0b6691d python/gpo.py: avoid SDDL conversion for dsacl2fsacl
via 3e572824dca pytest:ntacls: test dsacl2fsacl() with a few strings
from dbc48a4cda7 vfs_ceph_new: Add path based fallback for SMB_VFS_FNTIMES
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 20129d16dc30a2ab9ad0ae04fec5cf007ebb035d
Author: Douglas Bagnall <[email protected]>
Date: Fri Mar 7 15:51:18 2025 +1300
python:ntacls: pull allow list out of loop
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14927
Signed-off-by: Douglas Bagnall <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
Autobuild-User(master): Ralph Böhme <[email protected]>
Autobuild-Date(master): Wed Mar 19 15:56:38 UTC 2025 on atb-devel-224
commit ff0e0045ed5ec619e8ef1910c0b72eb118f59bd3
Author: Ralph Boehme <[email protected]>
Date: Mon Jul 31 15:24:19 2023 +0200
python/ntacls.py: only allow allow and deny ACEs in setntacl()
Commit 27dd0afb62d4f7427c966e984c7c8b01bc4d93b5 introduced a
regression.
Before that commit we included only SEC_ACE_TYPE_ACCESS_ALLOWED(0)
as 'not type & SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT' filtered out
SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT(5), but also
SEC_ACE_TYPE_ACCESS_DENIED and SEC_ACE_TYPE_ACCESS_DENIED_OBJECT.
After that commit we started to include
SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT, which is wrong.
It was also always wrong to exclude SEC_ACE_TYPE_ACCESS_DENIED(1).
So now we make it explicit that we only include
SEC_ACE_TYPE_ACCESS_ALLOWED and SEC_ACE_TYPE_ACCESS_DENIED.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14927
Pair-Programmed-With: Stefan Metzmacher <[email protected]>
Signed-off-by: Ralph Boehme <[email protected]>
Signed-off-by: Stefan Metzmacher <[email protected]>
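The filter history this commit message describes, as an added illustration written for this page (not code from the Samba tree): the bitmask test in use before 27dd0afb, the membership test that replaced it and let object ACEs through, and the explicit allow list this commit introduces, each run over the four ACE types a directory DACL can contain. The ACE type numbers are the MS-DTYP values (0, 1, 5 and 6; the message names the first three), the SID of BUILTIN\Pre-Windows 2000 Compatible Access is `S-1-5-32-554`, and the sample DACL is constructed.

```python
"""Added illustration (not Samba code) of the three ACE-type filters the
commit message describes.  ACE type numbers follow MS-DTYP 2.4.4.1; Samba's
security.SEC_ACE_TYPE_* constants carry the same values."""

SEC_ACE_TYPE_ACCESS_ALLOWED = 0
SEC_ACE_TYPE_ACCESS_DENIED = 1
SEC_ACE_TYPE_SYSTEM_AUDIT = 2            # SACL-only type, never valid in a DACL
SEC_ACE_TYPE_ACCESS_ALLOWED_COMPOUND = 4
SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5
SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 6

# BUILTIN\Pre-Windows 2000 Compatible Access, which dsacl2fsacl() skips.
SID_BUILTIN_PREW2K = "S-1-5-32-554"

# The four ACE types that can appear in a directory-object DACL.
DACL_ACE_TYPES = (
    SEC_ACE_TYPE_ACCESS_ALLOWED,
    SEC_ACE_TYPE_ACCESS_DENIED,
    SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT,
    SEC_ACE_TYPE_ACCESS_DENIED_OBJECT,
)


def keep_before_27dd0afb(ace_type):
    """Filter in use before commit 27dd0afb: a bitmask test.

    ALLOWED (0) passes, but so does any type whose bits miss 0b101, while
    DENIED (1) is wrongly rejected because its bit 0 is set.
    """
    return not ace_type & SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT


def keep_after_27dd0afb(ace_type):
    """Filter introduced by commit 27dd0afb (the regression): object ACEs
    are now let through, and DENIED is still rejected."""
    return ace_type in (SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT,
                        SEC_ACE_TYPE_ACCESS_ALLOWED)


ALLOWED_ACE_TYPES = frozenset({
    SEC_ACE_TYPE_ACCESS_ALLOWED,
    SEC_ACE_TYPE_ACCESS_DENIED,
})


def keep_fixed(ace_type):
    """Filter after this fix: an explicit allow list of the two ACE types
    that have a filesystem equivalent."""
    return ace_type in ALLOWED_ACE_TYPES


def kept_types(keep, ace_types=DACL_ACE_TYPES):
    """Return the subset of ace_types that a filter lets through."""
    return [t for t in ace_types if keep(t)]


def filter_dacl(aces, keep):
    """Apply a type filter plus the SID_BUILTIN_PREW2K skip to a DACL given
    as (ace_type, trustee_sid) pairs, mirroring the loop in dsacl2fsacl().
    The SID skip is kept identical across the three variants here."""
    return [
        (ace_type, trustee)
        for ace_type, trustee in aces
        if keep(ace_type) and trustee != SID_BUILTIN_PREW2K
    ]


# Constructed sample DACL: one ACE of each DACL type plus a PREW2K allow.
SAMPLE_DACL = [
    (SEC_ACE_TYPE_ACCESS_ALLOWED, "S-1-5-32-544"),      # allow BUILTIN\Administrators
    (SEC_ACE_TYPE_ACCESS_DENIED, "S-1-1-0"),            # deny Everyone
    (SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT, "S-1-3-0"),    # object allow, CREATOR OWNER
    (SEC_ACE_TYPE_ACCESS_DENIED_OBJECT, "S-1-1-0"),     # object deny, Everyone
    (SEC_ACE_TYPE_ACCESS_ALLOWED, SID_BUILTIN_PREW2K),  # skipped by every variant
]

if __name__ == "__main__":
    for name, keep in (("before 27dd0afb", keep_before_27dd0afb),
                       ("after 27dd0afb", keep_after_27dd0afb),
                       ("fixed", keep_fixed)):
        print(f"{name:>16}: types {kept_types(keep)} "
              f"-> {filter_dacl(SAMPLE_DACL, keep)}")
```

Running it shows why an explicit allow list is the safer shape: the old bitmask test also passes any type whose bits miss 0b101, such as SEC_ACE_TYPE_SYSTEM_AUDIT (2), even though that type never belongs in a DACL, and it silently drops every deny ACE, which is the more dangerous direction for an access-control mapping to fail in.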
commit 301c36d1ad6d81e4983001c607d501bea7551014
Author: Ralph Boehme <[email protected]>
Date: Mon Jul 31 15:56:26 2023 +0200
python/provision: avoid SDDL conversion in set_dir_acl()
This is not needed and has the potential to lose
information if the sddl code does not have all features
implemented.
No intended change in behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14927
Pair-Programmed-With: Stefan Metzmacher <[email protected]>
Signed-off-by: Ralph Boehme <[email protected]>
Signed-off-by: Stefan Metzmacher <[email protected]>
commit 62c8dc9fa1f00dd178468edf23d35f6316fce800
Author: Ralph Boehme <[email protected]>
Date: Mon Jul 31 15:56:26 2023 +0200
python/policies.py: avoid SDDL conversion for dsacl2fsacl
This is not needed and has the potential to lose
information if the sddl code does not have all features
implemented.
No intended change in behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14927
Pair-Programmed-With: Stefan Metzmacher <[email protected]>
Signed-off-by: Ralph Boehme <[email protected]>
Signed-off-by: Stefan Metzmacher <[email protected]>
commit 29df0b6691d67816b146549b5b18883505a55649
Author: Ralph Boehme <[email protected]>
Date: Mon Jul 31 15:56:26 2023 +0200
python/gpo.py: avoid SDDL conversion for dsacl2fsacl
This is not needed and has the potential to lose
information if the sddl code does not have all features
implemented.
No intended change in behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14927
Pair-Programmed-With: Stefan Metzmacher <[email protected]>
Signed-off-by: Ralph Boehme <[email protected]>
Signed-off-by: Stefan Metzmacher <[email protected]>
commit 3e572824dcafc6544320bb1b306063035f1ecc37
Author: Douglas Bagnall <[email protected]>
Date: Fri Mar 7 15:54:08 2025 +1300
pytest:ntacls: test dsacl2fsacl() with a few strings
The fsacl should end up without object ACEs, and with some flags set
and mask changes.
We are so far only testing with allow, deny, and object ACEs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14927
Signed-off-by: Douglas Bagnall <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
python/samba/netcmd/gpo.py | 3 +-
python/samba/ntacls.py | 38 +++++++++++++------
python/samba/policies.py | 3 +-
python/samba/provision/__init__.py | 2 +-
python/samba/tests/ntacls.py | 75 +++++++++++++++++++++++++++++++++++++-
5 files changed, 103 insertions(+), 18 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py
index 96fce917f0f..d22404dd851 100644
--- a/python/samba/netcmd/gpo.py
+++ b/python/samba/netcmd/gpo.py
@@ -1503,8 +1503,7 @@ class cmd_create(GPOCommand):
# Create a file system security descriptor
domain_sid = security.dom_sid(self.samdb.get_domain_sid())
- sddl = dsacl2fsacl(ds_sd, domain_sid)
- fs_sd = security.descriptor.from_sddl(sddl, domain_sid)
+ fs_sd = dsacl2fsacl(ds_sd, domain_sid, as_sddl=False)
# Copy GPO directory
create_directory_hier(conn, sharepath)
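Review bot: with the `security.descriptor.from_sddl(sddl, domain_sid)` step gone, `fs_sd` is now the object `dsacl2fsacl` built directly, so the SDDL re-parse that used to act as an implicit validation of the generated string no longer runs on this path; the `as_sddl=False` cases added in python/samba/tests/ntacls.py are what cover it now, so any future change to the flag or mask mapping in `dsacl2fsacl` should extend those cases rather than rely on `from_sddl` catching a malformed result here.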
diff --git a/python/samba/ntacls.py b/python/samba/ntacls.py
index 24af056d2a4..5c4c4dc2c83 100644
--- a/python/samba/ntacls.py
+++ b/python/samba/ntacls.py
@@ -299,18 +299,32 @@ def dsacl2fsacl(dssddl, sid, as_sddl=True):
fdescr.group_sid = ref.group_sid
fdescr.type = ref.type
fdescr.revision = ref.revision
- aces = ref.dacl.aces
- for i in range(0, len(aces)):
- ace = aces[i]
- if ace.type in (security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT,
- security.SEC_ACE_TYPE_ACCESS_ALLOWED) and
str(ace.trustee) != security.SID_BUILTIN_PREW2K:
- # if fdescr.type & security.SEC_DESC_DACL_AUTO_INHERITED:
- ace.flags = ace.flags | security.SEC_ACE_FLAG_OBJECT_INHERIT |
security.SEC_ACE_FLAG_CONTAINER_INHERIT
- if str(ace.trustee) == security.SID_CREATOR_OWNER:
- # For Creator/Owner the IO flag is set as this ACE has only a
sense for child objects
- ace.flags = ace.flags | security.SEC_ACE_FLAG_INHERIT_ONLY
- ace.access_mask = ldapmask2filemask(ace.access_mask)
- fdescr.dacl_add(ace)
+
+ # Only apply allowed and deny ACEs, as they are the only ones
+ # we can map to filesystem aces.
+ #
+ # In future we may need to include resource based aces...
+ allowed_ace_types = [
+ security.SEC_ACE_TYPE_ACCESS_ALLOWED,
+ security.SEC_ACE_TYPE_ACCESS_DENIED,
+ ]
+
+ for ace in ref.dacl.aces:
+ if not ace.type in allowed_ace_types:
+ continue
+
+ # Don't add the allow for SID_BUILTIN_PREW2K as in
+ # gp_create_gpt_security_descriptor()
+ if str(ace.trustee) == security.SID_BUILTIN_PREW2K:
+ continue
+
+ ace.flags = ace.flags | security.SEC_ACE_FLAG_OBJECT_INHERIT |
security.SEC_ACE_FLAG_CONTAINER_INHERIT
+ if str(ace.trustee) == security.SID_CREATOR_OWNER:
+ # For Creator/Owner the IO flag is set as this ACE has only a
sense for child objects
+ ace.flags = ace.flags | security.SEC_ACE_FLAG_INHERIT_ONLY
+
+ ace.access_mask = ldapmask2filemask(ace.access_mask)
+ fdescr.dacl_add(ace)
if not as_sddl:
return fdescr
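Review bot: the comment above the `SID_BUILTIN_PREW2K` check says "Don't add the allow for SID_BUILTIN_PREW2K", but the `continue` now applies to deny ACEs for that SID as well, since the type test and the trustee test are no longer joined by `and` as they were in the removed `if`; either restrict the skip to `security.SEC_ACE_TYPE_ACCESS_ALLOWED` or reword the comment so it matches what the code does. Style: `if not ace.type in allowed_ace_types:` reads better as `if ace.type not in allowed_ace_types:`, and `allowed_ace_types` can be a tuple or frozenset since it is never modified. Also worth a comment in the code: the loop mutates the ACE objects of `ref` in place (`ace.flags`, `ace.access_mask`) before `fdescr.dacl_add(ace)`, so with `as_sddl=False` the returned `fdescr` shares those objects with `ref`; that is fine as long as `ref` stays local to this function.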
diff --git a/python/samba/policies.py b/python/samba/policies.py
index 45392322b3e..0a496513c21 100644
--- a/python/samba/policies.py
+++ b/python/samba/policies.py
@@ -78,8 +78,7 @@ class RegistryGroupPolicies(object):
# Create a file system security descriptor
domain_sid = security.dom_sid(self.samdb.get_domain_sid())
- sddl = dsacl2fsacl(ds_sd, domain_sid)
- self.fs_sd = security.descriptor.from_sddl(sddl, domain_sid)
+ self.fs_sd = dsacl2fsacl(ds_sd, domain_sid, as_sddl=False)
def __load_registry_pol(self, pol_file):
try:
diff --git a/python/samba/provision/__init__.py
b/python/samba/provision/__init__.py
index f091ccf2f18..119ff3f49fa 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1648,7 +1648,7 @@ def set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn,
samdb, lp, use_ntvfs, p
acl = ndr_unpack(security.descriptor,
policy["nTSecurityDescriptor"][0]).as_sddl()
policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
- set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
+ set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid, as_sddl=False),
lp,
str(domainsid), use_ntvfs,
passdb=passdb)
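Review bot: the SDDL round trip is only removed on the output side here; `acl` is still produced with `.as_sddl()` two lines above, and `dsacl2fsacl(dssddl, sid, as_sddl=True)` parses that string back into a descriptor, so the information-loss concern in the commit message applies equally to the input side. Consider a follow-up that lets `dsacl2fsacl` accept a `security.descriptor` directly, so the result of `ndr_unpack(security.descriptor, ...)` can be passed through unchanged.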
diff --git a/python/samba/tests/ntacls.py b/python/samba/tests/ntacls.py
index 6e2adda6a0d..3167221180d 100644
--- a/python/samba/tests/ntacls.py
+++ b/python/samba/tests/ntacls.py
@@ -20,7 +20,7 @@
import os
-from samba.ntacls import setntacl, getntacl, XattrBackendError
+from samba.ntacls import setntacl, getntacl, XattrBackendError, dsacl2fsacl
from samba.param import LoadParm
from samba.dcerpc import security
from samba.tests import TestCaseInTempDir, SkipTest
@@ -85,3 +85,76 @@ class NtaclsTests(TestCaseInTempDir):
lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb"))
self.assertRaises(PermissionError, setntacl, lp, self.tempf,
NTACL_SDDL,
DOMAIN_SID, self.session_info, "native")
+
+ def test_dsacl2fsacl(self):
+ for comment, dssddl, sid, as_sddl, expected in (
+ ("simple ACE should be unchanged",
+ 'O:BAD:(A;OICI;;;;WD)',
+ DOMAIN_SID, True,
+ 'O:BAD:(A;OICI;;;;WD)'),
+ ("simple ACE, unchanged, without SDDL conversion",
+ 'O:BAD:(A;OICI;;;;WD)',
+ DOMAIN_SID, False,
+ 'O:BAD:(A;OICI;;;;WD)'),
+ ("simple ACE with DS mask",
+ 'O:BAD:(A;;CR;;;WD)',
+ DOMAIN_SID, True,
+ 'O:BAD:(A;OICI;;;;WD)'),
+ ("simple ACE with no mask without SDDL conversion",
+ 'O:BAD:(A;;;;;WD)',
+ DOMAIN_SID, False,
+ 'O:BAD:(A;OICI;;;;WD)'),
+
+ ("simple deny ACE should be unchanged",
+ 'O:BAD:(D;OICI;;;;WD)',
+ DOMAIN_SID, True,
+ 'O:BAD:(D;OICI;;;;WD)'),
+ ("simple deny ACE, unchanged, without SDDL conversion",
+ 'O:BAD:(D;OICI;;;;WD)',
+ DOMAIN_SID, False,
+ 'O:BAD:(D;OICI;;;;WD)'),
+ ("simple deny ACE with DS mask",
+ 'O:BAD:(D;;CR;;;WD)',
+ DOMAIN_SID, True,
+ 'O:BAD:(D;OICI;;;;WD)'),
+ ("simple deny ACE with no mask without SDDL conversion",
+ 'O:BAD:(D;;;;;WD)',
+ DOMAIN_SID, False,
+ 'O:BAD:(D;OICI;;;;WD)'),
+ ("simple ACE with fancy mask",
+ 'O:BAD:(A;NPIOIDSA;;;;WD)',
+ DOMAIN_SID, False,
+ 'O:BAD:(A;OICINPIOIDSA;;;;WD)'),
+ ("simple ACE with different domain SID and GR mask",
+ 'O:BAD:(A;;GR;;;WD)',
+ "S-1-2-3-4-5", False,
+ 'O:BAD:(A;OICI;;;;WD)'),
+ ("compound ACL, allow only",
+ "O:LAG:BAD:P(A;OICI;FA;;;BA)"
+ "(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)"
+ "(A;OICI;0x1200a9;;;AU)(A;OICI;0x1301bf;;;PA)",
+ DOMAIN_SID, True,
+ "O:LAG:BAD:P(A;OICI;FA;;;BA)"
+ "(A;OICI;FW;;;SO)(A;OICI;FA;;;SY)"
+ "(A;OICI;FW;;;AU)(A;OICI;0x1301ff;;;PA)"),
+ ("compound ACL with object ACES",
+
"D:(OD;;CR;00299570-246d-11d0-a768-00aa006e0529;;WD)(A;;RPWPCRCCDCLCLORCWOWDSDD"
+
"TSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;"
+
"SY)(A;;RPCRLCLORCSDDT;;;CO)(OD;;WP;4c164200-20c0-11d0-a768-00aa006e0529;;CO)(O"
+
"A;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;CO)(OA;;SW;f3a64788-5306-11d1-a9c5"
+ "-0000f80367c1;;CO)",
+ DOMAIN_SID, True,
+
"D:(A;OICI;FA;;;DA)(A;OICI;FA;;;AO)(A;OICI;FA;;;SY)(A;OICIIO;0x1300a9;;;CO)"),
+ ):
+ domsid = security.dom_sid(sid)
+ result = dsacl2fsacl(dssddl, domsid, as_sddl=as_sddl)
+ if as_sddl:
+ self.assertIsInstance(result, str,
+ f"expected sddl in '{comment}' test")
+ else:
+ self.assertNotIsInstance(result, str,
+ f"did not expect sddl in '{comment}'
test")
+ # convert to SDDL to compare the result
+ result = result.as_sddl(domsid)
+
+ self.assertEqual(result, expected)
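Review bot: the final `self.assertEqual(result, expected)` carries no message, so a mismatch inside the loop will not say which of the dozen cases failed; pass `comment` as the third argument, as the two isinstance checks already do. The `as_sddl=False` branch only asserts `assertNotIsInstance(result, str)`; `assertIsInstance(result, security.descriptor)` would be stricter, still permits the `result.as_sddl(domsid)` call that follows, and would catch a wrong return type rather than just a string.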
--
Samba Shared Repository