Diffstat (limited to 'source4/scripting')
-rw-r--r-- | source4/scripting/python/samba/netcmd/__init__.py | 2 | ||||
-rw-r--r-- | source4/scripting/python/samba/netcmd/ntacl.py | 119 | ||||
-rw-r--r-- | source4/scripting/python/samba/ntacls.py | 10 |
3 files changed, 126 insertions, 5 deletions
diff --git a/source4/scripting/python/samba/netcmd/__init__.py b/source4/scripting/python/samba/netcmd/__init__.py
index a204ab897b..d6a130c942 100644
--- a/source4/scripting/python/samba/netcmd/__init__.py
+++ b/source4/scripting/python/samba/netcmd/__init__.py
@@ -143,3 +143,5 @@ from samba.netcmd.enableaccount import cmd_enableaccount
 commands["enableaccount"] = cmd_enableaccount()
 from samba.netcmd.newuser import cmd_newuser
 commands["newuser"] = cmd_newuser()
+from samba.netcmd.ntacl import cmd_acl
+commands["acl"] = cmd_acl()
diff --git a/source4/scripting/python/samba/netcmd/ntacl.py b/source4/scripting/python/samba/netcmd/ntacl.py
new file mode 100644
index 0000000000..a96593ef0c
--- /dev/null
+++ b/source4/scripting/python/samba/netcmd/ntacl.py
@@ -0,0 +1,119 @@
+#!/usr/bin/python
+#
+# Manipulate file NT ACLs
+#
+# Copyright Matthieu Patou 2010 <mat@matws.net>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from samba.credentials import DONT_USE_KERBEROS
+import samba.getopt as options
+from samba.dcerpc import security
+from samba.ntacls import setntacl, getntacl
+from samba import Ldb
+from samba.ndr import ndr_unpack
+
+from ldb import SCOPE_BASE
+import ldb
+import os
+import sys
+
+from samba.auth import system_session
+from samba.netcmd import (
+ Command,
+ SuperCommand,
+ CommandError,
+ Option,
+ )
+
+class cmd_acl_set(Command):
+ """Set ACLs on a file"""
+ synopsis = "%prog set <acl> <file> [--xattr-backend=native|tdb] [--eadb-file=file] [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
+
+ takes_options = [
+ Option("--quiet", help="Be quiet", action="store_true"),
+ Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)",
+ choices=["native","tdb"]),
+ Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"),
+ ]
+
+ takes_args = ["acl","file"]
+
+ def run(self, acl, file, quiet=False,xattr_backend=None,eadb_file=None,
+ credopts=None, sambaopts=None, versionopts=None):
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+ path = os.path.join(lp.get("private dir"), lp.get("sam database") or "samdb.ldb")
+ creds = credopts.get_credentials(lp)
+ creds.set_kerberos_state(DONT_USE_KERBEROS)
+ try:
+ ldb = Ldb(path, session_info=system_session(), credentials=creds,lp=lp)
+ except:
+ print "Unable to read domain SID from configuration files"
+ sys.exit(1)
+ attrs = ["objectSid"]
+ print lp.get("realm")
+ res = ldb.search(expression="(objectClass=*)",base="DC=%s"%lp.get("realm").lower().replace(".",",DC="), scope=SCOPE_BASE, attrs=attrs)
+ if len(res) !=0:
+ domainsid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
+ setntacl(lp,file,acl,str(domainsid),xattr_backend,eadb_file)
+ else:
+ print "Unable to read domain SID from configuration files"
+ sys.exit(1)
+
+class cmd_acl_get(Command):
+ """Set ACLs on a file"""
+ synopsis = "%prog get <file> [--as-sddl] [--xattr-backend=native|tdb] [--eadb-file=file] [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
+
+ takes_options = [
+ Option("--as-sddl", help="Output ACL in the SDDL format", action="store_true"),
+ Option("--xattr-backend", type="choice", help="xattr backend type (native fs or tdb)",
+ choices=["native","tdb"]),
+ Option("--eadb-file", help="Name of the tdb file where attributes are stored", type="string"),
+ ]
+
+ takes_args = ["file"]
+
+ def run(self, file, as_sddl=False,xattr_backend=None,eadb_file=None,
+ credopts=None, sambaopts=None, versionopts=None):
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+ acl = getntacl(lp,file,xattr_backend,eadb_file)
+ if as_sddl:
+ anysid=security.dom_sid(security.SID_NT_SELF)
+ print acl.info.as_sddl(anysid)
+ else:
+ acl.dump()
+
+
+class cmd_acl(SuperCommand):
+ """NT ACLs manipulation"""
+
+ subcommands = {}
+ subcommands["set"] = cmd_acl_set()
+ subcommands["get"] = cmd_acl_get()
+ 
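Review bot: In cmd_acl_set.run the bare `except:` around the `Ldb()` open also catches KeyboardInterrupt and SystemExit, and it then reports "Unable to read domain SID from configuration files" for what is really a failure to open the sam database, so the underlying ldb error never reaches the operator; because the local name `ldb` shadows the imported `ldb` module, `ldb.LdbError` cannot even be named inside that handler. Rename the local to `samdb`, catch `ldb.LdbError` and raise the imported-but-unused `CommandError` instead of calling `sys.exit(1)`, and do the same in the `len(res) == 0` branch so the netcmd framework reports the failure consistently. The stray `print lp.get("realm")` looks like a debugging leftover, `creds` is assigned twice in a row, and the declared `--quiet` option is never read; the domain SID lookup also presumes the sam database base DN is derivable from the realm name, which is worth a comment if that assumption is intended. cmd_acl_get's docstring says "Set ACLs on a file" and should read `"""Get ACLs on a file"""`.
```python
        # … unchanged: loadparm / credentials setup …
        try:
            samdb = Ldb(path, session_info=system_session(), credentials=creds, lp=lp)
        except ldb.LdbError as e:
            # surface the real reason instead of a generic SID message
            raise CommandError("Unable to open %s: %s" % (path, e))
        attrs = ["objectSid"]
        res = samdb.search(expression="(objectClass=*)", base="DC=%s" % lp.get("realm").lower().replace(".", ",DC="), scope=SCOPE_BASE, attrs=attrs)
        if len(res) == 0:
            raise CommandError("Unable to read domain SID from configuration files")
        domainsid = ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
        setntacl(lp, file, acl, str(domainsid), xattr_backend, eadb_file)
```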
diff --git a/source4/scripting/python/samba/ntacls.py b/source4/scripting/python/samba/ntacls.py
index d6226807ce..15f310b27d 100644
--- a/source4/scripting/python/samba/ntacls.py
+++ b/source4/scripting/python/samba/ntacls.py
@@ -63,8 +63,8 @@ def setntacl(lp,file,sddl,domsid,backend=None,eadbfile=None):
 raise
 ntacl=xattr.NTACL()
 ntacl.version = 1
- anysid=security.dom_sid(domsid)
- sd = security.descriptor.from_sddl(sddl, anysid)
+ sid=security.dom_sid(domsid)
+ sd = security.descriptor.from_sddl(sddl, sid)
 ntacl.info = sd
 eadbname = lp.get("posix:eadb")
 if eadbname != None and eadbname != "":
@@ -135,8 +135,8 @@ def ldapmask2filemask(ldm):
 # for files. It's used for Policy object provision
 def dsacl2fsacl(dssddl,domsid):
- anysid = security.dom_sid(domsid)
- ref = security.descriptor.from_sddl(dssddl,anysid)
+ sid = security.dom_sid(domsid)
+ ref = security.descriptor.from_sddl(dssddl,sid)
 fdescr = security.descriptor()
 fdescr.owner_sid = ref.owner_sid
 fdescr.group_sid = ref.group_sid
@@ -155,4 +155,4 @@ def dsacl2fsacl(dssddl,domsid):
 ace.access_mask = ldapmask2filemask(ace.access_mask)
 fdescr.dacl_add(ace)
- return fdescr.as_sddl(anysid)
+ return fdescr.as_sddl(sid)
|