From f0954c73723618f905cc8082546e9b4cf3e39ddf Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@matws.net>
Date: Fri, 8 Jan 2010 13:06:47 +0300
Subject: s4: update setntacl and getntacl to select the adaquate backend
 (fs/tdb) for storing xattr

---
 source4/scripting/python/samba/misc.py   | 120 -----------------------
 source4/scripting/python/samba/ntacls.py | 158 +++++++++++++++++++++++++++++++
 2 files changed, 158 insertions(+), 120 deletions(-)
 delete mode 100644 source4/scripting/python/samba/misc.py
 create mode 100644 source4/scripting/python/samba/ntacls.py

diff --git a/source4/scripting/python/samba/misc.py b/source4/scripting/python/samba/misc.py
deleted file mode 100644
index b548fbceab..0000000000
--- a/source4/scripting/python/samba/misc.py
+++ /dev/null
@@ -1,120 +0,0 @@
-#!/usr/bin/python
-
-# Unix SMB/CIFS implementation.
-# Copyright (C) Matthieu Patou <mat@matws.net> 2009
-#
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-
-import samba.xattr
-from samba.dcerpc import security, xattr
-from samba.ndr import ndr_pack, ndr_unpack
-
-
-def getntacl(file):
-	attribute = samba.xattr.wrap_getxattr(file,xattr.XATTR_NTACL_NAME)
-	anysid=security.dom_sid(security.SID_NT_SELF)
-	ntacl = ndr_unpack(xattr.NTACL,attribute,1)
-	return ntacl.info.as_sddl(anysid)
-
-def setntacl(file,sddl):
-	ntacl=xattr.NTACL()
-	ntacl.version = 1
-	anysid=security.dom_sid(security.SID_NT_SELF)
-	sd = security.descriptor.from_sddl(sddl, anysid)
-	ntacl.info = sd
-	attribute = samba.xattr.wrap_setxattr(file,xattr.XATTR_NTACL_NAME,ndr_pack(ntacl))
-
-# Takes the access mask of a DS ACE and transform them in a File ACE mask
-def ldapmask2filemask(ldm):
-	RIGHT_DS_CREATE_CHILD     = 0x00000001
-	RIGHT_DS_DELETE_CHILD     = 0x00000002
-	RIGHT_DS_LIST_CONTENTS    = 0x00000004
-	ACTRL_DS_SELF             = 0x00000008
-	RIGHT_DS_READ_PROPERTY    = 0x00000010
-	RIGHT_DS_WRITE_PROPERTY   = 0x00000020
-	RIGHT_DS_DELETE_TREE      = 0x00000040
-	RIGHT_DS_LIST_OBJECT      = 0x00000080
-	RIGHT_DS_CONTROL_ACCESS   = 0x00000100
-	FILE_READ_DATA            = 0x0001
-	FILE_LIST_DIRECTORY       = 0x0001
-	FILE_WRITE_DATA           = 0x0002
-	FILE_ADD_FILE             = 0x0002
-	FILE_APPEND_DATA          = 0x0004
-	FILE_ADD_SUBDIRECTORY     = 0x0004
-	FILE_CREATE_PIPE_INSTANCE = 0x0004
-	FILE_READ_EA              = 0x0008
-	FILE_WRITE_EA             = 0x0010
-	FILE_EXECUTE              = 0x0020
-	FILE_TRAVERSE             = 0x0020
-	FILE_DELETE_CHILD         = 0x0040
-	FILE_READ_ATTRIBUTES      = 0x0080
-	FILE_WRITE_ATTRIBUTES     = 0x0100
-	DELETE                    = 0x00010000
-	READ_CONTROL              = 0x00020000
-	WRITE_DAC                 = 0x00040000
-	WRITE_OWNER               = 0x00080000
-	SYNCHRONIZE               = 0x00100000
-	STANDARD_RIGHTS_ALL       = 0x001F0000
-
-	filemask = ldm & STANDARD_RIGHTS_ALL
-	#filemask = 0
-
-	if( (ldm & RIGHT_DS_READ_PROPERTY) and (ldm & RIGHT_DS_LIST_CONTENTS) ):
-		filemask = filemask | (SYNCHRONIZE | FILE_LIST_DIRECTORY |\
-								FILE_READ_ATTRIBUTES | FILE_READ_EA |\
-								FILE_READ_DATA | FILE_EXECUTE)
-
-	if( (ldm & RIGHT_DS_WRITE_PROPERTY) ):
-		filemask = filemask | (SYNCHRONIZE | FILE_WRITE_DATA |\
-								FILE_APPEND_DATA | FILE_WRITE_EA |\
-								FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE |\
-								FILE_ADD_SUBDIRECTORY)
-
-	if( (ldm & RIGHT_DS_CREATE_CHILD) ):
-		filemask = filemask | (FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE)
-
-	if( (ldm & RIGHT_DS_DELETE_CHILD) ):
-		filemask = filemask | FILE_DELETE_CHILD
-
-	return filemask
-
-# This function takes an the SDDL representation of a DS
-# ACL and return the SDDL representation of this ACL adapted
-# for files. It's used for Policy object provision
-
-def dsacl2fsacl(dssddl):
-	anysid = security.dom_sid(security.SID_NT_SELF)
-	ref = security.descriptor.from_sddl(dssddl,anysid)
-	fdescr = security.descriptor()
-	fdescr.owner_sid = ref.owner_sid
-	fdescr.group_sid = ref.group_sid
-	fdescr.type = ref.type
-	fdescr.revision = ref.revision
-	fdescr.sacl = ref.sacl
-	aces = ref.dacl.aces
-	for i in range(0,len(aces)):
-		ace = aces[i]
-		if not ace.type &  security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT and str(ace.trustee) != security.SID_BUILTIN_PREW2K:
-		#	if fdescr.type & security.SEC_DESC_DACL_AUTO_INHERITED:
-			ace.flags = ace.flags | security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT
-			if str(ace.trustee) == security.SID_CREATOR_OWNER:
-				# For Creator/Owner the IO flag is set as this ACE has only a sense for child objects
-				ace.flags = ace.flags | security.SEC_ACE_FLAG_INHERIT_ONLY
-			ace.access_mask =  ldapmask2filemask(ace.access_mask)
-			fdescr.dacl_add(ace)
-
-	return fdescr.as_sddl(anysid)
diff --git a/source4/scripting/python/samba/ntacls.py b/source4/scripting/python/samba/ntacls.py
new file mode 100644
index 0000000000..d6226807ce
--- /dev/null
+++ b/source4/scripting/python/samba/ntacls.py
@@ -0,0 +1,158 @@
+#!/usr/bin/python
+
+# Unix SMB/CIFS implementation.
+# Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
+#
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+import tdb
+import samba.xattr_native, samba.xattr_tdb
+from samba.dcerpc import security, xattr
+from samba.ndr import ndr_pack, ndr_unpack
+class XattrBackendError(Exception):
+    """A generic xattr backend error."""
+
+def checkset_backend(lp,backend,eadbfile):
+	if backend != None:
+		if backend == "native":
+			lp.set("posix:eadb","")
+		elif backend == "tdb":
+			if eadbfile != None:
+				lp.set("posix:eadb",eadbfile)
+			else:
+				os.path.abspath(os.path.join(lp.get("private dir"),"eadb.tdb"))
+		else:
+			raise XattrBackendError("Unvalid xattr backend choice %s"%backend)
+
+def getntacl(lp,file,backend=None,eadbfile=None):
+	try:
+		checkset_backend(lp,backend,eadbfile)
+	except:
+		raise
+	eadbname = lp.get("posix:eadb")
+	if eadbname != None and eadbname != "" :
+		attribute = samba.xattr_tdb.wrap_getxattr(eadbname,file,xattr.XATTR_NTACL_NAME)
+		try:
+			attribute = samba.xattr_tdb.wrap_getxattr(eadbname,file,xattr.XATTR_NTACL_NAME)
+		except:
+			print "Fail to open %s"%eadbname
+			attribute = samba.xattr_native.wrap_getxattr(file,xattr.XATTR_NTACL_NAME)
+	else:
+		attribute = samba.xattr_native.wrap_getxattr(file,xattr.XATTR_NTACL_NAME)
+	ntacl = ndr_unpack(xattr.NTACL,attribute)
+	return ntacl
+
+def setntacl(lp,file,sddl,domsid,backend=None,eadbfile=None):
+	try:
+		checkset_backend(lp,backend,eadbfile)
+	except:
+		raise
+	ntacl=xattr.NTACL()
+	ntacl.version = 1
+	anysid=security.dom_sid(domsid)
+	sd = security.descriptor.from_sddl(sddl, anysid)
+	ntacl.info = sd
+	eadbname = lp.get("posix:eadb")
+	if eadbname != None  and eadbname != "":
+		try:
+			attribute = samba.xattr_tdb.wrap_setxattr(eadbname,file,xattr.XATTR_NTACL_NAME,ndr_pack(ntacl))
+		except:
+			print "Fail to open %s"%eadbname
+			attribute = samba.xattr_native.wrap_setxattr(file,xattr.XATTR_NTACL_NAME,ndr_pack(ntacl))
+	else:
+		attribute = samba.xattr_native.wrap_setxattr(file,xattr.XATTR_NTACL_NAME,ndr_pack(ntacl))
+
+# Takes the access mask of a DS ACE and transform them in a File ACE mask
+def ldapmask2filemask(ldm):
+	RIGHT_DS_CREATE_CHILD     = 0x00000001
+	RIGHT_DS_DELETE_CHILD     = 0x00000002
+	RIGHT_DS_LIST_CONTENTS    = 0x00000004
+	ACTRL_DS_SELF             = 0x00000008
+	RIGHT_DS_READ_PROPERTY    = 0x00000010
+	RIGHT_DS_WRITE_PROPERTY   = 0x00000020
+	RIGHT_DS_DELETE_TREE      = 0x00000040
+	RIGHT_DS_LIST_OBJECT      = 0x00000080
+	RIGHT_DS_CONTROL_ACCESS   = 0x00000100
+	FILE_READ_DATA            = 0x0001
+	FILE_LIST_DIRECTORY       = 0x0001
+	FILE_WRITE_DATA           = 0x0002
+	FILE_ADD_FILE             = 0x0002
+	FILE_APPEND_DATA          = 0x0004
+	FILE_ADD_SUBDIRECTORY     = 0x0004
+	FILE_CREATE_PIPE_INSTANCE = 0x0004
+	FILE_READ_EA              = 0x0008
+	FILE_WRITE_EA             = 0x0010
+	FILE_EXECUTE              = 0x0020
+	FILE_TRAVERSE             = 0x0020
+	FILE_DELETE_CHILD         = 0x0040
+	FILE_READ_ATTRIBUTES      = 0x0080
+	FILE_WRITE_ATTRIBUTES     = 0x0100
+	DELETE                    = 0x00010000
+	READ_CONTROL              = 0x00020000
+	WRITE_DAC                 = 0x00040000
+	WRITE_OWNER               = 0x00080000
+	SYNCHRONIZE               = 0x00100000
+	STANDARD_RIGHTS_ALL       = 0x001F0000
+
+	filemask = ldm & STANDARD_RIGHTS_ALL
+	#filemask = 0
+
+	if( (ldm & RIGHT_DS_READ_PROPERTY) and (ldm & RIGHT_DS_LIST_CONTENTS) ):
+		filemask = filemask | (SYNCHRONIZE | FILE_LIST_DIRECTORY |\
+								FILE_READ_ATTRIBUTES | FILE_READ_EA |\
+								FILE_READ_DATA | FILE_EXECUTE)
+
+	if( (ldm & RIGHT_DS_WRITE_PROPERTY) ):
+		filemask = filemask | (SYNCHRONIZE | FILE_WRITE_DATA |\
+								FILE_APPEND_DATA | FILE_WRITE_EA |\
+								FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE |\
+								FILE_ADD_SUBDIRECTORY)
+
+	if( (ldm & RIGHT_DS_CREATE_CHILD) ):
+		filemask = filemask | (FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE)
+
+	if( (ldm & RIGHT_DS_DELETE_CHILD) ):
+		filemask = filemask | FILE_DELETE_CHILD
+
+	return filemask
+
+# This function takes an the SDDL representation of a DS
+# ACL and return the SDDL representation of this ACL adapted
+# for files. It's used for Policy object provision
+
+def dsacl2fsacl(dssddl,domsid):
+	anysid = security.dom_sid(domsid)
+	ref = security.descriptor.from_sddl(dssddl,anysid)
+	fdescr = security.descriptor()
+	fdescr.owner_sid = ref.owner_sid
+	fdescr.group_sid = ref.group_sid
+	fdescr.type = ref.type
+	fdescr.revision = ref.revision
+	fdescr.sacl = ref.sacl
+	aces = ref.dacl.aces
+	for i in range(0,len(aces)):
+		ace = aces[i]
+		if not ace.type &  security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT and str(ace.trustee) != security.SID_BUILTIN_PREW2K:
+		#	if fdescr.type & security.SEC_DESC_DACL_AUTO_INHERITED:
+			ace.flags = ace.flags | security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT
+			if str(ace.trustee) == security.SID_CREATOR_OWNER:
+				# For Creator/Owner the IO flag is set as this ACE has only a sense for child objects
+				ace.flags = ace.flags | security.SEC_ACE_FLAG_INHERIT_ONLY
+			ace.access_mask =  ldapmask2filemask(ace.access_mask)
+			fdescr.dacl_add(ace)
+
+	return fdescr.as_sddl(anysid)
-- 
cgit