PATCHS: manipulation of NT ACL in command line

by Matthieu Patou-5

Dear all,

Please find attached a huge series of patches related to NTACL
manipulation in command line or in python scripts.

0001-s4-utils-recreate-setntacl-and-improve-setntacl.patch: Creation of
the setntacl utility, which allows setting the NTACL from the command line
from its SDDL representation. It also adds the option to export the NTACL
as SDDL.
0002-s4-Create-torture-test-for-samba-utils.patch: This patch adds a simple
torture test for getntacl and setntacl.
0003-S4-Allow-an-optional-parameter-in-generated-python-b.patch: This
patch is for the PIDL generator. With this patch the generated python code
allows the specification of a "notallflag" so that either
ndr_pull_struct_blob or ndr_pull_struct_blob_all can be used. This patch
follows the talk I had with metze today on IRC about how to
work around the wrong calculation of consumed bytes when unpacking an
xattr.NTACL object.
0004-s4-Create-a-library-for-xattr-python-bindings.patch: This patch
allows creating a .so with the python binding generated code for xattr.idl.
0005-s4-add-python-bindings-for-wrap_-s-g-etxattr.patch: This patch adds
the python bindings for wrap_getxattr and wrap_setxattr.
0006-s4-Create-unit-tests-for-python-glue-module.patch: This patch adds a
torture test for the
0007-s4-regroup-gpo-modification-in-one-function-set-acl-.patch: This
patch regroups GPO related stuff in provision (and removes it from setup
samdb); it also makes provision set NT ACLs on GPO files with rights
synchronized with those in the AD.

Please let me know ...

Matthieu.





[0004-s4-Create-a-library-for-xattr-python-bindings.patch]

>From 080e00e3d73255e549027048ce4c40435b77672e Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@...>
Date: Mon, 9 Nov 2009 20:18:59 +0300
Subject: [PATCH 4/7] s4: Create a library for xattr python bindings

---
 source4/librpc/config.mk |   13 ++++++++++++-
 1 files changed, 12 insertions(+), 1 deletions(-)

diff --git a/source4/librpc/config.mk b/source4/librpc/config.mk
index 501b88b..1053cc1 100644
--- a/source4/librpc/config.mk
+++ b/source4/librpc/config.mk
@@ -251,7 +251,7 @@ NDR_KRB5PAC_OBJ_FILES = ../librpc/gen_ndr/ndr_krb5pac.o ../librpc/ndr/ndr_krb5pa
 [SUBSYSTEM::NDR_XATTR]
 PUBLIC_DEPENDENCIES = LIBNDR NDR_SECURITY
 
-NDR_XATTR_OBJ_FILES = ../librpc/gen_ndr/ndr_xattr.o ../librpc/ndr/ndr_xattr.o
+NDR_XATTR_OBJ_FILES = ../librpc/gen_ndr/ndr_xattr.o ../librpc/ndr/ndr_xattr.o
 
 [SUBSYSTEM::NDR_OPENDB]
 PUBLIC_DEPENDENCIES = LIBNDR
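
Review bot: the `-`/`+` pair for NDR_XATTR_OBJ_FILES is textually identical, so this hunk is a whitespace-only change (most likely trailing whitespace) unrelated to the python bindings; drop it so the patch stays limited to the new subsystems.
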
@@ -356,6 +356,11 @@ PUBLIC_DEPENDENCIES = \
 
 NDR_TABLE_OBJ_FILES = ../librpc/ndr/ndr_table.o $(gen_ndrsrcdir)/tables.o
 
+[SUBSYSTEM::RPC_NDR_XATTR]
+PUBLIC_DEPENDENCIES = NDR_XATTR dcerpc
+
+RPC_NDR_XATTR_OBJ_FILES = ../librpc/gen_ndr/ndr_xattr_c.o
+
 [SUBSYSTEM::RPC_NDR_ROT]
 PUBLIC_DEPENDENCIES = NDR_ROT dcerpc
 
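
Review bot: the new RPC_NDR_XATTR subsystem pulls in dcerpc and a generated client stub ../librpc/gen_ndr/ndr_xattr_c.o, but according to the cover letter xattr.idl is only used for packing and unpacking the NTACL structure; confirm that pidl really emits ndr_xattr_c.c for this IDL, otherwise the build fails on a missing object, and if nothing calls the client functions the subsystem is unneeded.
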
@@ -708,6 +713,12 @@ PRIVATE_DEPENDENCIES = PYTALLOC python_dcerpc_misc python_dcerpc NDR_SECURITY
 
 python_dcerpc_security_OBJ_FILES = ../librpc/gen_ndr/py_security.o
 
+[PYTHON::python_dcerpc_xattr]
+LIBRARY_REALNAME = samba/dcerpc/xattr.$(SHLIBEXT)
+PRIVATE_DEPENDENCIES = PYTALLOC python_dcerpc_misc python_dcerpc python_dcerpc_security NDR_XATTR RPC_NDR_XATTR
+
+python_dcerpc_xattr_OBJ_FILES = ../librpc/gen_ndr/py_xattr.o
+
 $(IDL_HEADER_FILES) $(IDL_NDR_PARSE_H_FILES) $(IDL_NDR_PARSE_C_FILES) \
  $(IDL_NDR_CLIENT_C_FILES) $(IDL_NDR_CLIENT_H_FILES) \
  $(IDL_NDR_SERVER_C_FILES) $(IDL_SWIG_FILES) \
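
Review bot: PRIVATE_DEPENDENCIES lists RPC_NDR_XATTR, yet the binding is consumed (misc.py, the glue tests) purely through ndr_pack/ndr_unpack of xattr.NTACL; unless py_xattr.o references the dcerpc client stubs, NDR_XATTR together with python_dcerpc_security (needed because NTACL embeds a security_descriptor) is sufficient and keeps the module from dragging in dcerpc.
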
--
1.6.3.3



[0007-s4-regroup-gpo-modification-in-one-function-set-acl-.patch]

>From 2657f069d459ae26981d4094000128d2c248cb76 Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@...>
Date: Mon, 26 Oct 2009 00:27:44 +0300
Subject: [PATCH 7/7] s4: regroup gpo modification in one function, set acl on files accordingly with ACL in LDAP

---
 source4/scripting/python/samba/misc.py      |   40 +++++++++++++++++++++
 source4/scripting/python/samba/provision.py |   50 +++++++++++++++++---------
 2 files changed, 73 insertions(+), 17 deletions(-)
 create mode 100644 source4/scripting/python/samba/misc.py

diff --git a/source4/scripting/python/samba/misc.py b/source4/scripting/python/samba/misc.py
new file mode 100644
index 0000000..8b69390
--- /dev/null
+++ b/source4/scripting/python/samba/misc.py
@@ -0,0 +1,40 @@
+#!/usr/bin/python
+
+# Unix SMB/CIFS implementation.
+# Copyright (C) Matthieu Patou <mat@...> 2009
+#
+#  
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#  
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#  
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+import samba.glue
+from samba.dcerpc import security, xattr
+from samba.ndr import ndr_pack, ndr_unpack
+
+
+def getntacl(file):
+ attribute = samba.glue.wrap_getxattr(file,xattr.XATTR_NTACL_NAME)
+ anysid=security.dom_sid(security.SID_NT_SELF)
+ ntacl = ndr_unpack(xattr.NTACL,attribute,1)
+ return ntacl.info.as_sddl(anysid)
+
+def setntacl(file,sddl):
+ ntacl=xattr.NTACL()
+ ntacl.version = 1
+ anysid=security.dom_sid(security.SID_NT_SELF)
+ sd = security.descriptor.from_sddl(sddl, anysid)
+ ntacl.info = sd
+ attribute = samba.glue.wrap_setxattr(file,xattr.XATTR_NTACL_NAME,ndr_pack(ntacl))
+
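
Review bot: both helpers hard-code security.SID_NT_SELF as the domain SID, so a domain-relative SDDL abbreviation (DA, DU, ...) in `sddl` would be resolved against S-1-5-10 rather than the real domain; accept a domain SID parameter (setup_gpo already receives `domainsid`) and fall back to SID_NT_SELF only when none is given. Document why `ndr_unpack(xattr.NTACL, attribute, 1)` passes the flag: it selects ndr_pull_struct_blob over ndr_pull_struct_blob_all (patch 3) to work around the consumed-bytes miscalculation mentioned in the cover letter. Minor: `file` shadows the builtin, `attribute` in setntacl is assigned but never used, and neither function has a docstring.
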
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index ffafa2c..a3d6af5 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -47,7 +47,8 @@ from samba import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008, DS_DC_FUNCTI
 from samba.samdb import SamDB
 from samba.idmap import IDmapDB
 from samba.dcerpc import security
-from samba.ndr import ndr_pack
+from samba.misc import setntacl
+from samba.ndr import ndr_pack,ndr_unpack
 import urllib
 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
 from ms_display_specifiers import read_ms_ldif
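
Review bot: style only: `from samba.ndr import ndr_pack,ndr_unpack` should have a space after the comma, matching the other imports in this file.
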
@@ -920,6 +921,36 @@ def setup_self_join(samdb, names,
               "NETBIOSNAME": names.netbiosname,
               "NTDSGUID": names.ntdsguid
               })
+def setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid):
+    policy_path = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
+                               "{" + policyguid + "}")
+    os.makedirs(policy_path, 0755)
+    open(os.path.join(policy_path, "GPT.INI"), 'w').write(
+                      "[General]\r\nVersion=65543")
+    os.makedirs(os.path.join(policy_path, "MACHINE"), 0755)
+    os.makedirs(os.path.join(policy_path, "USER"), 0755)
+
+    policy_path_dc = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
+                                  "{" + policyguid_dc + "}")
+    os.makedirs(policy_path_dc, 0755)
+    open(os.path.join(policy_path_dc, "GPT.INI"), 'w').write(
+                      "[General]\r\nVersion=2")
+    os.makedirs(os.path.join(policy_path_dc, "MACHINE"), 0755)
+    os.makedirs(os.path.join(policy_path_dc, "USER"), 0755)
+# call setntacl ...
+    res = samdb.search(base="CN={%s},CN=Policies,CN=System,%s"%(policyguid,names.domaindn),
+                                attrs=["nTSecurityDescriptor"],
+                                expression="", scope=SCOPE_BASE)
+    assert(len(res) > 0)
+    acl = ndr_unpack(security.descriptor,str(res[0]["nTSecurityDescriptor"])).as_sddl(security.dom_sid("S-1-5-21-1"))
+    setntacl(policy_path,acl)
+
+    res = samdb.search(base="CN={%s},CN=Policies,CN=System,%s"%(policyguid_dc,names.domaindn),
+                                attrs=["nTSecurityDescriptor"],
+                                expression="", scope=SCOPE_BASE)
+    assert(len(res) > 0)
+    acl = ndr_unpack(security.descriptor,str(res[0]["nTSecurityDescriptor"])).as_sddl(security.dom_sid("S-1-5-21-1"))
+    setntacl(policy_path_dc,acl)
 
 
 def setup_samdb(path, setup_path, session_info, provision_backend, lp,
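
Review bot: the NT ACL read from the GPO container object is applied to `policy_path` only; GPT.INI and the MACHINE/USER subdirectories created just above keep whatever default ACL the filesystem gives them, so the file-level rights are not synchronized with the AD object as the cover letter states. Call setntacl on each created entry (or walk the tree). `domainsid` is accepted but unused while `security.dom_sid("S-1-5-21-1")` is hard-coded in both as_sddl() calls; pass `domainsid` instead. The two GUID blocks are duplicates and read better as a loop over (policyguid, policy_path) and (policyguid_dc, policy_path_dc); the unindented `# call setntacl ...` placeholder comment should go; the `assert(len(res) > 0)` checks vanish under `python -O`, so raise an exception instead; and PEP8 wants two blank lines before `def setup_gpo`.
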
@@ -1305,22 +1336,7 @@ def provision(setup_dir, message, session_info,
             assert(paths.sysvol is not None)            
             
         # Set up group policies (domain policy and domain controller policy)
-
-        policy_path = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
-                                   "{" + policyguid + "}")
-        os.makedirs(policy_path, 0755)
-        open(os.path.join(policy_path, "GPT.INI"), 'w').write(
-                                   "[General]\r\nVersion=65543")
-        os.makedirs(os.path.join(policy_path, "MACHINE"), 0755)
-        os.makedirs(os.path.join(policy_path, "USER"), 0755)
-
-        policy_path_dc = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
-                                   "{" + policyguid_dc + "}")
-        os.makedirs(policy_path_dc, 0755)
-        open(os.path.join(policy_path_dc, "GPT.INI"), 'w').write(
-                                   "[General]\r\nVersion=2")
-        os.makedirs(os.path.join(policy_path_dc, "MACHINE"), 0755)
-        os.makedirs(os.path.join(policy_path_dc, "USER"), 0755)
+        setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid)
 
         if not os.path.isdir(paths.netlogon):
             os.makedirs(paths.netlogon, 0755)
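
Review bot: the call passes `domainsid`, which setup_gpo currently ignores in favour of a hard-coded S-1-5-21-1; either use it inside setup_gpo or drop the parameter so the signature does not promise something it does not do.
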
--
1.6.3.3



[0005-s4-add-python-bindings-for-wrap_-s-g-etxattr.patch]

>From 5a49e32787bda166a40d1920a8b89eb0d47ca86c Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@...>
Date: Mon, 9 Nov 2009 20:53:34 +0300
Subject: [PATCH 5/7] s4: add python bindings for wrap_(s|g)etxattr

---
 source4/scripting/python/config.mk |    2 +-
 source4/scripting/python/pyglue.c  |   54 ++++++++++++++++++++++++++++++++++-
 2 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/source4/scripting/python/config.mk b/source4/scripting/python/config.mk
index a5e3f25..45a1e43 100644
--- a/source4/scripting/python/config.mk
+++ b/source4/scripting/python/config.mk
@@ -17,7 +17,7 @@ python_uuid_OBJ_FILES = $(pyscriptsrcdir)/uuidmodule.o
 
 [PYTHON::python_glue]
 LIBRARY_REALNAME = samba/glue.$(SHLIBEXT)
-PRIVATE_DEPENDENCIES = LIBNDR LIBLDB SAMDB CREDENTIALS pyldb python_dcerpc_misc python_dcerpc_security pyauth pyldb_util pyparam_util
+PRIVATE_DEPENDENCIES = LIBNDR LIBLDB SAMDB CREDENTIALS pyldb python_dcerpc_misc python_dcerpc_security pyauth pyldb_util pyparam_util WRAP_XATTR
 
 python_glue_OBJ_FILES = $(pyscriptsrcdir)/pyglue.o
 
diff --git a/source4/scripting/python/pyglue.c b/source4/scripting/python/pyglue.c
index b138e3e..0b73340 100644
--- a/source4/scripting/python/pyglue.c
+++ b/source4/scripting/python/pyglue.c
@@ -34,6 +34,7 @@
 #include "auth/pyauth.h"
 #include "param/pyparam.h"
 #include "auth/credentials/pycredentials.h"
+#include "lib/util/wrap_xattr.h"
 
 #ifndef Py_RETURN_NONE
 #define Py_RETURN_NONE return Py_INCREF(Py_None), Py_None
@@ -54,8 +55,8 @@ static void PyErr_SetLdbError(PyObject *error, int ret, struct ldb_context *ldb_
  return; /* Python exception should already be set, just keep that */
 
  PyErr_SetObject(error,
- Py_BuildValue(discard_const_p(char, "(i,s)"), ret,
-  ldb_ctx == NULL?ldb_strerror(ret):ldb_errstring(ldb_ctx)));
+ Py_BuildValue(discard_const_p(char, "(i,s)"), ret,
+ ldb_ctx == NULL?ldb_strerror(ret):ldb_errstring(ldb_ctx)));
 }
 
 static PyObject *py_ldb_get_exception(void)
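
Review bot: this hunk is a whitespace-only re-indentation of the Py_BuildValue() call in PyErr_SetLdbError, unrelated to the xattr bindings; drop it so the patch stays focused.
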
@@ -67,6 +68,49 @@ static PyObject *py_ldb_get_exception(void)
  return PyObject_GetAttrString(mod, "LdbError");
 }
 
+static PyObject *py_wrap_setxattr(PyObject *self, PyObject *args)
+{
+ char *filename, *attribute;
+ int ret = 0;
+ DATA_BLOB blob;
+ if (!PyArg_ParseTuple(args, "sss#", &filename,&attribute,&blob.data,&blob.length))
+ return NULL;
+ ret = wrap_setxattr(filename,attribute,blob.data,blob.length,0);
+ if( ret < 0 ) {
+ PyErr_SetString(PyExc_TypeError, strerror(errno));
+ return NULL;
+ }
+ Py_RETURN_NONE;
+}
+
+static PyObject *py_wrap_getxattr(PyObject *self, PyObject *args)
+{
+ char *filename, *attribute;
+ int len;
+ TALLOC_CTX *mem_ctx;
+ uint8_t *buf;
+ PyObject *ret;
+ if (!PyArg_ParseTuple(args, "ss", &filename,&attribute))
+ return NULL;
+
+ mem_ctx = talloc_new(NULL);
+ len = wrap_getxattr(filename,attribute,NULL,0);
+ if( len < 0 ) {
+ PyErr_SetString(PyExc_TypeError, strerror(errno));
+ return NULL;
+ }
+ /* check length ... */
+ buf = talloc_zero_array(mem_ctx, uint8_t, len);
+ len = getxattr(filename,attribute,buf,len);
+ if( len < 0 ) {
+ PyErr_SetString(PyExc_TypeError, strerror(errno));
+ return NULL;
+ }
+ ret = PyString_FromStringAndSize(buf,len);
+ talloc_free(buf);
+ return ret;
+}
+
 static PyObject *py_generate_random_str(PyObject *self, PyObject *args)
 {
  int len;
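
Review bot: in py_wrap_getxattr the second read calls the raw `getxattr()` instead of `wrap_getxattr()`, so the size probe and the actual read go through different backends and the WRAP_XATTR dependency added in config.mk is bypassed; call wrap_getxattr both times. The `/* check length ... */` placeholder marks a real gap: the attribute can change size between the two calls, and a zero-length attribute ends up in talloc_zero_array(..., 0). Both functions report errno failures as PyExc_TypeError, which hides the cause from callers; use `PyErr_SetFromErrno(PyExc_IOError)`. In py_wrap_setxattr, `s#` writes an int (a Py_ssize_t only with PY_SSIZE_T_CLEAN) through `&blob.length`, which is a size_t; parse into a local `int len` and assign it to blob.length. Finally `mem_ctx` is never freed (only `buf`) and every error path leaks it; `talloc_free(mem_ctx)` on all exits, and cast `buf` to `(const char *)` for PyString_FromStringAndSize.
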
@@ -464,6 +508,12 @@ static PyObject *py_dom_sid_to_rid(PyLdbObject *self, PyObject *args)
 }
 
 static PyMethodDef py_misc_methods[] = {
+ { "wrap_getxattr", (PyCFunction)py_wrap_getxattr, METH_VARARGS,
+ "wrap_getxattr(filename,attribute) -> blob\n"
+ "Retreive given attribute on the given file." },
+ { "wrap_setxattr", (PyCFunction)py_wrap_setxattr, METH_VARARGS,
+ "wrap_setxattr(filename,attribute,value)\n"
+ "Set the given attribute to the given value on the given file." },
  { "generate_random_str", (PyCFunction)py_generate_random_str, METH_VARARGS,
  "random_password(len) -> string\n"
  "Generate random password with specified length." },
--
1.6.3.3



[0006-s4-Create-unit-tests-for-python-glue-module.patch]

>From f3708f6c7066fa55fea4ccb2e1d9af8f98c46a15 Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@...>
Date: Mon, 9 Nov 2009 22:01:04 +0300
Subject: [PATCH 6/7] s4: Create unit tests for python "glue" module

---
 source4/scripting/python/samba/tests/glue.py |   47 ++++++++++++++++++++++++++
 1 files changed, 47 insertions(+), 0 deletions(-)
 create mode 100644 source4/scripting/python/samba/tests/glue.py

diff --git a/source4/scripting/python/samba/tests/glue.py b/source4/scripting/python/samba/tests/glue.py
new file mode 100644
index 0000000..d84bd93
--- /dev/null
+++ b/source4/scripting/python/samba/tests/glue.py
@@ -0,0 +1,47 @@
+#!/usr/bin/python
+
+# Unix SMB/CIFS implementation. Tests for shares
+# Copyright (C) Jelmer Vernooij <jelmer@...> 2009
+#  
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#  
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#  
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+from samba.glue import wrap_getxattr, wrap_setxattr
+from samba.dcerpc import xattr
+from samba.ndr import ndr_pack, ndr_unpack
+from unittest import TestCase
+import random
+import os
+
+class GlueTests(TestCase):
+
+
+    def test_set_packeddata(self):
+ random.seed()
+ tempf=os.path.join("/tmp","pytests"+str(int(100000*random.random())))
+ ntacl=xattr.NTACL()
+ ntacl.version = 1
+ open(tempf, 'w').write("empty")
+ wrap_setxattr(tempf,"user.unittests",ndr_pack(ntacl))
+ os.unlink(tempf)
+
+    def test_set_and_get(self):
+ random.seed()
+ tempf=os.path.join("/tmp","pytests"+str(int(100000*random.random())))
+ reftxt="this is a test"
+ open(tempf, 'w').write("empty")
+ wrap_setxattr(tempf,"user.unittests",reftxt)
+ text = wrap_getxattr(tempf,"user.unittests")
+ self.assertEquals(text,reftxt)
+ os.unlink(tempf)
+        
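
Review bot: the tests create `/tmp/pytests<N>` from a 100000-value random number and open it with `open(tempf, 'w')`, which follows a symlink pre-planted at that path in the world-writable directory; use tempfile.mkstemp() (or NamedTemporaryFile(delete=False)) and unlink in a `finally:` so a failed assertion does not leave the file behind. test_set_packeddata never reads the attribute back, so it only proves setxattr did not raise; read it with wrap_getxattr, ndr_unpack it and compare `version`. The header comment is copied from a shares test ("Tests for shares", Jelmer's copyright); update it to describe the glue module. `assertEquals` is the deprecated alias of `assertEqual`.
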
--
1.6.3.3



[0003-S4-Allow-an-optional-parameter-in-generated-python-b.patch]

>From 73c8c220bf2abd235494b811f67ad81579bf4e6f Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@...>
Date: Mon, 9 Nov 2009 20:16:20 +0300
Subject: [PATCH 3/7] S4: Allow an optional parameter in generated python binding.

  The newly introduced paramter allow to select ndr_pull_struct_blob_all or
  ndr_pull_struct_blob in *_ndr_unpack function as it is needed sometimes.
---
 pidl/lib/Parse/Pidl/Samba4/Python.pm  |   24 ++++++++++++++++++++----
 source4/scripting/python/samba/ndr.py |    7 +++++--
 2 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/pidl/lib/Parse/Pidl/Samba4/Python.pm b/pidl/lib/Parse/Pidl/Samba4/Python.pm
index c785619..5c6ff7b 100644
--- a/pidl/lib/Parse/Pidl/Samba4/Python.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/Python.pm
@@ -272,10 +272,6 @@ sub PythonStruct($$$$$$)
  $self->pidl("$cname *object = ($cname *)py_talloc_get_ptr(py_obj);");
  $self->pidl("DATA_BLOB blob;");
  $self->pidl("enum ndr_err_code err;");
- $self->pidl("if (!PyArg_ParseTuple(args, \"s#:__ndr_unpack__\", &blob.data, &blob.length))");
- $self->pidl("\treturn NULL;");
- $self->pidl("");
-
  # This disgusting hack works around the fact that ndr_pull_struct_blob_all will always fail on structures with relative pointers.  
                 # So, map ndr_unpack to ndr_pull_struct_blob_all only if we don't have any relative pointers in this
  my $got_relative = 0;
@@ -289,7 +285,27 @@ sub PythonStruct($$$$$$)
  }
  }
  if ($got_relative == 0) {
+ $self->pidl("int notallflag = 0;
+");
+ $self->pidl("if (!PyArg_ParseTuple(args, \"s#:__ndr_unpack__|I\", &blob.data, &blob.length, ¬allflag ))");
+ }
+ else {
+ $self->pidl("if (!PyArg_ParseTuple(args, \"s#:__ndr_unpack__\", &blob.data, &blob.length))");
+ }
+ $self->pidl("\treturn NULL;");
+ $self->pidl("");
+
+ if ($got_relative == 0) {
+ $self->pidl("if (! notallflag) {");
+ $self->indent;
         $self->pidl("err = ndr_pull_struct_blob_all(&blob, py_talloc_get_mem_ctx(py_obj), NULL, object, (ndr_pull_flags_fn_t)ndr_pull_$name);");
+ $self->deindent;
+ $self->pidl("}");
+ $self->pidl("else {");
+ $self->indent;
+        $self->pidl("err = ndr_pull_struct_blob(&blob, py_talloc_get_mem_ctx(py_obj), NULL, object, (ndr_pull_flags_fn_t)ndr_pull_$name);");
+ $self->deindent;
+ $self->pidl("}");
  } else {
         $self->pidl("err = ndr_pull_struct_blob(&blob, py_talloc_get_mem_ctx(py_obj), NULL, object, (ndr_pull_flags_fn_t)ndr_pull_$name);");
  }
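
Review bot: the format string `"s#:__ndr_unpack__|I"` is wrong: in PyArg_ParseTuple the `:` terminates the format and everything after it is the function name used in error messages, so `|I` is never parsed, `notallflag` stays 0, and passing the second argument raises a TypeError about the argument count. It must read `"s#|I:__ndr_unpack__"` (and `i` matches an `int` better than `I`). The address-of argument appears here as `¬allflag`; make sure the committed source has `&notallflag` rather than an `&not` entity mangled by the mail client. `$self->pidl("int notallflag = 0;\n")` embeds a literal newline inside the Perl string across two source lines; write `$self->pidl("int notallflag = 0;");` on one line. Documenting the flag in the generated function's docstring (0 = ndr_pull_struct_blob_all, 1 = ndr_pull_struct_blob) would help users of the binding.
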
diff --git a/source4/scripting/python/samba/ndr.py b/source4/scripting/python/samba/ndr.py
index e718ff3..6f5d69c 100644
--- a/source4/scripting/python/samba/ndr.py
+++ b/source4/scripting/python/samba/ndr.py
@@ -22,7 +22,10 @@ def ndr_pack(object):
     return object.__ndr_pack__()
 
 
-def ndr_unpack(cls, data):
+def ndr_unpack(cls, data,flag=None):
     object = cls()
-    object.__ndr_unpack__(data)
+    if( flag != None ):
+       object.__ndr_unpack__(data,flag)
+    else:
+       object.__ndr_unpack__(data)
     return object
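
Review bot: `if( flag != None ):` should be `if flag is not None:`, and the two calls underneath are indented with 7 spaces against the file's 4. The new parameter also needs a docstring entry and a descriptive name (for example `allow_remaining`) rather than the bare `flag`, since its meaning (pull without requiring the whole blob to be consumed) is not obvious at the call site.
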
--
1.6.3.3



[0001-s4-utils-recreate-setntacl-and-improve-setntacl.patch]

>From 85ca10d580a8c8314b1c070c6b989f7bb6a35b88 Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@...>
Date: Sat, 24 Oct 2009 15:34:31 +0400
Subject: [PATCH 1/7] s4: utils recreate setntacl and improve setntacl

  setntacl is able to set NTACL attribute from command line
  getntacl now use getopt for parsing command line option and is also able to
  dump the acl in the SDDL format.
---
 source4/utils/config.mk  |   18 +++++--
 source4/utils/getntacl.c |   58 ++++++++++++++++----
 source4/utils/setntacl.c |  136 +++++++++++++++++++++++++++++++++++++++-------
 3 files changed, 176 insertions(+), 36 deletions(-)

diff --git a/source4/utils/config.mk b/source4/utils/config.mk
index f485fae..9b6a2f1 100644
--- a/source4/utils/config.mk
+++ b/source4/utils/config.mk
@@ -30,6 +30,7 @@ INSTALLDIR = BINDIR
 PRIVATE_DEPENDENCIES = \
  LIBSAMBA-HOSTCONFIG \
  LIBSAMBA-UTIL \
+ POPT_SAMBA \
  NDR_XATTR \
  WRAP_XATTR \
  LIBSAMBA-ERRORS
@@ -44,12 +45,19 @@ MANPAGES += $(utilssrcdir)/man/getntacl.1
 #################################
 # Start BINARY setntacl
 [BINARY::setntacl]
-# disabled until rewritten
-#INSTALLDIR = BINDIR
-# End BINARY setntacl
-#################################
+INSTALLDIR = BINDIR
+PRIVATE_DEPENDENCIES = \
+ LIBSAMBA-HOSTCONFIG \
+ LIBSAMBA-UTIL \
+ POPT_SAMBA \
+ NDR_XATTR \
+ WRAP_XATTR \
+ LIBSAMBA-ERRORS
 
-setntacl_OBJ_FILES = $(utilssrcdir)/setntacl.o
+setntacl_OBJ_FILES =  $(utilssrcdir)/setntacl.o
+
+# End BINARY getntacl
+#################################
 
 #################################
 # Start BINARY generateblob
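
Review bot: the closing comment `# End BINARY getntacl` sits at the end of the setntacl section and should read `# End BINARY setntacl`; the double space in `setntacl_OBJ_FILES =  $(utilssrcdir)/setntacl.o` is a stray edit of an otherwise unchanged line.
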
diff --git a/source4/utils/getntacl.c b/source4/utils/getntacl.c
index f26c87b..f75920c 100644
--- a/source4/utils/getntacl.c
+++ b/source4/utils/getntacl.c
@@ -20,10 +20,13 @@
 */
 
 #include "includes.h"
+#include "libcli/security/security.h"
 #include "system/filesys.h"
 #include "librpc/gen_ndr/ndr_xattr.h"
-#include "../lib/util/wrap_xattr.h"
+#include "lib/cmdline/popt_common.h"
 #include "param/param.h"
+#include "param/loadparm.h"
+
 
 static void ntacl_print_debug_helper(struct ndr_print *ndr, const char *format, ...) PRINTF_ATTRIBUTE(2,3);
 
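
Review bot: this drops `#include "../lib/util/wrap_xattr.h"` although WRAP_XATTR stays in PRIVATE_DEPENDENCIES; if get_ntacl (outside this hunk) still calls wrap_getxattr, its prototype is now gone and the compiler will warn about an implicit declaration. Check whether `param/loadparm.h` is needed in addition to `param/param.h`, and remove the two stray blank lines added after the includes.
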
@@ -82,6 +85,13 @@ static NTSTATUS get_ntacl(TALLOC_CTX *mem_ctx,
  return NT_STATUS_OK;
 }
 
+static void print_ntacl_sddl(TALLOC_CTX *mem_ctx,
+ struct xattr_NTACL *ntacl)
+{
+ const char *sddl;
+ sddl = sddl_encode(mem_ctx,ntacl->info.sd,NULL);
+ printf("%s\n",sddl);
+}
 static void print_ntacl(TALLOC_CTX *mem_ctx,
  const char *fname,
  struct xattr_NTACL *ntacl)
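
Review bot: sddl_encode() returns NULL when the descriptor cannot be encoded, and print_ntacl_sddl passes that straight to printf("%s\n"), which is undefined behaviour; check for NULL and report the failure to the caller. Passing NULL as the domain SID means domain-relative SIDs are printed in full rather than as DA/DU aliases, which is fine for a dump tool but deserves a comment. Add a blank line between the two functions.
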
@@ -96,24 +106,52 @@ static void print_ntacl(TALLOC_CTX *mem_ctx,
  talloc_free(pr);
 }
 
-int main(int argc, char *argv[])
+int main(int argc, const char *argv[])
 {
- NTSTATUS status;
+ int ret = 0;
+ NTSTATUS status;
  struct xattr_NTACL *ntacl;
  ssize_t ntacl_len;
-
- if (argc != 2) {
- fprintf(stderr, "Usage: getntacl FILENAME\n");
- return 1;
+ int print_as_sddl = 0;
+ char *readfile = NULL;
+ poptContext pc;
+ struct loadparm_context *lp_ctx;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ {"as-sddl", '\0', POPT_ARG_NONE, &print_as_sddl, true, "Print NT ACL as SDDL"},
+ POPT_COMMON_SAMBA
+ POPT_COMMON_VERSION
+ { NULL }
+ };
+
+ setup_logging(NULL, DEBUG_STDERR);
+
+ pc = poptGetContext(NULL, argc, argv, long_options,
+    POPT_CONTEXT_KEEP_FIRST);
+ poptSetOtherOptionHelp(pc, "[OPTION(S)...] file");
+
+ while(poptGetNextOpt(pc) != -1);
+ // Skip programe name
+ poptGetArg(pc);
+ if(poptPeekArg(pc)) {
+ readfile = strdup(poptGetArg(pc));
  }
 
- status = get_ntacl(NULL, argv[1], &ntacl, &ntacl_len);
+
+ lp_ctx = cmdline_lp_ctx;
+
+ status = get_ntacl(NULL, readfile, &ntacl, &ntacl_len);
+
  if (!NT_STATUS_IS_OK(status)) {
  fprintf(stderr, "get_ntacl failed: %s\n", nt_errstr(status));
  return 1;
  }
-
- print_ntacl(ntacl, argv[1], ntacl);
+
+ if( print_as_sddl ) {
+ print_ntacl_sddl(ntacl,  ntacl);
+ } else {
+ print_ntacl(ntacl, readfile, ntacl);
+ }
 
  talloc_free(ntacl);
 
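
Review bot: `readfile` stays NULL when no file argument is given, and get_ntacl(NULL, readfile, ...) is then called with a NULL path; print the usage (poptPrintUsage) and exit, as the removed `argc != 2` check did and as setntacl does. `while(poptGetNextOpt(pc) != -1);` swallows option errors; check for a return value below -1 and report poptStrerror(). `lp_ctx` is assigned and never used, the strdup() result is never freed, and `// Skip programe name` is a typo ("program") in C++ comment style that the rest of the file does not use.
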
diff --git a/source4/utils/setntacl.c b/source4/utils/setntacl.c
index 3a008a4..4db608c 100644
--- a/source4/utils/setntacl.c
+++ b/source4/utils/setntacl.c
@@ -1,28 +1,122 @@
 /*
-   Unix SMB/CIFS implementation.
-
-   Set NT ACLs on UNIX files.
-
-   Copyright (C) Tim Potter <tpot@...> 2004
-  
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-  
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-  
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ Unix SMB/CIFS implementation.
+
+ Get NT ACLs from UNIX files.
+
+ Copyright (C) Tim Potter <tpot@...> 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "includes.h"
+#include "libcli/security/security.h"
+#include "librpc/gen_ndr/ndr_xattr.h"
+#include "param/param.h"
+#include "lib/cmdline/popt_common.h"
+#include "param/param.h"
+#include "param/loadparm.h"
+
+static NTSTATUS build_acl(TALLOC_CTX *mem_ctx, char* acls,  struct xattr_NTACL **ntacl)
+{
+ struct xattr_NTACL *acl = talloc(mem_ctx, struct xattr_NTACL);
+ struct security_descriptor *sd;
+ NTSTATUS status;
+ sd = sddl_decode(mem_ctx,acls,NULL);
+ if( !sd )
+ {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ acl->version = 1;
+ acl->info.sd = sd;
+
+ *ntacl = acl;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS set_ntacl(TALLOC_CTX *mem_ctx,
+ char *filename,
+ void *ntacl)
+{
+ enum ndr_err_code ndr_err;
+ int ret;
+ DATA_BLOB blob;
+
+ ndr_err = ndr_push_struct_blob(&blob, mem_ctx, lp_iconv_convenience(NULL), ntacl ,(ndr_push_flags_fn_t)ndr_push_xattr_NTACL);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return ndr_map_error2ntstatus(ndr_err);
+ }
+ ret = wrap_setxattr(filename, XATTR_NTACL_NAME, blob.data,blob.length, 0);
+
+ if (ret != 0) {
+ fprintf(stderr, "set_ntacl: %s\n", strerror(errno));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ return NT_STATUS_OK;
+}
 
-int main(int argc, char **argv)
+int main(int argc, const char *argv[])
 {
- printf("This utility disabled until rewritten\n");
- return 1;
+ NTSTATUS status;
+ char *acl = NULL;
+ char *writtenfile = NULL;
+ struct xattr_NTACL *ntacl;
+ poptContext pc;
+ struct loadparm_context *lp_ctx;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ POPT_COMMON_SAMBA
+ POPT_COMMON_VERSION
+ { NULL }
+ };
+
+ setup_logging(NULL, DEBUG_STDERR);
+
+ pc = poptGetContext(NULL, argc, argv, long_options,
+    POPT_CONTEXT_KEEP_FIRST);
+ poptSetOtherOptionHelp(pc, "[OPTION(S)...] acl file\nacl must be in SDDL format check documentation for more information");
+
+ while(poptGetNextOpt(pc) != -1);
+ // Skip program name
+ poptGetArg(pc);
+ if(poptPeekArg(pc)) {
+ acl = strdup(poptGetArg(pc));
+ }
+
+ if(poptPeekArg(pc)) {
+ writtenfile = strdup(poptGetArg(pc));
+ }
+
+ if ( !acl || !writtenfile ) {
+  fprintf(stderr,"ACL and/or file to be written are missing !\nThese parameters are mandatory\n");
+  exit(1);
+ }
+
+ lp_ctx = cmdline_lp_ctx;
+
+ status = build_acl(NULL, acl, &ntacl);
+ if (!NT_STATUS_IS_OK(status)) {
+ fprintf(stderr, "build_acl failed: %s\n", nt_errstr(status));
+ return 1;
+ }
+ status = set_ntacl(NULL, writtenfile, ntacl);
+ if (!NT_STATUS_IS_OK(status)) {
+ fprintf(stderr, "set_ntacl failed: %s\n", nt_errstr(status));
+ return 1;
+ }
+
+ talloc_free(ntacl);
+
+ return 0;
 }
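
Review bot: the rewritten header now reads "Get NT ACLs from UNIX files" with the copyright year changed to 2005; this is the set tool, so keep "Set NT ACLs on UNIX files" and the original 2004 notice, adding your own line if you wish. set_ntacl() takes `void *ntacl` while it always receives a `struct xattr_NTACL *`; use the real type. wrap_setxattr() is called without `lib/util/wrap_xattr.h` being included, and `param/param.h` is included twice. In build_acl() an SDDL parse failure returns NT_STATUS_INTERNAL_ERROR and leaks the talloc'ed acl; NT_STATUS_INVALID_PARAMETER plus `talloc_free(acl)` tells the user the ACL string is at fault. As in getntacl, `lp_ctx` is assigned but unused and `while(poptGetNextOpt(pc) != -1);` drops option errors.
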
--
1.6.3.3



[0002-s4-Create-torture-test-for-samba-utils.patch]

>From 91fe8816ec85bfea7ddaa35fb2f86e7d59918b17 Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@...>
Date: Sat, 7 Nov 2009 13:19:19 +0300
Subject: [PATCH 2/7] s4: Create torture test for samba utils.

  Currently tested: getntacl / setntacl
---
 .gitignore                    |    1 +
 source4/torture/config.mk     |   18 +++++
 source4/torture/torture.c     |    1 +
 source4/torture/utils/acls.c  |  155 +++++++++++++++++++++++++++++++++++++++++
 source4/torture/utils/utils.c |   38 ++++++++++
 5 files changed, 213 insertions(+), 0 deletions(-)
 create mode 100644 source4/torture/utils/acls.c
 create mode 100644 source4/torture/utils/utils.c

diff --git a/.gitignore b/.gitignore
index 13dd2d8..2660940 100644
--- a/.gitignore
+++ b/.gitignore
@@ -282,6 +282,7 @@ source4/st
 source4/templates.ldb
 source4/test-results
 source4/tests
+source4/torture/utils/proto.h
 source4/torture/auth/proto.h
 source4/torture/basic/proto.h
 source4/torture/ldap/proto.h
diff --git a/source4/torture/config.mk b/source4/torture/config.mk
index 00362b6..2fb59fe 100644
--- a/source4/torture/config.mk
+++ b/source4/torture/config.mk
@@ -40,6 +40,24 @@ TORTURE_BASIC_OBJ_FILES = $(addprefix $(torturesrcdir)/basic/,  \
 $(eval $(call proto_header_template,$(torturesrcdir)/basic/proto.h,$(TORTURE_BASIC_OBJ_FILES:.o=.c)))
 
 #################################
+# Start SUBSYSTEM TORTURE_UTILS
+[MODULE::TORTURE_UTILS]
+OUTPUT_TYPE = MERGED_OBJ
+SUBSYSTEM = smbtorture
+INIT_FUNCTION = torture_utils_init
+PRIVATE_DEPENDENCIES = \
+ LIBCLI_SMB LIBCLI_LSA LIBCLI_SMB_COMPOSITE \
+ POPT_CREDENTIALS TORTURE_UTIL
+# End SUBSYSTEM TORTURE_UTILS
+#################################
+
+TORTURE_UTILS_OBJ_FILES = $(addprefix $(torturesrcdir)/utils/, \
+ utils.o \
+ acls.o)
+
+$(eval $(call proto_header_template,$(torturesrcdir)/utils/proto.h,$(TORTURE_UTILS_OBJ_FILES:.o=.c)))
+
+#################################
 # Start SUBSYSTEM TORTURE_RAW
 [MODULE::TORTURE_RAW]
 OUTPUT_TYPE = MERGED_OBJ
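
Review bot: TORTURE_UTILS lists LIBCLI_SMB, LIBCLI_LSA, LIBCLI_SMB_COMPOSITE and POPT_CREDENTIALS, none of which acls.c uses (it spawns the binaries and talks to the filesystem), while WRAP_XATTR and NDR_XATTR, which it does use for wrap_setxattr() and XATTR_NTACL_NAME, are missing; fix the dependency list.
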
diff --git a/source4/torture/torture.c b/source4/torture/torture.c
index 49a6a8c..9b8f1b7 100644
--- a/source4/torture/torture.c
+++ b/source4/torture/torture.c
@@ -64,6 +64,7 @@ _PUBLIC_ int torture_init(void)
  extern NTSTATUS torture_net_init(void);
  extern NTSTATUS torture_libnetapi_init(void);
  extern NTSTATUS torture_raw_init(void);
+ extern NTSTATUS torture_utils_init(void);
  extern NTSTATUS torture_unix_init(void);
  extern NTSTATUS torture_winbind_init(void);
  extern NTSTATUS torture_drs_init(void);
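
Review bot: the extern declaration alone does not register the suite; torture_init() also has to call torture_utils_init() in the list further down, which is outside this hunk, so double-check it was added or the utils tests will not show up in smbtorture.
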
diff --git a/source4/torture/utils/acls.c b/source4/torture/utils/acls.c
new file mode 100644
index 0000000..d721928
--- /dev/null
+++ b/source4/torture/utils/acls.c
@@ -0,0 +1,155 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   test acl tools
+
+   Copyright (C) Matthieu Patou 2009
+  
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+  
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+  
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include <unistd.h>
+#include "torture/torture.h"
+#include "libcli/libcli.h"
+#include "librpc/gen_ndr/xattr.h"
+/*#include "librpc/gen_ndr/lsa.h"
+#include "libcli/raw/libcliraw.h"
+#include "libcli/util/clilsa.h"
+#include "libcli/security/security.h"
+#include "torture/util.h"
+#include "librpc/gen_ndr/ndr_security.h"
+*/
+#define BASEDIR "/tmp"
+static const char *refsddl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513"
+      "D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)";
+/* Blob equivalent for refsddl */
+static const char blob[] = {
+ 0x01,0x00,0x01,0x00,0x00,0x00,0x02,0x00,0x01,0x00,0x04,0x80,0x1c,0x00,0x00,0x00,0x38,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x54,0x00,0x00,0x00,0x01,0x05,0x00,0x00,0x00,0x00,
+ 0x00,0x05,0x15,0x00,0x00,0x00,0x37,0xd5,0xe1,0x83,0x9a,0xdb,0xa4,0xa0,0xeb,0x71,0x40,
+ 0x7d,0x00,0x02,0x00,0x00,0x01,0x05,0x00,0x00,0x00,0x00,0x00,0x05,0x15,0x00,0x00,0x00,
+ 0x37,0xd5,0xe1,0x83,0x9a,0xdb,0xa4,0xa0,0xeb,0x71,0x40,0x7d,0x01,0x02,0x00,0x00,0x02,
+ 0x00,0x2c,0x00,0x01,0x00,0x00,0x00,0x00,0x03,0x24,0x00,0xff,0x01,0x1f,0x00,0x01,0x05,
+ 0x00,0x00,0x00,0x00,0x00,0x05,0x15,0x00,0x00,0x00,0x37,0xd5,0xe1,0x83,0x9a,0xdb,0xa4,
+ 0xa0,0xeb,0x71,0x40,0x7d,0x00,0x02,0x00,0x00 };
+static int bloblen = 128;
+
+bool torture_getntacls(struct torture_context *tctx, struct smbcli_state *cli)
+{
+ bool ret = true;
+ long int l = random();
+ char *path_fname;
+ FILE *file;
+ FILE *pipe;
+ char buf[1024];
+ char *path_env;
+ char *new_path_env;
+ char *cmdline;
+ int fd;
+ int res;
+
+ memset(buf,0,1024);
+ asprintf(&path_fname, BASEDIR "/torture_acl%ld",l);
+ file = fopen(path_fname,"w");
+ if (file == NULL) {
+ return false;
+ }
+ fclose(file);
+ /* First write the blob directly into the security.NTACL attribute */
+ wrap_setxattr(path_fname, XATTR_NTACL_NAME, blob,bloblen, 0);
+ path_env = getenv("PATH");
+ asprintf(&new_path_env,"./bin:%s",path_env);
+ setenv("PATH",new_path_env,1);
+ asprintf(&cmdline,"getntacl --as-sddl %s",path_fname);
+
+ /* Then check that getntacl give the good result*/
+ pipe = popen(cmdline,"r");
+ fd = fileno(pipe);
+ res = read(fd,buf,1024);
+ if( res < 0 ) {
+ ret = false;
+ }
+ else {
+ if ( strncmp(buf,refsddl,strlen(refsddl)) != 0 )
+ ret = false;
+ }
+
+ pclose(pipe);
+ unlink(path_fname);
+ return ret;
+}
+
+bool torture_setntacls(struct torture_context *tctx, struct smbcli_state *cli)
+{
+ bool ret = true;
+ long int l = random();
+ char *path_fname;
+ FILE *file;
+ FILE *pipe;
+ char buf[1024];
+ char *path_env;
+ char *new_path_env;
+ char *cmdline;
+ pid_t pid;
+ char dest_blob[1024];
+ int dest_bloblen = 1024;
+ int fd;
+ int res;
+
+ memset(buf,0,1024);
+ asprintf(&path_fname, BASEDIR "/torture_acl%ld",l);
+ file = fopen(path_fname,"w");
+ if (file == NULL) {
+ return false;
+ }
+ fclose(file);
+
+ path_env = getenv("PATH");
+ asprintf(&new_path_env,"./bin:%s",path_env);
+ setenv("PATH",new_path_env,1);
+ asprintf(&cmdline,"setntacl \"%s\" %s",refsddl,path_fname);
+
+ pipe = popen(cmdline,"r");
+ fd = fileno(pipe);
+ res = read(fd,buf,1024);
+ if( res < 0 ) {
+ ret = false;
+ }
+ else {
+ if( buf[0] != '\0' ) {
+ ret = false;
+ }
+ else {
+ res = wrap_getxattr(path_fname,XATTR_NTACL_NAME,dest_blob,dest_bloblen);
+ if( res != bloblen ) {
+ ret = false;
+ }
+ else {
+ int i;
+ for(i=0;i<bloblen;i++) {
+ if( dest_blob[i] != blob[i] ) {
+ ret = false;
+ break;
+ }
+ }
+ }
+ }
+ }
+ pclose(pipe);
+
+
+ unlink(path_fname);
+ return ret;
+}
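Review bot: the temporary file handling in both torture_getntacls and torture_setntacls is unsafe and brittle. `long int l = random();` is never seeded, so the name `/tmp/torture_acl%ld` is identical on every run, and `fopen(path_fname, "w")` will open whatever already exists at that path in the world-writable /tmp (a stale file or a symlink) before `wrap_setxattr` and `unlink` act on it; create the file with `mkstemp()` or under the torture context's own temp directory, and check the return value of `wrap_setxattr`. In the same functions `popen()` can return NULL, which `fileno(pipe)` then dereferences; a single `read()` of up to 1024 bytes assumes the whole SDDL string arrives in one chunk and leaves no room for a NUL terminator when it fills the buffer; the `asprintf` results (`path_fname`, `new_path_env`, `cmdline`) are never freed; `pid_t pid` is unused; and `static int bloblen = 128` duplicates what `sizeof(blob)` already says (the array is 128 bytes today, but the two can drift apart silently). Prepending `./bin` to PATH to locate `getntacl`/`setntacl` only works when smbtorture is started from the source root; pass the absolute path of the built binaries instead. Finally, the block of commented-out `#include` lines should simply be deleted, and `<unistd.h>` replaced by `system/filesys.h` from libreplace.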
diff --git a/source4/torture/utils/utils.c b/source4/torture/utils/utils.c
new file mode 100644
index 0000000..3da199e
--- /dev/null
+++ b/source4/torture/utils/utils.c
@@ -0,0 +1,38 @@
+/*
+   Unix SMB/CIFS implementation.
+   Utils torture tester
+   Copyright (C) Matthieu Patou 2009
+  
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+  
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+  
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "torture/util.h"
+#include "torture/smbtorture.h"
+#include "torture/utils/proto.h"
+
+NTSTATUS torture_utils_init(void)
+{
+ struct torture_suite *suite = torture_suite_create(
+ talloc_autofree_context(),
+ "UTILS");
+ /* UTILS tests */
+ torture_suite_add_simple_test(suite, "GETNTACL", torture_getntacls);
+ torture_suite_add_simple_test(suite, "SETNTACL", torture_setntacls);
+ suite->description = talloc_strdup(suite, "Tests for samba utils ");
+
+ torture_register_suite(suite);
+
+ return NT_STATUS_OK;
+}
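Review bot: both callbacks registered with torture_suite_add_simple_test take a second `struct smbcli_state *cli` argument that neither torture_getntacls nor torture_setntacls ever uses; check that this matches the callback type the simple-test helper expects and drop the parameter if it does not, so the compiler can verify the function pointer rather than accepting a cast. Also trim the trailing space in `"Tests for samba utils "`.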
--
1.6.3.3



Re: PATCHS: manipulation of NT ACL in command line

by Stefan (metze) Metzmacher


Matthieu Patou schrieb:

> Dear all,
>
> Please find attached a huge series of patches related to NTACL
> manipulation in command line or in python scripts.
>
> 0001-s4-utils-recreate-setntacl-and-improve-setntacl.patch: Creation of
> the setntacl util, which allows setting the NTACL from the command line from
> its SDDL representation. It also adds the option to export the NTACL as
> SDDL
> 0002-s4-Create-torture-test-for-samba-utils.patch: This patch adds a simple
> torture test for getntacl and setntacl.
This one contains unneeded includes as comments, and it uses unistd.h
directly; you should use "system/filesys.h" from libreplace instead.

> 0003-S4-Allow-an-optional-parameter-in-generated-python-b.patch: This
> patch is for the PIDL generator. With this patch the generated python code
> allows the specification of a "notallflag" so that either
> ndr_pull_struct_blob or ndr_pull_struct_blob_all can be used. This patch
> follows the talk I had with metze today on IRC about how to
> work around the wrong calculation of consumed bytes when unpacking an
> xattr.NTACL object

I didn't notice we already have a $got_relative variable there;
I think the real problem is that we didn't detect that relative pointers
are used...

We could fix that (maybe impossible because we reference types defined
in other idl files) or remove this check completely and always let the
caller pass in the not all flag (I'd prefer this one).

I'd like the callers to use keywords, something like this:
obj.ndr_unpack(blob, notall=true)
instead of obj.ndr_unpack(blob, true)

metze




Re: PATCHS: manipulation of NT ACL in command line

by Andrew Bartlett


On Tue, 2009-11-10 at 10:33 +0100, Stefan (metze) Metzmacher wrote:
> Matthieu Patou schrieb:

> > 0003-S4-Allow-an-optional-parameter-in-generated-python-b.patch: This
> > patch is for the PIDL generator. With this patch the generated python code
> > allows the specification of a "notallflag" so that either
> > ndr_pull_struct_blob or ndr_pull_struct_blob_all can be used. This patch
> > follows the talk I had with metze today on IRC about how to
> > work around the wrong calculation of consumed bytes when unpacking an
> > xattr.NTACL object
>
> I didn't noticed we already have a $got_relative variable there,
> I think the real problem is that we didn't detect that relative pointers
> are used...
Perhaps if no pointers at all are used, then we don't trigger it?  It's
my code, so I'm sure that there are still corner cases (I'm no pidl
hacker...)

> We could fix that (maybe impossible because we reference types defined
> in other idl files) or remove this check completely and always let the
> caller pass in the not all flag (I'd prefer this one).
>
> I'd like the callers to use keywords, something like this:
> obj.ndr_unpack(blob, notall=true)
> instead of obj.ndr_unpack(blob, true)

That would work, but I would like to know why my pidl hack doesn't work.
Perhaps it needs to recurse down the structures?

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.




Re: PATCHS: manipulation of NT ACL in command line

by Jelmer Vernooij


Hi Matthieu,

Some quick comments.

On Tue, 2009-11-10 at 00:29 +0300, Matthieu Patou wrote:

> Please find attached a huge series of patches related to NTACL
> manipulation in command line or in python scripts.
>
> 0001-s4-utils-recreate-setntacl-and-improve-setntacl.patch: Creation of
> the setntacl util, which allows setting the NTACL from the command line from
> its SDDL representation. It also adds the option to export the NTACL as
> SDDL
> 0002-s4-Create-torture-test-for-samba-utils.patch: This patch adds a simple
> torture test for getntacl and setntacl.
> 0003-S4-Allow-an-optional-parameter-in-generated-python-b.patch: This
> patch is for the PIDL generator. With this patch the generated python code
> allows the specification of a "notallflag" so that either
> ndr_pull_struct_blob or ndr_pull_struct_blob_all can be used. This patch
> follows the talk I had with metze today on IRC about how to
> work around the wrong calculation of consumed bytes when unpacking an
> xattr.NTACL object
Please do this in a separate function that also returns how much data
was left rather than abusing the existing function that is supposed to
parse the full text.

> 0004-s4-Create-a-library-for-xattr-python-bindings.patch: This patch
> allows creating a .so with the python binding generated code for xattr.idl

> 0005-s4-add-python-bindings-for-wrap_-s-g-etxattr.patch: This patch adds
> the python bindings for wrap_getxattr and wrap_setxattr
Please put the xattr stuff in a separate python module. pyglue is a big
hack and catchall for things not appropriate elsewhere, it shouldn't be
increased in size unless really necessary.

> 0006-s4-Create-unit-tests-for-python-glue-module.patch: This patch adds
> torture test for the
Please add your own copyright for code you have written, not mine :-)

> 0007-s4-regroup-gpo-modification-in-one-function-set-acl-.patch: This
> patch regroups GPO-related stuff in provision (and removes them from setup
> samdb); it also makes provision set NT ACLs on GPO files with rights
> synchronized with those in the AD.
>
> Please let me know ...
>
> Matthieu.
>
>
>
>


Re: PATCHS: manipulation of NT ACL in command line

by Matthieu Patou-5


Hello, this is a rework of this:

0001-s4-utils-recreate-setntacl-and-improve-setntacl.patch: Creation of
the setntacl util, which allows setting the NTACL from the command line from
its SDDL representation. It also adds the option to export the NTACL as
SDDL
0002-s4-Create-torture-test-for-samba-utils.patch: This patch adds a simple
torture test for getntacl and setntacl.
0003-s4-Create-a-library-for-xattr-python-bindings.patch: This patch
allows creating a .so with the python binding generated code for xattr.idl
0004-s4-add-python-bindings-for-wrap_-s-g-etxattr.patch: This patch
allows creating a .so with the python binding generated code for xattr.idl
0005-s4-Create-unit-tests-for-python-samba.xattr-module.patch: Unit
tests for the above stuff
0006-s4-regroup-gpo-modification-in-one-function-set-acl-.patch: Use the
above functions for setacl on GPO objects.


Let me know.

Matthieu.
On 18/11/2009 22:00, Jelmer Vernooij wrote:

> Hi Matthieu,
>
> Some quick comments.
>
> On Tue, 2009-11-10 at 00:29 +0300, Matthieu Patou wrote:
>> Please find attached a huge series of patches related to NTACL
>> manipulation in command line or in python scripts.
>>
>> 0001-s4-utils-recreate-setntacl-and-improve-setntacl.patch: Creation of
>> the setntacl util, which allows setting the NTACL from the command line from
>> its SDDL representation. It also adds the option to export the NTACL as
>> SDDL
>> 0002-s4-Create-torture-test-for-samba-utils.patch: This patch adds a simple
>> torture test for getntacl and setntacl.
>> 0003-S4-Allow-an-optional-parameter-in-generated-python-b.patch: This
>> patch is for the PIDL generator. With this patch the generated python code
>> allows the specification of a "notallflag" so that either
>> ndr_pull_struct_blob or ndr_pull_struct_blob_all can be used. This patch
>> follows the talk I had with metze today on IRC about how to
>> work around the wrong calculation of consumed bytes when unpacking an
>> xattr.NTACL object
> Please do this in a separate function that also returns how much data
> was left rather than abusing the existing function that is supposed to
> parse the full text.
>
>> 0004-s4-Create-a-library-for-xattr-python-bindings.patch: This patch
>> allows creating a .so with the python binding generated code for xattr.idl
>
>> 0005-s4-add-python-bindings-for-wrap_-s-g-etxattr.patch: This patch adds
>> the python bindings for wrap_getxattr and wrap_setxattr
> Please put the xattr stuff in a separate python module. pyglue is a big
> hack and catchall for things not appropriate elsewhere, it shouldn't be
> increased in size unless really necessary.
>
>> 0006-s4-Create-unit-tests-for-python-glue-module.patch: This patch adds
>> torture test for the
> Please add your own copyright for code you have written, not mine :-)
>
>> 0007-s4-regroup-gpo-modification-in-one-function-set-acl-.patch: This
>> patch regroups GPO-related stuff in provision (and removes them from setup
>> samdb); it also makes provision set NT ACLs on GPO files with rights
>> synchronized with those in the AD.
>>
>> Please let me know ...
>>
>> Matthieu.

[0002-s4-Create-torture-test-for-samba-utils.patch]

From 8ef905270c58a202dcbc00c42b3438984b3b5565 Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@...>
Date: Sat, 7 Nov 2009 13:19:19 +0300
Subject: [PATCH 2/6] s4: Create torture test for samba utils.

  Currently tested: getntacl / setntacl
---
 .gitignore                    |    1 +
 source4/torture/config.mk     |   18 +++++
 source4/torture/torture.c     |    1 +
 source4/torture/utils/acls.c  |  149 +++++++++++++++++++++++++++++++++++++++++
 source4/torture/utils/utils.c |   38 +++++++++++
 5 files changed, 207 insertions(+), 0 deletions(-)
 create mode 100644 source4/torture/utils/acls.c
 create mode 100644 source4/torture/utils/utils.c

diff --git a/.gitignore b/.gitignore
index 13dd2d8..2660940 100644
--- a/.gitignore
+++ b/.gitignore
@@ -282,6 +282,7 @@ source4/st
 source4/templates.ldb
 source4/test-results
 source4/tests
+source4/torture/utils/proto.h
 source4/torture/auth/proto.h
 source4/torture/basic/proto.h
 source4/torture/ldap/proto.h
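Review bot: the new `source4/torture/utils/proto.h` entry is inserted ahead of the `auth`, `basic` and `ldap` entries, breaking the alphabetical order of the surrounding torture/*/proto.h lines; keep the list sorted and place it where `utils` belongs.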
diff --git a/source4/torture/config.mk b/source4/torture/config.mk
index 00362b6..2fb59fe 100644
--- a/source4/torture/config.mk
+++ b/source4/torture/config.mk
@@ -40,6 +40,24 @@ TORTURE_BASIC_OBJ_FILES = $(addprefix $(torturesrcdir)/basic/,  \
 $(eval $(call proto_header_template,$(torturesrcdir)/basic/proto.h,$(TORTURE_BASIC_OBJ_FILES:.o=.c)))
 
 #################################
+# Start SUBSYSTEM TORTURE_UTILS
+[MODULE::TORTURE_UTILS]
+OUTPUT_TYPE = MERGED_OBJ
+SUBSYSTEM = smbtorture
+INIT_FUNCTION = torture_utils_init
+PRIVATE_DEPENDENCIES = \
+ LIBCLI_SMB LIBCLI_LSA LIBCLI_SMB_COMPOSITE \
+ POPT_CREDENTIALS TORTURE_UTIL
+# End SUBSYSTEM TORTURE_UTILS
+#################################
+
+TORTURE_UTILS_OBJ_FILES = $(addprefix $(torturesrcdir)/utils/, \
+ utils.o \
+ acls.o)
+
+$(eval $(call proto_header_template,$(torturesrcdir)/utils/proto.h,$(TORTURE_UTILS_OBJ_FILES:.o=.c)))
+
+#################################
 # Start SUBSYSTEM TORTURE_RAW
 [MODULE::TORTURE_RAW]
 OUTPUT_TYPE = MERGED_OBJ
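Review bot: PRIVATE_DEPENDENCIES for TORTURE_UTILS does not name the subsystem that provides wrap_setxattr/wrap_getxattr (it appears as WRAP_XATTR in the python config.mk of the bindings patch later in this thread), so acls.c links only if that code is pulled in transitively; add it explicitly. Conversely LIBCLI_LSA, LIBCLI_SMB_COMPOSITE and POPT_CREDENTIALS are not used by utils.c or acls.c, which only spawn command-line tools and read extended attributes, and can be dropped.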
diff --git a/source4/torture/torture.c b/source4/torture/torture.c
index 49a6a8c..9b8f1b7 100644
--- a/source4/torture/torture.c
+++ b/source4/torture/torture.c
@@ -64,6 +64,7 @@ _PUBLIC_ int torture_init(void)
  extern NTSTATUS torture_net_init(void);
  extern NTSTATUS torture_libnetapi_init(void);
  extern NTSTATUS torture_raw_init(void);
+ extern NTSTATUS torture_utils_init(void);
  extern NTSTATUS torture_unix_init(void);
  extern NTSTATUS torture_winbind_init(void);
  extern NTSTATUS torture_drs_init(void);
diff --git a/source4/torture/utils/acls.c b/source4/torture/utils/acls.c
new file mode 100644
index 0000000..237f0cc
--- /dev/null
+++ b/source4/torture/utils/acls.c
@@ -0,0 +1,149 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   test acl tools
+
+   Copyright (C) Matthieu Patou 2009
+  
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+  
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+  
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/filesys.h"
+#include "torture/torture.h"
+#include "libcli/libcli.h"
+#include "librpc/gen_ndr/xattr.h"
+#define BASEDIR "/tmp"
+
+static const char *refsddl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513"
+      "D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)";
+/* Blob equivalent for refsddl */
+static const char blob[] = {
+ 0x01,0x00,0x01,0x00,0x00,0x00,0x02,0x00,0x01,0x00,0x04,0x80,0x1c,0x00,0x00,0x00,0x38,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x54,0x00,0x00,0x00,0x01,0x05,0x00,0x00,0x00,0x00,
+ 0x00,0x05,0x15,0x00,0x00,0x00,0x37,0xd5,0xe1,0x83,0x9a,0xdb,0xa4,0xa0,0xeb,0x71,0x40,
+ 0x7d,0x00,0x02,0x00,0x00,0x01,0x05,0x00,0x00,0x00,0x00,0x00,0x05,0x15,0x00,0x00,0x00,
+ 0x37,0xd5,0xe1,0x83,0x9a,0xdb,0xa4,0xa0,0xeb,0x71,0x40,0x7d,0x01,0x02,0x00,0x00,0x02,
+ 0x00,0x2c,0x00,0x01,0x00,0x00,0x00,0x00,0x03,0x24,0x00,0xff,0x01,0x1f,0x00,0x01,0x05,
+ 0x00,0x00,0x00,0x00,0x00,0x05,0x15,0x00,0x00,0x00,0x37,0xd5,0xe1,0x83,0x9a,0xdb,0xa4,
+ 0xa0,0xeb,0x71,0x40,0x7d,0x00,0x02,0x00,0x00 };
+static int bloblen = 128;
+
+bool torture_getntacls(struct torture_context *tctx, struct smbcli_state *cli)
+{
+ bool ret = true;
+ long int l = random();
+ char *path_fname;
+ FILE *file;
+ FILE *pipe;
+ char buf[1024];
+ char *path_env;
+ char *new_path_env;
+ char *cmdline;
+ int fd;
+ int res;
+
+ memset(buf,0,1024);
+ asprintf(&path_fname, BASEDIR "/torture_acl%ld",l);
+ file = fopen(path_fname,"w");
+ if (file == NULL) {
+ return false;
+ }
+ fclose(file);
+ /* First write the blob directly into the security.NTACL attribute */
+ wrap_setxattr(path_fname, XATTR_NTACL_NAME, blob,bloblen, 0);
+ path_env = getenv("PATH");
+ asprintf(&new_path_env,"./bin:%s",path_env);
+ setenv("PATH",new_path_env,1);
+ asprintf(&cmdline,"getntacl --as-sddl %s",path_fname);
+
+ /* Then check that getntacl give the good result*/
+ pipe = popen(cmdline,"r");
+ fd = fileno(pipe);
+ res = read(fd,buf,1024);
+ if( res < 0 ) {
+ ret = false;
+ }
+ else {
+ if ( strncmp(buf,refsddl,strlen(refsddl)) != 0 )
+ ret = false;
+ }
+
+ pclose(pipe);
+ unlink(path_fname);
+ return ret;
+}
+
+bool torture_setntacls(struct torture_context *tctx, struct smbcli_state *cli)
+{
+ bool ret = true;
+ long int l = random();
+ char *path_fname;
+ FILE *file;
+ FILE *pipe;
+ char buf[1024];
+ char *path_env;
+ char *new_path_env;
+ char *cmdline;
+ pid_t pid;
+ char dest_blob[1024];
+ int dest_bloblen = 1024;
+ int fd;
+ int res;
+
+ memset(buf,0,1024);
+ asprintf(&path_fname, BASEDIR "/torture_acl%ld",l);
+ file = fopen(path_fname,"w");
+ if (file == NULL) {
+ return false;
+ }
+ fclose(file);
+
+ path_env = getenv("PATH");
+ asprintf(&new_path_env,"./bin:%s",path_env);
+ setenv("PATH",new_path_env,1);
+ asprintf(&cmdline,"setntacl \"%s\" %s",refsddl,path_fname);
+
+ pipe = popen(cmdline,"r");
+ fd = fileno(pipe);
+ res = read(fd,buf,1024);
+ if( res < 0 ) {
+ ret = false;
+ }
+ else {
+ if( buf[0] != '\0' ) {
+ ret = false;
+ }
+ else {
+ res = wrap_getxattr(path_fname,XATTR_NTACL_NAME,dest_blob,dest_bloblen);
+ if( res != bloblen ) {
+ ret = false;
+ }
+ else {
+ int i;
+ for(i=0;i<bloblen;i++) {
+ if( dest_blob[i] != blob[i] ) {
+ ret = false;
+ break;
+ }
+ }
+ }
+ }
+ }
+ pclose(pipe);
+
+
+ unlink(path_fname);
+ return ret;
+}
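Review bot: the include cleanup metze asked for is done, but the other problems from the first version of acls.c remain. `random()` is never seeded, so the `/tmp/torture_acl%ld` name repeats on every run and `fopen(..., "w")` opens whatever already exists at that path, file or symlink; use `mkstemp()` or the torture temp directory. `popen()` is not checked for NULL before `fileno()`; the single `read()` of 1024 bytes may return only part of the SDDL string and, when it fills the buffer, leaves no NUL terminator for `strncmp`; the return value of `wrap_setxattr` in torture_getntacls is ignored, so a failed setxattr surfaces as a confusing getntacl mismatch; `pid_t pid` is unused; `bloblen` should be `sizeof(blob)`; and the three `asprintf` buffers are never freed. Both functions also return a bare `false` on every failure path; a `torture_comment`/`torture_fail` message would tell the reader which step went wrong.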
diff --git a/source4/torture/utils/utils.c b/source4/torture/utils/utils.c
new file mode 100644
index 0000000..3da199e
--- /dev/null
+++ b/source4/torture/utils/utils.c
@@ -0,0 +1,38 @@
+/*
+   Unix SMB/CIFS implementation.
+   Utils torture tester
+   Copyright (C) Matthieu Patou 2009
+  
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+  
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+  
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "torture/util.h"
+#include "torture/smbtorture.h"
+#include "torture/utils/proto.h"
+
+NTSTATUS torture_utils_init(void)
+{
+ struct torture_suite *suite = torture_suite_create(
+ talloc_autofree_context(),
+ "UTILS");
+ /* UTILS tests */
+ torture_suite_add_simple_test(suite, "GETNTACL", torture_getntacls);
+ torture_suite_add_simple_test(suite, "SETNTACL", torture_setntacls);
+ suite->description = talloc_strdup(suite, "Tests for samba utils ");
+
+ torture_register_suite(suite);
+
+ return NT_STATUS_OK;
+}
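Review bot: torture_getntacls and torture_setntacls are registered via torture_suite_add_simple_test but are declared with an extra `struct smbcli_state *cli` parameter that neither uses; confirm the callback type the helper expects and drop the unused parameter so the function pointers type-check. The suite description also carries a trailing space ("Tests for samba utils ").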
--
1.6.3.3



[0005-s4-Create-unit-tests-for-python-samba.xattr-module.patch]

From aeae421f8136cc299c0dc2b8b65b9fd4f8d21e4b Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@...>
Date: Mon, 9 Nov 2009 22:01:04 +0300
Subject: [PATCH 5/6] s4: Create unit tests for python "samba.xattr" module

---
 source4/scripting/python/pyxattr.c            |    1 -
 source4/scripting/python/samba/tests/xattr.py |   47 +++++++++++++++++++++++++
 source4/selftest/tests.sh                     |    1 +
 3 files changed, 48 insertions(+), 1 deletions(-)
 create mode 100644 source4/scripting/python/samba/tests/xattr.py

diff --git a/source4/scripting/python/pyxattr.c b/source4/scripting/python/pyxattr.c
index 371334f..4e10ad7 100644
--- a/source4/scripting/python/pyxattr.c
+++ b/source4/scripting/python/pyxattr.c
@@ -86,7 +86,6 @@ void initxattr(void)
 {
  PyObject *m;
 
- fprintf(stderr,"called ?\n");
  m = Py_InitModule3("xattr", py_xattr_methods,
    "Python bindings for xattr manipulation.");
  if (m == NULL)
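Review bot: this hunk only deletes the `fprintf(stderr,"called ?\n")` debug line that patch 0004 of this same series introduces; squash the removal into 0004 so the debug output never enters the history, instead of carrying it as a fix inside the tests patch.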
diff --git a/source4/scripting/python/samba/tests/xattr.py b/source4/scripting/python/samba/tests/xattr.py
new file mode 100644
index 0000000..fa93acd
--- /dev/null
+++ b/source4/scripting/python/samba/tests/xattr.py
@@ -0,0 +1,47 @@
+#!/usr/bin/python
+
+# Unix SMB/CIFS implementation. Tests for xattr manipulation
+# Copyright (C) Matthieu Patou <mat@...> 2009
+#  
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#  
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#  
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+from samba.xattr import wrap_getxattr, wrap_setxattr
+from samba.dcerpc import xattr
+from samba.ndr import ndr_pack, ndr_unpack
+from unittest import TestCase
+import random
+import os
+
+class GlueTests(TestCase):
+
+
+    def test_set_packeddata(self):
+ random.seed()
+ tempf=os.path.join("/tmp","pytests"+str(int(100000*random.random())))
+ ntacl=xattr.NTACL()
+ ntacl.version = 1
+ open(tempf, 'w').write("empty")
+ wrap_setxattr(tempf,"user.unittests",ndr_pack(ntacl))
+ os.unlink(tempf)
+
+    def test_set_and_get(self):
+ random.seed()
+ tempf=os.path.join("/tmp","pytests"+str(int(100000*random.random())))
+ reftxt="this is a test"
+ open(tempf, 'w').write("empty")
+ wrap_setxattr(tempf,"user.unittests",reftxt)
+ text = wrap_getxattr(tempf,"user.unittests")
+ self.assertEquals(text,reftxt)
+ os.unlink(tempf)
+        
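Review bot: `test_set_packeddata` asserts nothing, so a broken pack/unpack round trip passes silently; read the attribute back with wrap_getxattr, ndr_unpack it as xattr.NTACL and check that `version` is still 1. In both tests the temporary file name is derived from `random.random()` in a fixed `/tmp` location, which can collide with or reuse an existing file; `tempfile.mkstemp()` gives a unique, safely created file, and the `os.unlink` belongs in `tearDown` or a `try/finally` so a failing assertion does not leave the file behind. `open(tempf, 'w').write("empty")` relies on the handle being collected to flush and close; use a `with` block. The class name GlueTests is left over from the pyglue version (the module under test is now samba.xattr), and the two blank lines after the class header plus the trailing whitespace on the last line should go.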
diff --git a/source4/selftest/tests.sh b/source4/selftest/tests.sh
index 8888637..baf4052 100755
--- a/source4/selftest/tests.sh
+++ b/source4/selftest/tests.sh
@@ -463,6 +463,7 @@ plantest "ldap.python" dc PYTHONPATH="$PYTHONPATH:../lib/subunit/python" $PYTHON
 plantest "ldap.possibleInferiors.python" dc $PYTHON $samba4srcdir/dsdb/samdb/ldb_modules/tests/possibleinferiors.py $CONFIGURATION ldap://\$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN
 plantest "ldap.secdesc.python" dc PYTHONPATH="$PYTHONPATH:../lib/subunit/python" $PYTHON $samba4srcdir/lib/ldb/tests/python/sec_descriptor.py $CONFIGURATION \$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN
 plantest "ldap.acl.python" dc PYTHONPATH="$PYTHONPATH:../lib/subunit/python" $PYTHON $samba4srcdir/lib/ldb/tests/python/acl.py $CONFIGURATION \$SERVER -U\$USERNAME%\$PASSWORD -W \$DOMAIN
+plantest "xattr.python" none $SUBUNITRUN samba.tests.xattr
 plantest "blackbox.samba3dump" none $PYTHON $samba4srcdir/scripting/bin/samba3dump $samba4srcdir/../testdata/samba3
 rm -rf $PREFIX/upgrade
 plantest "blackbox.upgrade" none $PYTHON $samba4srcdir/setup/upgrade $CONFIGURATION --targetdir=$PREFIX/upgrade $samba4srcdir/../testdata/samba3 ../testdata/samba3/smb.conf
--
1.6.3.3



[0003-s4-Create-a-library-for-xattr-python-bindings.patch]

From e6c80078a5215c6a48f30d35b2ed6d106ae4a983 Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@...>
Date: Mon, 9 Nov 2009 20:18:59 +0300
Subject: [PATCH 3/6] s4: Create a library for xattr python bindings

---
 source4/librpc/config.mk |   13 ++++++++++++-
 1 files changed, 12 insertions(+), 1 deletions(-)

diff --git a/source4/librpc/config.mk b/source4/librpc/config.mk
index 501b88b..1053cc1 100644
--- a/source4/librpc/config.mk
+++ b/source4/librpc/config.mk
@@ -251,7 +251,7 @@ NDR_KRB5PAC_OBJ_FILES = ../librpc/gen_ndr/ndr_krb5pac.o ../librpc/ndr/ndr_krb5pa
 [SUBSYSTEM::NDR_XATTR]
 PUBLIC_DEPENDENCIES = LIBNDR NDR_SECURITY
 
-NDR_XATTR_OBJ_FILES = ../librpc/gen_ndr/ndr_xattr.o ../librpc/ndr/ndr_xattr.o
+NDR_XATTR_OBJ_FILES = ../librpc/gen_ndr/ndr_xattr.o ../librpc/ndr/ndr_xattr.o
 
 [SUBSYSTEM::NDR_OPENDB]
 PUBLIC_DEPENDENCIES = LIBNDR
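Review bot: the `-`/`+` pair for NDR_XATTR_OBJ_FILES is identical apart from whitespace, so this hunk changes nothing functionally and only adds noise to the blame history; drop it from the patch, or, if it fixes a stray tab or trailing space, say so in the commit message.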
@@ -356,6 +356,11 @@ PUBLIC_DEPENDENCIES = \
 
 NDR_TABLE_OBJ_FILES = ../librpc/ndr/ndr_table.o $(gen_ndrsrcdir)/tables.o
 
+[SUBSYSTEM::RPC_NDR_XATTR]
+PUBLIC_DEPENDENCIES = NDR_XATTR dcerpc
+
+RPC_NDR_XATTR_OBJ_FILES = ../librpc/gen_ndr/ndr_xattr_c.o
+
 [SUBSYSTEM::RPC_NDR_ROT]
 PUBLIC_DEPENDENCIES = NDR_ROT dcerpc
 
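Review bot: RPC_NDR_XATTR pulls in `dcerpc` and `ndr_xattr_c.o`, i.e. a generated RPC client stub for xattr.idl, yet nothing in this series makes an RPC call on it: the torture test and the python bindings only NDR-pack and unpack NTACL structures. Verify that pidl actually emits ndr_xattr_c.c for this IDL and, if the client stub is not needed, drop this subsystem together with the RPC_NDR_XATTR dependency of python_dcerpc_xattr in the next hunk.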
@@ -708,6 +713,12 @@ PRIVATE_DEPENDENCIES = PYTALLOC python_dcerpc_misc python_dcerpc NDR_SECURITY
 
 python_dcerpc_security_OBJ_FILES = ../librpc/gen_ndr/py_security.o
 
+[PYTHON::python_dcerpc_xattr]
+LIBRARY_REALNAME = samba/dcerpc/xattr.$(SHLIBEXT)
+PRIVATE_DEPENDENCIES = PYTALLOC python_dcerpc_misc python_dcerpc python_dcerpc_security NDR_XATTR RPC_NDR_XATTR
+
+python_dcerpc_xattr_OBJ_FILES = ../librpc/gen_ndr/py_xattr.o
+
 $(IDL_HEADER_FILES) $(IDL_NDR_PARSE_H_FILES) $(IDL_NDR_PARSE_C_FILES) \
  $(IDL_NDR_CLIENT_C_FILES) $(IDL_NDR_CLIENT_H_FILES) \
  $(IDL_NDR_SERVER_C_FILES) $(IDL_SWIG_FILES) \
--
1.6.3.3



[0004-s4-add-python-bindings-for-wrap_-s-g-etxattr.patch]

From e6074303508d0acf4ebacb1af692e4f44caae523 Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@...>
Date: Mon, 9 Nov 2009 20:53:34 +0300
Subject: [PATCH 4/6] s4: add python bindings for wrap_(s|g)etxattr

---
 source4/scripting/python/config.mk |   11 +++-
 source4/scripting/python/pyglue.c  |    4 +-
 source4/scripting/python/pyxattr.c |  107 ++++++++++++++++++++++++++++++++++++
 3 files changed, 119 insertions(+), 3 deletions(-)
 create mode 100644 source4/scripting/python/pyxattr.c

diff --git a/source4/scripting/python/config.mk b/source4/scripting/python/config.mk
index a5e3f25..c861772 100644
--- a/source4/scripting/python/config.mk
+++ b/source4/scripting/python/config.mk
@@ -17,12 +17,21 @@ python_uuid_OBJ_FILES = $(pyscriptsrcdir)/uuidmodule.o
 
 [PYTHON::python_glue]
 LIBRARY_REALNAME = samba/glue.$(SHLIBEXT)
-PRIVATE_DEPENDENCIES = LIBNDR LIBLDB SAMDB CREDENTIALS pyldb python_dcerpc_misc python_dcerpc_security pyauth pyldb_util pyparam_util
+PRIVATE_DEPENDENCIES = LIBNDR LIBLDB SAMDB CREDENTIALS pyldb python_dcerpc_misc python_dcerpc_security pyauth pyldb_util pyparam_util WRAP_XATTR
 
 python_glue_OBJ_FILES = $(pyscriptsrcdir)/pyglue.o
 
 $(python_glue_OBJ_FILES): CFLAGS+=-I$(ldbsrcdir)
 
+[PYTHON::python_xattr]
+LIBRARY_REALNAME = samba/xattr.$(SHLIBEXT)
+PRIVATE_DEPENDENCIES = LIBNDR LIBLDB SAMDB CREDENTIALS  python_dcerpc_security pyparam_util WRAP_XATTR
+#PRIVATE_DEPENDENCIES = LIBNDR LIBLDB SAMDB CREDENTIALS  python_dcerpc_security pyauth pyldb_util pyparam_util WRAP_XATTR
+
+python_xattr_OBJ_FILES = $(pyscriptsrcdir)/pyxattr.o
+
+$(python_xattr_OBJ_FILES): CFLAGS+=-I$(ldbsrcdir)
+
 _PY_FILES = $(shell find $(pyscriptsrcdir)/samba ../lib/subunit/python -name "*.py")
 
 $(eval $(foreach pyfile, $(_PY_FILES),$(call python_py_module_template,$(patsubst $(pyscriptsrcdir)/%,%,$(subst ../lib/subunit/python,,$(pyfile))),$(pyfile))))
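Review bot: python_glue gains a WRAP_XATTR dependency even though the xattr bindings now live in the separate python_xattr module, as Jelmer asked, and the pyglue.c hunk of this patch changes only indentation; unless pyglue.c still calls wrap_*xattr, drop WRAP_XATTR from python_glue. The commented-out alternative PRIVATE_DEPENDENCIES line under python_xattr should be deleted rather than left as dead configuration, and `CFLAGS+=-I$(ldbsrcdir)` is copied from python_glue although pyxattr.c includes no ldb headers.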
diff --git a/source4/scripting/python/pyglue.c b/source4/scripting/python/pyglue.c
index b138e3e..2d30ba7 100644
--- a/source4/scripting/python/pyglue.c
+++ b/source4/scripting/python/pyglue.c
@@ -54,8 +54,8 @@ static void PyErr_SetLdbError(PyObject *error, int ret, struct ldb_context *ldb_
  return; /* Python exception should already be set, just keep that */
 
  PyErr_SetObject(error,
- Py_BuildValue(discard_const_p(char, "(i,s)"), ret,
-  ldb_ctx == NULL?ldb_strerror(ret):ldb_errstring(ldb_ctx)));
+ Py_BuildValue(discard_const_p(char, "(i,s)"), ret,
+ ldb_ctx == NULL?ldb_strerror(ret):ldb_errstring(ldb_ctx)));
 }
 
 static PyObject *py_ldb_get_exception(void)
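Review bot: this hunk re-indents two lines of PyErr_SetLdbError and changes nothing else; unrelated whitespace churn belongs in its own cleanup commit, not in the xattr bindings patch.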
diff --git a/source4/scripting/python/pyxattr.c b/source4/scripting/python/pyxattr.c
new file mode 100644
index 0000000..371334f
--- /dev/null
+++ b/source4/scripting/python/pyxattr.c
@@ -0,0 +1,107 @@
+/*
+   Unix SMB/CIFS implementation. Xattr manipulation bindings.
+   Copyright (C) Matthieu Patou <mat@...> 2009
+   Base on work of pyglue.c by Jelmer Vernooij <jelmer@...> 2007 and
+    Matthias Dieter Wallnöfer 2009
+  
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+  
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+  
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <Python.h>
+#include "version.h"
+#include "includes.h"
+#include "librpc/ndr/libndr.h"
+#include "lib/util/wrap_xattr.h"
+
+#ifndef Py_RETURN_NONE
+#define Py_RETURN_NONE return Py_INCREF(Py_None), Py_None
+#endif
+
+
+static PyObject *py_wrap_setxattr(PyObject *self, PyObject *args)
+{
+ char *filename, *attribute;
+ int ret = 0;
+ DATA_BLOB blob;
+ if (!PyArg_ParseTuple(args, "sss#", &filename,&attribute,&blob.data,&blob.length))
+ return NULL;
+ ret = wrap_setxattr(filename,attribute,blob.data,blob.length,0);
+ if( ret < 0 ) {
+ PyErr_SetString(PyExc_TypeError, strerror(errno));
+ return NULL;
+ }
+ Py_RETURN_NONE;
+}
+
+static PyObject *py_wrap_getxattr(PyObject *self, PyObject *args)
+{
+ char *filename, *attribute;
+ int len;
+ TALLOC_CTX *mem_ctx;
+ uint8_t *buf;
+ PyObject *ret;
+ if (!PyArg_ParseTuple(args, "ss", &filename,&attribute))
+ return NULL;
+
+ mem_ctx = talloc_new(NULL);
+ len = wrap_getxattr(filename,attribute,NULL,0);
+ if( len < 0 ) {
+ PyErr_SetString(PyExc_TypeError, strerror(errno));
+ return NULL;
+ }
+ /* check length ... */
+ buf = talloc_zero_array(mem_ctx, uint8_t, len);
+ len = getxattr(filename,attribute,buf,len);
+ if( len < 0 ) {
+ PyErr_SetString(PyExc_TypeError, strerror(errno));
+ return NULL;
+ }
+ ret = PyString_FromStringAndSize(buf,len);
+ talloc_free(buf);
+ return ret;
+}
+
+static PyMethodDef py_xattr_methods[] = {
+ { "wrap_getxattr", (PyCFunction)py_wrap_getxattr, METH_VARARGS,
+ "wrap_getxattr(filename,attribute) -> blob\n"
+ "Retreive given attribute on the given file." },
+ { "wrap_setxattr", (PyCFunction)py_wrap_setxattr, METH_VARARGS,
+ "wrap_setxattr(filename,attribute,value)\n"
+ "Set the given attribute to the given value on the given file." },
+ { NULL }
+};
+
+void initxattr(void)
+{
+ PyObject *m;
+
+ fprintf(stderr,"called ?\n");
+ m = Py_InitModule3("xattr", py_xattr_methods,
+   "Python bindings for xattr manipulation.");
+ if (m == NULL)
+ return;
+
+ PyModule_AddObject(m, "version", PyString_FromString(SAMBA_VERSION_STRING));
+
+ /* one of the most annoying things about python scripts is
+   that they don't die when you hit control-C. This fixes that
+   sillyness. As we do all database operations using
+   transactions, this is also safe. In fact, not dying
+   immediately is unsafe as we could end up treating the
+   control-C exception as a different error and try to modify
+   as database incorrectly
+ */
+ signal(SIGINT, SIG_DFL);
+}
+
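Review bot: py_wrap_getxattr leaks its talloc context on every call and sizes the buffer with a different call than it fills it with. `mem_ctx = talloc_new(NULL)` is never freed: both error paths return without releasing it and the success path only frees `buf`, so free `mem_ctx` (which owns `buf`) on all three exits. The length comes from `wrap_getxattr(filename,attribute,NULL,0)` but the data from a raw `getxattr(...)`; the wrapper exists to hide platform differences, so use `wrap_getxattr` for the read as well. Since the attribute can change between the size query and the read, treat `ERANGE` on the second call as "retry with the new size" rather than a fatal error, and turn the `/* check length ... */` placeholder into that check. In py_wrap_setxattr, `"sss#"` stores a `char *` into `blob.data` (a `uint8_t *`) and an `int` (or `Py_ssize_t` under `PY_SSIZE_T_CLEAN`) into `blob.length` (a `size_t`); parse into local `char *data; int len;` and build the DATA_BLOB from those. Errors are raised as `TypeError` carrying `strerror(errno)`; `PyErr_SetFromErrno(PyExc_OSError)` is the idiomatic form and preserves errno for the caller. Finally, `fprintf(stderr,"called ?\n");` in initxattr is leftover debugging, the SIGINT comment copied from pyglue talks about database transactions that do not apply to this module, and "Retreive" in the wrap_getxattr docstring should be "Retrieve".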
--
1.6.3.3



[0001-s4-utils-recreate-setntacl-and-improve-setntacl.patch]

From 2d7113691cb4cd4839e63140145833932aff481f Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@...>
Date: Sat, 24 Oct 2009 15:34:31 +0400
Subject: [PATCH 1/6] s4: utils recreate setntacl and improve setntacl

  setntacl is able to set the NTACL attribute from the command line.
  getntacl now uses getopt for parsing command line options and is also able to
  dump the ACL in the SDDL format.
---
 source4/utils/config.mk  |   18 +++++--
 source4/utils/getntacl.c |   58 ++++++++++++++++----
 source4/utils/setntacl.c |  136 +++++++++++++++++++++++++++++++++++++++-------
 3 files changed, 176 insertions(+), 36 deletions(-)

diff --git a/source4/utils/config.mk b/source4/utils/config.mk
index f485fae..9b6a2f1 100644
--- a/source4/utils/config.mk
+++ b/source4/utils/config.mk
@@ -30,6 +30,7 @@ INSTALLDIR = BINDIR
 PRIVATE_DEPENDENCIES = \
  LIBSAMBA-HOSTCONFIG \
  LIBSAMBA-UTIL \
+ POPT_SAMBA \
  NDR_XATTR \
  WRAP_XATTR \
  LIBSAMBA-ERRORS
@@ -44,12 +45,19 @@ MANPAGES += $(utilssrcdir)/man/getntacl.1
 #################################
 # Start BINARY setntacl
 [BINARY::setntacl]
-# disabled until rewritten
-#INSTALLDIR = BINDIR
-# End BINARY setntacl
-#################################
+INSTALLDIR = BINDIR
+PRIVATE_DEPENDENCIES = \
+ LIBSAMBA-HOSTCONFIG \
+ LIBSAMBA-UTIL \
+ POPT_SAMBA \
+ NDR_XATTR \
+ WRAP_XATTR \
+ LIBSAMBA-ERRORS
 
-setntacl_OBJ_FILES = $(utilssrcdir)/setntacl.o
+setntacl_OBJ_FILES =  $(utilssrcdir)/setntacl.o
+
+# End BINARY getntacl
+#################################
 
 #################################
 # Start BINARY generateblob
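Review bot: the closing comment of the new setntacl block reads `# End BINARY getntacl`; it should say `# End BINARY setntacl`, otherwise the file ends up with two getntacl end markers. The doubled space in `setntacl_OBJ_FILES =  $(utilssrcdir)/setntacl.o` is also a needless whitespace change to the one line that was otherwise kept.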
diff --git a/source4/utils/getntacl.c b/source4/utils/getntacl.c
index f26c87b..f75920c 100644
--- a/source4/utils/getntacl.c
+++ b/source4/utils/getntacl.c
@@ -20,10 +20,13 @@
 */
 
 #include "includes.h"
+#include "libcli/security/security.h"
 #include "system/filesys.h"
 #include "librpc/gen_ndr/ndr_xattr.h"
-#include "../lib/util/wrap_xattr.h"
+#include "lib/cmdline/popt_common.h"
 #include "param/param.h"
+#include "param/loadparm.h"
+
 
 static void ntacl_print_debug_helper(struct ndr_print *ndr, const char *format, ...) PRINTF_ATTRIBUTE(2,3);
 
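Review bot: dropping `#include "../lib/util/wrap_xattr.h"` while the binary still links against WRAP_XATTR (see the config.mk hunk above) relies on the wrap_getxattr prototype arriving through another header; please confirm it does, or keep the include. The extra empty line after `param/loadparm.h` can go too.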
@@ -82,6 +85,13 @@ static NTSTATUS get_ntacl(TALLOC_CTX *mem_ctx,
  return NT_STATUS_OK;
 }
 
+static void print_ntacl_sddl(TALLOC_CTX *mem_ctx,
+ struct xattr_NTACL *ntacl)
+{
+ const char *sddl;
+ sddl = sddl_encode(mem_ctx,ntacl->info.sd,NULL);
+ printf("%s\n",sddl);
+}
 static void print_ntacl(TALLOC_CTX *mem_ctx,
  const char *fname,
  struct xattr_NTACL *ntacl)
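Review bot: print_ntacl_sddl hands the return value of sddl_encode straight to printf, but sddl_encode can return NULL when the descriptor cannot be encoded, and `printf("%s\n", NULL)` is undefined behaviour; check for NULL, print an error and return a failure status so main can exit non-zero. A blank line is also missing between the new function and print_ntacl. Passing NULL as the domain SID means no domain-relative aliases (DA, DU, ...) are emitted, which is reasonable for a dump tool but deserves a one-line comment.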
@@ -96,24 +106,52 @@ static void print_ntacl(TALLOC_CTX *mem_ctx,
  talloc_free(pr);
 }
 
-int main(int argc, char *argv[])
+int main(int argc, const char *argv[])
 {
- NTSTATUS status;
+ int ret = 0;
+ NTSTATUS status;
  struct xattr_NTACL *ntacl;
  ssize_t ntacl_len;
-
- if (argc != 2) {
- fprintf(stderr, "Usage: getntacl FILENAME\n");
- return 1;
+ int print_as_sddl = 0;
+ char *readfile = NULL;
+ poptContext pc;
+ struct loadparm_context *lp_ctx;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ {"as-sddl", '\0', POPT_ARG_NONE, &print_as_sddl, true, "Print NT ACL as SDDL"},
+ POPT_COMMON_SAMBA
+ POPT_COMMON_VERSION
+ { NULL }
+ };
+
+ setup_logging(NULL, DEBUG_STDERR);
+
+ pc = poptGetContext(NULL, argc, argv, long_options,
+    POPT_CONTEXT_KEEP_FIRST);
+ poptSetOtherOptionHelp(pc, "[OPTION(S)...] file");
+
+ while(poptGetNextOpt(pc) != -1);
+ // Skip programe name
+ poptGetArg(pc);
+ if(poptPeekArg(pc)) {
+ readfile = strdup(poptGetArg(pc));
  }
 
- status = get_ntacl(NULL, argv[1], &ntacl, &ntacl_len);
+
+ lp_ctx = cmdline_lp_ctx;
+
+ status = get_ntacl(NULL, readfile, &ntacl, &ntacl_len);
+
  if (!NT_STATUS_IS_OK(status)) {
  fprintf(stderr, "get_ntacl failed: %s\n", nt_errstr(status));
  return 1;
  }
-
- print_ntacl(ntacl, argv[1], ntacl);
+
+ if( print_as_sddl ) {
+ print_ntacl_sddl(ntacl,  ntacl);
+ } else {
+ print_ntacl(ntacl, readfile, ntacl);
+ }
 
  talloc_free(ntacl);
 
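Review bot: the usage check was lost in the rewrite: with no file argument `readfile` stays NULL and is passed to get_ntacl, where the old code printed the usage and returned 1. Add `if (readfile == NULL) { poptPrintUsage(pc, stderr, 0); return 1; }` after the argument loop. `ret` and `lp_ctx` are assigned but never used, the `strdup` copy is never freed (the string returned by poptGetArg lives as long as the context, so the copy is unnecessary), `// Skip programe name` is a C++ comment with a typo, and `while(poptGetNextOpt(pc) != -1);` swallows option-parsing errors that the other s4 utilities report.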
diff --git a/source4/utils/setntacl.c b/source4/utils/setntacl.c
index 3a008a4..4db608c 100644
--- a/source4/utils/setntacl.c
+++ b/source4/utils/setntacl.c
@@ -1,28 +1,122 @@
 /*
-   Unix SMB/CIFS implementation.
-
-   Set NT ACLs on UNIX files.
-
-   Copyright (C) Tim Potter <tpot@...> 2004
-  
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-  
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-  
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ Unix SMB/CIFS implementation.
+
+ Get NT ACLs from UNIX files.
+
+ Copyright (C) Tim Potter <tpot@...> 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "includes.h"
+#include "libcli/security/security.h"
+#include "librpc/gen_ndr/ndr_xattr.h"
+#include "param/param.h"
+#include "lib/cmdline/popt_common.h"
+#include "param/param.h"
+#include "param/loadparm.h"
+
+static NTSTATUS build_acl(TALLOC_CTX *mem_ctx, char* acls,  struct xattr_NTACL **ntacl)
+{
+ struct xattr_NTACL *acl = talloc(mem_ctx, struct xattr_NTACL);
+ struct security_descriptor *sd;
+ NTSTATUS status;
+ sd = sddl_decode(mem_ctx,acls,NULL);
+ if( !sd )
+ {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ acl->version = 1;
+ acl->info.sd = sd;
+
+ *ntacl = acl;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS set_ntacl(TALLOC_CTX *mem_ctx,
+ char *filename,
+ void *ntacl)
+{
+ enum ndr_err_code ndr_err;
+ int ret;
+ DATA_BLOB blob;
+
+ ndr_err = ndr_push_struct_blob(&blob, mem_ctx, lp_iconv_convenience(NULL), ntacl ,(ndr_push_flags_fn_t)ndr_push_xattr_NTACL);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return ndr_map_error2ntstatus(ndr_err);
+ }
+ ret = wrap_setxattr(filename, XATTR_NTACL_NAME, blob.data,blob.length, 0);
+
+ if (ret != 0) {
+ fprintf(stderr, "set_ntacl: %s\n", strerror(errno));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ return NT_STATUS_OK;
+}
 
-int main(int argc, char **argv)
+int main(int argc, const char *argv[])
 {
- printf("This utility disabled until rewritten\n");
- return 1;
+ NTSTATUS status;
+ char *acl = NULL;
+ char *writtenfile = NULL;
+ struct xattr_NTACL *ntacl;
+ poptContext pc;
+ struct loadparm_context *lp_ctx;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ POPT_COMMON_SAMBA
+ POPT_COMMON_VERSION
+ { NULL }
+ };
+
+ setup_logging(NULL, DEBUG_STDERR);
+
+ pc = poptGetContext(NULL, argc, argv, long_options,
+    POPT_CONTEXT_KEEP_FIRST);
+ poptSetOtherOptionHelp(pc, "[OPTION(S)...] acl file\nacl must be in SDDL format check documentation for more information");
+
+ while(poptGetNextOpt(pc) != -1);
+ // Skip program name
+ poptGetArg(pc);
+ if(poptPeekArg(pc)) {
+ acl = strdup(poptGetArg(pc));
+ }
+
+ if(poptPeekArg(pc)) {
+ writtenfile = strdup(poptGetArg(pc));
+ }
+
+ if ( !acl || !writtenfile ) {
+  fprintf(stderr,"ACL and/or file to be written are missing !\nThese parameters are mandatory\n");
+  exit(1);
+ }
+
+ lp_ctx = cmdline_lp_ctx;
+
+ status = build_acl(NULL, acl, &ntacl);
+ if (!NT_STATUS_IS_OK(status)) {
+ fprintf(stderr, "build_acl failed: %s\n", nt_errstr(status));
+ return 1;
+ }
+ status = set_ntacl(NULL, writtenfile, ntacl);
+ if (!NT_STATUS_IS_OK(status)) {
+ fprintf(stderr, "set_ntacl failed: %s\n", nt_errstr(status));
+ return 1;
+ }
+
+ talloc_free(ntacl);
+
+ return 0;
 }
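Review bot: the rewritten header says `Get NT ACLs from UNIX files.` with the year changed from 2004 to 2005, for a tool that sets ACLs; it looks copied from getntacl.c. Keep the original `Set NT ACLs on UNIX files.` and year, which also avoids rewriting every line of the licence block for a whitespace change. `param/param.h` is included twice. In build_acl the `talloc(mem_ctx, struct xattr_NTACL)` is allocated before sddl_decode and leaked when decoding fails, and a malformed SDDL string is reported as NT_STATUS_INTERNAL_ERROR where NT_STATUS_INVALID_PARAMETER describes bad user input better; with NULL as the domain SID, domain-relative aliases such as DA cannot be resolved, so either state in the usage text that fully qualified SIDs are required or pass a domain SID (lp_ctx is assigned and never used). set_ntacl should take `struct xattr_NTACL *` rather than `void *`, and `exit(1)` in main should be `return 1` to match the other exits.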
--
1.6.3.3



[0006-s4-regroup-gpo-modification-in-one-function-set-acl-.patch]

From 184ad35f2cc13d32296f2e0093ba3b3df0e4faa5 Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@...>
Date: Wed, 18 Nov 2009 21:07:25 +0300
Subject: [PATCH 6/6] s4: regroup gpo modification in one function, set ACL on files in accordance with the ACL in LDAP

---
 source4/scripting/python/samba/misc.py      |  120 +++++++++++++++++++++++++++
 source4/scripting/python/samba/provision.py |   63 ++++++++++----
 source4/setup/provision                     |    3 +-
 3 files changed, 166 insertions(+), 20 deletions(-)
 create mode 100644 source4/scripting/python/samba/misc.py

diff --git a/source4/scripting/python/samba/misc.py b/source4/scripting/python/samba/misc.py
new file mode 100644
index 0000000..66b6b27
--- /dev/null
+++ b/source4/scripting/python/samba/misc.py
@@ -0,0 +1,120 @@
+#!/usr/bin/python
+
+# Unix SMB/CIFS implementation.
+# Copyright (C) Matthieu Patou <mat@...> 2009
+#
+#  
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#  
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#  
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+import samba.xattr
+from samba.dcerpc import security, xattr
+from samba.ndr import ndr_pack, ndr_unpack
+
+
+def getntacl(file):
+ attribute = samba.xattr.wrap_getxattr(file,xattr.XATTR_NTACL_NAME)
+ anysid=security.dom_sid(security.SID_NT_SELF)
+ ntacl = ndr_unpack(xattr.NTACL,attribute,1)
+ return ntacl.info.as_sddl(anysid)
+
+def setntacl(file,sddl):
+ ntacl=xattr.NTACL()
+ ntacl.version = 1
+ anysid=security.dom_sid(security.SID_NT_SELF)
+ sd = security.descriptor.from_sddl(sddl, anysid)
+ ntacl.info = sd
+ attribute = samba.xattr.wrap_setxattr(file,xattr.XATTR_NTACL_NAME,ndr_pack(ntacl))
+
+# Takes the access mask of a DS ACE and transform them in a File ACE mask
+def ldapmask2filemask(ldm):
+ RIGHT_DS_CREATE_CHILD     = 0x00000001
+ RIGHT_DS_DELETE_CHILD     = 0x00000002
+ RIGHT_DS_LIST_CONTENTS    = 0x00000004
+ ACTRL_DS_SELF             = 0x00000008
+ RIGHT_DS_READ_PROPERTY    = 0x00000010
+ RIGHT_DS_WRITE_PROPERTY   = 0x00000020
+ RIGHT_DS_DELETE_TREE      = 0x00000040
+ RIGHT_DS_LIST_OBJECT      = 0x00000080
+ RIGHT_DS_CONTROL_ACCESS   = 0x00000100
+ FILE_READ_DATA            = 0x0001
+ FILE_LIST_DIRECTORY       = 0x0001
+ FILE_WRITE_DATA           = 0x0002
+ FILE_ADD_FILE             = 0x0002
+ FILE_APPEND_DATA          = 0x0004
+ FILE_ADD_SUBDIRECTORY     = 0x0004
+ FILE_CREATE_PIPE_INSTANCE = 0x0004
+ FILE_READ_EA              = 0x0008
+ FILE_WRITE_EA             = 0x0010
+ FILE_EXECUTE              = 0x0020
+ FILE_TRAVERSE             = 0x0020
+ FILE_DELETE_CHILD         = 0x0040
+ FILE_READ_ATTRIBUTES      = 0x0080
+ FILE_WRITE_ATTRIBUTES     = 0x0100
+ DELETE                    = 0x00010000
+ READ_CONTROL              = 0x00020000
+ WRITE_DAC                 = 0x00040000
+ WRITE_OWNER               = 0x00080000
+ SYNCHRONIZE               = 0x00100000
+ STANDARD_RIGHTS_ALL       = 0x001F0000
+
+ filemask = ldm & STANDARD_RIGHTS_ALL
+ #filemask = 0
+
+ if( (ldm & RIGHT_DS_READ_PROPERTY) and (ldm & RIGHT_DS_LIST_CONTENTS) ):
+ filemask = filemask | (SYNCHRONIZE | FILE_LIST_DIRECTORY |\
+ FILE_READ_ATTRIBUTES | FILE_READ_EA |\
+ FILE_READ_DATA | FILE_EXECUTE)
+
+ if( (ldm & RIGHT_DS_WRITE_PROPERTY) ):
+ filemask = filemask | (SYNCHRONIZE | FILE_WRITE_DATA |\
+ FILE_APPEND_DATA | FILE_WRITE_EA |\
+ FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE |\
+ FILE_ADD_SUBDIRECTORY)
+
+ if( (ldm & RIGHT_DS_CREATE_CHILD) ):
+ filemask = filemask | (FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE)
+
+ if( (ldm & RIGHT_DS_DELETE_CHILD) ):
+ filemask = filemask | FILE_DELETE_CHILD
+
+ return filemask
+
+# This function takes an the SDDL representation of a DS
+# ACL and return the SDDL representation of this ACL adapted
+# for files. It's used for Policy object provision
+
+def dsacl2fsacl(dssddl):
+ anysid = security.dom_sid(security.SID_NT_SELF)
+ ref = security.descriptor.from_sddl(dssddl,anysid)
+ fdescr = security.descriptor()
+ fdescr.owner_sid = ref.owner_sid
+ fdescr.group_sid = ref.group_sid
+ fdescr.type = ref.type
+ fdescr.revision = ref.revision
+ fdescr.sacl = ref.sacl
+ aces = ref.dacl.aces
+ for i in range(0,len(aces)):
+ ace = aces[i]
+ if not ace.type &  security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT and str(ace.trustee) != security.SID_BUILTIN_PREW2K:
+ # if fdescr.type & security.SEC_DESC_DACL_AUTO_INHERITED:
+ ace.flags = ace.flags | security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT
+ if str(ace.trustee) == security.SID_CREATOR_OWNER:
+ # For Creator/Owner the IO flag is set as this ACE has only a sense for child objects
+ ace.flags = ace.flags | security.SEC_ACE_FLAG_INHERIT_ONLY
+ ace.access_mask =  ldapmask2filemask(ace.access_mask)
+ fdescr.dacl_add(ace)
+
+ return fdescr.as_sddl(anysid)
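Review bot: the ACE filter in dsacl2fsacl silently drops access-denied ACEs. `not ace.type & security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT` parses as `not (ace.type & 5)`, and ACE types are an enumeration, not a bit mask: an ACCESS_DENIED ACE (type 1) and an ACCESS_DENIED_OBJECT ACE (type 6) each share a bit with 5 and are skipped, so a deny on the policy object in the directory never reaches the SYSVOL files. Compare for equality instead, e.g. keep an ACE when `ace.type in (security.SEC_ACE_TYPE_ACCESS_ALLOWED, security.SEC_ACE_TYPE_ACCESS_DENIED)` and skip the object-specific types explicitly. Also: the ACEs are mutated in place on `ref` rather than copied, the commented-out `# if fdescr.type & ...` and `#filemask = 0` lines are leftovers, the bare `1` third argument to `ndr_unpack` in getntacl needs a keyword or comment saying what it selects, `file` shadows the builtin, and `attribute = samba.xattr.wrap_setxattr(...)` assigns a value that is never used.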
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 6d779c3..cc42037 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -47,7 +47,8 @@ from samba import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008, DS_DC_FUNCTI
 from samba.samdb import SamDB
 from samba.idmap import IDmapDB
 from samba.dcerpc import security
-from samba.ndr import ndr_pack
+from samba.misc import setntacl,dsacl2fsacl
+from samba.ndr import ndr_pack,ndr_unpack
 import urllib
 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
 from ms_display_specifiers import read_ms_ldif
@@ -55,7 +56,6 @@ from schema import Schema
 from provisionbackend import LDBBackend, ExistingBackend, FDSBackend, OpenLDAPBackend
 from signal import SIGTERM
 from dcerpc.misc import SEC_CHAN_BDC, SEC_CHAN_WKSTA
-
 __docformat__ = "restructuredText"
 
 def find_setup_dir():
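Review bot: this hunk only deletes the blank line before `__docformat__`, which is unrelated to the change; drop it from the patch.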
@@ -891,6 +891,46 @@ def setup_self_join(samdb, names,
               "NTDSGUID": names.ntdsguid
               })
 
+def set_gpo_acl(path,acl,setfileacl):
+ if setfileacl:
+ setntacl(path,acl)
+ for root, dirs, files in os.walk(path, topdown=False):
+ for name in files:
+ setntacl(os.path.join(root, name),acl)
+ for name in dirs:
+ setntacl(os.path.join(root, name),acl)
+
+def setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid,setfileacl):
+    policy_path = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
+                               "{" + policyguid + "}")
+    os.makedirs(policy_path, 0755)
+    open(os.path.join(policy_path, "GPT.INI"), 'w').write(
+                      "[General]\r\nVersion=65543")
+    os.makedirs(os.path.join(policy_path, "MACHINE"), 0755)
+    os.makedirs(os.path.join(policy_path, "USER"), 0755)
+
+    policy_path_dc = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
+                                  "{" + policyguid_dc + "}")
+    os.makedirs(policy_path_dc, 0755)
+    open(os.path.join(policy_path_dc, "GPT.INI"), 'w').write(
+                      "[General]\r\nVersion=2")
+    os.makedirs(os.path.join(policy_path_dc, "MACHINE"), 0755)
+    os.makedirs(os.path.join(policy_path_dc, "USER"), 0755)
+# call setntacl ...
+    res = samdb.search(base="CN={%s},CN=Policies,CN=System,%s"%(policyguid,names.domaindn),
+                                attrs=["nTSecurityDescriptor"],
+                                expression="", scope=SCOPE_BASE)
+    assert(len(res) > 0)
+    acl = ndr_unpack(security.descriptor,str(res[0]["nTSecurityDescriptor"])).as_sddl(security.dom_sid("S-1-5-21-1"))
+    set_gpo_acl(policy_path_dc,dsacl2fsacl(acl),setfileacl)
+
+    res = samdb.search(base="CN={%s},CN=Policies,CN=System,%s"%(policyguid_dc,names.domaindn),
+                                attrs=["nTSecurityDescriptor"],
+                                expression="", scope=SCOPE_BASE)
+    assert(len(res) > 0)
+    acl = ndr_unpack(security.descriptor,str(res[0]["nTSecurityDescriptor"])).as_sddl(security.dom_sid("S-1-5-21-1"))
+    set_gpo_acl(policy_path,dsacl2fsacl(acl),setfileacl)
+
 
 def setup_samdb(path, setup_path, session_info, provision_backend, lp,
                 names, message,
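Review bot: the two ACLs appear to be applied to the wrong directories. The first search reads the descriptor of `CN={policyguid}` (the domain policy) and applies it to `policy_path_dc`, the second reads `CN={policyguid_dc}` and applies it to `policy_path`; swap the targets so each policy directory gets the ACL of its own object. The `domainsid` parameter is never used: the SDDL is produced with a hard-coded `security.dom_sid("S-1-5-21-1")`, which happens to keep every SID fully qualified but is confusing; either pass `domainsid` (and make sure aliases then round-trip through dsacl2fsacl) or drop the parameter. set_gpo_acl is indented differently from setup_gpo as shown here, `# call setntacl ...` sits at column 0 inside the function, and the duplicated search/unpack/set block would read better as a small helper called twice.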
@@ -1111,7 +1151,7 @@ def provision(setup_dir, message, session_info,
               sitename=None,
               ol_mmr_urls=None, ol_olc=None,
               setup_ds_path=None, slapd_path=None, nosync=False,
-              ldap_dryrun_mode=False):
+              ldap_dryrun_mode=False,setfileacl=False):
     """Provision samba4
     
     :note: caution, this wipes all existing data!
@@ -1308,22 +1348,7 @@ def provision(setup_dir, message, session_info,
             assert(paths.sysvol is not None)            
             
         # Set up group policies (domain policy and domain controller policy)
-
-        policy_path = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
-                                   "{" + policyguid + "}")
-        os.makedirs(policy_path, 0755)
-        open(os.path.join(policy_path, "GPT.INI"), 'w').write(
-                                   "[General]\r\nVersion=65543")
-        os.makedirs(os.path.join(policy_path, "MACHINE"), 0755)
-        os.makedirs(os.path.join(policy_path, "USER"), 0755)
-
-        policy_path_dc = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
-                                   "{" + policyguid_dc + "}")
-        os.makedirs(policy_path_dc, 0755)
-        open(os.path.join(policy_path_dc, "GPT.INI"), 'w').write(
-                                   "[General]\r\nVersion=2")
-        os.makedirs(os.path.join(policy_path_dc, "MACHINE"), 0755)
-        os.makedirs(os.path.join(policy_path_dc, "USER"), 0755)
+        setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid,setfileacl)
 
         if not os.path.isdir(paths.netlogon):
             os.makedirs(paths.netlogon, 0755)
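Review bot: setup_gpo now reads nTSecurityDescriptor from samdb and asserts that the policy objects exist, so this call depends on the CN=Policies objects already being in the database at this point, where the replaced code was pure filesystem setup; a comment at the call site would help, and a clear error message is friendlier than a bare `assert` if the objects are missing.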
diff --git a/source4/setup/provision b/source4/setup/provision
index ed350dd..4ad4d96 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -110,6 +110,7 @@ parser.add_option("--slapd-path", type="string", metavar="SLAPD-PATH",
 parser.add_option("--setup-ds-path", type="string", metavar="SETUP_DS-PATH",
  help="Path to setup-ds.pl script for Fedora DS LDAP backend [e.g.:'/usr/sbin/setup-ds.pl']. Required for Setup with Fedora DS backend.")
 parser.add_option("--nosync", help="Configure LDAP backend not to call fsync() (for performance in test environments)", action="store_true")
+parser.add_option("--setfileacl", help="Set NT ACL on files", action="store_true")
 parser.add_option("--ldap-dryrun-mode", help="Configure LDAP backend, but do not run any binaries and exit early.  Used only for the test environment.  DO NOT USE", action="store_true")
 
 opts = parser.parse_args()[0]
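Review bot: the help text `Set NT ACL on files` does not say which files or what it needs; something like "Set the NT ACL on the SYSVOL policy files (requires xattr support on the filesystem)" tells the administrator what the flag does and why it may fail.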
@@ -210,4 +211,4 @@ provision(setup_dir, message,
           backend_type=opts.ldap_backend_type,
           ldapadminpass=opts.ldapadminpass, ol_mmr_urls=opts.ol_mmr_urls,
           slapd_path=opts.slapd_path, setup_ds_path=opts.setup_ds_path,
-          nosync=opts.nosync,ldap_dryrun_mode=opts.ldap_dryrun_mode)
+          nosync=opts.nosync,ldap_dryrun_mode=opts.ldap_dryrun_mode,setfileacl=opts.setfileacl)
--
1.6.3.3