Getting and setting SDs from Python for testing ...

Matthieu Patou mat at samba.org
Sun Mar 25 18:04:15 MDT 2012


On 03/25/2012 04:16 PM, Richard Sharpe wrote:
> On Sun, Mar 25, 2012 at 4:07 PM, Amitay Isaacs<amitay at gmail.com>  wrote:
>> Hi Richard,
>>
>> 2012/3/26 Richard Sharpe<realrichardsharpe at gmail.com>:
>>> Hi Folks,
>>>
>>> Well, this patch now works for me but I am unhappy with it and want to
>>> move to treating the security_info parameters as optional. The
>>> following patch is sent mainly to get feedback ...
>>>
>>> diff --git a/source4/libcli/pysmb.c b/source4/libcli/pysmb.c
>>> index 2f9a579..bc90df7 100644
>>> --- a/source4/libcli/pysmb.c
>>> +++ b/source4/libcli/pysmb.c
>>> @@ -302,9 +302,10 @@ static PyObject *py_smb_getacl(pytalloc_Object *self, PyObj
>>>         union smb_fileinfo fio;
>>>         struct smb_private_data *spdata;
>>>         const char *filename;
>>> +       int sinfo = 0;
>>>         int fnum;
>>>
>>> -       if (!PyArg_ParseTuple(args, "s:get_acl",&filename)) {
>>> +       if (!PyArg_ParseTuple(args, "si:get_acl",&filename,&sinfo)) {
>>>                 return NULL;
>>>         }
>>>
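Review bot: the new format string "si:get_acl" makes security_info a required argument, so existing get_acl(path) callers will fail with a TypeError. Since the stated aim is an optional parameter, use "s|i:get_acl" or keyword parsing; sinfo is already initialised to 0 for that case. sinfo is an int here but a uint32_t in py_smb_setacl; use one unsigned type in both, since it carries a flag mask.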
>>> @@ -335,7 +336,10 @@ static PyObject *py_smb_getacl(pytalloc_Object *self, PyObj
>>>
>>>         fio.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
>>>         fio.query_secdesc.in.file.fnum = fnum;
>>> -       fio.query_secdesc.in.secinfo_flags = SECINFO_OWNER |
>>> +       if (sinfo)
>>> +               fio.query_secdesc.in.secinfo_flags = sinfo;
>>> +       else
>>> +               fio.query_secdesc.in.secinfo_flags = SECINFO_OWNER |
>>>                                                 SECINFO_GROUP |
>>>                                                 SECINFO_DACL |
>>>                                                 SECINFO_PROTECTED_DACL |
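Review bot: in the new if/else, any non-zero sinfo is copied into secinfo_flags unchecked, including negative values, because sinfo is a signed int. Reject values with bits outside the SECINFO_* set by raising ValueError before the request is built, and put braces around both branches, since the else arm spans several lines.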
>>> @@ -367,9 +371,10 @@ static PyObject *py_smb_setacl(pytalloc_Object *self, PyObj
>>>         const char *filename;
>>>         PyObject *py_sd;
>>>         struct security_descriptor *sd;
>>> +       uint32_t sinfo = 0;
>>>         int fnum;
>>>
>>> -       if (!PyArg_ParseTuple(args, "sO:set_acl",&filename,&py_sd)) {
>>> +       if (!PyArg_ParseTuple(args, "sOi:set_acl",&filename,&py_sd,&sinfo)) {
>>>                 return NULL;
>>>         }
>>>
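Review bot: sinfo is declared uint32_t but parsed with the "i" format unit, which stores through an int pointer; declare it unsigned int and parse with "I", or parse into an int and convert after a range check. "sOi:set_acl" also makes the third argument mandatory, which breaks existing set_acl(path, sd) callers; "sO|I:set_acl" keeps them working.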
>>> @@ -410,7 +415,7 @@ static PyObject *py_smb_setacl(pytalloc_Object *self, PyObje
>>>
>>>         fio.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
>>>         fio.set_secdesc.in.file.fnum = fnum;
>>> -       fio.set_secdesc.in.secinfo_flags = 0;
>>> +       fio.set_secdesc.in.secinfo_flags = sinfo;
>>>         fio.set_secdesc.in.sd = sd;
>>>
>>>         status = smb_raw_set_secdesc(spdata->tree,&fio);
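Review bot: with secinfo_flags = sinfo, a call that passes 0 still sends the request with no security_info bits selected, exactly as the removed line did. Give the zero case a useful default, for example the SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_PROTECTED_DACL set that py_smb_getacl falls back to, so the descriptor's sections are actually applied.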
>>> @@ -447,10 +452,10 @@ static PyMethodDef py_smb_methods[] = {
>>>                 "chkpath(path) ->  True or False\n\n \
>>>                 Return true if path exists, false otherwise." },
>>>         { "get_acl", (PyCFunction)py_smb_getacl, METH_VARARGS,
>>> -               "get_acl(path) ->  security_descriptor object\n\n \
>>> +               "get_acl(path, security_info) ->  security_descriptor object\n\n
>>>                 Get security descriptor for file." },
>>>         { "set_acl", (PyCFunction)py_smb_setacl, METH_VARARGS,
>>> -               "set_acl(path, security_descriptor) ->  None\n\n \
>>> +               "set_acl(path, security_descriptor, security_info) ->  None\n\n \
>>>                 Set security descriptor for file." },
>>>         { NULL },
>>>   };
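Review bot: the added get_acl docstring line, as shown, ends in \n\n without the trailing backslash that the removed line and the set_acl line both carry, which leaves the string literal unterminated at the end of that line; restore the " \" continuation. If security_info becomes optional, document it as get_acl(path[, security_info]) and set_acl(path, security_descriptor[, security_info]) and state that it takes SECINFO_* bits.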
>>> @@ -522,7 +527,7 @@ static PyTypeObject PySMB = {
>>>         .tp_new = py_smb_new,
>>>         .tp_flags = Py_TPFLAGS_DEFAULT,
>>>         .tp_methods = py_smb_methods,
>>> -       .tp_doc = "SMB(hostname, service[, lp[, creds]]) ->  SMB connection objec
>>> +       .tp_doc = "SMB(hostname, service[, creds[, lp]]) ->  SMB connection objec
>>>
>>>   };
>>>
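Review bot: swapping lp and creds in tp_doc is unrelated to the security_info change; move it to its own commit and confirm the new order matches the keyword list in py_smb_new().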
>> You can convert sinfo as an optional argument using kwargs.
>>
>> For example, check py_smb_new().
> Sure, thanks.
>
> Do you have any objections to the approach I am taking?
>
> I would also want to fix the issue in set_acl (security_info needs to
> be set to something useful if it is not supplied on the call.)
As a reminder, if you want to manipulate SDs from the command line, you
have an option in samba-tool:

./bin/samba-tool ntacl get ~/workspace/samba/s4.shmn/sysvol --as-sddl

O:S-1-5-21-2074221360-3551385602-955440892-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

You can also use the set subcommand to set it if you supply an SDDL.

Matthieu.



-- 
Matthieu Patou
Samba Team
http://samba.org
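
For checking a descriptor like the one samba-tool printed above in a test, the following added example (not part of the original message and not Samba code) parses the SDDL string and lists the trustees whose allow ACEs carry write, delete or ownership bits. The function names are hypothetical, and it assumes no SACL, rights given as hex or as the FA/FR/FW/FX codes, and no evaluation of deny ACEs or group membership.

```python
import re

# The descriptor printed by samba-tool in the message above.
SAMPLE_SDDL = ("O:S-1-5-21-2074221360-3551385602-955440892-500G:BAD:P"
               "(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

SID = r"(?:S-1-[0-9-]+|[A-Z]{2})"  # full SID or two-letter SDDL alias
SDDL_RE = re.compile(rf"O:(?P<owner>{SID})G:(?P<group>{SID})"
                     r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))*)")
# Two-letter file rights that may appear instead of a hex mask.
RIGHTS = {"FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}
# FILE_WRITE_DATA, APPEND_DATA, WRITE_EA, DELETE_CHILD, WRITE_ATTRIBUTES,
# DELETE, WRITE_DAC, WRITE_OWNER: bits that let a trustee alter the object.
MODIFY_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000


def parse_rights(text):
    """Return the 32-bit access mask for a hex or two-letter rights field."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]  # KeyError on rights this sketch omits
    return mask


def parse_sddl(sddl):
    """Split owner, group, DACL flags and ACEs out of an SDDL string."""
    m = SDDL_RE.fullmatch(sddl.strip())
    if m is None:
        raise ValueError("unsupported SDDL layout (sketch has no SACL support)")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m["aces"]):
        ace_type, ace_flags, rights, _obj, _inh, trustee = body.split(";")
        aces.append({"type": ace_type, "flags": ace_flags,
                     "mask": parse_rights(rights), "trustee": trustee})
    return {"owner": m["owner"], "group": m["group"],
            "protected": "P" in m["flags"], "aces": aces}


def trustees_who_can_modify(sd):
    """Trustees holding an allow ACE with any write/delete/ownership bit."""
    return sorted({a["trustee"] for a in sd["aces"]
                   if a["type"] == "A" and a["mask"] & MODIFY_BITS})


if __name__ == "__main__":
    print(trustees_who_can_modify(parse_sddl(SAMPLE_SDDL)))
```

On the sysvol descriptor above, only BA and SY hold modify rights; SO and AU have the 0x001200a9 read-and-execute mask.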


