Getting and setting SDs from Python for testing ...
Matthieu Patou
mat at samba.org
Sun Mar 25 18:04:15 MDT 2012
On 03/25/2012 04:16 PM, Richard Sharpe wrote:
> On Sun, Mar 25, 2012 at 4:07 PM, Amitay Isaacs<amitay at gmail.com> wrote:
>> Hi Richard,
>>
>> 2012/3/26 Richard Sharpe<realrichardsharpe at gmail.com>:
>>> Hi Folks,
>>>
>>> Well, this patch now works for me but I am unhappy with it and want to
>>> move to treating the security_info parameters as optional. The
>>> following patch is sent mainly to get feedback ...
>>>
>>> diff --git a/source4/libcli/pysmb.c b/source4/libcli/pysmb.c
>>> index 2f9a579..bc90df7 100644
>>> --- a/source4/libcli/pysmb.c
>>> +++ b/source4/libcli/pysmb.c
>>> @@ -302,9 +302,10 @@ static PyObject *py_smb_getacl(pytalloc_Object *self, PyObj
>>> union smb_fileinfo fio;
>>> struct smb_private_data *spdata;
>>> const char *filename;
>>> + int sinfo = 0;
>>> int fnum;
>>>
>>> - if (!PyArg_ParseTuple(args, "s:get_acl",&filename)) {
>>> + if (!PyArg_ParseTuple(args, "si:get_acl",&filename,&sinfo)) {
>>> return NULL;
>>> }
>>>
>>> @@ -335,7 +336,10 @@ static PyObject *py_smb_getacl(pytalloc_Object *self, PyObj
>>>
>>> fio.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
>>> fio.query_secdesc.in.file.fnum = fnum;
>>> - fio.query_secdesc.in.secinfo_flags = SECINFO_OWNER |
>>> + if (sinfo)
>>> + fio.query_secdesc.in.secinfo_flags = sinfo;
>>> + else
>>> + fio.query_secdesc.in.secinfo_flags = SECINFO_OWNER |
>>> SECINFO_GROUP |
>>> SECINFO_DACL |
>>> SECINFO_PROTECTED_DACL |
>>> @@ -367,9 +371,10 @@ static PyObject *py_smb_setacl(pytalloc_Object *self, PyObj
>>> const char *filename;
>>> PyObject *py_sd;
>>> struct security_descriptor *sd;
>>> + uint32_t sinfo = 0;
>>> int fnum;
>>>
>>> - if (!PyArg_ParseTuple(args, "sO:set_acl",&filename,&py_sd)) {
>>> + if (!PyArg_ParseTuple(args, "sOi:set_acl",&filename,&py_sd,&sinfo)) {
>>> return NULL;
>>> }
>>>
>>> @@ -410,7 +415,7 @@ static PyObject *py_smb_setacl(pytalloc_Object *self, PyObje
>>>
>>> fio.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
>>> fio.set_secdesc.in.file.fnum = fnum;
>>> - fio.set_secdesc.in.secinfo_flags = 0;
>>> + fio.set_secdesc.in.secinfo_flags = sinfo;
>>> fio.set_secdesc.in.sd = sd;
>>>
>>> status = smb_raw_set_secdesc(spdata->tree,&fio);
>>> @@ -447,10 +452,10 @@ static PyMethodDef py_smb_methods[] = {
>>> "chkpath(path) -> True or False\n\n \
>>> Return true if path exists, false otherwise." },
>>> { "get_acl", (PyCFunction)py_smb_getacl, METH_VARARGS,
>>> - "get_acl(path) -> security_descriptor object\n\n \
>>> + "get_acl(path, security_info) -> security_descriptor object\n\n
>>> Get security descriptor for file." },
>>> { "set_acl", (PyCFunction)py_smb_setacl, METH_VARARGS,
>>> - "set_acl(path, security_descriptor) -> None\n\n \
>>> + "set_acl(path, security_descriptor, security_info) -> None\n\n \
>>> Set security descriptor for file." },
>>> { NULL },
>>> };
>>> @@ -522,7 +527,7 @@ static PyTypeObject PySMB = {
>>> .tp_new = py_smb_new,
>>> .tp_flags = Py_TPFLAGS_DEFAULT,
>>> .tp_methods = py_smb_methods,
>>> - .tp_doc = "SMB(hostname, service[, lp[, creds]]) -> SMB connection objec
>>> + .tp_doc = "SMB(hostname, service[, creds[, lp]]) -> SMB connection objec
>>>
>>> };
>>>
>> You can convert sinfo as an optional argument using kwargs.
>>
>> For example, check py_smb_new().
> Sure, thanks.
>
> Do you have any objections to the approach I am taking?
>
> I would also want to fix the issue in set_acl (security_info needs to
> be set to something useful if it is not supplied on the call.)
As a reminder if you want to manipulate SD from the command line you
have an option in samba-tool:
./bin/samba-tool ntacl get ~/workspace/samba/s4.shmn/sysvol --as-sddl
O:S-1-5-21-2074221360-3551385602-955440892-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
You can also you the set sub command to set it if you supply an SDDL.
Matthieu.
--
Matthieu Patou
Samba Team
http://samba.org
More information about the samba-technical
mailing list