[PATCH] Improve provision acl handling

Jelmer Vernooij jelmer at samba.org
Mon Nov 5 13:25:43 MST 2012


On Mon, Nov 05, 2012 at 10:08:12PM +1100, Andrew Bartlett wrote:
> This patch avoids going to and from a string in dsacl2fsacl and catches
> a missing case (directory checking) in the sysvolcheck code.
> 
> The directory walk was missed due to a cut-and-paste error.
... This would be really nice to unit-test I think. :-)

Either way, it's an improvement over the current situation so +1 with
one minor note:

> @@ -1071,7 +1071,6 @@ class cmd_del(Command):
>  
>          self.outf.write("GPO %s deleted.\n" % gpo)
>  
> -
>  class cmd_gpo(SuperCommand):
>      """Group Policy Object (GPO) management."""
>  
The Python coding standard (PEP8) prescribes two empty lines between
top-level classes. We might not be sticking to that everywhere, but
please don't remove existing whitespace like that. :-)

> @@ -1395,7 +1395,7 @@ def set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, p
>          acl = ndr_unpack(security.descriptor,
>                           str(policy["nTSecurityDescriptor"])).as_sddl()
>          policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
> -        set_dir_acl(policy_path, dsacl2fsacl(acl, str(domainsid)), lp,
> +        set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>                      str(domainsid), use_ntvfs,
>                      passdb=passdb)
>  
> @@ -1522,7 +1522,7 @@ def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>          acl = ndr_unpack(security.descriptor,
>                           str(policy["nTSecurityDescriptor"])).as_sddl()
>          policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
> -        check_dir_acl(policy_path, dsacl2fsacl(acl, str(domainsid)), lp,
> +        check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>                        domainsid, direct_db_access)

As a sidethought, I wonder if we need to add a convenience function in
the C bindings that allows us to convert a Python object to a dom_sid,
whether it is a Python dom_sid object or a Python string. Having to
cast sids everywhere in the Python code is annoying and prone to bugs.

Cheers,

Jelmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121105/3df66512/attachment.pgp>


More information about the samba-technical mailing list