[PATCH] Port of samba.security Python module

Andreas Schneider asn at samba.org
Thu Aug 24 12:22:52 UTC 2017


On Thursday, 24 August 2017 13:21:27 CEST Lumir Balhar via samba-technical 
wrote:
> On 08/08/2017 11:47 AM, Lumir Balhar via samba-technical wrote:
> > On 08/08/2017 10:47 AM, Stefan Metzmacher wrote:
> >> Hi Lumir,
> >> 
> >>> +
> >>> +class CheckAccessTests(samba.tests.TestCase):
> >>> +
> >>> +    def test_check_access(self):
> >>> +        desc =
> >>> security.descriptor.from_sddl("O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-
> >>> 0-0)", security.dom_sid("S-2-0-0"))
> >>> +        token = security.token()
> >>> +
> >>> +        self.assertEqual(access_check(desc, token, 0), 0)
> >>> +
> >>> +        params = (
> >>> +            (-1, -1073741727, 'A required privilege is not held by
> >>> the client.'),
> >>> +            (1, -1073741790, '{Access Denied} A process has
> >>> requested access to an object but has not been granted those access
> >>> rights.')
> >>> +        )
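Review bot: the expected codes in the params tuple, -1073741727 and -1073741790, are signed 32-bit readings of NTSTATUS values, and the first access mask is passed as -1, so the test only passes while the binding hands back a signed int. Compare on the unsigned value instead, for example by masking the status taken from the exception with 0xffffffff before the comparison, and add a short comment on each row naming the status it expects. The excerpt defines params but does not show the loop that consumes it, so it is not visible here how the message text in the third column is compared.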
> >> 
> >> Can you use string constants for the integer values?
> >> 
> >> I guess you can use
> >> security.SEC_FLAG_SYSTEM_SECURITY/ntstatus.NT_STATUS_PRIVILEGE_NOT_HELD
> >> and
> >> security.SEC_STD_READ_CONTROL/ntstatus.NT_STATUS_ACCESS_DENIED
> >> 
> >> And I guess checking the status code is enough, we don't
> >> need to assert on the error message.
> >> 
> >> metze
> > 
> > Thank you for the review. Yes, I can use constants instead of integers
> > - good idea - but samba.ntstatus module is not ready for Python 3 yet.
> > It is not a big problem because I am working on samba.ntstatus and
> > samba.werror modules right now so I am gonna send another patchset
> > > today and when it is merged I'll fix these tests.
> > 
> > Thank you one more time and have a nice day.
> > Lumír
> 
> Hello.
> 
> Because samba.ntstatus module is now available for Python 3 in master, I
> tried your suggestion and I replaced integer values with constants from
> samba.dcerpc.security and samba.ntstatus.
> 
> Replaced arguments SEC_FLAG_SYSTEM_SECURITY and SEC_STD_READ_CONTROL are
> working well but exceptions contain different error numbers than
> NT_STATUS_PRIVILEGE_NOT_HELD and NT_STATUS_ACCESS_DENIED and I cannot
> find the right ones.
> 
> NT_STATUS_PRIVILEGE_NOT_HELD = 3221225569 but exception contains -1073741727
> NT_STATUS_ACCESS_DENIED = 3221225506 but exception contains -1073741790

Sounds like the bug. The exception seems to return an int where it should 
return an unsigned int??

i2c -1073741727
18446744072635809889 0xFFFFFFFFC0000061 01777777777770000000141

#define NT_STATUS_PRIVILEGE_NOT_HELD NT_STATUS(0xc0000061)


	Andreas

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
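
Added example, not part of the original message and not Samba's code: the signed/unsigned mismatch discussed above, reproduced in plain Python without importing samba. The two constants are the values quoted in the thread; the helper names are hypothetical, and nothing is assumed about where in the bindings the conversion happens.

```python
import struct

# Values quoted in the thread (unsigned 32-bit NTSTATUS codes).
NT_STATUS_ACCESS_DENIED = 0xC0000022       # 3221225506
NT_STATUS_PRIVILEGE_NOT_HELD = 0xC0000061  # 3221225569

SEVERITY = ("success", "informational", "warning", "error")


def as_c_int(status):
    """Reinterpret an unsigned 32-bit status as a C 'int' (two's complement)."""
    return struct.unpack("<i", struct.pack("<I", status))[0]


def as_ntstatus(value):
    """Normalise a signed or sign-extended reading to the unsigned 32-bit code."""
    return value & 0xFFFFFFFF


def sign_extended_64(value):
    """The 64-bit pattern a calculator shows for the negative reading."""
    return value & 0xFFFFFFFFFFFFFFFF


def decode(value):
    """Split an NTSTATUS into severity, customer bit, facility and code."""
    s = as_ntstatus(value)
    return {
        "severity": SEVERITY[s >> 30],        # bits 31-30
        "customer": bool(s & 0x20000000),     # bit 29
        "facility": (s >> 16) & 0x0FFF,       # bits 27-16
        "code": s & 0xFFFF,                   # bits 15-0
    }


def same_status(raised, expected):
    """Compare an exception's status with a constant regardless of signedness."""
    return as_ntstatus(raised) == as_ntstatus(expected)


if __name__ == "__main__":
    for name, const in (("NT_STATUS_PRIVILEGE_NOT_HELD", NT_STATUS_PRIVILEGE_NOT_HELD),
                        ("NT_STATUS_ACCESS_DENIED", NT_STATUS_ACCESS_DENIED)):
        signed = as_c_int(const)
        print(name, const, signed, hex(sign_extended_64(signed)), decode(signed))
```

A test that has to run against bindings with either behaviour can compare through `same_status()` rather than on the raw integer.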


