[PATCH] Port of samba.security Python module
Andreas Schneider
asn at samba.org
Thu Aug 24 12:22:52 UTC 2017
On Thursday, 24 August 2017 13:21:27 CEST Lumir Balhar via samba-technical
wrote:
> On 08/08/2017 11:47 AM, Lumir Balhar via samba-technical wrote:
> > On 08/08/2017 10:47 AM, Stefan Metzmacher wrote:
> >> Hi Lumir,
> >>
> >>> +
> >>> +class CheckAccessTests(samba.tests.TestCase):
> >>> +
> >>> + def test_check_access(self):
> >>> + desc =
> >>> security.descriptor.from_sddl("O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-
> >>> 0-0)", security.dom_sid("S-2-0-0"))
> >>> + token = security.token()
> >>> +
> >>> + self.assertEqual(access_check(desc, token, 0), 0)
> >>> +
> >>> + params = (
> >>> + (-1, -1073741727, 'A required privilege is not held by
> >>> the client.'),
> >>> + (1, -1073741790, '{Access Denied} A process has
> >>> requested access to an object but has not been granted those access
> >>> rights.')
> >>> + )
> >>
> >> Can you use string constants for the integer values?
> >>
> >> I guess you can use
> >> security.SEC_FLAG_SYSTEM_SECURITY/ntstatus.NT_STATUS_PRIVILEGE_NOT_HELD
> >> and
> >> security.SEC_STD_READ_CONTROL/ntstatus.NT_STATUS_ACCESS_DENIED
> >>
> >> And I guess checking the status code is enough, we don't
> >> need to assert on the error message.
> >>
> >> metze
> >
> > Thank you for the review. Yes, I can use constants instead of integers
> > - good idea - but samba.ntstatus module is not ready for Python 3 yet.
> > It is not a big problem because I am working on samba.ntstatus and
> > samba.werror modules right now so I am gonna send another patchset
> > today and when it will be merged I'll fix these test.
> >
> > Thank you one more time and have a nice day.
> > LumÃr
>
> Hello.
>
> Because samba.ntstatus module is now available for Python 3 in master, I
> tried your suggestion and I replaced integers values with constants from
> samba.dcerpc.security and samba.ntstatus.
>
> Replaced arguments SEC_FLAG_SYSTEM_SECURITY and SEC_STD_READ_CONTROL are
> working well but exceptions contain different error numbers than
> NT_STATUS_PRIVILEGE_NOT_HELD and NT_STATUS_ACCESS_DENIED and I cannot
> find the right ones.
>
> NT_STATUS_PRIVILEGE_NOT_HELD = 3221225569 but exception contains -1073741727
> NT_STATUS_ACCESS_DENIED = 3221225506 but exception contains -1073741790
Sounds like the bug. The exception seems to return an int where it should
return an unsigned int??
i2c -1073741727
18446744072635809889 0xFFFFFFFFC0000061 01777777777770000000141
#define NT_STATUS_PRIVILEGE_NOT_HELD NT_STATUS(0xc0000061)
Andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
More information about the samba-technical
mailing list