|
Lines 1691-1701
def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
|
Link Here
|
|---|
|
|---|
| 1691 |
## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did) |
1691 |
## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did) |
| 1692 |
if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)): |
1692 |
if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)): |
| 1693 |
fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)) |
1693 |
fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)) |
|
|
1694 |
|
| 1695 |
LA = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)) |
| 1696 |
DA = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)) |
| 1697 |
CO = security.dom_sid(security.SID_CREATOR_OWNER) |
| 1698 |
|
| 1699 |
PAI_filter = False |
| 1700 |
PAI = (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED) |
| 1701 |
|
| 1702 |
if fsacl.type & PAI == PAI: |
| 1703 |
PAI_filter = True |
| 1704 |
|
| 1705 |
sd = security.descriptor.from_sddl(acl, domainsid) |
| 1706 |
sd.type |= security.SEC_DESC_DACL_AUTO_INHERITED |
| 1707 |
acl = sd.as_sddl(domainsid) |
| 1708 |
|
| 1709 |
sd3 = security.descriptor() |
| 1710 |
sd3.owner_sid = sd.owner_sid |
| 1711 |
sd3.group_sid = sd.group_sid |
| 1712 |
sd3.type = sd.type |
| 1713 |
sd3.type &= ~ security.SEC_DESC_DACL_PROTECTED |
| 1714 |
sd3.revision = sd.revision |
| 1715 |
|
| 1716 |
sd2 = security.descriptor() |
| 1717 |
sd2.owner_sid = sd.owner_sid |
| 1718 |
sd2.group_sid = sd.group_sid |
| 1719 |
sd2.type = sd.type |
| 1720 |
sd2.type &= ~ security.SEC_DESC_DACL_PROTECTED |
| 1721 |
sd2.revision = sd.revision |
| 1722 |
skip_other_da_aces = False |
| 1723 |
for i in range(0, len(sd.dacl.aces)): |
| 1724 |
if skip_other_da_aces and sd.dacl.aces[i].trustee in (DA, LA): |
| 1725 |
continue |
| 1726 |
if sd.dacl.aces[i].trustee == DA: |
| 1727 |
skip_other_da_aces = True |
| 1728 |
if str(sd.dacl.aces[i].trustee) == security.SID_CREATOR_OWNER: |
| 1729 |
continue |
| 1730 |
#sd.dacl.aces[i].flags &= ~ security.SEC_ACE_FLAG_INHERITED_ACE |
| 1731 |
sd3.dacl_add(sd.dacl.aces[i]) |
| 1732 |
sd.dacl.aces[i].flags |= security.SEC_ACE_FLAG_INHERITED_ACE |
| 1733 |
sd.dacl.aces[i].flags &= ~ (security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT) |
| 1734 |
sd2.dacl_add(sd.dacl.aces[i]) |
| 1735 |
acl2 = sd2.as_sddl(domainsid) |
| 1736 |
acl3 = sd3.as_sddl(domainsid) |
| 1737 |
#print "ACL1: %s" % acl |
| 1738 |
#print "ACL2: %s" % acl2 |
| 1739 |
#print "ACL3: %s" % acl3 |
| 1740 |
else: |
| 1741 |
sd = security.descriptor.from_sddl(acl, domainsid) |
| 1742 |
|
| 1743 |
sd3 = security.descriptor() |
| 1744 |
sd3.owner_sid = sd.owner_sid |
| 1745 |
sd3.group_sid = sd.group_sid |
| 1746 |
sd3.type = sd.type |
| 1747 |
sd3.revision = sd.revision |
| 1748 |
|
| 1749 |
skip_other_da_aces = False |
| 1750 |
for i in range(0, len(sd.dacl.aces)): |
| 1751 |
if skip_other_da_aces and sd.dacl.aces[i].trustee in (DA, LA): |
| 1752 |
continue |
| 1753 |
if sd.dacl.aces[i].trustee == DA: |
| 1754 |
skip_other_da_aces = True |
| 1755 |
if str(sd.dacl.aces[i].trustee) == security.SID_CREATOR_OWNER: |
| 1756 |
continue |
| 1757 |
sd3.dacl_add(sd.dacl.aces[i]) |
| 1758 |
acl3 = sd3.as_sddl(domainsid) |
| 1759 |
acl2 = acl3 |
| 1760 |
#print "ACL1: %s" % acl |
| 1761 |
#print "ACL3: %s" % acl3 |
| 1694 |
fsacl_sddl_mapped = fsacl.as_sddl(domainsid) |
1762 |
fsacl_sddl_mapped = fsacl.as_sddl(domainsid) |
| 1695 |
|
1763 |
|
| 1696 |
|
1764 |
|
| 1697 |
if fsacl_sddl_mapped != acl: |
1765 |
if fsacl_sddl_mapped != acl: |
| 1698 |
raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl_mapped, acl)) |
1766 |
raise ProvisioningError('%s NTACL of GPO directory %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), path, fsacl_sddl_mapped, acl)) |
| 1699 |
|
1767 |
|
| 1700 |
for root, dirs, files in os.walk(path, topdown=False): |
1768 |
for root, dirs, files in os.walk(path, topdown=False): |
| 1701 |
for name in files: |
1769 |
for name in files: |
|
Lines 1708-1717
def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
|
Link Here
|
|---|
|
|---|
| 1708 |
## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did) |
1776 |
## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did) |
| 1709 |
if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)): |
1777 |
if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)): |
| 1710 |
fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)) |
1778 |
fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)) |
| 1711 |
fsacl_sddl_mapped = fsacl.as_sddl(domainsid) |
|
|
| 1712 |
|
1779 |
|
| 1713 |
if fsacl_sddl_mapped != acl: |
1780 |
fsacl2 = security.descriptor() |
| 1714 |
raise ProvisioningError('%s NTACL of GPO file %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl)) |
1781 |
fsacl2.owner_sid = fsacl.owner_sid |
|
|
1782 |
fsacl2.group_sid = fsacl.group_sid |
| 1783 |
fsacl2.type = fsacl.type |
| 1784 |
fsacl2.revision = fsacl.revision |
| 1785 |
skip_other_da_aces = False |
| 1786 |
for i in range(0, len(fsacl.dacl.aces)): |
| 1787 |
if skip_other_da_aces and fsacl.dacl.aces[i].trustee in (DA, LA): |
| 1788 |
continue |
| 1789 |
if fsacl.dacl.aces[i].trustee == DA: |
| 1790 |
skip_other_da_aces = True |
| 1791 |
fsacl2.dacl_add(fsacl.dacl.aces[i]) |
| 1792 |
try: |
| 1793 |
fsacl2.dacl_del(CO) |
| 1794 |
except: |
| 1795 |
pass |
| 1796 |
|
| 1797 |
fsacl_sddl_mapped = fsacl2.as_sddl(domainsid) |
| 1798 |
|
| 1799 |
if fsacl_sddl_mapped != acl2: |
| 1800 |
raise ProvisioningError('%s NTACL of GPO file %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl2)) |
| 1715 |
|
1801 |
|
| 1716 |
for name in dirs: |
1802 |
for name in dirs: |
| 1717 |
fsacl = getntacl(lp, os.path.join(root, name), |
1803 |
fsacl = getntacl(lp, os.path.join(root, name), |
|
Lines 1723-1732
def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
|
Link Here
|
|---|
|
|---|
| 1723 |
## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did) |
1809 |
## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did) |
| 1724 |
if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)): |
1810 |
if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)): |
| 1725 |
fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)) |
1811 |
fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)) |
| 1726 |
fsacl_sddl_mapped = fsacl.as_sddl(domainsid) |
|
|
| 1727 |
|
1812 |
|
| 1728 |
if fsacl_sddl_mapped != acl: |
1813 |
fsacl2 = security.descriptor() |
| 1729 |
raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl)) |
1814 |
fsacl2.owner_sid = fsacl.owner_sid |
|
|
1815 |
fsacl2.group_sid = fsacl.group_sid |
| 1816 |
fsacl2.type = fsacl.type |
| 1817 |
fsacl2.revision = fsacl.revision |
| 1818 |
skip_other_da_aces = False |
| 1819 |
for i in range(0, len(fsacl.dacl.aces)): |
| 1820 |
if skip_other_da_aces and fsacl.dacl.aces[i].trustee in (DA, LA): |
| 1821 |
continue |
| 1822 |
fsacl.dacl.aces[i].flags &= ~ security.SEC_ACE_FLAG_INHERITED_ACE |
| 1823 |
if fsacl.dacl.aces[i].trustee == DA: |
| 1824 |
skip_other_da_aces = True |
| 1825 |
fsacl2.dacl_add(fsacl.dacl.aces[i]) |
| 1826 |
try: |
| 1827 |
fsacl2.dacl_del(CO) |
| 1828 |
except: |
| 1829 |
pass |
| 1830 |
|
| 1831 |
fsacl_sddl_mapped = fsacl2.as_sddl(domainsid) |
| 1832 |
|
| 1833 |
if fsacl_sddl_mapped != acl3: |
| 1834 |
raise ProvisioningError('%s XNTACL of GPO directory %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl3)) |
| 1730 |
|
1835 |
|
| 1731 |
def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, |
1836 |
def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, |
| 1732 |
direct_db_access): |
1837 |
direct_db_access): |
| 1733 |
- |
|
|