python/samba/samba3/libsmb_samba_internal.py

   1 # Copyright (C) Volker Lendecke <vl@samba.org> 2020
   2 #
   3 # This program is free software; you can redistribute it and/or modify
   4 # it under the terms of the GNU General Public License as published by
   5 # the Free Software Foundation; either version 3 of the License, or
   6 # (at your option) any later version.
   7 #
   8 # This program is distributed in the hope that it will be useful,
   9 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  10 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  11 # GNU General Public License for more details.
  12 #
  13 # You should have received a copy of the GNU General Public License
  14 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  15
  16 from samba.samba3.libsmb_samba_cwrapper import *
  17 from samba.dcerpc import security
  18
  19 class Conn(LibsmbCConn):
  20     def deltree(self, path):
  21         if self.chkpath(path):
  22             for entry in self.list(path):
  23                 self.deltree(path + "\\" + entry['name'])
  24             self.rmdir(path)
  25         else:
  26             self.unlink(path)
  27
  28     SECINFO_DEFAULT_FLAGS = \
  29         security.SECINFO_OWNER | \
  30         security.SECINFO_GROUP | \
  31         security.SECINFO_DACL | \
  32         security.SECINFO_SACL
  33
  34     def required_access_for_get_secinfo(self, secinfo):
  35         access = 0
  36
  37         #
  38         # This is based on MS-FSA
  39         # 2.1.5.13 Server Requests a Query of Security Information
  40         #
  41         # Note that MS-SMB2 3.3.5.20.3 Handling SMB2_0_INFO_SECURITY
  42         # doesn't specify any extra checks
  43         #
  44
  45         if secinfo & security.SECINFO_OWNER:
  46             access |= security.SEC_STD_READ_CONTROL
  47         if secinfo & security.SECINFO_GROUP:
  48             access |= security.SEC_STD_READ_CONTROL
  49         if secinfo & security.SECINFO_DACL:
  50             access |= security.SEC_STD_READ_CONTROL
  51         if secinfo & security.SECINFO_SACL:
  52             access |= security.SEC_FLAG_SYSTEM_SECURITY
  53
  54         if secinfo & security.SECINFO_LABEL:
  55             access |= security.SEC_STD_READ_CONTROL
  56
  57         return access
  58
  59     def required_access_for_set_secinfo(self, secinfo):
  60         access = 0
  61
  62         #
  63         # This is based on MS-FSA
  64         # 2.1.5.16 Server Requests Setting of Security Information
  65         # and additional constraints from
  66         # MS-SMB2 3.3.5.21.3 Handling SMB2_0_INFO_SECURITY
  67         #
  68
  69         if secinfo & security.SECINFO_OWNER:
  70             access |= security.SEC_STD_WRITE_OWNER
  71         if secinfo & security.SECINFO_GROUP:
  72             access |= security.SEC_STD_WRITE_OWNER
  73         if secinfo & security.SECINFO_DACL:
  74             access |= security.SEC_STD_WRITE_DAC
  75         if secinfo & security.SECINFO_SACL:
  76             access |= security.SEC_FLAG_SYSTEM_SECURITY
  77
  78         if secinfo & security.SECINFO_LABEL:
  79             access |= security.SEC_STD_WRITE_OWNER
  80
  81         if secinfo & security.SECINFO_ATTRIBUTE:
  82             access |= security.SEC_STD_WRITE_DAC
  83
  84         if secinfo & security.SECINFO_SCOPE:
  85             access |= security.SEC_FLAG_SYSTEM_SECURITY
  86
  87         if secinfo & security.SECINFO_BACKUP:
  88             access |= security.SEC_STD_WRITE_OWNER
  89             access |= security.SEC_STD_WRITE_DAC
  90             access |= security.SEC_FLAG_SYSTEM_SECURITY
  91
  92         return access
  93
  94     def get_acl(self,
  95                 filename,
  96                 sinfo=None,
  97                 access_mask=None):
  98         """Get security descriptor for file."""
  99         if sinfo is None:
 100             sinfo = self.SECINFO_DEFAULT_FLAGS
 101         if access_mask is None:
 102             access_mask = self.required_access_for_get_secinfo(sinfo)
 103         fnum = self.create(
 104             Name=filename,
 105             DesiredAccess=access_mask,
 106             ShareAccess=(FILE_SHARE_READ|FILE_SHARE_WRITE))
 107         try:
 108             sd = self.get_sd(fnum, sinfo)
 109         finally:
 110             self.close(fnum)
 111         return sd
 112
 113     def set_acl(self,
 114                 filename,
 115                 sd,
 116                 sinfo=None,
 117                 access_mask=None):
 118         """Set security descriptor for file."""
 119         if sinfo is None:
 120             sinfo = self.SECINFO_DEFAULT_FLAGS
 121         if access_mask is None:
 122             access_mask = self.required_access_for_set_secinfo(sinfo)
 123         fnum = self.create(
 124             Name=filename,
 125             DesiredAccess=access_mask,
 126             ShareAccess=(FILE_SHARE_READ|FILE_SHARE_WRITE))
 127         try:
 128             self.set_sd(fnum, sd, sinfo)
 129         finally:
 130             self.close(fnum)