1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
|
# vgp_files_ext samba gpo policy
# Copyright (C) David Mulder <dmulder@suse.com> 2020
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os, pwd, grp
from samba.gp.gpclass import gp_xml_ext, check_safe_path, gp_file_applier
from tempfile import NamedTemporaryFile
from shutil import copyfile, move
from samba.gp.util.logging import log
def calc_mode(entry):
mode = 0o000
for permissions in entry.findall('permissions'):
ptype = permissions.get('type')
if ptype == 'user':
if permissions.find('read') is not None:
mode |= 0o400
if permissions.find('write') is not None:
mode |= 0o200
if permissions.find('execute') is not None:
mode |= 0o100
elif ptype == 'group':
if permissions.find('read') is not None:
mode |= 0o040
if permissions.find('write') is not None:
mode |= 0o020
if permissions.find('execute') is not None:
mode |= 0o010
elif ptype == 'other':
if permissions.find('read') is not None:
mode |= 0o004
if permissions.find('write') is not None:
mode |= 0o002
if permissions.find('execute') is not None:
mode |= 0o001
return mode
def stat_from_mode(mode):
stat = '-'
for i in range(6, -1, -3):
mask = {0o4: 'r', 0o2: 'w', 0o1: 'x'}
for x in mask.keys():
if mode & (x << i):
stat += mask[x]
else:
stat += '-'
return stat
def source_file_change(fname):
if os.path.exists(fname):
return b'%d' % os.stat(fname).st_ctime
class vgp_files_ext(gp_xml_ext, gp_file_applier):
def __str__(self):
return 'VGP/Unix Settings/Files'
def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
for guid, settings in deleted_gpo_list:
if str(self) in settings:
for attribute, _ in settings[str(self)].items():
self.unapply(guid, attribute, attribute)
for gpo in changed_gpo_list:
if gpo.file_sys_path:
xml = 'MACHINE/VGP/VTLA/Unix/Files/manifest.xml'
path = os.path.join(gpo.file_sys_path, xml)
xml_conf = self.parse(path)
if not xml_conf:
continue
policy = xml_conf.find('policysetting')
data = policy.find('data')
for entry in data.findall('file_properties'):
local_path = self.lp.cache_path('gpo_cache')
source = entry.find('source').text
source_file = os.path.join(local_path,
os.path.dirname(check_safe_path(path)).upper(),
source.upper())
if not os.path.exists(source_file):
log.warn('Source file does not exist', source_file)
continue
target = entry.find('target').text
user = entry.find('user').text
group = entry.find('group').text
mode = calc_mode(entry)
# The attribute is simply the target file.
attribute = target
# The value hash is generated from the source file last
# change stamp, the user, the group, and the mode, ensuring
# any changes to this GPO will cause the file to be
# rewritten.
value_hash = self.generate_value_hash(
source_file_change(source_file),
user, group, b'%d' % mode)
def applier_func(source_file, target, user, group, mode):
with NamedTemporaryFile(dir=os.path.dirname(target),
delete=False) as f:
copyfile(source_file, f.name)
os.chown(f.name, pwd.getpwnam(user).pw_uid,
grp.getgrnam(group).gr_gid)
os.chmod(f.name, mode)
move(f.name, target)
return [target]
self.apply(gpo.name, attribute, value_hash, applier_func,
source_file, target, user, group, mode)
def rsop(self, gpo):
output = {}
xml = 'MACHINE/VGP/VTLA/Unix/Files/manifest.xml'
if gpo.file_sys_path:
path = os.path.join(gpo.file_sys_path, xml)
xml_conf = self.parse(path)
if not xml_conf:
return output
policy = xml_conf.find('policysetting')
data = policy.find('data')
for entry in data.findall('file_properties'):
source = entry.find('source').text
target = entry.find('target').text
user = entry.find('user').text
group = entry.find('group').text
mode = calc_mode(entry)
p = '%s\t%s\t%s\t%s -> %s' % \
(stat_from_mode(mode), user, group, target, source)
if str(self) not in output.keys():
output[str(self)] = []
output[str(self)].append(p)
return output
|
