author | Jeremy Allison <jra@samba.org> | 2012-08-31 14:42:21 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2012-08-31 20:32:37 -0700 |
commit | 5e0365dfe891f556eed180bc44ac7120c37141fb (patch) | |
tree | 813a9032dbafd09dbc7fd9562c0c7b3a1b855c06 | |
parent | 6550bc0d26278ce96a2a752231efef274c0dcf12 (diff) | |
Now that SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP don't include any generic bits (they're used directly in the fileserver, where the generic bits have already been mapped into file-specific bits), we need to add the generic bits to the test when we have these privileges.
Mark samba4.base.maximum_allowed knownfail until we implement NTCREATEX_OPTIONS_BACKUP_INTENT.
-rw-r--r-- | selftest/knownfail | 1 | ||||
-rw-r--r-- | source4/torture/basic/denytest.c | 31 |
2 files changed, 28 insertions, 4 deletions
diff --git a/selftest/knownfail b/selftest/knownfail index 93f1dfc732..4e6eb43add 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -93,6 +93,7 @@ ^samba4.rpc.samr.passwords.badpwdcount # Not provided by Samba 4 yet ^samba4.rpc.samr.passwords.lockout ^samba4.base.charset.*.Testing partial surrogate +^samba4.*.base.maximum_allowed # broken until we implement NTCREATEX_OPTIONS_BACKUP_INTENT .*net.api.delshare.* # DelShare isn't implemented yet ^samba4.rap.*netservergetinfo ^samba4.rap.*netsessionenum diff --git a/source4/torture/basic/denytest.c b/source4/torture/basic/denytest.c index 2e21c83fad..69717be3ba 100644 --- a/source4/torture/basic/denytest.c +++ b/source4/torture/basic/denytest.c @@ -2687,7 +2687,7 @@ bool torture_maximum_allowed(struct torture_context *tctx, NTSTATUS status; union smb_fileinfo q; const char *owner_sid; - bool has_restore_privilege, has_backup_privilege; + bool has_restore_privilege, has_backup_privilege, has_system_security_privilege; mem_ctx = talloc_init("torture_maximum_allowed"); 
@@ -2747,18 +2747,41 @@ bool torture_maximum_allowed(struct torture_context *tctx, owner_sid, has_backup_privilege?"Yes":"No"); + status = torture_check_privilege(cli, + owner_sid, + sec_privilege_name(SEC_PRIV_SECURITY)); + has_system_security_privilege = NT_STATUS_IS_OK(status); + torture_comment(tctx, "Checked SEC_PRIV_SECURITY for %s - %s\n", + owner_sid, + has_system_security_privilege?"Yes":"No"); + smbcli_close(cli->tree, fnum); for (i = 0; i < 32; i++) { uint32_t mask = SEC_FLAG_MAXIMUM_ALLOWED | (1u << i); - uint32_t ok_mask = SEC_RIGHTS_FILE_READ | SEC_GENERIC_READ | + /* + * SEC_GENERIC_EXECUTE is a complete subset of + * SEC_GENERIC_READ when mapped to specific bits, + * so we need to include it in the basic OK mask. + */ + uint32_t ok_mask = SEC_RIGHTS_FILE_READ | SEC_GENERIC_READ | SEC_GENERIC_EXECUTE | SEC_STD_DELETE | SEC_STD_WRITE_DAC; + /* + * Now SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP + * don't include any generic bits (they're used directly + * in the fileserver where the generic bits have already + * been mapped into file specific bits) we need to add the + * generic bits to the ok_mask when we have these privileges. + */ if (has_restore_privilege) { - ok_mask |= SEC_RIGHTS_PRIV_RESTORE; + ok_mask |= SEC_RIGHTS_PRIV_RESTORE|SEC_GENERIC_WRITE; } if (has_backup_privilege) { - ok_mask |= SEC_RIGHTS_PRIV_BACKUP; + ok_mask |= SEC_RIGHTS_PRIV_BACKUP|SEC_GENERIC_READ; + } + if (has_system_security_privilege) { + ok_mask |= SEC_FLAG_SYSTEM_SECURITY; } /* Skip all SACL related tests. */ |
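Review bot: In the `has_backup_privilege` branch, `ok_mask |= SEC_RIGHTS_PRIV_BACKUP|SEC_GENERIC_READ;` ORs in a bit that the base `ok_mask` already carries unconditionally, so the generic-read half of that line has no effect and the new comment overstates what is gated on the privilege. Because this mask decides which opens the test accepts as legitimately granted, I would either reduce the line to `ok_mask |= SEC_RIGHTS_PRIV_BACKUP;` or add `/* SEC_GENERIC_READ is already in the base ok_mask for every caller */` so nobody later reads it as a backup-only right. Separately, `has_system_security_privilege = NT_STATUS_IS_OK(status);` treats a failed privilege lookup the same as an absent privilege; printing `nt_errstr(status)` in the following `torture_comment` would make a later mask mismatch easier to diagnose. The body of torture_maximum_allowed starts before and continues after this hunk, including the SACL skip announced by the last context line, so whether the new `SEC_FLAG_SYSTEM_SECURITY` case is actually exercised cannot be confirmed from here.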