authorAndrew Tridgell <tridge@samba.org>2004-12-06 07:13:50 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:06:23 -0500
commit690b352fc19cb5444b923c220af91f17a88a5e3c (patch)
treeea3bde7209502060e890eaa68a6ed02a547de76c
parentad3ee0a81c4b2bf2ae67ba461e936f7777584345 (diff)
r4074: make the RAW-ACLS test use the new lsa helper functions to determine
the privileges of the user running the test. This allows the test to work out what the expected access masks are. (This used to be commit dcf6c297d372cfa421d757d43897f00ad1d4f5f5)
-rw-r--r--source4/torture/config.mk2
-rw-r--r--source4/torture/raw/acls.c55
2 files changed, 40 insertions, 17 deletions
diff --git a/source4/torture/config.mk b/source4/torture/config.mk
index 4cba73062f..58089fa172 100644
--- a/source4/torture/config.mk
+++ b/source4/torture/config.mk
@@ -52,7 +52,7 @@ ADD_OBJ_FILES = \
torture/raw/acls.o \
torture/raw/seek.o
REQUIRED_SUBSYSTEMS = \
- LIBSMB
+ LIBSMB LIBCLI_LSA
# End SUBSYSTEM TORTURE_RAW
#################################
diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c
index 46e9fbdb3a..9e518f8fc9 100644
--- a/source4/torture/raw/acls.c
+++ b/source4/torture/raw/acls.c
@@ -481,6 +481,8 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
{ SEC_GENERIC_EXECUTE, SEC_RIGHTS_DIR_EXECUTE },
{ SEC_GENERIC_ALL, SEC_RIGHTS_DIR_ALL }
};
+ BOOL has_restore_privilege;
+ BOOL has_take_ownership_privilege;
printf("TESTING FILE GENERIC BITS\n");
@@ -515,8 +517,31 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
+ status = smblsa_sid_check_privilege(cli, owner_sid, SEC_PRIV_RESTORE);
+ has_restore_privilege = NT_STATUS_IS_OK(status);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ }
+ printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
+
+ status = smblsa_sid_check_privilege(cli, owner_sid, SEC_PRIV_TAKE_OWNERSHIP);
+ has_take_ownership_privilege = NT_STATUS_IS_OK(status);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ }
+ printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_restore_privilege?"Yes":"No");
for (i=0;i<ARRAY_SIZE(file_mappings);i++) {
+ uint32_t expected_mask =
+ SEC_STD_WRITE_DAC |
+ SEC_STD_READ_CONTROL |
+ SEC_FILE_READ_ATTRIBUTE |
+ SEC_STD_DELETE;
+ uint32_t expected_mask_anon = SEC_FILE_READ_ATTRIBUTE;
+
+ if (has_restore_privilege) {
+ expected_mask_anon |= SEC_STD_DELETE;
+ }
printf("testing generic bits 0x%08x\n",
file_mappings[i].gen_bits);
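Review bot: The second status line prints the wrong flag: `printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_restore_privilege?"Yes":"No");` should pass `has_take_ownership_privilege`. As written, the log reports the restore privilege twice and hides the value that later gates the anonymous-owner checks. Both lookups also treat every non-OK status from smblsa_sid_check_privilege as "privilege not held", so an LSA connection or lookup failure is printed but then handled the same as a genuine absence, and the test carries on with the weaker expectations. If the helper has a distinct status for "not held" (not visible in this hunk), only that status should clear the flag and any other error should fail the test. test_generic_bits starts and ends outside this hunk.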
@@ -556,18 +581,17 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
status = smb_raw_open(cli->tree, mem_ctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
- SEC_STD_READ_CONTROL |
- SEC_STD_WRITE_DAC |
- SEC_STD_DELETE |
- SEC_FILE_READ_ATTRIBUTE |
- file_mappings[i].specific_bits);
+ expected_mask | file_mappings[i].specific_bits);
smbcli_close(cli->tree, io.ntcreatex.out.fnum);
+ if (!has_take_ownership_privilege) {
+ continue;
+ }
printf("testing generic bits 0x%08x (anonymous)\n",
file_mappings[i].gen_bits);
sd = security_descriptor_create(mem_ctx,
- SID_ANONYMOUS, NULL,
+ SID_NT_ANONYMOUS, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
file_mappings[i].gen_bits,
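Review bot: The added `if (!has_take_ownership_privilege) { continue; }` skips the anonymous-owner half of every iteration without printing anything, so a run with reduced ACL coverage looks the same in the log as a full run. A line such as `printf("skipping anonymous owner checks - no SEC_PRIV_TAKE_OWNERSHIP\n");` before the `continue` would make the reduced coverage visible. This matters most because the flag is set from `NT_STATUS_IS_OK(status)` earlier in the function, so it is also false when the privilege lookup itself failed. The loop body continues outside this hunk.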
@@ -582,7 +606,7 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
CHECK_STATUS(status, NT_STATUS_OK);
sd2 = security_descriptor_create(mem_ctx,
- SID_ANONYMOUS, NULL,
+ SID_NT_ANONYMOUS, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
file_mappings[i].specific_bits,
@@ -602,9 +626,7 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
status = smb_raw_open(cli->tree, mem_ctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
- SEC_STD_DELETE |
- SEC_FILE_READ_ATTRIBUTE |
- file_mappings[i].specific_bits);
+ expected_mask_anon | file_mappings[i].specific_bits);
smbcli_close(cli->tree, io.ntcreatex.out.fnum);
}
@@ -649,6 +671,11 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
for (i=0;i<ARRAY_SIZE(dir_mappings);i++) {
+ uint32_t expected_mask =
+ SEC_STD_WRITE_DAC |
+ SEC_STD_READ_CONTROL |
+ SEC_FILE_READ_ATTRIBUTE |
+ SEC_STD_DELETE;
printf("testing generic bits 0x%08x\n",
file_mappings[i].gen_bits);
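Review bot: The `expected_mask` declared at the top of the dir_mappings loop is the same four-flag constant already declared in the file_mappings loop, and neither copy changes between iterations. A single function-scope `const uint32_t expected_mask = SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_FILE_READ_ATTRIBUTE | SEC_STD_DELETE;` would keep the two loops from drifting apart. Separately, the unchanged printf directly below the new declaration still prints `file_mappings[i].gen_bits` while iterating over dir_mappings; `dir_mappings[i].gen_bits` looks like what was intended, and this commit would be a natural place to correct it.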
@@ -688,14 +715,10 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
status = smb_raw_open(cli->tree, mem_ctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
- SEC_STD_WRITE_DAC |
- SEC_STD_READ_CONTROL |
- SEC_STD_DELETE |
- SEC_FILE_READ_ATTRIBUTE |
- dir_mappings[i].specific_bits);
+ expected_mask | dir_mappings[i].specific_bits);
smbcli_close(cli->tree, io.ntcreatex.out.fnum);
-
}
+
printf("put back original sd\n");
set.set_secdesc.in.sd = sd_orig;
status = smb_raw_setfileinfo(cli->tree, &set);