diff options
author | Andrew Tridgell <tridge@samba.org> | 2004-12-06 07:13:50 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:06:23 -0500 |
commit | 690b352fc19cb5444b923c220af91f17a88a5e3c (patch) | |
tree | ea3bde7209502060e890eaa68a6ed02a547de76c | |
parent | ad3ee0a81c4b2bf2ae67ba461e936f7777584345 (diff) | |
download | samba-690b352fc19cb5444b923c220af91f17a88a5e3c.tar.gz samba-690b352fc19cb5444b923c220af91f17a88a5e3c.tar.bz2 samba-690b352fc19cb5444b923c220af91f17a88a5e3c.zip |
r4074: make the RAW-ACLS test use the new lsa helper functions to determine
the privileges of the user running the test. This allows the test to
work out what the expected access masks are.
(This used to be commit dcf6c297d372cfa421d757d43897f00ad1d4f5f5)
-rw-r--r-- | source4/torture/config.mk | 2 | ||||
-rw-r--r-- | source4/torture/raw/acls.c | 55 |
2 files changed, 40 insertions, 17 deletions
diff --git a/source4/torture/config.mk b/source4/torture/config.mk index 4cba73062f..58089fa172 100644 --- a/source4/torture/config.mk +++ b/source4/torture/config.mk @@ -52,7 +52,7 @@ ADD_OBJ_FILES = \ torture/raw/acls.o \ torture/raw/seek.o REQUIRED_SUBSYSTEMS = \ - LIBSMB + LIBSMB LIBCLI_LSA # End SUBSYSTEM TORTURE_RAW ################################# diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c index 46e9fbdb3a..9e518f8fc9 100644 --- a/source4/torture/raw/acls.c +++ b/source4/torture/raw/acls.c @@ -481,6 +481,8 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) { SEC_GENERIC_EXECUTE, SEC_RIGHTS_DIR_EXECUTE }, { SEC_GENERIC_ALL, SEC_RIGHTS_DIR_ALL } }; + BOOL has_restore_privilege; + BOOL has_take_ownership_privilege; printf("TESTING FILE GENERIC BITS\n"); @@ -515,8 +517,31 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid); + status = smblsa_sid_check_privilege(cli, owner_sid, SEC_PRIV_RESTORE); + has_restore_privilege = NT_STATUS_IS_OK(status); + if (!NT_STATUS_IS_OK(status)) { + printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status)); + } + printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No"); + + status = smblsa_sid_check_privilege(cli, owner_sid, SEC_PRIV_TAKE_OWNERSHIP); + has_take_ownership_privilege = NT_STATUS_IS_OK(status); + if (!NT_STATUS_IS_OK(status)) { + printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status)); + } + printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_restore_privilege?"Yes":"No"); for (i=0;i<ARRAY_SIZE(file_mappings);i++) { + uint32_t expected_mask = + SEC_STD_WRITE_DAC | + SEC_STD_READ_CONTROL | + SEC_FILE_READ_ATTRIBUTE | + SEC_STD_DELETE; + uint32_t expected_mask_anon = SEC_FILE_READ_ATTRIBUTE; + + if (has_restore_privilege) { + expected_mask_anon |= SEC_STD_DELETE; + } printf("testing generic bits 0x%08x\n", file_mappings[i].gen_bits); @@ -556,18 +581,17 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) status = smb_raw_open(cli->tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum, - SEC_STD_READ_CONTROL | - SEC_STD_WRITE_DAC | - SEC_STD_DELETE | - SEC_FILE_READ_ATTRIBUTE | - file_mappings[i].specific_bits); + expected_mask | file_mappings[i].specific_bits); smbcli_close(cli->tree, io.ntcreatex.out.fnum); + if (!has_take_ownership_privilege) { + continue; + } printf("testing generic bits 0x%08x (anonymous)\n", file_mappings[i].gen_bits); sd = security_descriptor_create(mem_ctx, - SID_ANONYMOUS, NULL, + SID_NT_ANONYMOUS, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, file_mappings[i].gen_bits, @@ -582,7 +606,7 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) CHECK_STATUS(status, NT_STATUS_OK); sd2 = security_descriptor_create(mem_ctx, - SID_ANONYMOUS, NULL, + SID_NT_ANONYMOUS, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, file_mappings[i].specific_bits, @@ -602,9 +626,7 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) status = smb_raw_open(cli->tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum, - SEC_STD_DELETE | - SEC_FILE_READ_ATTRIBUTE | - file_mappings[i].specific_bits); + expected_mask_anon | file_mappings[i].specific_bits); smbcli_close(cli->tree, io.ntcreatex.out.fnum); } @@ -649,6 +671,11 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) for (i=0;i<ARRAY_SIZE(dir_mappings);i++) { + uint32_t expected_mask = + SEC_STD_WRITE_DAC | + SEC_STD_READ_CONTROL | + SEC_FILE_READ_ATTRIBUTE | + SEC_STD_DELETE; printf("testing generic bits 0x%08x\n", file_mappings[i].gen_bits); @@ -688,14 +715,10 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) status = smb_raw_open(cli->tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum, - SEC_STD_WRITE_DAC | - SEC_STD_READ_CONTROL | - SEC_STD_DELETE | - SEC_FILE_READ_ATTRIBUTE | - dir_mappings[i].specific_bits); + expected_mask | dir_mappings[i].specific_bits); smbcli_close(cli->tree, io.ntcreatex.out.fnum); - } + printf("put back original sd\n"); set.set_secdesc.in.sd = sd_orig; status = smb_raw_setfileinfo(cli->tree, &set); |