summaryrefslogtreecommitdiff
path: root/source4/torture
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2009-10-16 18:23:42 +1100
committerAndrew Tridgell <tridge@samba.org>2009-10-17 13:01:03 +1100
commit7226ba73a0519f853b53adc3591d2358ff7429b2 (patch)
tree63ffdffd11c83daf154a90396b3f5d25a353a2a7 /source4/torture
parent9526487010fff240d2f55f29352e7f74d3cec65a (diff)
downloadsamba-7226ba73a0519f853b53adc3591d2358ff7429b2.tar.gz
samba-7226ba73a0519f853b53adc3591d2358ff7429b2.tar.bz2
samba-7226ba73a0519f853b53adc3591d2358ff7429b2.zip
s4-torture: add a special check for administrators and privileges
lsa privileges calls don't expand groups. darn.
Diffstat (limited to 'source4/torture')
-rw-r--r--source4/torture/basic/denytest.c12
-rw-r--r--source4/torture/raw/acls.c24
-rw-r--r--source4/torture/util.h3
-rw-r--r--source4/torture/util_smb.c36
4 files changed, 57 insertions, 18 deletions
diff --git a/source4/torture/basic/denytest.c b/source4/torture/basic/denytest.c
index 6b7ae2614f..52b4d582e0 100644
--- a/source4/torture/basic/denytest.c
+++ b/source4/torture/basic/denytest.c
@@ -2715,17 +2715,17 @@ bool torture_maximum_allowed(struct torture_context *tctx,
owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
- status = smblsa_sid_check_privilege(cli,
- owner_sid,
- sec_privilege_name(SEC_PRIV_RESTORE));
+ status = torture_check_privilege(cli,
+ owner_sid,
+ sec_privilege_name(SEC_PRIV_RESTORE));
has_restore_privilege = NT_STATUS_IS_OK(status);
torture_comment(tctx, "Checked SEC_PRIV_RESTORE for %s - %s\n",
owner_sid,
has_restore_privilege?"Yes":"No");
- status = smblsa_sid_check_privilege(cli,
- owner_sid,
- sec_privilege_name(SEC_PRIV_BACKUP));
+ status = torture_check_privilege(cli,
+ owner_sid,
+ sec_privilege_name(SEC_PRIV_BACKUP));
has_backup_privilege = NT_STATUS_IS_OK(status);
torture_comment(tctx, "Checked SEC_PRIV_BACKUP for %s - %s\n",
owner_sid,
diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c
index 3d3aae4bb9..b56345656a 100644
--- a/source4/torture/raw/acls.c
+++ b/source4/torture/raw/acls.c
@@ -778,21 +778,21 @@ static bool test_generic_bits(struct torture_context *tctx,
owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_RESTORE));
has_restore_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
has_take_ownership_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
@@ -943,21 +943,21 @@ static bool test_generic_bits(struct torture_context *tctx,
owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_RESTORE));
has_restore_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
has_take_ownership_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
@@ -1132,21 +1132,21 @@ static bool test_owner_bits(struct torture_context *tctx,
owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_RESTORE));
has_restore_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
has_take_ownership_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
diff --git a/source4/torture/util.h b/source4/torture/util.h
index 6a8ae36baf..501d14d57c 100644
--- a/source4/torture/util.h
+++ b/source4/torture/util.h
@@ -93,5 +93,8 @@ NTSTATUS torture_second_tcon(TALLOC_CTX *mem_ctx,
struct smbcli_tree **res);
+NTSTATUS torture_check_privilege(struct smbcli_state *cli,
+ const char *sid_str,
+ const char *privilege);
#endif /* _TORTURE_UTIL_H_ */
diff --git a/source4/torture/util_smb.c b/source4/torture/util_smb.c
index 7d3d04cdbb..b6f2bee635 100644
--- a/source4/torture/util_smb.c
+++ b/source4/torture/util_smb.c
@@ -33,6 +33,8 @@
#include "auth/credentials/credentials.h"
#include "libcli/resolve/resolve.h"
#include "param/param.h"
+#include "libcli/security/security.h"
+#include "libcli/util/clilsa.h"
/**
@@ -927,3 +929,37 @@ NTSTATUS torture_second_tcon(TALLOC_CTX *mem_ctx,
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
+
+/*
+ a wrapper around smblsa_sid_check_privilege, that tries to take
+ account of the fact that the lsa privileges calls don't expand
+ group memberships, using an explicit check for administrator. There
+ must be a better way ...
+ */
+NTSTATUS torture_check_privilege(struct smbcli_state *cli,
+ const char *sid_str,
+ const char *privilege)
+{
+ struct dom_sid *sid;
+ TALLOC_CTX *tmp_ctx = talloc_new(cli);
+ uint32_t rid;
+ NTSTATUS status;
+
+ sid = dom_sid_parse_talloc(tmp_ctx, sid_str);
+ if (sid == NULL) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_INVALID_SID;
+ }
+
+ status = dom_sid_split_rid(tmp_ctx, sid, NULL, &rid);
+ NT_STATUS_NOT_OK_RETURN_AND_FREE(status, tmp_ctx);
+
+ if (rid == DOMAIN_RID_ADMINISTRATOR) {
+ /* assume the administrator has them all */
+ return NT_STATUS_OK;
+ }
+
+ talloc_free(tmp_ctx);
+
+ return smblsa_sid_check_privilege(cli, sid_str, privilege);
+}