diff options
author | Andrew Tridgell <tridge@samba.org> | 2009-10-16 18:23:42 +1100 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2009-10-17 13:01:03 +1100 |
commit | 7226ba73a0519f853b53adc3591d2358ff7429b2 (patch) | |
tree | 63ffdffd11c83daf154a90396b3f5d25a353a2a7 /source4/torture | |
parent | 9526487010fff240d2f55f29352e7f74d3cec65a (diff) | |
download | samba-7226ba73a0519f853b53adc3591d2358ff7429b2.tar.gz samba-7226ba73a0519f853b53adc3591d2358ff7429b2.tar.bz2 samba-7226ba73a0519f853b53adc3591d2358ff7429b2.zip |
s4-torture: add a special check for administrators and privileges
lsa privileges calls don't expand groups. darn.
Diffstat (limited to 'source4/torture')
-rw-r--r-- | source4/torture/basic/denytest.c | 12 | ||||
-rw-r--r-- | source4/torture/raw/acls.c | 24 | ||||
-rw-r--r-- | source4/torture/util.h | 3 | ||||
-rw-r--r-- | source4/torture/util_smb.c | 36 |
4 files changed, 57 insertions, 18 deletions
diff --git a/source4/torture/basic/denytest.c b/source4/torture/basic/denytest.c index 6b7ae2614f..52b4d582e0 100644 --- a/source4/torture/basic/denytest.c +++ b/source4/torture/basic/denytest.c @@ -2715,17 +2715,17 @@ bool torture_maximum_allowed(struct torture_context *tctx, owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); - status = smblsa_sid_check_privilege(cli, - owner_sid, - sec_privilege_name(SEC_PRIV_RESTORE)); + status = torture_check_privilege(cli, + owner_sid, + sec_privilege_name(SEC_PRIV_RESTORE)); has_restore_privilege = NT_STATUS_IS_OK(status); torture_comment(tctx, "Checked SEC_PRIV_RESTORE for %s - %s\n", owner_sid, has_restore_privilege?"Yes":"No"); - status = smblsa_sid_check_privilege(cli, - owner_sid, - sec_privilege_name(SEC_PRIV_BACKUP)); + status = torture_check_privilege(cli, + owner_sid, + sec_privilege_name(SEC_PRIV_BACKUP)); has_backup_privilege = NT_STATUS_IS_OK(status); torture_comment(tctx, "Checked SEC_PRIV_BACKUP for %s - %s\n", owner_sid, diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c index 3d3aae4bb9..b56345656a 100644 --- a/source4/torture/raw/acls.c +++ b/source4/torture/raw/acls.c @@ -778,21 +778,21 @@ static bool test_generic_bits(struct torture_context *tctx, owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); - status = smblsa_sid_check_privilege(cli, + status = torture_check_privilege(cli, owner_sid, sec_privilege_name(SEC_PRIV_RESTORE)); has_restore_privilege = NT_STATUS_IS_OK(status); if (!NT_STATUS_IS_OK(status)) { - printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status)); + printf("torture_check_privilege - %s\n", nt_errstr(status)); } printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No"); - status = smblsa_sid_check_privilege(cli, + status = torture_check_privilege(cli, owner_sid, sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP)); has_take_ownership_privilege = NT_STATUS_IS_OK(status); if (!NT_STATUS_IS_OK(status)) { - printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status)); + printf("torture_check_privilege - %s\n", nt_errstr(status)); } printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No"); @@ -943,21 +943,21 @@ static bool test_generic_bits(struct torture_context *tctx, owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); - status = smblsa_sid_check_privilege(cli, + status = torture_check_privilege(cli, owner_sid, sec_privilege_name(SEC_PRIV_RESTORE)); has_restore_privilege = NT_STATUS_IS_OK(status); if (!NT_STATUS_IS_OK(status)) { - printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status)); + printf("torture_check_privilege - %s\n", nt_errstr(status)); } printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No"); - status = smblsa_sid_check_privilege(cli, + status = torture_check_privilege(cli, owner_sid, sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP)); has_take_ownership_privilege = NT_STATUS_IS_OK(status); if (!NT_STATUS_IS_OK(status)) { - printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status)); + printf("torture_check_privilege - %s\n", nt_errstr(status)); } printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No"); @@ -1132,21 +1132,21 @@ static bool test_owner_bits(struct torture_context *tctx, owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); - status = smblsa_sid_check_privilege(cli, + status = torture_check_privilege(cli, owner_sid, sec_privilege_name(SEC_PRIV_RESTORE)); has_restore_privilege = NT_STATUS_IS_OK(status); if (!NT_STATUS_IS_OK(status)) { - printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status)); + printf("torture_check_privilege - %s\n", nt_errstr(status)); } printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No"); - status = smblsa_sid_check_privilege(cli, + status = torture_check_privilege(cli, owner_sid, sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP)); has_take_ownership_privilege = NT_STATUS_IS_OK(status); if (!NT_STATUS_IS_OK(status)) { - printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status)); + printf("torture_check_privilege - %s\n", nt_errstr(status)); } printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No"); diff --git a/source4/torture/util.h b/source4/torture/util.h index 6a8ae36baf..501d14d57c 100644 --- a/source4/torture/util.h +++ b/source4/torture/util.h @@ -93,5 +93,8 @@ NTSTATUS torture_second_tcon(TALLOC_CTX *mem_ctx, struct smbcli_tree **res); +NTSTATUS torture_check_privilege(struct smbcli_state *cli, + const char *sid_str, + const char *privilege); #endif /* _TORTURE_UTIL_H_ */ diff --git a/source4/torture/util_smb.c b/source4/torture/util_smb.c index 7d3d04cdbb..b6f2bee635 100644 --- a/source4/torture/util_smb.c +++ b/source4/torture/util_smb.c @@ -33,6 +33,8 @@ #include "auth/credentials/credentials.h" #include "libcli/resolve/resolve.h" #include "param/param.h" +#include "libcli/security/security.h" +#include "libcli/util/clilsa.h" /** @@ -927,3 +929,37 @@ NTSTATUS torture_second_tcon(TALLOC_CTX *mem_ctx, talloc_free(tmp_ctx); return NT_STATUS_OK; } + +/* + a wrapper around smblsa_sid_check_privilege, that tries to take + account of the fact that the lsa privileges calls don't expand + group memberships, using an explicit check for administrator. There + must be a better way ... + */ +NTSTATUS torture_check_privilege(struct smbcli_state *cli, + const char *sid_str, + const char *privilege) +{ + struct dom_sid *sid; + TALLOC_CTX *tmp_ctx = talloc_new(cli); + uint32_t rid; + NTSTATUS status; + + sid = dom_sid_parse_talloc(tmp_ctx, sid_str); + if (sid == NULL) { + talloc_free(tmp_ctx); + return NT_STATUS_INVALID_SID; + } + + status = dom_sid_split_rid(tmp_ctx, sid, NULL, &rid); + NT_STATUS_NOT_OK_RETURN_AND_FREE(status, tmp_ctx); + + if (rid == DOMAIN_RID_ADMINISTRATOR) { + /* assume the administrator has them all */ + return NT_STATUS_OK; + } + + talloc_free(tmp_ctx); + + return smblsa_sid_check_privilege(cli, sid_str, privilege); +} |