author | Andrew Tridgell <tridge@samba.org> | 2004-12-29 07:28:03 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:07:41 -0500 |
commit | d39ae5434185b6e54d029b1868ec610f0d638d6f (patch) | |
tree | fecb3c47adcbe5681515d49d98e021193a738f85 /source4 | |
parent | 66b8ff22e0a37e217333799a3b42e06c594d3976 (diff) | |
r4389: added checking for the default inherited ACL, which is used when no ACEs
are inheritable
(This used to be commit e30b8d5783e073a31f738a36400fe866c970464b)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/torture/raw/acls.c | 45 |
1 files changed, 39 insertions, 6 deletions
diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c index 75a5b31693..82e04ffcc7 100644 --- a/source4/torture/raw/acls.c +++ b/source4/torture/raw/acls.c @@ -762,7 +762,7 @@ static BOOL test_inheritance(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) int fnum, fnum2, i; union smb_fileinfo q; union smb_setfileinfo set; - struct security_descriptor *sd, *sd_orig; + struct security_descriptor *sd, *sd_orig, *sd_def; const char *owner_sid; const struct { uint32_t parent_flags; @@ -901,12 +901,24 @@ static BOOL test_inheritance(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid); + sd_def = security_descriptor_create(mem_ctx, + owner_sid, NULL, + owner_sid, + SEC_ACE_TYPE_ACCESS_ALLOWED, + SEC_RIGHTS_FILE_ALL, + 0, + SID_NT_SYSTEM, + SEC_ACE_TYPE_ACCESS_ALLOWED, + SEC_RIGHTS_FILE_ALL, + 0, + NULL); + for (i=0;i<ARRAY_SIZE(test_flags);i++) { sd = security_descriptor_create(mem_ctx, NULL, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, - SEC_FILE_ALL | SEC_STD_ALL, + SEC_FILE_WRITE_DATA, test_flags[i].parent_flags, SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, 
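Review bot: `sd_def` in the `@@ -901,12 +901,24 @@` hunk is built without a comment saying what it represents, and its contents (owner and `SID_NT_SYSTEM`, each with `SEC_RIGHTS_FILE_ALL` and flags 0) are a fixed policy expectation rather than something derived from the parent descriptor. I would put `/* expected default sd when the parent has no inheritable ACEs: owner and SYSTEM get full access */` above the call so a reader knows which server behaviour is being pinned. The result is also handed to `security_descriptor_equal` in the later hunks without a NULL check; whether that helper tolerates NULL is not visible here, so a short `if (sd_def == NULL)` bail-out that sets `ret = False` would be safer.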
@@ -933,15 +945,23 @@ static BOOL test_inheritance(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) smbcli_close(cli->tree, fnum2); smbcli_unlink(cli->tree, fname1); + if (!(test_flags[i].parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT)) { + if (!security_descriptor_equal(q.query_secdesc.out.sd, sd_def)) { + printf("Expected default sd at %d - got:\n", i); + NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); + } + goto check_dir; + } if (q.query_secdesc.out.sd->dacl == NULL || q.query_secdesc.out.sd->dacl->num_aces < 1 || + q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA || !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee, sd_orig->owner_sid)) { - printf("Bad sd in child at %d\n", i); + printf("Bad sd in child file at %d\n", i); NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); ret = False; - goto done; + goto check_dir; } if (q.query_secdesc.out.sd->dacl->aces[0].flags != @@ -954,6 +974,7 @@ static BOOL test_inheritance(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) ret = False; } + check_dir: io.ntcreatex.in.fname = fname2; io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; status = smb_raw_open(cli->tree, mem_ctx, &io); 
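Review bot: A mismatch against `sd_def` is only printed: the new `if (!security_descriptor_equal(q.query_secdesc.out.sd, sd_def))` branch never touches `ret`, so the test still passes when the server applies something other than the expected default ACL to the child file. Unless this check is meant to be advisory, add `ret = False;` after the `NDR_PRINT_DEBUG` call, matching the "Bad sd in child file" branch just below it. The directory variant in the `@@ -967,14 +988,26 @@` hunk has the same gap before its `continue`. For an ACL-inheritance test this matters because an over-permissive default descriptor on a newly created object is exactly the regression it should flag. The loop body starts and ends outside this hunk.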
@@ -967,14 +988,26 @@ static BOOL test_inheritance(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) smbcli_close(cli->tree, fnum2); smbcli_rmdir(cli->tree, fname2); + if (!(test_flags[i].parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT) && + (!(test_flags[i].parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT) || + (test_flags[i].parent_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT))) { + if (!security_descriptor_equal(q.query_secdesc.out.sd, sd_def)) { + printf("Expected default sd for dir at %d - got:\n", i); + NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); + } + continue; + } + if (q.query_secdesc.out.sd->dacl == NULL || q.query_secdesc.out.sd->dacl->num_aces < 1 || + q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA || !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee, sd_orig->owner_sid)) { - printf("Bad sd in child at %d\n", i); + printf("Bad sd in child dir at %d (parent 0x%x)\n", + i, test_flags[i].parent_flags); NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); ret = False; - goto done; + continue; } if (q.query_secdesc.out.sd->dacl->aces[0].flags != |
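Review bot: The three-flag condition that opens this hunk carries no comment, and it is the only place that encodes when a child directory is expected to fall back to the default descriptor. As written, the directory is treated as inheriting when `SEC_ACE_FLAG_CONTAINER_INHERIT` is set, or when `SEC_ACE_FLAG_OBJECT_INHERIT` is set and `SEC_ACE_FLAG_NO_PROPAGATE_INHERIT` is clear. I would state that above the `if`, for example `/* a dir inherits via CONTAINER_INHERIT, or carries an OBJECT_INHERIT ACE onward unless NO_PROPAGATE is set; otherwise expect the default sd */`. Without it the asymmetry with the file check, which tests `SEC_ACE_FLAG_OBJECT_INHERIT` alone, looks like a mistake. The enclosing loop body continues past the end of the hunk.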