diff options
author | Günther Deschner <gd@samba.org> | 2007-11-02 14:43:11 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2007-12-21 05:44:08 +0100 |
commit | fb6d99e3449564d4ec82c230efd647c534b09da6 (patch) | |
tree | afda4d66fd2a2ab9fa008e50817469c77d3a5c9d /source4 | |
parent | 1181e6c79163b3cc712f844240762a75ec029dbe (diff) | |
download | samba-fb6d99e3449564d4ec82c230efd647c534b09da6.tar.gz samba-fb6d99e3449564d4ec82c230efd647c534b09da6.tar.bz2 samba-fb6d99e3449564d4ec82c230efd647c534b09da6.zip |
r25810: Add test for blocking security descriptor inheritance in winreg.
Guenther
(This used to be commit cfa501fbc7d74b1f15bcf0df96d2a1d3ad13b289)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/torture/rpc/winreg.c | 181 |
1 files changed, 180 insertions, 1 deletions
diff --git a/source4/torture/rpc/winreg.c b/source4/torture/rpc/winreg.c index 238ccba734..4bce174f7d 100644 --- a/source4/torture/rpc/winreg.c +++ b/source4/torture/rpc/winreg.c @@ -422,6 +422,58 @@ static bool test_SecurityDescriptor(struct dcerpc_pipe *p, return ret; } +static bool test_dacl_trustee_present(struct dcerpc_pipe *p, + struct torture_context *tctx, + struct policy_handle *handle, + const struct dom_sid *sid) +{ + struct security_descriptor *sd = NULL; + int i; + + if (!test_GetKeySecurity(p, tctx, handle, &sd)) { + return false; + } + + if (!sd || !sd->dacl) { + return false; + } + + for (i = 0; i < sd->dacl->num_aces; i++) { + if (dom_sid_equal(&sd->dacl->aces[i].trustee, sid)) { + return true; + } + } + + return false; +} + +static bool test_dacl_trustee_flags_present(struct dcerpc_pipe *p, + struct torture_context *tctx, + struct policy_handle *handle, + const struct dom_sid *sid, + uint8_t flags) +{ + struct security_descriptor *sd = NULL; + int i; + + if (!test_GetKeySecurity(p, tctx, handle, &sd)) { + return false; + } + + if (!sd || !sd->dacl) { + return false; + } + + for (i = 0; i < sd->dacl->num_aces; i++) { + if ((dom_sid_equal(&sd->dacl->aces[i].trustee, sid)) && + (sd->dacl->aces[i].flags == flags)) { + return true; + } + } + + return false; +} + static bool test_dacl_ace_present(struct dcerpc_pipe *p, struct torture_context *tctx, struct policy_handle *handle, @@ -585,6 +637,129 @@ static bool test_SecurityDescriptorInheritance(struct dcerpc_pipe *p, return true; } +static bool test_SecurityDescriptorBlockInheritance(struct dcerpc_pipe *p, + struct torture_context *tctx, + struct policy_handle *handle, + const char *key) +{ + /* get sd + add ace SEC_ACE_FLAG_NO_PROPAGATE_INHERIT + set sd + add subkey/subkey + get sd + check ace + get sd from subkey + check ace + del subkey/subkey + del subkey + reset sd + */ + + struct security_descriptor *sd = NULL; + struct security_descriptor *sd_orig = NULL; + struct security_ace *ace = NULL; + struct policy_handle new_handle; + struct dom_sid *sid = NULL; + NTSTATUS status; + bool ret = true; + uint8_t ace_flags = 0x0; + + torture_comment(tctx, "SecurityDescriptor inheritance block\n"); + + if (!test_OpenKey(p, tctx, handle, key, &new_handle)) { + return false; + } + + if (!_test_GetKeySecurity(p, tctx, &new_handle, NULL, WERR_OK, &sd)) { + return false; + } + + sd_orig = security_descriptor_copy(tctx, sd); + if (sd_orig == NULL) { + return false; + } + + ace = security_ace_create(tctx, + TEST_SID, + SEC_ACE_TYPE_ACCESS_ALLOWED, + SEC_STD_REQUIRED, + SEC_ACE_FLAG_CONTAINER_INHERIT | + SEC_ACE_FLAG_NO_PROPAGATE_INHERIT); + + status = security_descriptor_dacl_add(sd, ace); + if (!NT_STATUS_IS_OK(status)) { + printf("failed to add ace: %s\n", nt_errstr(status)); + return false; + } + + if (!_test_SetKeySecurity(p, tctx, &new_handle, NULL, sd, WERR_OK)) { + return false; + } + + if (!test_dacl_ace_present(p, tctx, &new_handle, ace)) { + printf("new ACE not present!\n"); + return false; + } + + if (!test_CloseKey(p, tctx, &new_handle)) { + return false; + } + + if (!test_CreateKey(p, tctx, handle, TEST_SUBSUBKEY_SD, NULL)) { + return false; + } + + if (!test_OpenKey(p, tctx, handle, TEST_SUBSUBKEY_SD, &new_handle)) { + ret = false; + goto out; + } + + if (test_dacl_ace_present(p, tctx, &new_handle, ace)) { + printf("inherited ACE present but should not!\n"); + ret = false; + goto out; + } + + sid = dom_sid_parse_talloc(tctx, TEST_SID); + if (sid == NULL) { + return false; + } + + if (test_dacl_trustee_present(p, tctx, &new_handle, sid)) { + printf("inherited trustee SID present but should not!\n"); + ret = false; + goto out; + } + + test_CloseKey(p, tctx, &new_handle); + + if (!test_OpenKey(p, tctx, handle, TEST_SUBKEY_SD, &new_handle)) { + ret = false; + goto out; + } + + if (test_dacl_ace_present(p, tctx, &new_handle, ace)) { + printf("inherited ACE present but should not!\n"); + ret = false; + goto out; + } + + if (!test_dacl_trustee_flags_present(p, tctx, &new_handle, sid, ace_flags)) { + printf("inherited trustee SID with flags 0x%02x not present!\n", + ace_flags); + ret = false; + goto out; + } + + out: + test_CloseKey(p, tctx, &new_handle); + test_Cleanup(p, tctx, handle, TEST_SUBSUBKEY_SD); + test_Cleanup(p, tctx, handle, TEST_SUBKEY_SD); + test_RestoreSecurity(p, tctx, handle, key, sd_orig); + + return ret; +} + static bool test_SecurityDescriptors(struct dcerpc_pipe *p, struct torture_context *tctx, struct policy_handle *handle, @@ -592,7 +767,6 @@ static bool test_SecurityDescriptors(struct dcerpc_pipe *p, { bool ret = true; - if (!test_SecurityDescriptor(p, tctx, handle, key)) { printf("test_SecurityDescriptor failed\n"); ret = false; @@ -603,6 +777,11 @@ static bool test_SecurityDescriptors(struct dcerpc_pipe *p, ret = false; } + if (!test_SecurityDescriptorBlockInheritance(p, tctx, handle, key)) { + printf("test_SecurityDescriptorBlockInheritance failed\n"); + ret = false; + } + return ret; } |