summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/torture/basic/denytest.c12
-rw-r--r--source4/torture/raw/acls.c24
-rw-r--r--source4/torture/util.h3
-rw-r--r--source4/torture/util_smb.c36
4 files changed, 57 insertions, 18 deletions
diff --git a/source4/torture/basic/denytest.c b/source4/torture/basic/denytest.c
index 6b7ae2614f..52b4d582e0 100644
--- a/source4/torture/basic/denytest.c
+++ b/source4/torture/basic/denytest.c
@@ -2715,17 +2715,17 @@ bool torture_maximum_allowed(struct torture_context *tctx,
owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
- status = smblsa_sid_check_privilege(cli,
- owner_sid,
- sec_privilege_name(SEC_PRIV_RESTORE));
+ status = torture_check_privilege(cli,
+ owner_sid,
+ sec_privilege_name(SEC_PRIV_RESTORE));
has_restore_privilege = NT_STATUS_IS_OK(status);
torture_comment(tctx, "Checked SEC_PRIV_RESTORE for %s - %s\n",
owner_sid,
has_restore_privilege?"Yes":"No");
- status = smblsa_sid_check_privilege(cli,
- owner_sid,
- sec_privilege_name(SEC_PRIV_BACKUP));
+ status = torture_check_privilege(cli,
+ owner_sid,
+ sec_privilege_name(SEC_PRIV_BACKUP));
has_backup_privilege = NT_STATUS_IS_OK(status);
torture_comment(tctx, "Checked SEC_PRIV_BACKUP for %s - %s\n",
owner_sid,
diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c
index 3d3aae4bb9..b56345656a 100644
--- a/source4/torture/raw/acls.c
+++ b/source4/torture/raw/acls.c
@@ -778,21 +778,21 @@ static bool test_generic_bits(struct torture_context *tctx,
owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_RESTORE));
has_restore_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
has_take_ownership_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
@@ -943,21 +943,21 @@ static bool test_generic_bits(struct torture_context *tctx,
owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_RESTORE));
has_restore_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
has_take_ownership_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
@@ -1132,21 +1132,21 @@ static bool test_owner_bits(struct torture_context *tctx,
owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_RESTORE));
has_restore_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
has_take_ownership_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
diff --git a/source4/torture/util.h b/source4/torture/util.h
index 6a8ae36baf..501d14d57c 100644
--- a/source4/torture/util.h
+++ b/source4/torture/util.h
@@ -93,5 +93,8 @@ NTSTATUS torture_second_tcon(TALLOC_CTX *mem_ctx,
struct smbcli_tree **res);
+NTSTATUS torture_check_privilege(struct smbcli_state *cli,
+ const char *sid_str,
+ const char *privilege);
#endif /* _TORTURE_UTIL_H_ */
diff --git a/source4/torture/util_smb.c b/source4/torture/util_smb.c
index 7d3d04cdbb..b6f2bee635 100644
--- a/source4/torture/util_smb.c
+++ b/source4/torture/util_smb.c
@@ -33,6 +33,8 @@
#include "auth/credentials/credentials.h"
#include "libcli/resolve/resolve.h"
#include "param/param.h"
+#include "libcli/security/security.h"
+#include "libcli/util/clilsa.h"
/**
@@ -927,3 +929,37 @@ NTSTATUS torture_second_tcon(TALLOC_CTX *mem_ctx,
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
+
+/*
+ a wrapper around smblsa_sid_check_privilege, that tries to take
+ account of the fact that the lsa privileges calls don't expand
+ group memberships, using an explicit check for administrator. There
+ must be a better way ...
+ */
+NTSTATUS torture_check_privilege(struct smbcli_state *cli,
+ const char *sid_str,
+ const char *privilege)
+{
+ struct dom_sid *sid;
+ TALLOC_CTX *tmp_ctx = talloc_new(cli);
+ uint32_t rid;
+ NTSTATUS status;
+
+ sid = dom_sid_parse_talloc(tmp_ctx, sid_str);
+ if (sid == NULL) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_INVALID_SID;
+ }
+
+ status = dom_sid_split_rid(tmp_ctx, sid, NULL, &rid);
+ NT_STATUS_NOT_OK_RETURN_AND_FREE(status, tmp_ctx);
+
+ if (rid == DOMAIN_RID_ADMINISTRATOR) {
+ /* assume the administrator has them all */
+ return NT_STATUS_OK;
+ }
+
+ talloc_free(tmp_ctx);
+
+ return smblsa_sid_check_privilege(cli, sid_str, privilege);
+}