summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/torture/rpc/samr_accessmask.c57
1 files changed, 57 insertions, 0 deletions
diff --git a/source4/torture/rpc/samr_accessmask.c b/source4/torture/rpc/samr_accessmask.c
index c50a67d74c..9459485674 100644
--- a/source4/torture/rpc/samr_accessmask.c
+++ b/source4/torture/rpc/samr_accessmask.c
@@ -332,6 +332,47 @@ static bool test_samr_connect_user_acl(struct torture_context *tctx,
return ret;
}
+/*
+ * test if the ACLs are enforced for users.
+ * a normal testuser only gets the rights provided in hte ACL for
+ * Everyone which does not include the SAMR_ACCESS_SHUTDOWN_SERVER
+ * right. If the ACLs are checked when a user connects
+ * a testuser that requests the accessmask with only this bit set
+ * the connect should fail.
+ */
+static bool test_samr_connect_user_acl_enforced(struct torture_context *tctx,
+ struct dcerpc_pipe *p,
+ struct cli_credentials *test_credentials,
+ const struct dom_sid *test_sid)
+
+{
+ NTSTATUS status;
+ struct policy_handle uch;
+ bool ret = True;
+ struct dcerpc_pipe *test_p;
+ const char *binding = torture_setting_string(tctx, "binding", NULL);
+
+ printf("testing if ACLs are enforced for non domain admin users when connecting to SAMR");
+
+
+ status = dcerpc_pipe_connect(tctx,
+ &test_p, binding, &ndr_table_samr,
+ test_credentials, NULL);
+
+ /* connect to SAMR as the user */
+ status = torture_samr_Connect5(tctx, test_p, SAMR_ACCESS_SHUTDOWN_SERVER, &uch);
+ if (NT_STATUS_IS_OK(status)) {
+ printf("Connect5 failed - %s\n", nt_errstr(status));
+ return False;
+ }
+ printf(" OK\n");
+
+ /* disconnec the user */
+ talloc_free(test_p);
+
+ return ret;
+}
+
/* check which bits in accessmask allows us to LookupDomain()
by default we must specify at least one of :
in the access mask to Connect5() in order to be allowed to perform
@@ -579,6 +620,22 @@ static bool test_samr_connect(struct torture_context *tctx,
ret = False;
}
+ /* test if the ACLs that are reported from the Connect5
+ * policy handle is enforced.
+ * i.e. an ordinary user only has the same rights as Everybody
+ * ReadControl
+ * Samr/OpenDomain
+ * Samr/EnumDomains
+ * Samr/ConnectToServer
+ * is granted and should therefore not be able to connect when
+ * requesting SAMR_ACCESS_SHUTDOWN_SERVER
+ */
+ if (!test_samr_connect_user_acl_enforced(tctx, p, test_credentials, test_sid)) {
+ ret = False;
+ }
+
+
+
/* remove the test user */
torture_leave_domain(testuser);