-rw-r--r-- | selftest/knownfail | 1 | ||||
-rw-r--r-- | source4/torture/basic/denytest.c | 31 |
2 files changed, 28 insertions, 4 deletions
diff --git a/selftest/knownfail b/selftest/knownfail
index 93f1dfc732..4e6eb43add 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -93,6 +93,7 @@
 ^samba4.rpc.samr.passwords.badpwdcount # Not provided by Samba 4 yet
 ^samba4.rpc.samr.passwords.lockout
 ^samba4.base.charset.*.Testing partial surrogate
+^samba4.*.base.maximum_allowed # broken until we implement NTCREATEX_OPTIONS_BACKUP_INTENT
 .*net.api.delshare.* # DelShare isn't implemented yet
 ^samba4.rap.*netservergetinfo
 ^samba4.rap.*netsessionenum
diff --git a/source4/torture/basic/denytest.c b/source4/torture/basic/denytest.c
index 2e21c83fad..69717be3ba 100644
--- a/source4/torture/basic/denytest.c
+++ b/source4/torture/basic/denytest.c
@@ -2687,7 +2687,7 @@ bool torture_maximum_allowed(struct torture_context *tctx,
 NTSTATUS status;
 union smb_fileinfo q;
 const char *owner_sid;
- bool has_restore_privilege, has_backup_privilege;
+ bool has_restore_privilege, has_backup_privilege, has_system_security_privilege;
 mem_ctx = talloc_init("torture_maximum_allowed");
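Review bot: The new `selftest/knownfail` entry `^samba4.*.base.maximum_allowed` marks the whole test as an expected failure in every samba4 environment the pattern matches, so the privilege-dependent expectations this commit adds to `torture_maximum_allowed` cannot flag a regression in access-mask handling while the entry stands. The trailing comment names the missing feature but carries no tracking reference; I would extend it, e.g. `# broken until we implement NTCREATEX_OPTIONS_BACKUP_INTENT (bug <TRACKING-ID placeholder>)`, so the entry is removed when that work lands. The dots in the pattern are unescaped regex wildcards; `^samba4.*\.base\.maximum_allowed` would match only the intended test name, although the neighbouring entries use the same loose style.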
@@ -2747,18 +2747,41 @@ bool torture_maximum_allowed(struct torture_context *tctx, owner_sid, has_backup_privilege?"Yes":"No"); + status = torture_check_privilege(cli, + owner_sid, + sec_privilege_name(SEC_PRIV_SECURITY)); + has_system_security_privilege = NT_STATUS_IS_OK(status); + torture_comment(tctx, "Checked SEC_PRIV_SECURITY for %s - %s\n", + owner_sid, + has_system_security_privilege?"Yes":"No"); + smbcli_close(cli->tree, fnum); for (i = 0; i < 32; i++) { uint32_t mask = SEC_FLAG_MAXIMUM_ALLOWED | (1u << i); - uint32_t ok_mask = SEC_RIGHTS_FILE_READ | SEC_GENERIC_READ | + /* + * SEC_GENERIC_EXECUTE is a complete subset of + * SEC_GENERIC_READ when mapped to specific bits, + * so we need to include it in the basic OK mask. + */ + uint32_t ok_mask = SEC_RIGHTS_FILE_READ | SEC_GENERIC_READ | SEC_GENERIC_EXECUTE | SEC_STD_DELETE | SEC_STD_WRITE_DAC; + /* + * Now SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP + * don't include any generic bits (they're used directly + * in the fileserver where the generic bits have already + * been mapped into file specific bits) we need to add the + * generic bits to the ok_mask when we have these privileges. + */ if (has_restore_privilege) { - ok_mask |= SEC_RIGHTS_PRIV_RESTORE; + ok_mask |= SEC_RIGHTS_PRIV_RESTORE|SEC_GENERIC_WRITE; } if (has_backup_privilege) { - ok_mask |= SEC_RIGHTS_PRIV_BACKUP; + ok_mask |= SEC_RIGHTS_PRIV_BACKUP|SEC_GENERIC_READ; + } + if (has_system_security_privilege) { + ok_mask |= SEC_FLAG_SYSTEM_SECURITY; } /* Skip all SACL related tests. */ |
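Review bot: `has_system_security_privilege = NT_STATUS_IS_OK(status);` folds every failure of `torture_check_privilege()` into "privilege not held", so a lookup that fails for an unrelated reason silently narrows `ok_mask` and the later access checks are judged against the wrong expectation. The status codes that helper can return are not visible in this hunk, but printing the status in the comment line would make the two cases distinguishable, e.g. `has_system_security_privilege ? "Yes" : nt_errstr(status)`. Separately, `ok_mask |= SEC_RIGHTS_PRIV_BACKUP|SEC_GENERIC_READ;` sets a bit that the base `ok_mask` already contains unconditionally, so only the `SEC_GENERIC_WRITE` addition in the restore branch has any effect and the new block comment overstates what the backup branch does. The loop body continues past the end of the hunk (the SACL skip), so whether the `SEC_FLAG_SYSTEM_SECURITY` bit is ever exercised cannot be judged from here.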