summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/torture/config.mk2
-rw-r--r--source4/torture/raw/acls.c55
2 files changed, 40 insertions, 17 deletions
diff --git a/source4/torture/config.mk b/source4/torture/config.mk
index 4cba73062f..58089fa172 100644
--- a/source4/torture/config.mk
+++ b/source4/torture/config.mk
@@ -52,7 +52,7 @@ ADD_OBJ_FILES = \
torture/raw/acls.o \
torture/raw/seek.o
REQUIRED_SUBSYSTEMS = \
- LIBSMB
+ LIBSMB LIBCLI_LSA
# End SUBSYSTEM TORTURE_RAW
#################################
diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c
index 46e9fbdb3a..9e518f8fc9 100644
--- a/source4/torture/raw/acls.c
+++ b/source4/torture/raw/acls.c
@@ -481,6 +481,8 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
{ SEC_GENERIC_EXECUTE, SEC_RIGHTS_DIR_EXECUTE },
{ SEC_GENERIC_ALL, SEC_RIGHTS_DIR_ALL }
};
+ BOOL has_restore_privilege;
+ BOOL has_take_ownership_privilege;
printf("TESTING FILE GENERIC BITS\n");
@@ -515,8 +517,31 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
+ status = smblsa_sid_check_privilege(cli, owner_sid, SEC_PRIV_RESTORE);
+ has_restore_privilege = NT_STATUS_IS_OK(status);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ }
+ printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
+
+ status = smblsa_sid_check_privilege(cli, owner_sid, SEC_PRIV_TAKE_OWNERSHIP);
+ has_take_ownership_privilege = NT_STATUS_IS_OK(status);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ }
+ printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_restore_privilege?"Yes":"No");
for (i=0;i<ARRAY_SIZE(file_mappings);i++) {
+ uint32_t expected_mask =
+ SEC_STD_WRITE_DAC |
+ SEC_STD_READ_CONTROL |
+ SEC_FILE_READ_ATTRIBUTE |
+ SEC_STD_DELETE;
+ uint32_t expected_mask_anon = SEC_FILE_READ_ATTRIBUTE;
+
+ if (has_restore_privilege) {
+ expected_mask_anon |= SEC_STD_DELETE;
+ }
printf("testing generic bits 0x%08x\n",
file_mappings[i].gen_bits);
@@ -556,18 +581,17 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
status = smb_raw_open(cli->tree, mem_ctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
- SEC_STD_READ_CONTROL |
- SEC_STD_WRITE_DAC |
- SEC_STD_DELETE |
- SEC_FILE_READ_ATTRIBUTE |
- file_mappings[i].specific_bits);
+ expected_mask | file_mappings[i].specific_bits);
smbcli_close(cli->tree, io.ntcreatex.out.fnum);
+ if (!has_take_ownership_privilege) {
+ continue;
+ }
printf("testing generic bits 0x%08x (anonymous)\n",
file_mappings[i].gen_bits);
sd = security_descriptor_create(mem_ctx,
- SID_ANONYMOUS, NULL,
+ SID_NT_ANONYMOUS, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
file_mappings[i].gen_bits,
@@ -582,7 +606,7 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
CHECK_STATUS(status, NT_STATUS_OK);
sd2 = security_descriptor_create(mem_ctx,
- SID_ANONYMOUS, NULL,
+ SID_NT_ANONYMOUS, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
file_mappings[i].specific_bits,
@@ -602,9 +626,7 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
status = smb_raw_open(cli->tree, mem_ctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
- SEC_STD_DELETE |
- SEC_FILE_READ_ATTRIBUTE |
- file_mappings[i].specific_bits);
+ expected_mask_anon | file_mappings[i].specific_bits);
smbcli_close(cli->tree, io.ntcreatex.out.fnum);
}
@@ -649,6 +671,11 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
for (i=0;i<ARRAY_SIZE(dir_mappings);i++) {
+ uint32_t expected_mask =
+ SEC_STD_WRITE_DAC |
+ SEC_STD_READ_CONTROL |
+ SEC_FILE_READ_ATTRIBUTE |
+ SEC_STD_DELETE;
printf("testing generic bits 0x%08x\n",
file_mappings[i].gen_bits);
@@ -688,14 +715,10 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
status = smb_raw_open(cli->tree, mem_ctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
- SEC_STD_WRITE_DAC |
- SEC_STD_READ_CONTROL |
- SEC_STD_DELETE |
- SEC_FILE_READ_ATTRIBUTE |
- dir_mappings[i].specific_bits);
+ expected_mask | dir_mappings[i].specific_bits);
smbcli_close(cli->tree, io.ntcreatex.out.fnum);
-
}
+
printf("put back original sd\n");
set.set_secdesc.in.sd = sd_orig;
status = smb_raw_setfileinfo(cli->tree, &set);