From 690b352fc19cb5444b923c220af91f17a88a5e3c Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Mon, 6 Dec 2004 07:13:50 +0000
Subject: r4074: make the RAW-ACLS test use the new lsa helper functions to determine the privileges of the user running the test. This allows the test to work out what the expected access masks are. (This used to be commit dcf6c297d372cfa421d757d43897f00ad1d4f5f5)
---
 source4/torture/raw/acls.c | 55 ++++++++++++++++++++++++++++++++--------------
 1 file changed, 39 insertions(+), 16 deletions(-)
(limited to 'source4/torture/raw')
diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c
index 46e9fbdb3a..9e518f8fc9 100644
--- a/source4/torture/raw/acls.c
+++ b/source4/torture/raw/acls.c
@@ -481,6 +481,8 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
 { SEC_GENERIC_EXECUTE, SEC_RIGHTS_DIR_EXECUTE },
 { SEC_GENERIC_ALL, SEC_RIGHTS_DIR_ALL }
 };
+ BOOL has_restore_privilege;
+ BOOL has_take_ownership_privilege;
 printf("TESTING FILE GENERIC BITS\n");
@@ -515,8 +517,31 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid); + status = smblsa_sid_check_privilege(cli, owner_sid, SEC_PRIV_RESTORE); + has_restore_privilege = NT_STATUS_IS_OK(status); + if (!NT_STATUS_IS_OK(status)) { + printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status)); + } + printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No"); + + status = smblsa_sid_check_privilege(cli, owner_sid, SEC_PRIV_TAKE_OWNERSHIP); + has_take_ownership_privilege = NT_STATUS_IS_OK(status); + if (!NT_STATUS_IS_OK(status)) { + printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status)); + } + printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_restore_privilege?"Yes":"No"); for (i=0;itree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum, - SEC_STD_READ_CONTROL | - SEC_STD_WRITE_DAC | - SEC_STD_DELETE | - SEC_FILE_READ_ATTRIBUTE | - file_mappings[i].specific_bits); + expected_mask | file_mappings[i].specific_bits); smbcli_close(cli->tree, io.ntcreatex.out.fnum); + if (!has_take_ownership_privilege) { + continue; + } printf("testing generic bits 0x%08x (anonymous)\n", file_mappings[i].gen_bits); sd = security_descriptor_create(mem_ctx, - SID_ANONYMOUS, NULL, + SID_NT_ANONYMOUS, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, file_mappings[i].gen_bits, @@ -582,7 +606,7 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) CHECK_STATUS(status, NT_STATUS_OK); sd2 = security_descriptor_create(mem_ctx, - SID_ANONYMOUS, NULL, + SID_NT_ANONYMOUS, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, file_mappings[i].specific_bits, 
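Review bot: The second report line prints the wrong flag: `printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_restore_privilege?"Yes":"No");` shows the restore result, so the log can claim take-ownership is held while the `if (!has_take_ownership_privilege) continue;` further down skips the anonymous-owner cases; it should read `has_take_ownership_privilege?"Yes":"No"`. Both flags are also derived from `NT_STATUS_IS_OK(status)` alone, so any failure of smblsa_sid_check_privilege (an RPC or lookup error, not only "privilege not held") is recorded as an absent privilege and the run appears to continue with weaker or skipped ACL expectations after a single printf. It would be safer to treat only the specific "not held" status as No and fail the test on any other error; which status the helper returns for that case is not visible here. The body of test_generic_bits starts and continues outside this hunk, and part of the hunk text (the loop header and the expected_mask setup) is missing from this page.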
@@ -602,9 +626,7 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) status = smb_raw_open(cli->tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum, - SEC_STD_DELETE | - SEC_FILE_READ_ATTRIBUTE | - file_mappings[i].specific_bits); + expected_mask_anon | file_mappings[i].specific_bits); smbcli_close(cli->tree, io.ntcreatex.out.fnum); } @@ -649,6 +671,11 @@ static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) for (i=0;itree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum, - SEC_STD_WRITE_DAC | - SEC_STD_READ_CONTROL | - SEC_STD_DELETE | - SEC_FILE_READ_ATTRIBUTE | - dir_mappings[i].specific_bits); + expected_mask | dir_mappings[i].specific_bits); smbcli_close(cli->tree, io.ntcreatex.out.fnum); - } + printf("put back original sd\n"); set.set_secdesc.in.sd = sd_orig; status = smb_raw_setfileinfo(cli->tree, &set); -- cgit