From bbf009b46f75f292a625b853b9331b5d5e0da7c2 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Thu, 18 Nov 2004 01:02:27 +0000
Subject: r3829: added a RAW-ACLS test suite that tests query/set of ACLs on a file
(This used to be commit 2ff9816ae0ae41e0e63e4276a70d292888346dc7)
---
 source4/torture/config.mk | 1 +
 source4/torture/raw/acls.c | 162 +++++++++++++++++++++++++++++++++++++++++++++
 source4/torture/torture.c | 1 +
 3 files changed, 164 insertions(+)
 create mode 100644 source4/torture/raw/acls.c
(limited to 'source4/torture')
diff --git a/source4/torture/config.mk b/source4/torture/config.mk
index 5aa621bdb5..d7e99db0d0 100644
--- a/source4/torture/config.mk
+++ b/source4/torture/config.mk
@@ -48,6 +48,7 @@ ADD_OBJ_FILES = \
 torture/raw/rename.o \
 torture/raw/eas.o \
 torture/raw/streams.o \
+ torture/raw/acls.o \
 torture/raw/seek.o
 REQUIRED_SUBSYSTEMS = \
 LIBSMB
diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c
new file mode 100644
index 0000000000..1562af55ca
--- /dev/null
+++ b/source4/torture/raw/acls.c
@@ -0,0 +1,162 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ test security descriptor operations
+
+ Copyright (C) Andrew Tridgell 2004
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "libcli/raw/libcliraw.h"
+#include "librpc/gen_ndr/ndr_security.h"
+
+#define BASEDIR "\\testsd"
+
+#define CHECK_STATUS(status, correct) do { \
+ if (!NT_STATUS_EQUAL(status, correct)) { \
+ printf("(%s) Incorrect status %s - should be %s\n", \
+ __location__, nt_errstr(status), nt_errstr(correct)); \
+ ret = False; \
+ goto done; \
+ }} while (0)
+
+
+static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
+{
+ NTSTATUS status;
+ union smb_open io;
+ const char *fname = BASEDIR "\\sd.txt";
+ BOOL ret = True;
+ int fnum;
+ struct smb_query_secdesc q;
+ struct smb_set_secdesc set;
+ struct security_ace ace;
+ struct security_descriptor *sd;
+ struct dom_sid *test_sid;
+
+ printf("TESTING SETFILEINFO EA_SET\n");
+
+ io.generic.level = RAW_OPEN_NTCREATEX;
+ io.ntcreatex.in.root_fid = 0;
+ io.ntcreatex.in.flags = 0;
+ io.ntcreatex.in.access_mask = SEC_RIGHT_MAXIMUM_ALLOWED;
+ io.ntcreatex.in.create_options = 0;
+ io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
+ io.ntcreatex.in.share_access =
+ NTCREATEX_SHARE_ACCESS_READ |
+ NTCREATEX_SHARE_ACCESS_WRITE;
+ io.ntcreatex.in.alloc_size = 0;
+ io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
+ io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
+ io.ntcreatex.in.security_flags = 0;
+ io.ntcreatex.in.fname = fname;
+ status = smb_raw_open(cli->tree, mem_ctx, &io);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ fnum = io.ntcreatex.out.fnum;
+
+ q.in.fnum = fnum;
+ q.in.secinfo_flags =
+ OWNER_SECURITY_INFORMATION |
+ GROUP_SECURITY_INFORMATION |
+ DACL_SECURITY_INFORMATION;
+ status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ sd = q.out.sd;
+
+ printf("add a new ACE to the DACL\n");
+
+ test_sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-1234-5432");
+
+ ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
+ ace.flags = 0;
+ ace.access_mask = STD_RIGHT_ALL_ACCESS;
+ ace.trustee = *test_sid;
+
+ status = security_descriptor_dacl_add(sd, &ace);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ set.in.fnum = fnum;
+ set.in.secinfo_flags = q.in.secinfo_flags;
+ set.in.sd = sd;
+
+ status = smb_raw_set_secdesc(cli->tree, &set);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ if (!security_descriptor_equal(q.out.sd, sd)) {
+ printf("security descriptors don't match!\n");
+ printf("got:\n");
+ NDR_PRINT_DEBUG(security_descriptor, q.out.sd);
+ printf("expected:\n");
+ NDR_PRINT_DEBUG(security_descriptor, sd);
+ }
+
+ printf("remove it again\n");
+
+ status = security_descriptor_dacl_del(sd, test_sid);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ status = smb_raw_set_secdesc(cli->tree, &set);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ if (!security_descriptor_equal(q.out.sd, sd)) {
+ printf("security descriptors don't match!\n");
+ printf("got:\n");
+ NDR_PRINT_DEBUG(security_descriptor, q.out.sd);
+ printf("expected:\n");
+ NDR_PRINT_DEBUG(security_descriptor, sd);
+ }
+
+done:
+ smbcli_close(cli->tree, fnum);
+ return ret;
+}
+
+
+/*
+ basic testing of security descriptor calls
+*/
+BOOL torture_raw_acls(void)
+{
+ struct smbcli_state *cli;
+ BOOL ret = True;
+ TALLOC_CTX *mem_ctx;
+
+ if (!torture_open_connection(&cli)) {
+ return False;
+ }
+
+ mem_ctx = talloc_init("torture_raw_acls");
+
+ if (!torture_setup_dir(cli, BASEDIR)) {
+ return False;
+ }
+
+ ret &= test_sd(cli, mem_ctx);
+
+ smb_raw_exit(cli->session);
+ smbcli_deltree(cli->tree, BASEDIR);
+
+ torture_close_connection(cli);
+ talloc_destroy(mem_ctx);
+ return ret;
+}
diff --git a/source4/torture/torture.c b/source4/torture/torture.c
index bc3b5f545f..09f7c65f04 100644
--- a/source4/torture/torture.c
+++ b/source4/torture/torture.c
@@ -2421,6 +2421,7 @@ static struct { {"RAW-SEEK", torture_raw_seek, 0}, {"RAW-EAS", torture_raw_eas, 0}, {"RAW-STREAMS", torture_raw_streams, 0}, + {"RAW-ACLS", torture_raw_acls, 0}, {"RAW-RAP", torture_raw_rap, 0}, /* protocol scanners */ -- cgit
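Review bot: In source4/torture/raw/acls.c, both `if (!security_descriptor_equal(q.out.sd, sd))` branches in test_sd only print the two descriptors and never fail the test, so a server that silently drops or rewrites the ACE on set still produces a passing RAW-ACLS run; add `ret = False;` in each branch, as CHECK_STATUS does for status mismatches, so a DACL round-trip mismatch is actually reported. Separately, if the initial `smb_raw_open` fails, CHECK_STATUS jumps to `done:` and `smbcli_close(cli->tree, fnum)` reads `fnum` uninitialised; declaring `int fnum = -1;` and guarding the close would avoid that. The result of `dom_sid_parse_talloc` is dereferenced unchecked in `ace.trustee = *test_sid;`, which presumably crashes if the parse or allocation fails. In torture_raw_acls the `torture_setup_dir` failure path returns without calling `torture_close_connection(cli)` or `talloc_destroy(mem_ctx)`.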