From f717a79eff334835eb33783adcbb261e126185d6 Mon Sep 17 00:00:00 2001
From: Tim Prouty <tprouty@samba.org>
Date: Fri, 4 Dec 2009 16:07:35 -0800
Subject: s4 torture: Add a new torture:hide_on_access_denied parameter

It appears some newer versions of windows return
NT_STATUS_OBJECT_NAME_NOT_FOUND on a createfile when access is denied
rather than NT_STATUS_ACCESS_DENIED.  I'm not sure how this translates
to directory enumeration yet, but for now make this a parameter that
can be checked in the various torture tests.

This also gets RAW-ACLS and SMB2-CREATE passing against win7.
---
 source4/torture/raw/acls.c    | 29 ++++++++++++++++++++++-------
 source4/torture/smb2/acls.c   |  9 +++++----
 source4/torture/smb2/create.c | 24 ++++++++++++++++++++----
 source4/torture/smbtorture.c  |  3 +++
 source4/torture/smbtorture.h  |  6 ++++++
 source4/torture/util.h        |  1 +
 6 files changed, 57 insertions(+), 15 deletions(-)

(limited to 'source4')

diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c
index 94274237af..e34a901ebc 100644
--- a/source4/torture/raw/acls.c
+++ b/source4/torture/raw/acls.c
@@ -1768,20 +1768,32 @@ static bool test_inheritance(struct torture_context *tctx,
 		CHECK_ACCESS_FLAGS(fnum2, SEC_RIGHTS_FILE_ALL);
 		smbcli_close(cli->tree, fnum2);
 	} else {
-		CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+		if (TARGET_IS_WIN7(tctx)) {
+			CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND);
+		} else {
+			CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+		}
 	}
 
 	torture_comment(tctx, "trying without execute\n");
 	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
 	io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL & ~SEC_FILE_EXECUTE;
 	status = smb_raw_open(cli->tree, tctx, &io);
-	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+	if (TARGET_IS_WIN7(tctx)) {
+		CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND);
+	} else {
+		CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+	}
 
 	torture_comment(tctx, "and with full permissions again\n");
 	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
 	io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL;
 	status = smb_raw_open(cli->tree, tctx, &io);
-	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+	if (TARGET_IS_WIN7(tctx)) {
+		CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND);
+	} else {
+		CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+	}
 
 	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
 	status = smb_raw_open(cli->tree, tctx, &io);
@@ -1802,7 +1814,11 @@ static bool test_inheritance(struct torture_context *tctx,
 
 	io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL;
 	status = smb_raw_open(cli->tree, tctx, &io);
-	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+	if (TARGET_IS_WIN7(tctx)) {
+		CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND);
+	} else {
+		CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+	}
 
 	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
 	status = smb_raw_open(cli->tree, tctx, &io);
@@ -1811,9 +1827,6 @@ static bool test_inheritance(struct torture_context *tctx,
 	CHECK_ACCESS_FLAGS(fnum2, SEC_FILE_WRITE_DATA | SEC_FILE_READ_ATTRIBUTE);
 	smbcli_close(cli->tree, fnum2);
 
-	smbcli_unlink(cli->tree, fname1);
-	smbcli_rmdir(cli->tree, dname);
-
 done:
 	if (sd_orig != NULL) {
 		set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
@@ -1824,6 +1837,8 @@ done:
 	}
 
 	smbcli_close(cli->tree, fnum);
+	smbcli_unlink(cli->tree, fname1);
+	smbcli_rmdir(cli->tree, dname);
 	smb_raw_exit(cli->session);
 	smbcli_deltree(cli->tree, BASEDIR);
 	return ret;
diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c
index b565a5bce9..c746d96110 100644
--- a/source4/torture/smb2/acls.c
+++ b/source4/torture/smb2/acls.c
@@ -1186,7 +1186,8 @@ static bool test_inheritance(struct torture_context *tctx, struct smb2_tree *tre
 		CHECK_ACCESS_FLAGS(handle2, SEC_RIGHTS_FILE_ALL);
 		smb2_util_close(tree, handle2);
 	} else {
-		if (TARGET_IS_WIN7(tctx)) {
+		if (torture_setting_bool(tctx, "hide_on_access_denied",
+					 false)) {
 			CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND);
 		} else {
 			CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
@@ -1197,7 +1198,7 @@ static bool test_inheritance(struct torture_context *tctx, struct smb2_tree *tre
 	io.in.create_disposition = NTCREATEX_DISP_OPEN;
 	io.in.desired_access = SEC_RIGHTS_FILE_ALL & ~SEC_FILE_EXECUTE;
 	status = smb2_create(tree, tctx, &io);
-	if (TARGET_IS_WIN7(tctx)) {
+	if (torture_setting_bool(tctx, "hide_on_access_denied", false)) {
 		CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND);
 	} else {
 		CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
@@ -1207,7 +1208,7 @@ static bool test_inheritance(struct torture_context *tctx, struct smb2_tree *tre
 	io.in.create_disposition = NTCREATEX_DISP_OPEN;
 	io.in.desired_access = SEC_RIGHTS_FILE_ALL;
 	status = smb2_create(tree, tctx, &io);
-	if (TARGET_IS_WIN7(tctx)) {
+	if (torture_setting_bool(tctx, "hide_on_access_denied", false)) {
 		CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND);
 	} else {
 		CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
@@ -1232,7 +1233,7 @@ static bool test_inheritance(struct torture_context *tctx, struct smb2_tree *tre
 
 	io.in.desired_access = SEC_RIGHTS_FILE_ALL;
 	status = smb2_create(tree, tctx, &io);
-	if (TARGET_IS_WIN7(tctx)) {
+	if (torture_setting_bool(tctx, "hide_on_access_denied", false)) {
 		CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND);
 	} else {
 		CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
diff --git a/source4/torture/smb2/create.c b/source4/torture/smb2/create.c
index 5a29c2603d..b89b14af27 100644
--- a/source4/torture/smb2/create.c
+++ b/source4/torture/smb2/create.c
@@ -1302,22 +1302,38 @@ static bool test_create_null_dacl(struct torture_context *tctx,
 	torture_comment(tctx, "try open for write => access_denied\n");
 	io.in.desired_access = SEC_FILE_WRITE_DATA;
 	status = smb2_create(tree, tctx, &io);
-	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+	if (torture_setting_bool(tctx, "hide_on_access_denied", false)) {
+		CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND);
+	} else {
+		CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+	}
 
 	torture_comment(tctx, "try open for read => access_denied\n");
 	io.in.desired_access = SEC_FILE_READ_DATA;
 	status = smb2_create(tree, tctx, &io);
-	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+	if (torture_setting_bool(tctx, "hide_on_access_denied", false)) {
+		CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND);
+	} else {
+		CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+	}
 
 	torture_comment(tctx, "try open for generic write => access_denied\n");
 	io.in.desired_access = SEC_GENERIC_WRITE;
 	status = smb2_create(tree, tctx, &io);
-	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+	if (torture_setting_bool(tctx, "hide_on_access_denied", false)) {
+		CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND);
+	} else {
+		CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+	}
 
 	torture_comment(tctx, "try open for generic read => access_denied\n");
 	io.in.desired_access = SEC_GENERIC_READ;
 	status = smb2_create(tree, tctx, &io);
-	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+	if (torture_setting_bool(tctx, "hide_on_access_denied", false)) {
+		CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND);
+	} else {
+		CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+	}
 
 	torture_comment(tctx, "set empty sd\n");
 	sd->type &= ~SEC_DESC_DACL_PRESENT;
diff --git a/source4/torture/smbtorture.c b/source4/torture/smbtorture.c
index cb080dfded..8e0a25b032 100644
--- a/source4/torture/smbtorture.c
+++ b/source4/torture/smbtorture.c
@@ -543,6 +543,9 @@ int main(int argc,char *argv[])
 
 		/* RAW-SEARCH for fails for inexplicable reasons against win7 */
 		lp_set_cmdline(cmdline_lp_ctx, "torture:search_ea_support", "false");
+
+		lp_set_cmdline(cmdline_lp_ctx, "torture:hide_on_access_denied",
+		    "true");
 	} else if (strcmp(target, "onefs") == 0) {
 		lp_set_cmdline(cmdline_lp_ctx, "torture:onefs", "true");
 		lp_set_cmdline(cmdline_lp_ctx, "torture:openx_deny_dos_support",
diff --git a/source4/torture/smbtorture.h b/source4/torture/smbtorture.h
index a4f25958a6..38969f1bcc 100644
--- a/source4/torture/smbtorture.h
+++ b/source4/torture/smbtorture.h
@@ -113,4 +113,10 @@ bool torture_register_suite(struct torture_suite *suite);
  * the appropriate test.
  */
 
+/* torture:hide_on_acess_denied
+ *
+ * Some servers (win7) choose to hide files when certain access has been
+ * denied.  When true, torture will expect NT_STATUS_OBJECT_NAME_NOT_FOUND
+ * rather than NT_STATUS_ACCESS_DENIED when trying to open one of these files.
+ */
 #endif /* __SMBTORTURE_H__ */
diff --git a/source4/torture/util.h b/source4/torture/util.h
index 0dadc89be6..3721273915 100644
--- a/source4/torture/util.h
+++ b/source4/torture/util.h
@@ -107,4 +107,5 @@ NTSTATUS torture_check_privilege(struct smbcli_state *cli,
 				 const char *sid_str,
 				 const char *privilege);
 
+
 #endif /* _TORTURE_UTIL_H_ */
-- 
cgit