/* Unix SMB/CIFS implementation. test security descriptor operations for SMB2 Copyright (C) Zack Kirsch 2009 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ #include "includes.h" #include "libcli/smb2/smb2.h" #include "libcli/smb2/smb2_calls.h" #include "torture/torture.h" #include "torture/util.h" #include "torture/smb2/proto.h" #include "libcli/security/security.h" #include "librpc/gen_ndr/ndr_security.h" #define CHECK_STATUS(status, correct) do { \ if (!NT_STATUS_EQUAL(status, correct)) { \ torture_result(tctx, TORTURE_FAIL, "(%s) Incorrect status %s - should be %s\n", \ __location__, nt_errstr(status), nt_errstr(correct)); \ ret = false; \ goto done; \ }} while (0) #define BASEDIR "smb2-testsd" #define CHECK_ACCESS_IGNORE SEC_STD_SYNCHRONIZE #define CHECK_ACCESS_FLAGS(_fh, flags) do { \ union smb_fileinfo _q; \ _q.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION; \ _q.access_information.in.file.handle = (_fh); \ status = smb2_getinfo_file(tree, tctx, &_q); \ CHECK_STATUS(status, NT_STATUS_OK); \ /* Handle a Vista bug where SEC_STD_SYNCHRONIZE doesn't come back. */ \ if ((((flags) & CHECK_ACCESS_IGNORE) == CHECK_ACCESS_IGNORE) && \ ((_q.access_information.out.access_flags & CHECK_ACCESS_IGNORE) != CHECK_ACCESS_IGNORE)) { \ torture_comment(tctx, "SKIPPING (Vista bug): (%s) Incorrect access_flags 0x%08x - should be 0x%08x\n", \ __location__, _q.access_information.out.access_flags, (flags)); \ } \ if ((_q.access_information.out.access_flags & ~CHECK_ACCESS_IGNORE) != \ (((flags) & ~CHECK_ACCESS_IGNORE))) { \ torture_result(tctx, TORTURE_FAIL, "(%s) Incorrect access_flags 0x%08x - should be 0x%08x\n", \ __location__, _q.access_information.out.access_flags, (flags)); \ ret = false; \ goto done; \ } \ } while (0) #define FAIL_UNLESS(__cond) \ do { \ if (__cond) {} else { \ torture_result(tctx, TORTURE_FAIL, "%s) condition violated: %s\n", \ __location__, #__cond); \ ret = false; goto done; \ } \ } while(0) #define CHECK_SECURITY_DESCRIPTOR(_sd1, _sd2) do { \ if (!security_descriptor_equal(_sd1, _sd2)) { \ torture_warning(tctx, "%s: security descriptors don't match!\n", __location__); \ torture_warning(tctx, "got:\n"); \ NDR_PRINT_DEBUG(security_descriptor, _sd1); \ torture_warning(tctx, "expected:\n"); \ NDR_PRINT_DEBUG(security_descriptor, _sd2); \ ret = false; \ } \ } while (0) /* test the behaviour of the well known SID_CREATOR_OWNER sid, and some generic mapping bits Note: This test was copied from raw/acls.c. */ static bool test_creator_sid(struct torture_context *tctx, struct smb2_tree *tree) { NTSTATUS status; struct smb2_create io; const char *fname = BASEDIR "\\creator.txt"; bool ret = true; struct smb2_handle handle; union smb_fileinfo q; union smb_setfileinfo set; struct security_descriptor *sd, *sd_orig, *sd2; const char *owner_sid; if (!smb2_util_setup_dir(tctx, tree, BASEDIR)) return false; torture_comment(tctx, "TESTING SID_CREATOR_OWNER\n"); ZERO_STRUCT(io); io.level = RAW_OPEN_SMB2; io.in.create_flags = 0; io.in.desired_access = SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER; io.in.create_options = 0; io.in.file_attributes = FILE_ATTRIBUTE_NORMAL; io.in.share_access = NTCREATEX_SHARE_ACCESS_DELETE | NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; io.in.alloc_size = 0; io.in.create_disposition = NTCREATEX_DISP_OPEN_IF; io.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS; io.in.security_flags = 0; io.in.fname = fname; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); handle = io.out.file.handle; torture_comment(tctx, "get the original sd\n"); q.query_secdesc.level = RAW_FILEINFO_SEC_DESC; q.query_secdesc.in.file.handle = handle; q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); sd_orig = q.query_secdesc.out.sd; owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); torture_comment(tctx, "set a sec desc allowing no write by CREATOR_OWNER\n"); sd = security_descriptor_dacl_create(tctx, 0, NULL, NULL, SID_CREATOR_OWNER, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_STD_ALL, 0, NULL); set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; set.set_secdesc.in.file.handle = handle; set.set_secdesc.in.secinfo_flags = SECINFO_DACL; set.set_secdesc.in.sd = sd; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); torture_comment(tctx, "try open for write\n"); io.in.desired_access = SEC_FILE_WRITE_DATA; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); torture_comment(tctx, "try open for read\n"); io.in.desired_access = SEC_FILE_READ_DATA; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); torture_comment(tctx, "try open for generic write\n"); io.in.desired_access = SEC_GENERIC_WRITE; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); torture_comment(tctx, "try open for generic read\n"); io.in.desired_access = SEC_GENERIC_READ; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); torture_comment(tctx, "set a sec desc allowing no write by owner\n"); sd = security_descriptor_dacl_create(tctx, 0, owner_sid, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_STD_ALL, 0, NULL); set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; set.set_secdesc.in.file.handle = handle; set.set_secdesc.in.secinfo_flags = SECINFO_DACL; set.set_secdesc.in.sd = sd; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); torture_comment(tctx, "check that sd has been mapped correctly\n"); status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); CHECK_SECURITY_DESCRIPTOR(q.query_secdesc.out.sd, sd); torture_comment(tctx, "try open for write\n"); io.in.desired_access = SEC_FILE_WRITE_DATA; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); torture_comment(tctx, "try open for read\n"); io.in.desired_access = SEC_FILE_READ_DATA; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); CHECK_ACCESS_FLAGS(io.out.file.handle, SEC_FILE_READ_DATA); smb2_util_close(tree, io.out.file.handle); torture_comment(tctx, "try open for generic write\n"); io.in.desired_access = SEC_GENERIC_WRITE; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); torture_comment(tctx, "try open for generic read\n"); io.in.desired_access = SEC_GENERIC_READ; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); CHECK_ACCESS_FLAGS(io.out.file.handle, SEC_RIGHTS_FILE_READ); smb2_util_close(tree, io.out.file.handle); torture_comment(tctx, "set a sec desc allowing generic read by owner\n"); sd = security_descriptor_dacl_create(tctx, 0, NULL, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_GENERIC_READ | SEC_STD_ALL, 0, NULL); set.set_secdesc.in.sd = sd; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); torture_comment(tctx, "check that generic read has been mapped correctly\n"); sd2 = security_descriptor_dacl_create(tctx, 0, owner_sid, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_STD_ALL, 0, NULL); status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); CHECK_SECURITY_DESCRIPTOR(q.query_secdesc.out.sd, sd2); torture_comment(tctx, "try open for write\n"); io.in.desired_access = SEC_FILE_WRITE_DATA; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); torture_comment(tctx, "try open for read\n"); io.in.desired_access = SEC_FILE_READ_DATA; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); CHECK_ACCESS_FLAGS(io.out.file.handle, SEC_FILE_READ_DATA); smb2_util_close(tree, io.out.file.handle); torture_comment(tctx, "try open for generic write\n"); io.in.desired_access = SEC_GENERIC_WRITE; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); torture_comment(tctx, "try open for generic read\n"); io.in.desired_access = SEC_GENERIC_READ; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); CHECK_ACCESS_FLAGS(io.out.file.handle, SEC_RIGHTS_FILE_READ); smb2_util_close(tree, io.out.file.handle); torture_comment(tctx, "put back original sd\n"); set.set_secdesc.in.sd = sd_orig; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); done: smb2_util_close(tree, handle); smb2_deltree(tree, BASEDIR); smb2_tdis(tree); smb2_logoff(tree->session); return ret; } /* test the mapping of the SEC_GENERIC_xx bits to SEC_STD_xx and SEC_FILE_xx bits Note: This test was copied from raw/acls.c. */ static bool test_generic_bits(struct torture_context *tctx, struct smb2_tree *tree) { NTSTATUS status; struct smb2_create io; const char *fname = BASEDIR "\\generic.txt"; bool ret = true; struct smb2_handle handle; int i; union smb_fileinfo q; union smb_setfileinfo set; struct security_descriptor *sd, *sd_orig, *sd2; const char *owner_sid; const struct { uint32_t gen_bits; uint32_t specific_bits; } file_mappings[] = { { 0, 0 }, { SEC_GENERIC_READ, SEC_RIGHTS_FILE_READ }, { SEC_GENERIC_WRITE, SEC_RIGHTS_FILE_WRITE }, { SEC_GENERIC_EXECUTE, SEC_RIGHTS_FILE_EXECUTE }, { SEC_GENERIC_ALL, SEC_RIGHTS_FILE_ALL }, { SEC_FILE_READ_DATA, SEC_FILE_READ_DATA }, { SEC_FILE_READ_ATTRIBUTE, SEC_FILE_READ_ATTRIBUTE } }; const struct { uint32_t gen_bits; uint32_t specific_bits; } dir_mappings[] = { { 0, 0 }, { SEC_GENERIC_READ, SEC_RIGHTS_DIR_READ }, { SEC_GENERIC_WRITE, SEC_RIGHTS_DIR_WRITE }, { SEC_GENERIC_EXECUTE, SEC_RIGHTS_DIR_EXECUTE }, { SEC_GENERIC_ALL, SEC_RIGHTS_DIR_ALL } }; bool has_restore_privilege = false; bool has_take_ownership_privilege = false; if (!smb2_util_setup_dir(tctx, tree, BASEDIR)) return false; torture_comment(tctx, "TESTING FILE GENERIC BITS\n"); ZERO_STRUCT(io); io.level = RAW_OPEN_SMB2; io.in.create_flags = 0; io.in.desired_access = SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER; io.in.create_options = 0; io.in.file_attributes = FILE_ATTRIBUTE_NORMAL; io.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; io.in.alloc_size = 0; io.in.create_disposition = NTCREATEX_DISP_OPEN_IF; io.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS; io.in.security_flags = 0; io.in.fname = fname; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); handle = io.out.file.handle; torture_comment(tctx, "get the original sd\n"); q.query_secdesc.level = RAW_FILEINFO_SEC_DESC; q.query_secdesc.in.file.handle = handle; q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); sd_orig = q.query_secdesc.out.sd; owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); /* * XXX: The smblsa calls use SMB as their transport - need to get rid of * dependency. */ /* status = smblsa_sid_check_privilege(cli, owner_sid, sec_privilege_name(SEC_PRIV_RESTORE)); has_restore_privilege = NT_STATUS_IS_OK(status); if (!NT_STATUS_IS_OK(status)) { torture_warning(tctx, "smblsa_sid_check_privilege - %s\n", nt_errstr(status)); } torture_comment(tctx, "SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No"); status = smblsa_sid_check_privilege(cli, owner_sid, sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP)); has_take_ownership_privilege = NT_STATUS_IS_OK(status); if (!NT_STATUS_IS_OK(status)) { torture_warning(tctx, "smblsa_sid_check_privilege - %s\n", nt_errstr(status)); } torture_comment(tctx, "SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No"); */ for (i=0;i<ARRAY_SIZE(file_mappings);i++) { uint32_t expected_mask = SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_FILE_READ_ATTRIBUTE | SEC_STD_DELETE; uint32_t expected_mask_anon = SEC_FILE_READ_ATTRIBUTE; if (has_restore_privilege) { expected_mask_anon |= SEC_STD_DELETE; } torture_comment(tctx, "Testing generic bits 0x%08x\n", file_mappings[i].gen_bits); sd = security_descriptor_dacl_create(tctx, 0, owner_sid, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, file_mappings[i].gen_bits, 0, NULL); set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; set.set_secdesc.in.file.handle = handle; set.set_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; set.set_secdesc.in.sd = sd; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); sd2 = security_descriptor_dacl_create(tctx, 0, owner_sid, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, file_mappings[i].specific_bits, 0, NULL); status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); CHECK_SECURITY_DESCRIPTOR(q.query_secdesc.out.sd, sd2); io.in.desired_access = SEC_FLAG_MAXIMUM_ALLOWED; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); CHECK_ACCESS_FLAGS(io.out.file.handle, expected_mask | file_mappings[i].specific_bits); smb2_util_close(tree, io.out.file.handle); if (!has_take_ownership_privilege) { continue; } torture_comment(tctx, "Testing generic bits 0x%08x (anonymous)\n", file_mappings[i].gen_bits); sd = security_descriptor_dacl_create(tctx, 0, SID_NT_ANONYMOUS, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, file_mappings[i].gen_bits, 0, NULL); set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; set.set_secdesc.in.file.handle = handle; set.set_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; set.set_secdesc.in.sd = sd; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); sd2 = security_descriptor_dacl_create(tctx, 0, SID_NT_ANONYMOUS, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, file_mappings[i].specific_bits, 0, NULL); status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); CHECK_SECURITY_DESCRIPTOR(q.query_secdesc.out.sd, sd2); io.in.desired_access = SEC_FLAG_MAXIMUM_ALLOWED; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); CHECK_ACCESS_FLAGS(io.out.file.handle, expected_mask_anon | file_mappings[i].specific_bits); smb2_util_close(tree, io.out.file.handle); } torture_comment(tctx, "put back original sd\n"); set.set_secdesc.in.sd = sd_orig; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); smb2_util_close(tree, handle); smb2_util_unlink(tree, fname); torture_comment(tctx, "TESTING DIR GENERIC BITS\n"); ZERO_STRUCT(io); io.level = RAW_OPEN_SMB2; io.in.create_flags = 0; io.in.desired_access = SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER; io.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; io.in.file_attributes = FILE_ATTRIBUTE_DIRECTORY; io.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; io.in.alloc_size = 0; io.in.create_disposition = NTCREATEX_DISP_OPEN_IF; io.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS; io.in.security_flags = 0; io.in.fname = fname; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); handle = io.out.file.handle; torture_comment(tctx, "get the original sd\n"); q.query_secdesc.level = RAW_FILEINFO_SEC_DESC; q.query_secdesc.in.file.handle = handle; q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); sd_orig = q.query_secdesc.out.sd; owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); /* * XXX: The smblsa calls use SMB as their transport - need to get rid of * dependency. */ /* status = smblsa_sid_check_privilege(cli, owner_sid, sec_privilege_name(SEC_PRIV_RESTORE)); has_restore_privilege = NT_STATUS_IS_OK(status); if (!NT_STATUS_IS_OK(status)) { torture_warning(tctx, "smblsa_sid_check_privilege - %s\n", nt_errstr(status)); } torture_comment(tctx, "SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No"); status = smblsa_sid_check_privilege(cli, owner_sid, sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP)); has_take_ownership_privilege = NT_STATUS_IS_OK(status); if (!NT_STATUS_IS_OK(status)) { torture_warning(tctx, "smblsa_sid_check_privilege - %s\n", nt_errstr(status)); } torture_comment(tctx, "SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No"); */ for (i=0;i<ARRAY_SIZE(dir_mappings);i++) { uint32_t expected_mask = SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_FILE_READ_ATTRIBUTE | SEC_STD_DELETE; uint32_t expected_mask_anon = SEC_FILE_READ_ATTRIBUTE; if (has_restore_privilege) { expected_mask_anon |= SEC_STD_DELETE; } torture_comment(tctx, "Testing generic bits 0x%08x\n", file_mappings[i].gen_bits); sd = security_descriptor_dacl_create(tctx, 0, owner_sid, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, dir_mappings[i].gen_bits, 0, NULL); set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; set.set_secdesc.in.file.handle = handle; set.set_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; set.set_secdesc.in.sd = sd; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); sd2 = security_descriptor_dacl_create(tctx, 0, owner_sid, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, dir_mappings[i].specific_bits, 0, NULL); status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); CHECK_SECURITY_DESCRIPTOR(q.query_secdesc.out.sd, sd2); io.in.desired_access = SEC_FLAG_MAXIMUM_ALLOWED; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); CHECK_ACCESS_FLAGS(io.out.file.handle, expected_mask | dir_mappings[i].specific_bits); smb2_util_close(tree, io.out.file.handle); if (!has_take_ownership_privilege) { continue; } torture_comment(tctx, "Testing generic bits 0x%08x (anonymous)\n", file_mappings[i].gen_bits); sd = security_descriptor_dacl_create(tctx, 0, SID_NT_ANONYMOUS, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, file_mappings[i].gen_bits, 0, NULL); set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; set.set_secdesc.in.file.handle = handle; set.set_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; set.set_secdesc.in.sd = sd; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); sd2 = security_descriptor_dacl_create(tctx, 0, SID_NT_ANONYMOUS, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, file_mappings[i].specific_bits, 0, NULL); status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); CHECK_SECURITY_DESCRIPTOR(q.query_secdesc.out.sd, sd2); io.in.desired_access = SEC_FLAG_MAXIMUM_ALLOWED; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); CHECK_ACCESS_FLAGS(io.out.file.handle, expected_mask_anon | dir_mappings[i].specific_bits); smb2_util_close(tree, io.out.file.handle); } torture_comment(tctx, "put back original sd\n"); set.set_secdesc.in.sd = sd_orig; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); smb2_util_close(tree, handle); smb2_util_unlink(tree, fname); done: smb2_util_close(tree, handle); smb2_deltree(tree, BASEDIR); smb2_tdis(tree); smb2_logoff(tree->session); return ret; } /* see what access bits the owner of a file always gets Note: This test was copied from raw/acls.c. */ static bool test_owner_bits(struct torture_context *tctx, struct smb2_tree *tree) { NTSTATUS status; struct smb2_create io; const char *fname = BASEDIR "\\test_owner_bits.txt"; bool ret = true; struct smb2_handle handle; int i; union smb_fileinfo q; union smb_setfileinfo set; struct security_descriptor *sd, *sd_orig; const char *owner_sid; uint32_t expected_bits; if (!smb2_util_setup_dir(tctx, tree, BASEDIR)) return false; torture_comment(tctx, "TESTING FILE OWNER BITS\n"); ZERO_STRUCT(io); io.level = RAW_OPEN_SMB2; io.in.create_flags = 0; io.in.desired_access = SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER; io.in.create_options = 0; io.in.file_attributes = FILE_ATTRIBUTE_NORMAL; io.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; io.in.alloc_size = 0; io.in.create_disposition = NTCREATEX_DISP_OPEN_IF; io.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS; io.in.security_flags = 0; io.in.fname = fname; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); handle = io.out.file.handle; torture_comment(tctx, "get the original sd\n"); q.query_secdesc.level = RAW_FILEINFO_SEC_DESC; q.query_secdesc.in.file.handle = handle; q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); sd_orig = q.query_secdesc.out.sd; owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); /* * XXX: The smblsa calls use SMB as their transport - need to get rid of * dependency. */ /* status = smblsa_sid_check_privilege(cli, owner_sid, sec_privilege_name(SEC_PRIV_RESTORE)); has_restore_privilege = NT_STATUS_IS_OK(status); if (!NT_STATUS_IS_OK(status)) { torture_warning(tctx, "smblsa_sid_check_privilege - %s\n", nt_errstr(status)); } torture_comment(tctx, "SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No"); status = smblsa_sid_check_privilege(cli, owner_sid, sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP)); has_take_ownership_privilege = NT_STATUS_IS_OK(status); if (!NT_STATUS_IS_OK(status)) { torture_warning(tctx, "smblsa_sid_check_privilege - %s\n", nt_errstr(status)); } torture_comment(tctx, "SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No"); */ sd = security_descriptor_dacl_create(tctx, 0, NULL, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA, 0, NULL); set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; set.set_secdesc.in.file.handle = handle; set.set_secdesc.in.secinfo_flags = SECINFO_DACL; set.set_secdesc.in.sd = sd; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); expected_bits = SEC_FILE_WRITE_DATA | SEC_FILE_READ_ATTRIBUTE; for (i=0;i<16;i++) { uint32_t bit = (1<<i); io.in.desired_access = bit; status = smb2_create(tree, tctx, &io); if (expected_bits & bit) { if (!NT_STATUS_IS_OK(status)) { torture_warning(tctx, "failed with access mask 0x%08x of expected 0x%08x\n", bit, expected_bits); } CHECK_STATUS(status, NT_STATUS_OK); CHECK_ACCESS_FLAGS(io.out.file.handle, bit); smb2_util_close(tree, io.out.file.handle); } else { if (NT_STATUS_IS_OK(status)) { torture_warning(tctx, "open succeeded with access mask 0x%08x of " "expected 0x%08x - should fail\n", bit, expected_bits); } CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); } } torture_comment(tctx, "put back original sd\n"); set.set_secdesc.in.sd = sd_orig; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); done: smb2_util_close(tree, handle); smb2_util_unlink(tree, fname); smb2_deltree(tree, BASEDIR); smb2_tdis(tree); smb2_logoff(tree->session); return ret; } /* test the inheritance of ACL flags onto new files and directories Note: This test was copied from raw/acls.c. */ static bool test_inheritance(struct torture_context *tctx, struct smb2_tree *tree) { NTSTATUS status; struct smb2_create io; const char *dname = BASEDIR "\\inheritance"; const char *fname1 = BASEDIR "\\inheritance\\testfile"; const char *fname2 = BASEDIR "\\inheritance\\testdir"; bool ret = true; struct smb2_handle handle, handle2; int i; union smb_fileinfo q; union smb_setfileinfo set; struct security_descriptor *sd, *sd2, *sd_orig=NULL, *sd_def1, *sd_def2; const char *owner_sid; const struct dom_sid *creator_owner; const struct { uint32_t parent_flags; uint32_t file_flags; uint32_t dir_flags; } test_flags[] = { { 0, 0, 0 }, { SEC_ACE_FLAG_OBJECT_INHERIT, 0, SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY, }, { SEC_ACE_FLAG_CONTAINER_INHERIT, 0, SEC_ACE_FLAG_CONTAINER_INHERIT, }, { SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_CONTAINER_INHERIT, 0, SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_CONTAINER_INHERIT, }, { SEC_ACE_FLAG_NO_PROPAGATE_INHERIT, 0, 0, }, { SEC_ACE_FLAG_NO_PROPAGATE_INHERIT | SEC_ACE_FLAG_OBJECT_INHERIT, 0, 0, }, { SEC_ACE_FLAG_NO_PROPAGATE_INHERIT | SEC_ACE_FLAG_CONTAINER_INHERIT, 0, 0, }, { SEC_ACE_FLAG_NO_PROPAGATE_INHERIT | SEC_ACE_FLAG_CONTAINER_INHERIT | SEC_ACE_FLAG_OBJECT_INHERIT, 0, 0, }, { SEC_ACE_FLAG_INHERIT_ONLY, 0, 0, }, { SEC_ACE_FLAG_INHERIT_ONLY | SEC_ACE_FLAG_OBJECT_INHERIT, 0, SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY, }, { SEC_ACE_FLAG_INHERIT_ONLY | SEC_ACE_FLAG_CONTAINER_INHERIT, 0, SEC_ACE_FLAG_CONTAINER_INHERIT, }, { SEC_ACE_FLAG_INHERIT_ONLY | SEC_ACE_FLAG_CONTAINER_INHERIT | SEC_ACE_FLAG_OBJECT_INHERIT, 0, SEC_ACE_FLAG_CONTAINER_INHERIT | SEC_ACE_FLAG_OBJECT_INHERIT, }, { SEC_ACE_FLAG_INHERIT_ONLY | SEC_ACE_FLAG_NO_PROPAGATE_INHERIT, 0, 0, }, { SEC_ACE_FLAG_INHERIT_ONLY | SEC_ACE_FLAG_NO_PROPAGATE_INHERIT | SEC_ACE_FLAG_OBJECT_INHERIT, 0, 0, }, { SEC_ACE_FLAG_INHERIT_ONLY | SEC_ACE_FLAG_NO_PROPAGATE_INHERIT | SEC_ACE_FLAG_CONTAINER_INHERIT, 0, 0, }, { SEC_ACE_FLAG_INHERIT_ONLY | SEC_ACE_FLAG_NO_PROPAGATE_INHERIT | SEC_ACE_FLAG_CONTAINER_INHERIT | SEC_ACE_FLAG_OBJECT_INHERIT, 0, 0, } }; if (!smb2_util_setup_dir(tctx, tree, BASEDIR)) return false; torture_comment(tctx, "TESTING ACL INHERITANCE\n"); ZERO_STRUCT(io); io.level = RAW_OPEN_SMB2; io.in.create_flags = 0; io.in.desired_access = SEC_RIGHTS_FILE_ALL; io.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; io.in.file_attributes = FILE_ATTRIBUTE_DIRECTORY; io.in.share_access = 0; io.in.alloc_size = 0; io.in.create_disposition = NTCREATEX_DISP_CREATE; io.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS; io.in.security_flags = 0; io.in.fname = dname; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); handle = io.out.file.handle; torture_comment(tctx, "get the original sd\n"); q.query_secdesc.level = RAW_FILEINFO_SEC_DESC; q.query_secdesc.in.file.handle = handle; q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); sd_orig = q.query_secdesc.out.sd; owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); torture_comment(tctx, "owner_sid is %s\n", owner_sid); /* * The Windows Default ACL for a new file, when there is no ACL to be * inherited: FullControl for the owner and SYSTEM. */ sd_def1 = security_descriptor_dacl_create(tctx, 0, owner_sid, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0, SID_NT_SYSTEM, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0, NULL); /* * Use this in the case the system being tested does not add an ACE for * the SYSTEM SID. */ sd_def2 = security_descriptor_dacl_create(tctx, 0, owner_sid, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0, NULL); creator_owner = dom_sid_parse_talloc(tctx, SID_CREATOR_OWNER); for (i=0;i<ARRAY_SIZE(test_flags);i++) { sd = security_descriptor_dacl_create(tctx, 0, NULL, NULL, SID_CREATOR_OWNER, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA, test_flags[i].parent_flags, SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_ALL | SEC_STD_ALL, 0, NULL); set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; set.set_secdesc.in.file.handle = handle; set.set_secdesc.in.secinfo_flags = SECINFO_DACL; set.set_secdesc.in.sd = sd; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); io.in.fname = fname1; io.in.create_options = 0; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); handle2 = io.out.file.handle; q.query_secdesc.in.file.handle = handle2; status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); smb2_util_close(tree, handle2); smb2_util_unlink(tree, fname1); if (!(test_flags[i].parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT)) { if (!security_descriptor_equal(q.query_secdesc.out.sd, sd_def1) && !security_descriptor_equal(q.query_secdesc.out.sd, sd_def2)) { torture_warning(tctx, "Expected default sd:\n"); NDR_PRINT_DEBUG(security_descriptor, sd_def1); torture_warning(tctx, "at %d - got:\n", i); NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); } goto check_dir; } if (q.query_secdesc.out.sd->dacl == NULL || q.query_secdesc.out.sd->dacl->num_aces != 1 || q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA || !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee, sd_orig->owner_sid)) { torture_warning(tctx, "Bad sd in child file at %d\n", i); NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); ret = false; goto check_dir; } if (q.query_secdesc.out.sd->dacl->aces[0].flags != test_flags[i].file_flags) { torture_warning(tctx, "incorrect file_flags 0x%x - expected 0x%x for parent 0x%x with (i=%d)\n", q.query_secdesc.out.sd->dacl->aces[0].flags, test_flags[i].file_flags, test_flags[i].parent_flags, i); ret = false; } check_dir: io.in.fname = fname2; io.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); handle2 = io.out.file.handle; q.query_secdesc.in.file.handle = handle2; status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); smb2_util_close(tree, handle2); smb2_util_rmdir(tree, fname2); if (!(test_flags[i].parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT) && (!(test_flags[i].parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT) || (test_flags[i].parent_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT))) { if (!security_descriptor_equal(q.query_secdesc.out.sd, sd_def1) && !security_descriptor_equal(q.query_secdesc.out.sd, sd_def2)) { torture_warning(tctx, "Expected default sd for dir at %d:\n", i); NDR_PRINT_DEBUG(security_descriptor, sd_def1); torture_warning(tctx, "got:\n"); NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); } continue; } if ((test_flags[i].parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT) && (test_flags[i].parent_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)) { if (q.query_secdesc.out.sd->dacl == NULL || q.query_secdesc.out.sd->dacl->num_aces != 1 || q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA || !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee, sd_orig->owner_sid) || q.query_secdesc.out.sd->dacl->aces[0].flags != test_flags[i].dir_flags) { torture_warning(tctx, "(CI & NP) Bad sd in child dir - expected 0x%x for parent 0x%x (i=%d)\n", test_flags[i].dir_flags, test_flags[i].parent_flags, i); NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); torture_warning(tctx, "FYI, here is the parent sd:\n"); NDR_PRINT_DEBUG(security_descriptor, sd); ret = false; continue; } } else if (test_flags[i].parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT) { if (q.query_secdesc.out.sd->dacl == NULL || q.query_secdesc.out.sd->dacl->num_aces != 2 || q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA || !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee, sd_orig->owner_sid) || q.query_secdesc.out.sd->dacl->aces[1].access_mask != SEC_FILE_WRITE_DATA || !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[1].trustee, creator_owner) || q.query_secdesc.out.sd->dacl->aces[0].flags != 0 || q.query_secdesc.out.sd->dacl->aces[1].flags != (test_flags[i].dir_flags | SEC_ACE_FLAG_INHERIT_ONLY)) { torture_warning(tctx, "(CI) Bad sd in child dir - expected 0x%x for parent 0x%x (i=%d)\n", test_flags[i].dir_flags, test_flags[i].parent_flags, i); NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); torture_warning(tctx, "FYI, here is the parent sd:\n"); NDR_PRINT_DEBUG(security_descriptor, sd); ret = false; continue; } } else { if (q.query_secdesc.out.sd->dacl == NULL || q.query_secdesc.out.sd->dacl->num_aces != 1 || q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA || !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee, creator_owner) || q.query_secdesc.out.sd->dacl->aces[0].flags != test_flags[i].dir_flags) { torture_warning(tctx, "(0) Bad sd in child dir - expected 0x%x for parent 0x%x (i=%d)\n", test_flags[i].dir_flags, test_flags[i].parent_flags, i); NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); torture_warning(tctx, "FYI, here is the parent sd:\n"); NDR_PRINT_DEBUG(security_descriptor, sd); ret = false; continue; } } } torture_comment(tctx, "Testing access checks on inherited create with %s\n", fname1); sd = security_descriptor_dacl_create(tctx, 0, NULL, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC, SEC_ACE_FLAG_OBJECT_INHERIT, SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_ALL | SEC_STD_ALL, 0, NULL); set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; set.set_secdesc.in.file.handle = handle; set.set_secdesc.in.secinfo_flags = SECINFO_DACL; set.set_secdesc.in.sd = sd; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); /* Check DACL we just set. */ torture_comment(tctx, "checking new sd\n"); q.query_secdesc.in.file.handle = handle; q.query_secdesc.in.secinfo_flags = SECINFO_DACL; status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); CHECK_SECURITY_DESCRIPTOR(q.query_secdesc.out.sd, sd); io.in.fname = fname1; io.in.create_options = 0; io.in.desired_access = SEC_RIGHTS_FILE_ALL; io.in.create_disposition = NTCREATEX_DISP_CREATE; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); handle2 = io.out.file.handle; CHECK_ACCESS_FLAGS(handle2, SEC_RIGHTS_FILE_ALL); q.query_secdesc.in.file.handle = handle2; q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); smb2_util_close(tree, handle2); sd2 = security_descriptor_dacl_create(tctx, 0, owner_sid, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC, 0, NULL); CHECK_SECURITY_DESCRIPTOR(q.query_secdesc.out.sd, sd2); io.in.create_disposition = NTCREATEX_DISP_OPEN; io.in.desired_access = SEC_RIGHTS_FILE_ALL; status = smb2_create(tree, tctx, &io); if (NT_STATUS_IS_OK(status)) { torture_warning(tctx, "failed: w2k3 ACL bug (allowed open when ACL should deny)\n"); ret = false; handle2 = io.out.file.handle; CHECK_ACCESS_FLAGS(handle2, SEC_RIGHTS_FILE_ALL); smb2_util_close(tree, handle2); } else { if (torture_setting_bool(tctx, "hide_on_access_denied", false)) { CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND); } else { CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); } } torture_comment(tctx, "trying without execute\n"); io.in.create_disposition = NTCREATEX_DISP_OPEN; io.in.desired_access = SEC_RIGHTS_FILE_ALL & ~SEC_FILE_EXECUTE; status = smb2_create(tree, tctx, &io); if (torture_setting_bool(tctx, "hide_on_access_denied", false)) { CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND); } else { CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); } torture_comment(tctx, "and with full permissions again\n"); io.in.create_disposition = NTCREATEX_DISP_OPEN; io.in.desired_access = SEC_RIGHTS_FILE_ALL; status = smb2_create(tree, tctx, &io); if (torture_setting_bool(tctx, "hide_on_access_denied", false)) { CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND); } else { CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); } io.in.desired_access = SEC_FILE_WRITE_DATA; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); handle2 = io.out.file.handle; CHECK_ACCESS_FLAGS(handle2, SEC_FILE_WRITE_DATA); smb2_util_close(tree, handle2); torture_comment(tctx, "put back original sd\n"); set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; set.set_secdesc.in.file.handle = handle; set.set_secdesc.in.secinfo_flags = SECINFO_DACL; set.set_secdesc.in.sd = sd_orig; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); smb2_util_close(tree, handle); io.in.desired_access = SEC_RIGHTS_FILE_ALL; status = smb2_create(tree, tctx, &io); if (torture_setting_bool(tctx, "hide_on_access_denied", false)) { CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_NOT_FOUND); } else { CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); } io.in.desired_access = SEC_FILE_WRITE_DATA; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); handle2 = io.out.file.handle; CHECK_ACCESS_FLAGS(handle2, SEC_FILE_WRITE_DATA); smb2_util_close(tree, handle2); smb2_util_unlink(tree, fname1); smb2_util_rmdir(tree, dname); done: if (sd_orig != NULL) { set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; set.set_secdesc.in.file.handle = handle; set.set_secdesc.in.secinfo_flags = SECINFO_DACL; set.set_secdesc.in.sd = sd_orig; status = smb2_setinfo_file(tree, &set); } smb2_util_close(tree, handle); smb2_deltree(tree, BASEDIR); smb2_tdis(tree); smb2_logoff(tree->session); return ret; } static bool test_inheritance_flags(struct torture_context *tctx, struct smb2_tree *tree) { NTSTATUS status; struct smb2_create io; const char *dname = BASEDIR "\\inheritance"; const char *fname1 = BASEDIR "\\inheritance\\testfile"; bool ret = true; struct smb2_handle handle, handle2; int i, j; union smb_fileinfo q; union smb_setfileinfo set; struct security_descriptor *sd, *sd2, *sd_orig=NULL; const char *owner_sid; struct { uint32_t parent_set_sd_type; /* 3 options */ uint32_t parent_set_ace_inherit; /* 1 option */ uint32_t parent_get_sd_type; uint32_t parent_get_ace_inherit; uint32_t child_get_sd_type; uint32_t child_get_ace_inherit; } tflags[16] = {{0}}; /* 2^4 */ for (i = 0; i < 15; i++) { torture_comment(tctx, "i=%d:", i); if (i & 1) { tflags[i].parent_set_sd_type |= SEC_DESC_DACL_AUTO_INHERITED; torture_comment(tctx, "AUTO_INHERITED, "); } if (i & 2) { tflags[i].parent_set_sd_type |= SEC_DESC_DACL_AUTO_INHERIT_REQ; torture_comment(tctx, "AUTO_INHERIT_REQ, "); } if (i & 4) { tflags[i].parent_set_sd_type |= SEC_DESC_DACL_PROTECTED; torture_comment(tctx, "PROTECTED, "); tflags[i].parent_get_sd_type |= SEC_DESC_DACL_PROTECTED; } if (i & 8) { tflags[i].parent_set_ace_inherit |= SEC_ACE_FLAG_INHERITED_ACE; torture_comment(tctx, "INHERITED, "); tflags[i].parent_get_ace_inherit |= SEC_ACE_FLAG_INHERITED_ACE; } if ((tflags[i].parent_set_sd_type & (SEC_DESC_DACL_AUTO_INHERITED | SEC_DESC_DACL_AUTO_INHERIT_REQ)) == (SEC_DESC_DACL_AUTO_INHERITED | SEC_DESC_DACL_AUTO_INHERIT_REQ)) { tflags[i].parent_get_sd_type |= SEC_DESC_DACL_AUTO_INHERITED; tflags[i].child_get_sd_type |= SEC_DESC_DACL_AUTO_INHERITED; tflags[i].child_get_ace_inherit |= SEC_ACE_FLAG_INHERITED_ACE; torture_comment(tctx, " ... parent is AUTO INHERITED"); } if (tflags[i].parent_set_ace_inherit & SEC_ACE_FLAG_INHERITED_ACE) { tflags[i].parent_get_ace_inherit = SEC_ACE_FLAG_INHERITED_ACE; torture_comment(tctx, " ... parent ACE is INHERITED"); } torture_comment(tctx, "\n"); } if (!smb2_util_setup_dir(tctx, tree, BASEDIR)) return false; torture_comment(tctx, "TESTING ACL INHERITANCE FLAGS\n"); ZERO_STRUCT(io); io.level = RAW_OPEN_SMB2; io.in.create_flags = 0; io.in.desired_access = SEC_RIGHTS_FILE_ALL; io.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; io.in.file_attributes = FILE_ATTRIBUTE_DIRECTORY; io.in.share_access = NTCREATEX_SHARE_ACCESS_MASK; io.in.alloc_size = 0; io.in.create_disposition = NTCREATEX_DISP_CREATE; io.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS; io.in.security_flags = 0; io.in.fname = dname; torture_comment(tctx, "creating initial directory %s\n", dname); status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); handle = io.out.file.handle; torture_comment(tctx, "getting original sd\n"); q.query_secdesc.level = RAW_FILEINFO_SEC_DESC; q.query_secdesc.in.file.handle = handle; q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); sd_orig = q.query_secdesc.out.sd; owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); torture_comment(tctx, "owner_sid is %s\n", owner_sid); for (i=0; i < ARRAY_SIZE(tflags); i++) { torture_comment(tctx, "setting a new sd on directory, pass #%d\n", i); sd = security_descriptor_dacl_create(tctx, tflags[i].parent_set_sd_type, NULL, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC, SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_CONTAINER_INHERIT | tflags[i].parent_set_ace_inherit, SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_ALL | SEC_STD_ALL, 0, NULL); set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; set.set_secdesc.in.file.handle = handle; set.set_secdesc.in.secinfo_flags = SECINFO_DACL; set.set_secdesc.in.sd = sd; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); /* * Check DACL we just set, except change the bits to what they * should be. */ torture_comment(tctx, " checking new sd\n"); /* REQ bit should always be false. */ sd->type &= ~SEC_DESC_DACL_AUTO_INHERIT_REQ; if ((tflags[i].parent_get_sd_type & SEC_DESC_DACL_AUTO_INHERITED) == 0) sd->type &= ~SEC_DESC_DACL_AUTO_INHERITED; q.query_secdesc.in.file.handle = handle; q.query_secdesc.in.secinfo_flags = SECINFO_DACL; status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); CHECK_SECURITY_DESCRIPTOR(q.query_secdesc.out.sd, sd); /* Create file. */ torture_comment(tctx, " creating file %s\n", fname1); io.in.fname = fname1; io.in.create_options = 0; io.in.file_attributes = FILE_ATTRIBUTE_NORMAL; io.in.desired_access = SEC_RIGHTS_FILE_ALL; io.in.create_disposition = NTCREATEX_DISP_CREATE; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); handle2 = io.out.file.handle; CHECK_ACCESS_FLAGS(handle2, SEC_RIGHTS_FILE_ALL); q.query_secdesc.in.file.handle = handle2; q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); torture_comment(tctx, " checking sd on file %s\n", fname1); sd2 = security_descriptor_dacl_create(tctx, tflags[i].child_get_sd_type, owner_sid, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC, tflags[i].child_get_ace_inherit, NULL); CHECK_SECURITY_DESCRIPTOR(q.query_secdesc.out.sd, sd2); /* * Set new sd on file ... prove that the bits have nothing to * do with the parents bits when manually setting an ACL. The * _AUTO_INHERITED bit comes directly from the ACL set. */ for (j = 0; j < ARRAY_SIZE(tflags); j++) { torture_comment(tctx, " setting new file sd, pass #%d\n", j); /* Change sd type. */ sd2->type &= ~(SEC_DESC_DACL_AUTO_INHERITED | SEC_DESC_DACL_AUTO_INHERIT_REQ | SEC_DESC_DACL_PROTECTED); sd2->type |= tflags[j].parent_set_sd_type; sd2->dacl->aces[0].flags &= ~SEC_ACE_FLAG_INHERITED_ACE; sd2->dacl->aces[0].flags |= tflags[j].parent_set_ace_inherit; set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; set.set_secdesc.in.file.handle = handle2; set.set_secdesc.in.secinfo_flags = SECINFO_DACL; set.set_secdesc.in.sd = sd2; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); /* Check DACL we just set. */ sd2->type &= ~SEC_DESC_DACL_AUTO_INHERIT_REQ; if ((tflags[j].parent_get_sd_type & SEC_DESC_DACL_AUTO_INHERITED) == 0) sd2->type &= ~SEC_DESC_DACL_AUTO_INHERITED; q.query_secdesc.in.file.handle = handle2; q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); CHECK_SECURITY_DESCRIPTOR(q.query_secdesc.out.sd, sd2); } smb2_util_close(tree, handle2); smb2_util_unlink(tree, fname1); } done: smb2_util_close(tree, handle); smb2_deltree(tree, BASEDIR); smb2_tdis(tree); smb2_logoff(tree->session); return ret; } /* test dynamic acl inheritance Note: This test was copied from raw/acls.c. */ static bool test_inheritance_dynamic(struct torture_context *tctx, struct smb2_tree *tree) { NTSTATUS status; struct smb2_create io; const char *dname = BASEDIR "\\inheritance"; const char *fname1 = BASEDIR "\\inheritance\\testfile"; bool ret = true; struct smb2_handle handle, handle2; union smb_fileinfo q; union smb_setfileinfo set; struct security_descriptor *sd, *sd_orig=NULL; const char *owner_sid; torture_comment(tctx, "TESTING DYNAMIC ACL INHERITANCE\n"); if (!smb2_util_setup_dir(tctx, tree, BASEDIR)) return false; ZERO_STRUCT(io); io.level = RAW_OPEN_SMB2; io.in.create_flags = 0; io.in.desired_access = SEC_RIGHTS_FILE_ALL; io.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; io.in.file_attributes = FILE_ATTRIBUTE_DIRECTORY; io.in.share_access = 0; io.in.alloc_size = 0; io.in.create_disposition = NTCREATEX_DISP_CREATE; io.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS; io.in.security_flags = 0; io.in.fname = dname; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); handle = io.out.file.handle; torture_comment(tctx, "get the original sd\n"); q.query_secdesc.level = RAW_FILEINFO_SEC_DESC; q.query_secdesc.in.file.handle = handle; q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; status = smb2_getinfo_file(tree, tctx, &q); CHECK_STATUS(status, NT_STATUS_OK); sd_orig = q.query_secdesc.out.sd; owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); torture_comment(tctx, "owner_sid is %s\n", owner_sid); sd = security_descriptor_dacl_create(tctx, 0, NULL, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA | SEC_STD_DELETE | SEC_FILE_READ_ATTRIBUTE, SEC_ACE_FLAG_OBJECT_INHERIT, NULL); sd->type |= SEC_DESC_DACL_AUTO_INHERITED | SEC_DESC_DACL_AUTO_INHERIT_REQ; set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; set.set_secdesc.in.file.handle = handle; set.set_secdesc.in.secinfo_flags = SECINFO_DACL; set.set_secdesc.in.sd = sd; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); torture_comment(tctx, "create a file with an inherited acl\n"); io.in.fname = fname1; io.in.create_options = 0; io.in.desired_access = SEC_FILE_READ_ATTRIBUTE; io.in.create_disposition = NTCREATEX_DISP_CREATE; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); handle2 = io.out.file.handle; smb2_util_close(tree, handle2); torture_comment(tctx, "try and access file with base rights - should be OK\n"); io.in.desired_access = SEC_FILE_WRITE_DATA; io.in.create_disposition = NTCREATEX_DISP_OPEN; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); handle2 = io.out.file.handle; smb2_util_close(tree, handle2); torture_comment(tctx, "try and access file with extra rights - should be denied\n"); io.in.desired_access = SEC_FILE_WRITE_DATA | SEC_FILE_EXECUTE; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); torture_comment(tctx, "update parent sd\n"); sd = security_descriptor_dacl_create(tctx, 0, NULL, NULL, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_FILE_WRITE_DATA | SEC_STD_DELETE | SEC_FILE_READ_ATTRIBUTE | SEC_FILE_EXECUTE, SEC_ACE_FLAG_OBJECT_INHERIT, NULL); sd->type |= SEC_DESC_DACL_AUTO_INHERITED | SEC_DESC_DACL_AUTO_INHERIT_REQ; set.set_secdesc.in.sd = sd; status = smb2_setinfo_file(tree, &set); CHECK_STATUS(status, NT_STATUS_OK); torture_comment(tctx, "try and access file with base rights - should be OK\n"); io.in.desired_access = SEC_FILE_WRITE_DATA; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); handle2 = io.out.file.handle; smb2_util_close(tree, handle2); torture_comment(tctx, "try and access now - should be OK if dynamic inheritance works\n"); io.in.desired_access = SEC_FILE_WRITE_DATA | SEC_FILE_EXECUTE; status = smb2_create(tree, tctx, &io); if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { torture_comment(tctx, "Server does not have dynamic inheritance\n"); } if (NT_STATUS_EQUAL(status, NT_STATUS_OK)) { torture_comment(tctx, "Server does have dynamic inheritance\n"); } CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); smb2_util_unlink(tree, fname1); done: torture_comment(tctx, "put back original sd\n"); set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; set.set_secdesc.in.file.handle = handle; set.set_secdesc.in.secinfo_flags = SECINFO_DACL; set.set_secdesc.in.sd = sd_orig; status = smb2_setinfo_file(tree, &set); smb2_util_close(tree, handle); smb2_util_rmdir(tree, dname); smb2_deltree(tree, BASEDIR); smb2_tdis(tree); smb2_logoff(tree->session); return ret; } #define CHECK_STATUS_FOR_BIT_ACTION(status, bits, action) do { \ if (!(bits & desired_64)) {\ CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); \ action; \ } else { \ CHECK_STATUS(status, NT_STATUS_OK); \ } \ } while (0) #define CHECK_STATUS_FOR_BIT(status, bits, access) do { \ if (NT_STATUS_IS_OK(status)) { \ if (!(granted & access)) {\ ret = false; \ torture_result(tctx, TORTURE_FAIL, "(%s) %s but flags 0x%08X are not granted! granted[0x%08X] desired[0x%08X]\n", \ __location__, nt_errstr(status), access, granted, desired); \ goto done; \ } \ } else { \ if (granted & access) {\ ret = false; \ torture_result(tctx, TORTURE_FAIL, "(%s) %s but flags 0x%08X are granted! granted[0x%08X] desired[0x%08X]\n", \ __location__, nt_errstr(status), access, granted, desired); \ goto done; \ } \ } \ CHECK_STATUS_FOR_BIT_ACTION(status, bits, do {} while (0)); \ } while (0) /* test what access mask is needed for getting and setting security_descriptors */ /* Note: This test was copied from raw/acls.c. */ static bool test_sd_get_set(struct torture_context *tctx, struct smb2_tree *tree) { NTSTATUS status; bool ret = true; struct smb2_create io; union smb_fileinfo fi; union smb_setfileinfo si; struct security_descriptor *sd; struct security_descriptor *sd_owner = NULL; struct security_descriptor *sd_group = NULL; struct security_descriptor *sd_dacl = NULL; struct security_descriptor *sd_sacl = NULL; struct smb2_handle handle; const char *fname = BASEDIR "\\sd_get_set.txt"; uint64_t desired_64; uint32_t desired = 0, granted; int i = 0; #define NO_BITS_HACK (((uint64_t)1)<<32) uint64_t open_bits = SEC_MASK_GENERIC | SEC_FLAG_SYSTEM_SECURITY | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_ALL | SEC_FILE_ALL | NO_BITS_HACK; uint64_t get_owner_bits = SEC_MASK_GENERIC | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_READ_CONTROL; uint64_t set_owner_bits = SEC_GENERIC_ALL | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_WRITE_OWNER; uint64_t get_group_bits = SEC_MASK_GENERIC | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_READ_CONTROL; uint64_t set_group_bits = SEC_GENERIC_ALL | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_WRITE_OWNER; uint64_t get_dacl_bits = SEC_MASK_GENERIC | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_READ_CONTROL; uint64_t set_dacl_bits = SEC_GENERIC_ALL | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_WRITE_DAC; uint64_t get_sacl_bits = SEC_FLAG_SYSTEM_SECURITY; uint64_t set_sacl_bits = SEC_FLAG_SYSTEM_SECURITY; if (!smb2_util_setup_dir(tctx, tree, BASEDIR)) return false; torture_comment(tctx, "TESTING ACCESS MASKS FOR SD GET/SET\n"); /* first create a file with full access for everyone */ sd = security_descriptor_dacl_create(tctx, 0, SID_NT_ANONYMOUS, SID_BUILTIN_USERS, SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_GENERIC_ALL, 0, NULL); sd->type |= SEC_DESC_SACL_PRESENT; sd->sacl = NULL; ZERO_STRUCT(io); io.level = RAW_OPEN_SMB2; io.in.create_flags = 0; io.in.desired_access = SEC_GENERIC_ALL; io.in.create_options = 0; io.in.file_attributes = FILE_ATTRIBUTE_NORMAL; io.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; io.in.alloc_size = 0; io.in.create_disposition = NTCREATEX_DISP_OVERWRITE_IF; io.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS; io.in.security_flags = 0; io.in.fname = fname; io.in.sec_desc = sd; status = smb2_create(tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); handle = io.out.file.handle; status = smb2_util_close(tree, handle); CHECK_STATUS(status, NT_STATUS_OK); /* * now try each access_mask bit and no bit at all in a loop * and see what's allowed * NOTE: if i == 32 it means access_mask = 0 (see NO_BITS_HACK above) */ for (i=0; i <= 32; i++) { desired_64 = ((uint64_t)1) << i; desired = (uint32_t)desired_64; /* first open the file with the desired access */ io.level = RAW_OPEN_SMB2; io.in.desired_access = desired; io.in.create_disposition = NTCREATEX_DISP_OPEN; status = smb2_create(tree, tctx, &io); CHECK_STATUS_FOR_BIT_ACTION(status, open_bits, goto next); handle = io.out.file.handle; /* then check what access was granted */ fi.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION; fi.access_information.in.file.handle = handle; status = smb2_getinfo_file(tree, tctx, &fi); CHECK_STATUS(status, NT_STATUS_OK); granted = fi.access_information.out.access_flags; /* test the owner */ ZERO_STRUCT(fi); fi.query_secdesc.level = RAW_FILEINFO_SEC_DESC; fi.query_secdesc.in.file.handle = handle; fi.query_secdesc.in.secinfo_flags = SECINFO_OWNER; status = smb2_getinfo_file(tree, tctx, &fi); CHECK_STATUS_FOR_BIT(status, get_owner_bits, SEC_STD_READ_CONTROL); if (fi.query_secdesc.out.sd) { sd_owner = fi.query_secdesc.out.sd; } else if (!sd_owner) { sd_owner = sd; } si.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; si.set_secdesc.in.file.handle = handle; si.set_secdesc.in.secinfo_flags = SECINFO_OWNER; si.set_secdesc.in.sd = sd_owner; status = smb2_setinfo_file(tree, &si); CHECK_STATUS_FOR_BIT(status, set_owner_bits, SEC_STD_WRITE_OWNER); /* test the group */ ZERO_STRUCT(fi); fi.query_secdesc.level = RAW_FILEINFO_SEC_DESC; fi.query_secdesc.in.file.handle = handle; fi.query_secdesc.in.secinfo_flags = SECINFO_GROUP; status = smb2_getinfo_file(tree, tctx, &fi); CHECK_STATUS_FOR_BIT(status, get_group_bits, SEC_STD_READ_CONTROL); if (fi.query_secdesc.out.sd) { sd_group = fi.query_secdesc.out.sd; } else if (!sd_group) { sd_group = sd; } si.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; si.set_secdesc.in.file.handle = handle; si.set_secdesc.in.secinfo_flags = SECINFO_GROUP; si.set_secdesc.in.sd = sd_group; status = smb2_setinfo_file(tree, &si); CHECK_STATUS_FOR_BIT(status, set_group_bits, SEC_STD_WRITE_OWNER); /* test the DACL */ ZERO_STRUCT(fi); fi.query_secdesc.level = RAW_FILEINFO_SEC_DESC; fi.query_secdesc.in.file.handle = handle; fi.query_secdesc.in.secinfo_flags = SECINFO_DACL; status = smb2_getinfo_file(tree, tctx, &fi); CHECK_STATUS_FOR_BIT(status, get_dacl_bits, SEC_STD_READ_CONTROL); if (fi.query_secdesc.out.sd) { sd_dacl = fi.query_secdesc.out.sd; } else if (!sd_dacl) { sd_dacl = sd; } si.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; si.set_secdesc.in.file.handle = handle; si.set_secdesc.in.secinfo_flags = SECINFO_DACL; si.set_secdesc.in.sd = sd_dacl; status = smb2_setinfo_file(tree, &si); CHECK_STATUS_FOR_BIT(status, set_dacl_bits, SEC_STD_WRITE_DAC); /* test the SACL */ ZERO_STRUCT(fi); fi.query_secdesc.level = RAW_FILEINFO_SEC_DESC; fi.query_secdesc.in.file.handle = handle; fi.query_secdesc.in.secinfo_flags = SECINFO_SACL; status = smb2_getinfo_file(tree, tctx, &fi); CHECK_STATUS_FOR_BIT(status, get_sacl_bits, SEC_FLAG_SYSTEM_SECURITY); if (fi.query_secdesc.out.sd) { sd_sacl = fi.query_secdesc.out.sd; } else if (!sd_sacl) { sd_sacl = sd; } si.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; si.set_secdesc.in.file.handle = handle; si.set_secdesc.in.secinfo_flags = SECINFO_SACL; si.set_secdesc.in.sd = sd_sacl; status = smb2_setinfo_file(tree, &si); CHECK_STATUS_FOR_BIT(status, set_sacl_bits, SEC_FLAG_SYSTEM_SECURITY); /* close the handle */ status = smb2_util_close(tree, handle); CHECK_STATUS(status, NT_STATUS_OK); next: continue; } done: smb2_util_close(tree, handle); smb2_util_unlink(tree, fname); smb2_deltree(tree, BASEDIR); smb2_tdis(tree); smb2_logoff(tree->session); return ret; } /* basic testing of SMB2 ACLs */ struct torture_suite *torture_smb2_acls_init(void) { struct torture_suite *suite = torture_suite_create(talloc_autofree_context(), "acls"); torture_suite_add_1smb2_test(suite, "CREATOR", test_creator_sid); torture_suite_add_1smb2_test(suite, "GENERIC", test_generic_bits); torture_suite_add_1smb2_test(suite, "OWNER", test_owner_bits); torture_suite_add_1smb2_test(suite, "INHERITANCE", test_inheritance); torture_suite_add_1smb2_test(suite, "INHERITFLAGS", test_inheritance_flags); torture_suite_add_1smb2_test(suite, "DYNAMIC", test_inheritance_dynamic); /* XXX This test does not work against XP or Vista. torture_suite_add_1smb2_test(suite, "GETSET", test_sd_get_set); */ suite->description = talloc_strdup(suite, "SMB2-ACLS tests"); return suite; }