/*
Unix SMB / CIFS implementation .
test security descriptor operations
Copyright ( C ) Andrew Tridgell 2004
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program ; if not , write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
# include "includes.h"
# include "torture/torture.h"
# include "libcli/raw/libcliraw.h"
# include "libcli/libcli.h"
# include "libcli/security/proto.h"
/* directory on the share under which every test file in this suite is created */
#define BASEDIR "\\testsd"

/*
  compare an NTSTATUS against the value the test expects. On mismatch
  both codes are printed together with the source location, the
  caller's 'ret' is set to False and control jumps to the caller's
  'done' label, so 'ret' and 'done' must exist at every call site.
  Note that the macro only closes what the 'done' path closes: any
  file handle opened between the enclosing function's main open and
  the failing call must be tracked by the caller or it leaks.
*/
#define CHECK_STATUS(status, correct) do { \
	if (!NT_STATUS_EQUAL(status, correct)) { \
		printf("(%s) Incorrect status %s - should be %s\n", \
		       __location__, nt_errstr(status), nt_errstr(correct)); \
		ret = False; \
		goto done; \
	}} while (0)
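/*
  test setting and querying a file's security descriptor with
  SETFILEINFO/QFILEINFO level SEC_DESC: read the descriptor the server
  assigned to a fresh file, add an ACCESS_ALLOWED ACE for a made-up SID
  to its DACL, write it back and check the DACL round-trips, then remove
  the ACE again and check the DACL is back to what we sent.

  Only the DACL is compared; owner and group are sent back unchanged.
*/
static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
{
	NTSTATUS status;
	union smb_open io;
	const char *fname = BASEDIR "\\sd.txt";
	BOOL ret = True;
	int fnum = -1;
	union smb_fileinfo q;
	union smb_setfileinfo set;
	struct security_ace ace;
	struct security_descriptor *sd;
	struct dom_sid *test_sid;

	/* banner corrected: this test exercises SEC_DESC, not EA_SET */
	printf("TESTING SETFILEINFO SEC_DESC\n");

	io.generic.level = RAW_OPEN_NTCREATEX;
	io.ntcreatex.in.root_fid = 0;
	io.ntcreatex.in.flags = 0;
	/* MAXIMUM_ALLOWED so we get READ_CONTROL/WRITE_DAC if the server grants them */
	io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	io.ntcreatex.in.create_options = 0;
	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
	io.ntcreatex.in.share_access =
		NTCREATEX_SHARE_ACCESS_READ |
		NTCREATEX_SHARE_ACCESS_WRITE;
	io.ntcreatex.in.alloc_size = 0;
	/* DISP_CREATE: the file must not already exist (the caller is
	   expected to start from a clean BASEDIR) */
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
	io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
	io.ntcreatex.in.security_flags = 0;
	io.ntcreatex.in.fname = fname;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum = io.ntcreatex.out.fnum;

	/* fetch the descriptor the server gave the new file */
	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
	q.query_secdesc.in.fnum = fnum;
	q.query_secdesc.secinfo_flags =
		SECINFO_OWNER |
		SECINFO_GROUP |
		SECINFO_DACL;
	status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);
	sd = q.query_secdesc.out.sd;
	if (sd == NULL) {
		printf("(%s) server returned no security descriptor\n", __location__);
		ret = False;
		goto done;
	}

	printf("add a new ACE to the DACL\n");

	/* an arbitrary SID that will not match any real trustee */
	test_sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-1234-5432");
	if (test_sid == NULL) {
		printf("(%s) dom_sid_parse_talloc failed\n", __location__);
		ret = False;
		goto done;
	}

	ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
	ace.flags = 0;
	ace.access_mask = SEC_STD_ALL;
	ace.trustee = *test_sid;

	status = security_descriptor_dacl_add(sd, &ace);
	CHECK_STATUS(status, NT_STATUS_OK);

	/* write the modified descriptor back with the same secinfo mask we queried */
	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
	set.set_secdesc.file.fnum = fnum;
	set.set_secdesc.in.secinfo_flags = q.query_secdesc.secinfo_flags;
	set.set_secdesc.in.sd = sd;

	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	/* re-read and compare only the DACL */
	status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);

	if (q.query_secdesc.out.sd == NULL ||
	    !security_acl_equal(q.query_secdesc.out.sd->dacl, sd->dacl)) {
		printf("%s: security descriptors don't match!\n", __location__);
		printf("got:\n");
		NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
		printf("expected:\n");
		NDR_PRINT_DEBUG(security_descriptor, sd);
		ret = False;
	}

	printf("remove it again\n");

	status = security_descriptor_dacl_del(sd, test_sid);
	CHECK_STATUS(status, NT_STATUS_OK);

	/* 'set' still points at sd, which now has the ACE removed */
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);

	if (q.query_secdesc.out.sd == NULL ||
	    !security_acl_equal(q.query_secdesc.out.sd->dacl, sd->dacl)) {
		printf("%s: security descriptors don't match!\n", __location__);
		printf("got:\n");
		NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
		printf("expected:\n");
		NDR_PRINT_DEBUG(security_descriptor, sd);
		ret = False;
	}

done:
	/* only close a handle we actually got; the open may have failed */
	if (fnum != -1) {
		smbcli_close(cli->tree, fnum);
	}
	return ret;
}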
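/*
  test using NTTRANS CREATE to create a file with an initial ACL set

  A file is first created without a descriptor so we can learn the
  server's default descriptor, the file is removed again, an extra
  ACCESS_ALLOWED ACE is added to the default DACL and the file is
  re-created with that descriptor passed in the NTTRANS CREATE. The
  DACL read back from the new file must match the one we sent.
*/
static BOOL test_nttrans_create(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
{
	NTSTATUS status;
	union smb_open io;
	const char *fname = BASEDIR "\\acl2.txt";
	BOOL ret = True;
	int fnum = -1;
	union smb_fileinfo q;
	struct security_ace ace;
	struct security_descriptor *sd;
	struct dom_sid *test_sid;

	printf("TESTING NTTRANS CREATE WITH SEC_DESC\n");

	io.generic.level = RAW_OPEN_NTTRANS_CREATE;
	io.ntcreatex.in.root_fid = 0;
	io.ntcreatex.in.flags = 0;
	io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	io.ntcreatex.in.create_options = 0;
	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
	io.ntcreatex.in.share_access =
		NTCREATEX_SHARE_ACCESS_READ |
		NTCREATEX_SHARE_ACCESS_WRITE;
	io.ntcreatex.in.alloc_size = 0;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
	io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
	io.ntcreatex.in.security_flags = 0;
	io.ntcreatex.in.fname = fname;
	/* no descriptor and no EAs on the first create */
	io.ntcreatex.in.sec_desc = NULL;
	io.ntcreatex.in.ea_list = NULL;

	printf("creating normal file\n");

	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum = io.ntcreatex.out.fnum;

	printf("querying ACL\n");

	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
	q.query_secdesc.in.fnum = fnum;
	q.query_secdesc.secinfo_flags =
		SECINFO_OWNER |
		SECINFO_GROUP |
		SECINFO_DACL;
	status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);
	sd = q.query_secdesc.out.sd;
	if (sd == NULL) {
		printf("(%s) server returned no security descriptor\n", __location__);
		ret = False;
		goto done;
	}

	/* drop the probe file so the second DISP_CREATE below can succeed;
	   reset fnum so a failed re-create does not close a stale handle */
	smbcli_close(cli->tree, fnum);
	fnum = -1;
	smbcli_unlink(cli->tree, fname);

	printf("adding a new ACE\n");

	/* an arbitrary SID that will not match any real trustee */
	test_sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-1234-54321");
	if (test_sid == NULL) {
		printf("(%s) dom_sid_parse_talloc failed\n", __location__);
		ret = False;
		goto done;
	}

	ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
	ace.flags = 0;
	ace.access_mask = SEC_STD_ALL;
	ace.trustee = *test_sid;

	status = security_descriptor_dacl_add(sd, &ace);
	CHECK_STATUS(status, NT_STATUS_OK);

	printf("creating a file with an initial ACL\n");

	io.ntcreatex.in.sec_desc = sd;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum = io.ntcreatex.out.fnum;

	q.query_secdesc.in.fnum = fnum;
	status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);

	if (q.query_secdesc.out.sd == NULL ||
	    !security_acl_equal(q.query_secdesc.out.sd->dacl, sd->dacl)) {
		printf("%s: security descriptors don't match!\n", __location__);
		printf("got:\n");
		NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
		printf("expected:\n");
		NDR_PRINT_DEBUG(security_descriptor, sd);
		ret = False;
	}

done:
	if (fnum != -1) {
		smbcli_close(cli->tree, fnum);
	}
	return ret;
}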
/*
  query the access flags the server granted on an open handle (via
  QFILEINFO ACCESS_INFORMATION) and compare them with the mask the test
  expects. On any mismatch, or if the query itself fails, the caller's
  'ret' is set to False and control jumps to the caller's 'done' label.
  Uses 'status', 'ret', 'done', 'cli' and 'mem_ctx' from the call site.

  The macro never closes _fnum: if the check fails, the handle is still
  open when 'done' runs, so callers that open a second handle just to
  check it must keep that fnum in a variable the 'done' path closes.
*/
#define CHECK_ACCESS_FLAGS(_fnum, flags) do { \
	union smb_fileinfo _q; \
	_q.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION; \
	_q.access_information.in.fnum = (_fnum); \
	status = smb_raw_fileinfo(cli->tree, mem_ctx, &_q); \
	CHECK_STATUS(status, NT_STATUS_OK); \
	if (_q.access_information.out.access_flags != (flags)) { \
		printf("(%s) Incorrect access_flags 0x%08x - should be 0x%08x\n", \
		       __location__, _q.access_information.out.access_flags, (flags)); \
		ret = False; \
		goto done; \
	} \
} while (0)
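/*
  test the behaviour of the well known SID_CREATOR_OWNER sid, and some generic
  mapping bits

  Three DACLs are applied in turn to the same file and each is probed by
  trying to open the file for SEC_FILE_WRITE_DATA, SEC_FILE_READ_DATA,
  SEC_GENERIC_WRITE and SEC_GENERIC_READ:

   1. an ACE for SID_CREATOR_OWNER granting read + standard rights. The
      test expects all four opens to be denied, i.e. CREATOR_OWNER in a
      file DACL is not substituted for the current owner at access
      check time.
   2. the same rights granted directly to the file's owner SID. Writes
      must be denied, reads allowed, and the granted access must be the
      specific read bits (generic read mapped to SEC_RIGHTS_FILE_READ).
   3. SEC_GENERIC_READ granted to the owner. The descriptor read back
      must already show the mapped SEC_RIGHTS_FILE_READ bits, and the
      opens behave as in 2.

  The original descriptor is restored at the end. Secondary handles
  opened only to inspect access flags are tracked in fnum2 so that a
  failed check cannot leak them past the 'done' path.
*/
static BOOL test_creator_sid(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
{
	NTSTATUS status;
	union smb_open io;
	const char *fname = BASEDIR "\\creator.txt";
	BOOL ret = True;
	int fnum = -1;
	int fnum2 = -1;
	union smb_fileinfo q;
	union smb_setfileinfo set;
	struct security_descriptor *sd, *sd_orig, *sd2;
	const char *owner_sid;

	printf("TESTING SID_CREATOR_OWNER\n");

	io.generic.level = RAW_OPEN_NTCREATEX;
	io.ntcreatex.in.root_fid = 0;
	io.ntcreatex.in.flags = 0;
	/* the main handle only needs to read and rewrite the descriptor */
	io.ntcreatex.in.access_mask = SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER;
	io.ntcreatex.in.create_options = 0;
	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
	io.ntcreatex.in.share_access =
		NTCREATEX_SHARE_ACCESS_READ |
		NTCREATEX_SHARE_ACCESS_WRITE;
	io.ntcreatex.in.alloc_size = 0;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
	io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
	io.ntcreatex.in.security_flags = 0;
	io.ntcreatex.in.fname = fname;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum = io.ntcreatex.out.fnum;

	printf("get the original sd\n");
	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
	q.query_secdesc.in.fnum = fnum;
	q.query_secdesc.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
	status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);
	sd_orig = q.query_secdesc.out.sd;
	if (sd_orig == NULL) {
		printf("(%s) server returned no security descriptor\n", __location__);
		ret = False;
		goto done;
	}

	owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
	if (owner_sid == NULL) {
		printf("(%s) dom_sid_string failed\n", __location__);
		ret = False;
		goto done;
	}

	printf("set a sec desc allowing no write by CREATOR_OWNER\n");
	sd = security_descriptor_create(mem_ctx,
					NULL, NULL,
					SID_CREATOR_OWNER,
					SEC_ACE_TYPE_ACCESS_ALLOWED,
					SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
					0,
					NULL);
	if (sd == NULL) {
		printf("(%s) security_descriptor_create failed\n", __location__);
		ret = False;
		goto done;
	}

	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
	set.set_secdesc.file.fnum = fnum;
	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
	set.set_secdesc.in.sd = sd;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	/* CREATOR_OWNER grants nothing to the actual owner on a file */
	printf("try open for write\n");
	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("try open for read\n");
	io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("try open for generic write\n");
	io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("try open for generic read\n");
	io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("set a sec desc allowing no write by owner\n");
	sd = security_descriptor_create(mem_ctx,
					owner_sid, NULL,
					owner_sid,
					SEC_ACE_TYPE_ACCESS_ALLOWED,
					SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
					0,
					NULL);
	if (sd == NULL) {
		printf("(%s) security_descriptor_create failed\n", __location__);
		ret = False;
		goto done;
	}

	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
	set.set_secdesc.file.fnum = fnum;
	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
	set.set_secdesc.in.sd = sd;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	printf("check that sd has been mapped correctly\n");
	status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);
	if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
		printf("%s: security descriptors don't match!\n", __location__);
		printf("got:\n");
		NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
		printf("expected:\n");
		NDR_PRINT_DEBUG(security_descriptor, sd);
		ret = False;
	}

	printf("try open for write\n");
	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("try open for read\n");
	io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.fnum;
	/* READ_ATTRIBUTE is granted alongside READ_DATA even though only
	   READ_DATA was requested */
	CHECK_ACCESS_FLAGS(fnum2,
			   SEC_FILE_READ_DATA |
			   SEC_FILE_READ_ATTRIBUTE);
	smbcli_close(cli->tree, fnum2);
	fnum2 = -1;

	printf("try open for generic write\n");
	io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("try open for generic read\n");
	io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.fnum;
	/* a generic read request comes back as the mapped specific bits */
	CHECK_ACCESS_FLAGS(fnum2,
			   SEC_RIGHTS_FILE_READ);
	smbcli_close(cli->tree, fnum2);
	fnum2 = -1;

	printf("set a sec desc allowing generic read by owner\n");
	sd = security_descriptor_create(mem_ctx,
					NULL, NULL,
					owner_sid,
					SEC_ACE_TYPE_ACCESS_ALLOWED,
					SEC_GENERIC_READ | SEC_STD_ALL,
					0,
					NULL);
	if (sd == NULL) {
		printf("(%s) security_descriptor_create failed\n", __location__);
		ret = False;
		goto done;
	}

	set.set_secdesc.in.sd = sd;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	printf("check that generic read has been mapped correctly\n");
	/* what we expect to read back: the generic bit replaced by the
	   file-specific read rights, owner unchanged */
	sd2 = security_descriptor_create(mem_ctx,
					 owner_sid, NULL,
					 owner_sid,
					 SEC_ACE_TYPE_ACCESS_ALLOWED,
					 SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
					 0,
					 NULL);
	if (sd2 == NULL) {
		printf("(%s) security_descriptor_create failed\n", __location__);
		ret = False;
		goto done;
	}

	status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);
	if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
		printf("%s: security descriptors don't match!\n", __location__);
		printf("got:\n");
		NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
		printf("expected:\n");
		NDR_PRINT_DEBUG(security_descriptor, sd2);
		ret = False;
	}

	printf("try open for write\n");
	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("try open for read\n");
	io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.fnum;
	CHECK_ACCESS_FLAGS(fnum2,
			   SEC_FILE_READ_DATA |
			   SEC_FILE_READ_ATTRIBUTE);
	smbcli_close(cli->tree, fnum2);
	fnum2 = -1;

	printf("try open for generic write\n");
	io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("try open for generic read\n");
	io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.fnum;
	CHECK_ACCESS_FLAGS(fnum2, SEC_RIGHTS_FILE_READ);
	smbcli_close(cli->tree, fnum2);
	fnum2 = -1;

	printf("put back original sd\n");
	set.set_secdesc.in.sd = sd_orig;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

done:
	/* close the probe handle first if a failed check left it open */
	if (fnum2 != -1) {
		smbcli_close(cli->tree, fnum2);
	}
	if (fnum != -1) {
		smbcli_close(cli->tree, fnum);
	}
	return ret;
}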
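/*
  test the mapping of the SEC_GENERIC_xx bits to SEC_STD_xx and
  SEC_FILE_xx bits

  For every entry of file_mappings (and then dir_mappings, on a
  directory) an ACCESS_ALLOWED ACE carrying gen_bits is written into
  the DACL, the descriptor is read back and compared against one built
  from specific_bits, and the object is opened with
  SEC_FLAG_MAXIMUM_ALLOWED to check which access bits the server
  actually grants to the owner. The file pass is repeated with the
  owner set to SID_NT_ANONYMOUS, but only when the connected user holds
  SeTakeOwnershipPrivilege, since the owner has to be set back again
  afterwards; SeRestorePrivilege decides whether SEC_STD_DELETE is
  expected in the anonymous-owner case.

  Handles opened only to read access flags are tracked in fnum2 so a
  failing CHECK_ACCESS_FLAGS cannot leak them past the 'done' path.
*/
static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
{
	NTSTATUS status;
	union smb_open io;
	const char *fname = BASEDIR "\\generic.txt";
	BOOL ret = True;
	int fnum = -1, fnum2 = -1, i;
	union smb_fileinfo q;
	union smb_setfileinfo set;
	struct security_descriptor *sd, *sd_orig, *sd2;
	const char *owner_sid;
	const struct {
		uint32_t gen_bits;
		uint32_t specific_bits;
	} file_mappings[] = {
		{ 0,                       0 },
		{ SEC_GENERIC_READ,        SEC_RIGHTS_FILE_READ },
		{ SEC_GENERIC_WRITE,       SEC_RIGHTS_FILE_WRITE },
		{ SEC_GENERIC_EXECUTE,     SEC_RIGHTS_FILE_EXECUTE },
		{ SEC_GENERIC_ALL,         SEC_RIGHTS_FILE_ALL },
		/* specific bits must pass through unchanged */
		{ SEC_FILE_READ_DATA,      SEC_FILE_READ_DATA },
		{ SEC_FILE_READ_ATTRIBUTE, SEC_FILE_READ_ATTRIBUTE }
	};
	const struct {
		uint32_t gen_bits;
		uint32_t specific_bits;
	} dir_mappings[] = {
		{ 0,                   0 },
		{ SEC_GENERIC_READ,    SEC_RIGHTS_DIR_READ },
		{ SEC_GENERIC_WRITE,   SEC_RIGHTS_DIR_WRITE },
		{ SEC_GENERIC_EXECUTE, SEC_RIGHTS_DIR_EXECUTE },
		{ SEC_GENERIC_ALL,     SEC_RIGHTS_DIR_ALL }
	};
	BOOL has_restore_privilege;
	BOOL has_take_ownership_privilege;

	printf("TESTING FILE GENERIC BITS\n");

	io.generic.level = RAW_OPEN_NTCREATEX;
	io.ntcreatex.in.root_fid = 0;
	io.ntcreatex.in.flags = 0;
	/* WRITE_OWNER is needed for the anonymous-owner pass below */
	io.ntcreatex.in.access_mask =
		SEC_STD_READ_CONTROL |
		SEC_STD_WRITE_DAC |
		SEC_STD_WRITE_OWNER;
	io.ntcreatex.in.create_options = 0;
	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
	io.ntcreatex.in.share_access =
		NTCREATEX_SHARE_ACCESS_READ |
		NTCREATEX_SHARE_ACCESS_WRITE;
	io.ntcreatex.in.alloc_size = 0;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
	io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
	io.ntcreatex.in.security_flags = 0;
	io.ntcreatex.in.fname = fname;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum = io.ntcreatex.out.fnum;

	printf("get the original sd\n");
	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
	q.query_secdesc.in.fnum = fnum;
	q.query_secdesc.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
	status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);
	sd_orig = q.query_secdesc.out.sd;
	if (sd_orig == NULL) {
		printf("(%s) server returned no security descriptor\n", __location__);
		ret = False;
		goto done;
	}

	owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
	if (owner_sid == NULL) {
		printf("(%s) dom_sid_string failed\n", __location__);
		ret = False;
		goto done;
	}

	/* a failed privilege lookup is reported but treated as "not held" */
	status = smblsa_sid_check_privilege(cli,
					    owner_sid,
					    sec_privilege_name(SEC_PRIV_RESTORE));
	has_restore_privilege = NT_STATUS_IS_OK(status);
	if (!NT_STATUS_IS_OK(status)) {
		printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
	}
	printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");

	status = smblsa_sid_check_privilege(cli,
					    owner_sid,
					    sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
	has_take_ownership_privilege = NT_STATUS_IS_OK(status);
	if (!NT_STATUS_IS_OK(status)) {
		printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
	}
	printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");

	for (i=0;i<ARRAY_SIZE(file_mappings);i++) {
		/* bits the owner always gets on top of what the ACE grants */
		uint32_t expected_mask =
			SEC_STD_WRITE_DAC |
			SEC_STD_READ_CONTROL |
			SEC_FILE_READ_ATTRIBUTE |
			SEC_STD_DELETE;
		/* with an anonymous owner only READ_ATTRIBUTE is implied, plus
		   DELETE if we hold SeRestorePrivilege */
		uint32_t expected_mask_anon = SEC_FILE_READ_ATTRIBUTE;

		if (has_restore_privilege) {
			expected_mask_anon |= SEC_STD_DELETE;
		}

		printf("testing generic bits 0x%08x\n",
		       file_mappings[i].gen_bits);
		sd = security_descriptor_create(mem_ctx,
						owner_sid, NULL,
						owner_sid,
						SEC_ACE_TYPE_ACCESS_ALLOWED,
						file_mappings[i].gen_bits,
						0,
						NULL);
		if (sd == NULL) {
			printf("(%s) security_descriptor_create failed\n", __location__);
			ret = False;
			goto done;
		}

		set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
		set.set_secdesc.file.fnum = fnum;
		set.set_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
		set.set_secdesc.in.sd = sd;
		status = smb_raw_setfileinfo(cli->tree, &set);
		CHECK_STATUS(status, NT_STATUS_OK);

		sd2 = security_descriptor_create(mem_ctx,
						 owner_sid, NULL,
						 owner_sid,
						 SEC_ACE_TYPE_ACCESS_ALLOWED,
						 file_mappings[i].specific_bits,
						 0,
						 NULL);
		if (sd2 == NULL) {
			printf("(%s) security_descriptor_create failed\n", __location__);
			ret = False;
			goto done;
		}

		status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
		CHECK_STATUS(status, NT_STATUS_OK);
		if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
			printf("%s: security descriptors don't match!\n", __location__);
			printf("got:\n");
			NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
			printf("expected:\n");
			NDR_PRINT_DEBUG(security_descriptor, sd2);
			ret = False;
		}

		io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
		status = smb_raw_open(cli->tree, mem_ctx, &io);
		CHECK_STATUS(status, NT_STATUS_OK);
		fnum2 = io.ntcreatex.out.fnum;
		CHECK_ACCESS_FLAGS(fnum2,
				   expected_mask | file_mappings[i].specific_bits);
		smbcli_close(cli->tree, fnum2);
		fnum2 = -1;

		/* the rest of the iteration changes the owner, which we can
		   only undo with SeTakeOwnershipPrivilege */
		if (!has_take_ownership_privilege) {
			continue;
		}

		printf("testing generic bits 0x%08x (anonymous)\n",
		       file_mappings[i].gen_bits);
		sd = security_descriptor_create(mem_ctx,
						SID_NT_ANONYMOUS, NULL,
						owner_sid,
						SEC_ACE_TYPE_ACCESS_ALLOWED,
						file_mappings[i].gen_bits,
						0,
						NULL);
		if (sd == NULL) {
			printf("(%s) security_descriptor_create failed\n", __location__);
			ret = False;
			goto done;
		}

		set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
		set.set_secdesc.file.fnum = fnum;
		set.set_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
		set.set_secdesc.in.sd = sd;
		status = smb_raw_setfileinfo(cli->tree, &set);
		CHECK_STATUS(status, NT_STATUS_OK);

		sd2 = security_descriptor_create(mem_ctx,
						 SID_NT_ANONYMOUS, NULL,
						 owner_sid,
						 SEC_ACE_TYPE_ACCESS_ALLOWED,
						 file_mappings[i].specific_bits,
						 0,
						 NULL);
		if (sd2 == NULL) {
			printf("(%s) security_descriptor_create failed\n", __location__);
			ret = False;
			goto done;
		}

		status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
		CHECK_STATUS(status, NT_STATUS_OK);
		if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
			printf("%s: security descriptors don't match!\n", __location__);
			printf("got:\n");
			NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
			printf("expected:\n");
			NDR_PRINT_DEBUG(security_descriptor, sd2);
			ret = False;
		}

		io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
		status = smb_raw_open(cli->tree, mem_ctx, &io);
		CHECK_STATUS(status, NT_STATUS_OK);
		fnum2 = io.ntcreatex.out.fnum;
		CHECK_ACCESS_FLAGS(fnum2,
				   expected_mask_anon | file_mappings[i].specific_bits);
		smbcli_close(cli->tree, fnum2);
		fnum2 = -1;
	}

	printf("put back original sd\n");
	set.set_secdesc.in.sd = sd_orig;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	/* reset fnum so a failed directory open below does not make the
	   'done' path close an already-closed handle */
	smbcli_close(cli->tree, fnum);
	fnum = -1;
	smbcli_unlink(cli->tree, fname);

	printf("TESTING DIR GENERIC BITS\n");

	io.generic.level = RAW_OPEN_NTCREATEX;
	io.ntcreatex.in.root_fid = 0;
	io.ntcreatex.in.flags = 0;
	io.ntcreatex.in.access_mask = SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC;
	io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_DIRECTORY;
	io.ntcreatex.in.share_access =
		NTCREATEX_SHARE_ACCESS_READ |
		NTCREATEX_SHARE_ACCESS_WRITE;
	io.ntcreatex.in.alloc_size = 0;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
	io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
	io.ntcreatex.in.security_flags = 0;
	io.ntcreatex.in.fname = fname;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum = io.ntcreatex.out.fnum;

	printf("get the original sd\n");
	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
	q.query_secdesc.in.fnum = fnum;
	q.query_secdesc.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
	status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);
	sd_orig = q.query_secdesc.out.sd;
	if (sd_orig == NULL) {
		printf("(%s) server returned no security descriptor\n", __location__);
		ret = False;
		goto done;
	}

	owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
	if (owner_sid == NULL) {
		printf("(%s) dom_sid_string failed\n", __location__);
		ret = False;
		goto done;
	}

	for (i=0;i<ARRAY_SIZE(dir_mappings);i++) {
		uint32_t expected_mask =
			SEC_STD_WRITE_DAC |
			SEC_STD_READ_CONTROL |
			SEC_FILE_READ_ATTRIBUTE |
			SEC_STD_DELETE;

		/* report the directory table's bits (was wrongly indexing
		   file_mappings here) */
		printf("testing generic bits 0x%08x\n",
		       dir_mappings[i].gen_bits);
		sd = security_descriptor_create(mem_ctx,
						NULL, NULL,
						owner_sid,
						SEC_ACE_TYPE_ACCESS_ALLOWED,
						dir_mappings[i].gen_bits,
						0,
						NULL);
		if (sd == NULL) {
			printf("(%s) security_descriptor_create failed\n", __location__);
			ret = False;
			goto done;
		}

		/* only the DACL is sent; the owner read back must stay owner_sid */
		set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
		set.set_secdesc.file.fnum = fnum;
		set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
		set.set_secdesc.in.sd = sd;
		status = smb_raw_setfileinfo(cli->tree, &set);
		CHECK_STATUS(status, NT_STATUS_OK);

		sd2 = security_descriptor_create(mem_ctx,
						 owner_sid, NULL,
						 owner_sid,
						 SEC_ACE_TYPE_ACCESS_ALLOWED,
						 dir_mappings[i].specific_bits,
						 0,
						 NULL);
		if (sd2 == NULL) {
			printf("(%s) security_descriptor_create failed\n", __location__);
			ret = False;
			goto done;
		}

		status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
		CHECK_STATUS(status, NT_STATUS_OK);
		if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
			printf("%s: security descriptors don't match!\n", __location__);
			printf("got:\n");
			NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
			printf("expected:\n");
			NDR_PRINT_DEBUG(security_descriptor, sd2);
			ret = False;
		}

		io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
		status = smb_raw_open(cli->tree, mem_ctx, &io);
		CHECK_STATUS(status, NT_STATUS_OK);
		fnum2 = io.ntcreatex.out.fnum;
		CHECK_ACCESS_FLAGS(fnum2,
				   expected_mask | dir_mappings[i].specific_bits);
		smbcli_close(cli->tree, fnum2);
		fnum2 = -1;
	}

	printf("put back original sd\n");
	set.set_secdesc.in.sd = sd_orig;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	smbcli_close(cli->tree, fnum);
	fnum = -1;
	smbcli_unlink(cli->tree, fname);

done:
	/* close the probe handle first if a failed check left it open;
	   fnum is -1 on the success path, so this is not a double close */
	if (fnum2 != -1) {
		smbcli_close(cli->tree, fnum2);
	}
	if (fnum != -1) {
		smbcli_close(cli->tree, fnum);
	}
	return ret;
}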
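/*
  see what access bits the owner of a file always gets

  The file's DACL is replaced by a single ACE that grants the owner
  nothing but SEC_FILE_WRITE_DATA.  Each single-bit access mask in the
  low 16 bits is then requested on open: only SEC_FILE_WRITE_DATA and
  SEC_FILE_READ_ATTRIBUTE are expected to be granted (with
  SEC_FILE_READ_ATTRIBUTE always added to the granted set), every other
  bit must be refused with NT_STATUS_ACCESS_DENIED.

  Returns True when the server behaves as expected, False otherwise.
*/
static BOOL test_owner_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
{
	NTSTATUS status;
	union smb_open io;
	const char *fname = BASEDIR "\\generic.txt";
	BOOL ret = True;
	/* -1 marks "not opened" so the cleanup at done: can skip the close */
	int fnum = -1, i;
	union smb_fileinfo q;
	union smb_setfileinfo set;
	struct security_descriptor *sd, *sd_orig;
	const char *owner_sid;
	BOOL has_restore_privilege;
	BOOL has_take_ownership_privilege;
	uint32_t expected_bits;

	printf("TESTING FILE OWNER BITS\n");

	io.generic.level = RAW_OPEN_NTCREATEX;
	io.ntcreatex.in.root_fid = 0;
	io.ntcreatex.in.flags = 0;
	io.ntcreatex.in.access_mask =
		SEC_STD_READ_CONTROL |
		SEC_STD_WRITE_DAC |
		SEC_STD_WRITE_OWNER;
	io.ntcreatex.in.create_options = 0;
	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
	io.ntcreatex.in.share_access =
		NTCREATEX_SHARE_ACCESS_READ |
		NTCREATEX_SHARE_ACCESS_WRITE;
	io.ntcreatex.in.alloc_size = 0;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
	io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
	io.ntcreatex.in.security_flags = 0;
	io.ntcreatex.in.fname = fname;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum = io.ntcreatex.out.fnum;

	printf("get the original sd\n");
	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
	q.query_secdesc.in.fnum = fnum;
	q.query_secdesc.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
	status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);
	sd_orig = q.query_secdesc.out.sd;

	owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);

	/* the privilege lookups below are diagnostic only: the answers
	   are printed but do not change expected_bits */
	status = smblsa_sid_check_privilege(cli,
					    owner_sid,
					    sec_privilege_name(SEC_PRIV_RESTORE));
	has_restore_privilege = NT_STATUS_IS_OK(status);
	if (!NT_STATUS_IS_OK(status)) {
		printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
	}
	printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege ? "Yes" : "No");

	status = smblsa_sid_check_privilege(cli,
					    owner_sid,
					    sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
	has_take_ownership_privilege = NT_STATUS_IS_OK(status);
	if (!NT_STATUS_IS_OK(status)) {
		printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
	}
	printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege ? "Yes" : "No");

	/* owner gets exactly one explicit right: WRITE_DATA */
	sd = security_descriptor_create(mem_ctx,
					NULL, NULL,
					owner_sid,
					SEC_ACE_TYPE_ACCESS_ALLOWED,
					SEC_FILE_WRITE_DATA,
					0,
					NULL);

	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
	set.set_secdesc.file.fnum = fnum;
	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
	set.set_secdesc.in.sd = sd;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	expected_bits = SEC_FILE_WRITE_DATA | SEC_FILE_READ_ATTRIBUTE;

	for (i = 0; i < 16; i++) {
		uint32_t bit = (1 << i);
		io.ntcreatex.in.access_mask = bit;
		status = smb_raw_open(cli->tree, mem_ctx, &io);
		if (expected_bits & bit) {
			if (!NT_STATUS_IS_OK(status)) {
				printf("failed with access mask 0x%08x of expected 0x%08x\n",
				       bit, expected_bits);
			}
			CHECK_STATUS(status, NT_STATUS_OK);
			CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum, bit | SEC_FILE_READ_ATTRIBUTE);
			smbcli_close(cli->tree, io.ntcreatex.out.fnum);
		} else {
			if (NT_STATUS_IS_OK(status)) {
				/* the server granted a right the owner must not
				   have; drop the handle before failing so the
				   unlink in the cleanup is not blocked by it */
				printf("access mask 0x%08x was granted but should be denied\n",
				       bit);
				smbcli_close(cli->tree, io.ntcreatex.out.fnum);
			}
			CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
		}
	}

	printf("put back original sd\n");
	set.set_secdesc.in.sd = sd_orig;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

done:
	if (fnum != -1) {
		smbcli_close(cli->tree, fnum);
	}
	smbcli_unlink(cli->tree, fname);
	return ret;
}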
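/*
  test the inheritance of ACL flags onto new files and directories

  For every entry of test_flags[] the test directory's DACL is replaced
  by an ACE for SID_CREATOR_OWNER carrying parent_flags (plus a SID_WORLD
  ACE with no inheritance flags, so the test itself keeps access to the
  directory).  A child file and a child directory are then created and
  the ACE each of them inherited is compared with file_flags and
  dir_flags respectively.  The second half checks that an ACE inherited
  at create time is actually enforced on a later open of the file.

  Returns True when every check passed, False otherwise.
*/
static BOOL test_inheritance(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
{
	NTSTATUS status;
	union smb_open io;
	const char *dname = BASEDIR "\\inheritance";
	const char *fname1 = BASEDIR "\\inheritance\\testfile";
	const char *fname2 = BASEDIR "\\inheritance\\testdir";
	BOOL ret = True;
	/* -1 marks "not opened": an early goto done must not try to
	   restore or close a handle that was never obtained */
	int fnum = -1, fnum2 = -1, i;
	union smb_fileinfo q;
	union smb_setfileinfo set;
	/* sd_orig is NULL until the directory's original sd was fetched */
	struct security_descriptor *sd, *sd_orig = NULL, *sd_def;
	const char *owner_sid;
	const struct dom_sid *creator_owner;
	const struct {
		uint32_t parent_flags;	/* flags put on the parent dir's ACE */
		uint32_t file_flags;	/* flags expected on a child file's ACE */
		uint32_t dir_flags;	/* flags expected on a child dir's ACE */
	} test_flags[] = {
		{
			0,
			0,
			0
		},
		{
			SEC_ACE_FLAG_OBJECT_INHERIT,
			0,
			SEC_ACE_FLAG_OBJECT_INHERIT |
			SEC_ACE_FLAG_INHERIT_ONLY,
		},
		{
			SEC_ACE_FLAG_CONTAINER_INHERIT,
			0,
			SEC_ACE_FLAG_CONTAINER_INHERIT,
		},
		{
			SEC_ACE_FLAG_OBJECT_INHERIT |
			SEC_ACE_FLAG_CONTAINER_INHERIT,
			0,
			SEC_ACE_FLAG_OBJECT_INHERIT |
			SEC_ACE_FLAG_CONTAINER_INHERIT,
		},
		{
			SEC_ACE_FLAG_NO_PROPAGATE_INHERIT,
			0,
			0,
		},
		{
			SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
			SEC_ACE_FLAG_OBJECT_INHERIT,
			0,
			0,
		},
		{
			SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
			SEC_ACE_FLAG_CONTAINER_INHERIT,
			0,
			0,
		},
		{
			SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
			SEC_ACE_FLAG_CONTAINER_INHERIT |
			SEC_ACE_FLAG_OBJECT_INHERIT,
			0,
			0,
		},
		{
			SEC_ACE_FLAG_INHERIT_ONLY,
			0,
			0,
		},
		{
			SEC_ACE_FLAG_INHERIT_ONLY |
			SEC_ACE_FLAG_OBJECT_INHERIT,
			0,
			SEC_ACE_FLAG_OBJECT_INHERIT |
			SEC_ACE_FLAG_INHERIT_ONLY,
		},
		{
			SEC_ACE_FLAG_INHERIT_ONLY |
			SEC_ACE_FLAG_CONTAINER_INHERIT,
			0,
			SEC_ACE_FLAG_CONTAINER_INHERIT,
		},
		{
			SEC_ACE_FLAG_INHERIT_ONLY |
			SEC_ACE_FLAG_CONTAINER_INHERIT |
			SEC_ACE_FLAG_OBJECT_INHERIT,
			0,
			SEC_ACE_FLAG_CONTAINER_INHERIT |
			SEC_ACE_FLAG_OBJECT_INHERIT,
		},
		{
			SEC_ACE_FLAG_INHERIT_ONLY |
			SEC_ACE_FLAG_NO_PROPAGATE_INHERIT,
			0,
			0,
		},
		{
			SEC_ACE_FLAG_INHERIT_ONLY |
			SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
			SEC_ACE_FLAG_OBJECT_INHERIT,
			0,
			0,
		},
		{
			SEC_ACE_FLAG_INHERIT_ONLY |
			SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
			SEC_ACE_FLAG_CONTAINER_INHERIT,
			0,
			0,
		},
		{
			SEC_ACE_FLAG_INHERIT_ONLY |
			SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
			SEC_ACE_FLAG_CONTAINER_INHERIT |
			SEC_ACE_FLAG_OBJECT_INHERIT,
			0,
			0,
		}
	};

	/* best effort: clear a directory left behind by an earlier run */
	smbcli_rmdir(cli->tree, dname);

	printf("TESTING ACL INHERITANCE\n");

	io.generic.level = RAW_OPEN_NTCREATEX;
	io.ntcreatex.in.root_fid = 0;
	io.ntcreatex.in.flags = 0;
	io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL;
	io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_DIRECTORY;
	io.ntcreatex.in.share_access = 0;
	io.ntcreatex.in.alloc_size = 0;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
	io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
	io.ntcreatex.in.security_flags = 0;
	io.ntcreatex.in.fname = dname;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum = io.ntcreatex.out.fnum;

	printf("get the original sd\n");
	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
	q.query_secdesc.in.fnum = fnum;
	q.query_secdesc.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
	status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);
	sd_orig = q.query_secdesc.out.sd;

	owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
	printf("owner_sid is %s\n", owner_sid);

	/* the sd a child is expected to get when nothing is inherited
	   from the parent: owner and SYSTEM with full access */
	sd_def = security_descriptor_create(mem_ctx,
					    owner_sid, NULL,
					    owner_sid,
					    SEC_ACE_TYPE_ACCESS_ALLOWED,
					    SEC_RIGHTS_FILE_ALL,
					    0,
					    SID_NT_SYSTEM,
					    SEC_ACE_TYPE_ACCESS_ALLOWED,
					    SEC_RIGHTS_FILE_ALL,
					    0,
					    NULL);

	creator_owner = dom_sid_parse_talloc(mem_ctx, SID_CREATOR_OWNER);
	if (creator_owner == NULL) {
		/* dom_sid_equal() below dereferences it, so fail early */
		printf("failed to parse %s\n", SID_CREATOR_OWNER);
		ret = False;
		goto done;
	}

	for (i = 0; i < ARRAY_SIZE(test_flags); i++) {
		sd = security_descriptor_create(mem_ctx,
						NULL, NULL,
						SID_CREATOR_OWNER,
						SEC_ACE_TYPE_ACCESS_ALLOWED,
						SEC_FILE_WRITE_DATA,
						test_flags[i].parent_flags,
						SID_WORLD,
						SEC_ACE_TYPE_ACCESS_ALLOWED,
						SEC_FILE_ALL | SEC_STD_ALL,
						0,
						NULL);

		set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
		set.set_secdesc.file.fnum = fnum;
		set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
		set.set_secdesc.in.sd = sd;
		status = smb_raw_setfileinfo(cli->tree, &set);
		CHECK_STATUS(status, NT_STATUS_OK);

		/* create a child file and fetch the sd it was given */
		io.ntcreatex.in.fname = fname1;
		io.ntcreatex.in.create_options = 0;
		status = smb_raw_open(cli->tree, mem_ctx, &io);
		CHECK_STATUS(status, NT_STATUS_OK);
		fnum2 = io.ntcreatex.out.fnum;

		q.query_secdesc.in.fnum = fnum2;
		status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
		CHECK_STATUS(status, NT_STATUS_OK);

		smbcli_close(cli->tree, fnum2);
		smbcli_unlink(cli->tree, fname1);

		if (!(test_flags[i].parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
			/* without OBJECT_INHERIT a file must get the default sd;
			   a mismatch is reported but deliberately not counted
			   as a failure */
			if (!security_descriptor_equal(q.query_secdesc.out.sd, sd_def)) {
				printf("Expected default sd at %d - got:\n", i);
				NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
			}
			goto check_dir;
		}

		/* the file must carry exactly the one inherited ACE, with
		   CREATOR_OWNER already resolved to the actual owner */
		if (q.query_secdesc.out.sd->dacl == NULL ||
		    q.query_secdesc.out.sd->dacl->num_aces != 1 ||
		    q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA ||
		    !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee,
				   sd_orig->owner_sid)) {
			printf("Bad sd in child file at %d\n", i);
			NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
			ret = False;
			goto check_dir;
		}

		if (q.query_secdesc.out.sd->dacl->aces[0].flags !=
		    test_flags[i].file_flags) {
			printf("incorrect file_flags 0x%x - expected 0x%x for parent 0x%x with (i=%d)\n",
			       q.query_secdesc.out.sd->dacl->aces[0].flags,
			       test_flags[i].file_flags,
			       test_flags[i].parent_flags,
			       i);
			ret = False;
		}

	check_dir:
		/* now the same for a child directory */
		io.ntcreatex.in.fname = fname2;
		io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
		status = smb_raw_open(cli->tree, mem_ctx, &io);
		CHECK_STATUS(status, NT_STATUS_OK);
		fnum2 = io.ntcreatex.out.fnum;

		q.query_secdesc.in.fnum = fnum2;
		status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
		CHECK_STATUS(status, NT_STATUS_OK);

		smbcli_close(cli->tree, fnum2);
		smbcli_rmdir(cli->tree, fname2);

		if (!(test_flags[i].parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT) &&
		    (!(test_flags[i].parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT) ||
		     (test_flags[i].parent_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT))) {
			/* nothing propagates to a sub-directory: expect the
			   default sd (reported only, not counted as failure) */
			if (!security_descriptor_equal(q.query_secdesc.out.sd, sd_def)) {
				printf("Expected default sd for dir at %d - got:\n", i);
				NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
			}
			continue;
		}

		if ((test_flags[i].parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT) &&
		    (test_flags[i].parent_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)) {
			/* CONTAINER_INHERIT with NO_PROPAGATE: one effective ACE
			   for the owner, carrying dir_flags */
			if (q.query_secdesc.out.sd->dacl == NULL ||
			    q.query_secdesc.out.sd->dacl->num_aces != 1 ||
			    q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA ||
			    !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee,
					   sd_orig->owner_sid) ||
			    q.query_secdesc.out.sd->dacl->aces[0].flags != test_flags[i].dir_flags) {
				printf("Bad sd in child dir at %d (parent 0x%x)\n",
				       i, test_flags[i].parent_flags);
				NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
				ret = False;
				continue;
			}
		} else if (test_flags[i].parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT) {
			/* CONTAINER_INHERIT without NO_PROPAGATE: an effective
			   ACE for the owner plus an inherit-only ACE that still
			   names CREATOR_OWNER for further propagation */
			if (q.query_secdesc.out.sd->dacl == NULL ||
			    q.query_secdesc.out.sd->dacl->num_aces != 2 ||
			    q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA ||
			    !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee,
					   sd_orig->owner_sid) ||
			    q.query_secdesc.out.sd->dacl->aces[1].access_mask != SEC_FILE_WRITE_DATA ||
			    !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[1].trustee,
					   creator_owner) ||
			    q.query_secdesc.out.sd->dacl->aces[0].flags != 0 ||
			    q.query_secdesc.out.sd->dacl->aces[1].flags !=
			    (test_flags[i].dir_flags | SEC_ACE_FLAG_INHERIT_ONLY)) {
				printf("Bad sd in child dir at %d (parent 0x%x)\n",
				       i, test_flags[i].parent_flags);
				NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
				ret = False;
				continue;
			}
		} else {
			/* OBJECT_INHERIT only: a single inherit-only ACE that
			   still names CREATOR_OWNER */
			if (q.query_secdesc.out.sd->dacl == NULL ||
			    q.query_secdesc.out.sd->dacl->num_aces != 1 ||
			    q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA ||
			    !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee,
					   creator_owner) ||
			    q.query_secdesc.out.sd->dacl->aces[0].flags != test_flags[i].dir_flags) {
				printf("Bad sd in child dir at %d (parent 0x%x)\n",
				       i, test_flags[i].parent_flags);
				NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
				ret = False;
				continue;
			}
		}
	}

	printf("testing access checks on inherited create with %s\n", fname1);
	/* only the owner ACE is inheritable; the WORLD ACE keeps the
	   directory itself usable by the test */
	sd = security_descriptor_create(mem_ctx,
					NULL, NULL,
					owner_sid,
					SEC_ACE_TYPE_ACCESS_ALLOWED,
					SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC,
					SEC_ACE_FLAG_OBJECT_INHERIT,
					SID_WORLD,
					SEC_ACE_TYPE_ACCESS_ALLOWED,
					SEC_FILE_ALL | SEC_STD_ALL,
					0,
					NULL);
	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
	set.set_secdesc.file.fnum = fnum;
	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
	set.set_secdesc.in.sd = sd;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	/* the creating open is granted everything it asked for ... */
	io.ntcreatex.in.fname = fname1;
	io.ntcreatex.in.create_options = 0;
	io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.fnum;
	CHECK_ACCESS_FLAGS(fnum2, SEC_RIGHTS_FILE_ALL);

	q.query_secdesc.in.fnum = fnum2;
	q.query_secdesc.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
	status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);
	smbcli_close(cli->tree, fnum2);

	/* ... but a later open must be checked against the inherited
	   ACE, which does not grant full access */
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
	io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	if (NT_STATUS_IS_OK(status)) {
		printf("failed: w2k3 ACL bug (allowed open when ACL should deny)\n");
		ret = False;
		fnum2 = io.ntcreatex.out.fnum;
		smbcli_close(cli->tree, fnum2);
	} else {
		CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
	}

	printf("trying without execute\n");
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
	io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL & ~SEC_FILE_EXECUTE;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("and with full permissions again\n");
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
	io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.fnum;
	CHECK_ACCESS_FLAGS(fnum2, SEC_FILE_WRITE_DATA | SEC_FILE_READ_ATTRIBUTE);
	smbcli_close(cli->tree, fnum2);

	printf("put back original sd\n");
	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
	set.set_secdesc.file.fnum = fnum;
	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
	set.set_secdesc.in.sd = sd_orig;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);
	smbcli_close(cli->tree, fnum);
	fnum = -1;	/* closed and restored: nothing left for done: to undo */

	/* the child's own sd is unaffected by restoring the parent's */
	io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.fnum;
	CHECK_ACCESS_FLAGS(fnum2, SEC_FILE_WRITE_DATA | SEC_FILE_READ_ATTRIBUTE);
	smbcli_close(cli->tree, fnum2);

	smbcli_unlink(cli->tree, fname1);
	smbcli_rmdir(cli->tree, dname);

done:
	/* an error path may leave the directory with a test DACL; put the
	   original back before closing, but only if the handle was opened
	   and the original sd was actually fetched */
	if (fnum != -1) {
		if (sd_orig != NULL) {
			set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
			set.set_secdesc.file.fnum = fnum;
			set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
			set.set_secdesc.in.sd = sd_orig;
			status = smb_raw_setfileinfo(cli->tree, &set);
		}
		smbcli_close(cli->tree, fnum);
	}
	return ret;
}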
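/*
  test dynamic acl inheritance

  A child file is created under a directory whose DACL carries an
  OBJECT_INHERIT ACE with SEC_DESC_DACL_AUTO_INHERIT_REQ set.  The parent
  ACE is then widened (SEC_FILE_EXECUTE added) and the file is re-opened
  with the extra right.  The test expects NT_STATUS_ACCESS_DENIED, i.e.
  the child's rights were fixed when it was created and are not
  re-derived from the parent on every open; a server that did re-derive
  them would silently widen access to already existing files.

  Returns True when the server behaves as expected, False otherwise.
*/
static BOOL test_inheritance_dynamic(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
{
	NTSTATUS status;
	union smb_open io;
	const char *dname = BASEDIR "\\inheritance";
	const char *fname1 = BASEDIR "\\inheritance\\testfile";
	BOOL ret = True;
	/* -1 marks "not opened" so an early goto done skips the cleanup
	   that needs the directory handle */
	int fnum = -1, fnum2 = -1;
	union smb_fileinfo q;
	union smb_setfileinfo set;
	/* sd_orig is NULL until the original sd was fetched */
	struct security_descriptor *sd, *sd_orig = NULL;
	const char *owner_sid;

	printf("TESTING DYNAMIC ACL INHERITANCE\n");

	/* start from a clean base directory (removes leftovers of the
	   preceding inheritance test) */
	if (!torture_setup_dir(cli, BASEDIR)) {
		return False;
	}

	io.generic.level = RAW_OPEN_NTCREATEX;
	io.ntcreatex.in.root_fid = 0;
	io.ntcreatex.in.flags = 0;
	io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL;
	io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_DIRECTORY;
	io.ntcreatex.in.share_access = 0;
	io.ntcreatex.in.alloc_size = 0;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
	io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
	io.ntcreatex.in.security_flags = 0;
	io.ntcreatex.in.fname = dname;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum = io.ntcreatex.out.fnum;

	printf("get the original sd\n");
	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
	q.query_secdesc.in.fnum = fnum;
	q.query_secdesc.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
	status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);
	sd_orig = q.query_secdesc.out.sd;

	owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
	printf("owner_sid is %s\n", owner_sid);

	/* inheritable owner ACE without SEC_FILE_EXECUTE */
	sd = security_descriptor_create(mem_ctx,
					NULL, NULL,
					owner_sid,
					SEC_ACE_TYPE_ACCESS_ALLOWED,
					SEC_FILE_WRITE_DATA | SEC_STD_DELETE | SEC_FILE_READ_ATTRIBUTE,
					SEC_ACE_FLAG_OBJECT_INHERIT,
					NULL);
	/* ask for automatic inheritance on the parent */
	sd->type |= SEC_DESC_DACL_AUTO_INHERITED | SEC_DESC_DACL_AUTO_INHERIT_REQ;

	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
	set.set_secdesc.file.fnum = fnum;
	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
	set.set_secdesc.in.sd = sd;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	printf("create a file with an inherited acl\n");
	io.ntcreatex.in.fname = fname1;
	io.ntcreatex.in.create_options = 0;
	io.ntcreatex.in.access_mask = SEC_FILE_READ_ATTRIBUTE;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.fnum;
	smbcli_close(cli->tree, fnum2);

	printf("try and access file with base rights - should be OK\n");
	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.fnum;
	smbcli_close(cli->tree, fnum2);

	printf("try and access file with extra rights - should be denied\n");
	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA | SEC_FILE_EXECUTE;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("update parent sd\n");
	/* same ACE as before, now also granting SEC_FILE_EXECUTE */
	sd = security_descriptor_create(mem_ctx,
					NULL, NULL,
					owner_sid,
					SEC_ACE_TYPE_ACCESS_ALLOWED,
					SEC_FILE_WRITE_DATA | SEC_STD_DELETE | SEC_FILE_READ_ATTRIBUTE | SEC_FILE_EXECUTE,
					SEC_ACE_FLAG_OBJECT_INHERIT,
					NULL);
	sd->type |= SEC_DESC_DACL_AUTO_INHERITED | SEC_DESC_DACL_AUTO_INHERIT_REQ;

	set.set_secdesc.in.sd = sd;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	printf("try and access file with base rights - should be OK\n");
	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.fnum;
	smbcli_close(cli->tree, fnum2);

	printf("try and access now - should be OK if dynamic inheritance works\n");
	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA | SEC_FILE_EXECUTE;
	status = smb_raw_open(cli->tree, mem_ctx, &io);
	if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
		printf("Server does not have dynamic inheritance\n");
	}
	if (NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
		printf("Server does have dynamic inheritance\n");
	}
	/* the expected behaviour is *no* dynamic inheritance: the
	   child's rights do not change when the parent's DACL does */
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

done:
	/* restore the parent's original DACL if it was replaced, then
	   remove the test file and directory (both best effort) */
	if (fnum != -1) {
		if (sd_orig != NULL) {
			printf("put back original sd\n");
			set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
			set.set_secdesc.file.fnum = fnum;
			set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
			set.set_secdesc.in.sd = sd_orig;
			status = smb_raw_setfileinfo(cli->tree, &set);
		}
		smbcli_close(cli->tree, fnum);
	}
	smbcli_unlink(cli->tree, fname1);
	smbcli_rmdir(cli->tree, dname);
	return ret;
}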
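/*
  basic testing of security descriptor calls

  Opens a connection, creates BASEDIR, runs every sub-test in turn (all
  of them are run even after one fails, so ret is the AND of all
  results), then removes BASEDIR and tears the connection down.

  Returns True only if every sub-test passed.
*/
BOOL torture_raw_acls(void)
{
	struct smbcli_state *cli;
	BOOL ret = True;
	TALLOC_CTX *mem_ctx;

	if (!torture_open_connection(&cli)) {
		return False;
	}

	mem_ctx = talloc_init("torture_raw_acls");
	if (mem_ctx == NULL) {
		torture_close_connection(cli);
		return False;
	}

	if (!torture_setup_dir(cli, BASEDIR)) {
		/* nothing was created: skip the exit/deltree, but still
		   release the connection and the context */
		ret = False;
		goto done;
	}

	ret &= test_sd(cli, mem_ctx);
	ret &= test_nttrans_create(cli, mem_ctx);
	ret &= test_creator_sid(cli, mem_ctx);
	ret &= test_generic_bits(cli, mem_ctx);
	ret &= test_owner_bits(cli, mem_ctx);
	ret &= test_inheritance(cli, mem_ctx);
	ret &= test_inheritance_dynamic(cli, mem_ctx);

	smb_raw_exit(cli->session);
	smbcli_deltree(cli->tree, BASEDIR);

done:
	torture_close_connection(cli);
	talloc_free(mem_ctx);
	return ret;
}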