/*
   Unix SMB/CIFS implementation.
   test security descriptor operations
   Copyright (C) Andrew Tridgell 2004
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
# include "includes.h"
# include "torture/torture.h"
# include "libcli/raw/libcliraw.h"
# include "libcli/libcli.h"
# include "librpc/gen_ndr/lsa.h"
# include "libcli/util/clilsa.h"
# include "libcli/security/security.h"
# include "torture/util.h"
# include "librpc/gen_ndr/ndr_security.h"
#define BASEDIR "\\testsd"

/*
 * Compare an NTSTATUS with the one the test expects.  On mismatch it prints
 * the location and both status names, marks the enclosing test failed and
 * jumps to its done: label, so every user must have a "bool ret" and a
 * "done:" label in scope.  Anything acquired before the check that the
 * done: label does not release (in this file done: only closes fnum) is
 * left behind on the failure path.
 */
#define CHECK_STATUS(status, correct) do { \
	if (!NT_STATUS_EQUAL(status, correct)) { \
		printf("(%s) Incorrect status %s - should be %s\n", \
		       __location__, nt_errstr(status), nt_errstr(correct)); \
		ret = false; \
		goto done; \
	}} while (0)
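/*
 * Round-trip a DACL edit through SETFILEINFO(SEC_DESC).
 *
 * Creates BASEDIR\sd.txt, reads its owner/group/DACL, appends an
 * ACCESS_ALLOWED ACE for a test SID, writes the descriptor back and checks
 * that the DACL the server now returns equals the one sent.  The ACE is then
 * deleted again and the same round-trip check is repeated.
 *
 * @param tctx  torture context; talloc parent for the parsed SID and for
 *              the replies.
 * @param cli   connected client whose tree holds BASEDIR.
 * @return true when every request returned the expected status and both
 *         DACL comparisons matched.  A DACL mismatch marks the test failed
 *         but does not abort it, so the removal path is still exercised.
 *
 * Only the DACL is compared (security_acl_equal on ->dacl); owner and group
 * are requested but not checked.  The file is closed at done: (fnum is -1
 * if the create itself failed) but not unlinked here.
 */
static bool test_sd(struct torture_context *tctx, 
		    struct smbcli_state *cli)
{
	NTSTATUS status;
	union smb_open io;
	const char *fname = BASEDIR "\\sd.txt";
	bool ret = true;
	int fnum = -1;
	union smb_fileinfo q;
	union smb_setfileinfo set;
	struct security_ace ace;
	struct security_descriptor *sd;
	struct dom_sid *test_sid;

	/* banner says EA_SET, but the test below exercises SEC_DESC */
	printf("TESTING SETFILEINFO EA_SET\n");

	io.generic.level = RAW_OPEN_NTCREATEX;
	io.ntcreatex.in.root_fid.fnum = 0;
	io.ntcreatex.in.flags = 0;
	/* no explicit mask: take whatever the server will grant */
	io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	io.ntcreatex.in.create_options = 0;
	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
	io.ntcreatex.in.share_access = 
		NTCREATEX_SHARE_ACCESS_READ | 
		NTCREATEX_SHARE_ACCESS_WRITE;
	io.ntcreatex.in.alloc_size = 0;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
	io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
	io.ntcreatex.in.security_flags = 0;
	io.ntcreatex.in.fname = fname;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum = io.ntcreatex.out.file.fnum;

	/* q keeps fnum and secinfo_flags for the later re-reads below */
	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
	q.query_secdesc.in.file.fnum = fnum;
	q.query_secdesc.in.secinfo_flags = 
		SECINFO_OWNER |
		SECINFO_GROUP |
		SECINFO_DACL;
	status = smb_raw_fileinfo(cli->tree, tctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);

	/* sd is the server's descriptor; it is edited in place and sent back */
	sd = q.query_secdesc.out.sd;

	printf("add a new ACE to the DACL\n");

	test_sid = dom_sid_parse_talloc(tctx, "S-1-5-32-1234-5432");
	if (test_sid == NULL) {
		/* the literal always parses; this guards the allocation */
		printf("(%s) failed to parse test SID\n", __location__);
		ret = false;
		goto done;
	}
	
	ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
	ace.flags = 0;
	ace.access_mask = SEC_STD_ALL;
	ace.trustee = *test_sid;

	status = security_descriptor_dacl_add(sd, &ace);
	CHECK_STATUS(status, NT_STATUS_OK);

	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
	set.set_secdesc.in.file.fnum = fnum;
	/* write back exactly the parts that were read (owner, group, DACL) */
	set.set_secdesc.in.secinfo_flags = q.query_secdesc.in.secinfo_flags;
	set.set_secdesc.in.sd = sd;

	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	/* re-read into q; q.out.sd is now a fresh copy, sd is ours */
	status = smb_raw_fileinfo(cli->tree, tctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);

	if (!security_acl_equal(q.query_secdesc.out.sd->dacl, sd->dacl)) {
		printf("%s: security descriptors don't match!\n", __location__);
		printf("got:\n");
		NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
		printf("expected:\n");
		NDR_PRINT_DEBUG(security_descriptor, sd);
		/* record the failure but carry on so the delete path runs too */
		ret = false;
	}

	printf("remove it again\n");

	status = security_descriptor_dacl_del(sd, test_sid);
	CHECK_STATUS(status, NT_STATUS_OK);

	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	status = smb_raw_fileinfo(cli->tree, tctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);

	if (!security_acl_equal(q.query_secdesc.out.sd->dacl, sd->dacl)) {
		printf("%s: security descriptors don't match!\n", __location__);
		printf("got:\n");
		NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
		printf("expected:\n");
		NDR_PRINT_DEBUG(security_descriptor, sd);
		ret = false;
	}

done:
	smbcli_close(cli->tree, fnum);
	return ret;
}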
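/*
  test using nttrans create to create a file with an initial acl set
*/
/*
 * Create a file via NTTRANS_CREATE with a caller-supplied descriptor.
 *
 * A first file is created with no descriptor purely to learn the server's
 * default owner/group/DACL; it is then closed and unlinked.  That default
 * descriptor, extended by one ACCESS_ALLOWED ACE for a test SID, is passed
 * as sec_desc on a second create of the same name, and the DACL the server
 * reports for the new file must equal the one supplied.
 *
 * @param tctx  torture context; talloc parent for the SID and replies.
 * @param cli   connected client whose tree holds BASEDIR.
 * @return true if both creates succeeded and the DACLs matched.
 *
 * Only the DACL is compared.  The unlink result is not checked: if it
 * failed, the second create (still NTCREATEX_DISP_CREATE) fails and is
 * reported there.  fnum is reset to -1 after the first close so that a
 * failure before the second create does not close a stale handle at done:.
 */
static bool test_nttrans_create(struct torture_context *tctx, 
				struct smbcli_state *cli)
{
	NTSTATUS status;
	union smb_open io;
	const char *fname = BASEDIR "\\acl2.txt";
	bool ret = true;
	int fnum = -1;
	union smb_fileinfo q;
	struct security_ace ace;
	struct security_descriptor *sd;
	struct dom_sid *test_sid;

	printf("testing nttrans create with sec_desc\n");

	io.generic.level = RAW_OPEN_NTTRANS_CREATE;
	io.ntcreatex.in.root_fid.fnum = 0;
	io.ntcreatex.in.flags = 0;
	io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	io.ntcreatex.in.create_options = 0;
	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
	io.ntcreatex.in.share_access = 
		NTCREATEX_SHARE_ACCESS_READ | 
		NTCREATEX_SHARE_ACCESS_WRITE;
	io.ntcreatex.in.alloc_size = 0;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
	io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
	io.ntcreatex.in.security_flags = 0;
	io.ntcreatex.in.fname = fname;
	/* first pass: no descriptor, let the server pick the default */
	io.ntcreatex.in.sec_desc = NULL;
	io.ntcreatex.in.ea_list = NULL;

	printf("creating normal file\n");

	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum = io.ntcreatex.out.file.fnum;

	printf("querying ACL\n");

	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
	q.query_secdesc.in.file.fnum = fnum;
	q.query_secdesc.in.secinfo_flags = 
		SECINFO_OWNER |
		SECINFO_GROUP |
		SECINFO_DACL;
	status = smb_raw_fileinfo(cli->tree, tctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);
	sd = q.query_secdesc.out.sd;

	smbcli_close(cli->tree, fnum);
	/* fnum now refers to a closed handle; the server may reuse the number */
	fnum = -1;
	smbcli_unlink(cli->tree, fname);

	printf("adding a new ACE\n");
	test_sid = dom_sid_parse_talloc(tctx, "S-1-5-32-1234-54321");
	if (test_sid == NULL) {
		/* the literal always parses; this guards the allocation */
		printf("(%s) failed to parse test SID\n", __location__);
		ret = false;
		goto done;
	}
	
	ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
	ace.flags = 0;
	ace.access_mask = SEC_STD_ALL;
	ace.trustee = *test_sid;

	status = security_descriptor_dacl_add(sd, &ace);
	CHECK_STATUS(status, NT_STATUS_OK);
	
	printf("creating a file with an initial ACL\n");

	/* second pass: same create request, now carrying our descriptor */
	io.ntcreatex.in.sec_desc = sd;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum = io.ntcreatex.out.file.fnum;
	
	q.query_secdesc.in.file.fnum = fnum;
	status = smb_raw_fileinfo(cli->tree, tctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);

	if (!security_acl_equal(q.query_secdesc.out.sd->dacl, sd->dacl)) {
		printf("%s: security descriptors don't match!\n", __location__);
		printf("got:\n");
		NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
		printf("expected:\n");
		NDR_PRINT_DEBUG(security_descriptor, sd);
		ret = false;
	}

done:
	smbcli_close(cli->tree, fnum);
	return ret;
}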
/*
 * Query ACCESS_INFORMATION on handle _fnum and compare the granted access
 * mask with "flags".  A failed query or a mismatch prints the location and
 * both masks, marks the test failed and jumps to done:.  Uses the caller's
 * status, cli, tctx, ret and done: label.  On the failure path _fnum is
 * still open; the done: labels in this file only close their own fnum, so
 * a handle checked here is leaked when the check fails unless the caller
 * tracks it separately.
 */
#define CHECK_ACCESS_FLAGS(_fnum, flags) do { \
	union smb_fileinfo _q; \
	_q.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION; \
	_q.access_information.in.file.fnum = (_fnum); \
	status = smb_raw_fileinfo(cli->tree, tctx, &_q); \
	CHECK_STATUS(status, NT_STATUS_OK); \
	if (_q.access_information.out.access_flags != (flags)) { \
		printf("(%s) Incorrect access_flags 0x%08x - should be 0x%08x\n", \
		       __location__, _q.access_information.out.access_flags, (flags)); \
		ret = false; \
		goto done; \
	} \
} while (0)
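/*
  test using NTTRANS CREATE to create a file with a null ACL set
*/
/*
 * NULL DACL versus empty DACL.
 *
 * Creates BASEDIR\acl3.txt with a freshly initialised descriptor (no
 * DACL_PRESENT) and then checks, in order:
 *  1. the created file comes back with DACL_PRESENT set and a non-NULL DACL;
 *  2. after setting DACL_PRESENT with a NULL dacl pointer, the stored DACL
 *     is NULL and every open (read control, read, write, generic read and
 *     generic write) succeeds with the requested rights plus READ_ATTRIBUTE;
 *  3. after setting a DACL that is present but has zero ACEs, only the
 *     READ_CONTROL open succeeds and all four data opens are ACCESS_DENIED;
 *  4. after clearing DACL_PRESENT again, the server still reports
 *     DACL_PRESENT with a NULL DACL.
 * The contrast between 2 and 3 is the point: a NULL DACL refuses nothing,
 * while an empty DACL refuses every data access (the READ_CONTROL open is
 * presumably allowed because the caller is the owner - confirm).
 *
 * @param tctx  torture context; talloc parent for sd and the replies.
 * @param cli   connected client whose tree holds BASEDIR.
 * @return true if every status, flag and access mask matched.
 *
 * fnum is the long-lived handle used for set/query; fnum2 tracks the
 * short-lived handle of the open currently under CHECK_ACCESS_FLAGS, so a
 * failed check (which jumps to done:) does not leak it.  sd->dacl briefly
 * aliases the stack variable dacl; it is reset to NULL at done: so the
 * talloc'd descriptor never outlives this frame with a dangling pointer.
 */
static bool test_nttrans_create_null_dacl(struct torture_context *tctx,
					  struct smbcli_state *cli)
{
	NTSTATUS status;
	union smb_open io;
	const char *fname = BASEDIR "\\acl3.txt";
	bool ret = true;
	int fnum = -1;
	int fnum2 = -1;
	union smb_fileinfo q;
	union smb_setfileinfo s;
	struct security_descriptor *sd = security_descriptor_initialise(tctx);
	struct security_acl dacl;

	printf("TESTING SEC_DESC WITH A NULL DACL\n");

	if (sd == NULL) {
		printf("(%s) security_descriptor_initialise failed\n", __location__);
		ret = false;
		goto done;
	}

	io.generic.level = RAW_OPEN_NTTRANS_CREATE;
	io.ntcreatex.in.root_fid.fnum = 0;
	io.ntcreatex.in.flags = 0;
	/* the long-lived handle only needs to read and rewrite the descriptor */
	io.ntcreatex.in.access_mask = SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC
		| SEC_STD_WRITE_OWNER;
	io.ntcreatex.in.create_options = 0;
	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
	io.ntcreatex.in.share_access =
		NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE;
	io.ntcreatex.in.alloc_size = 0;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
	io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
	io.ntcreatex.in.security_flags = 0;
	io.ntcreatex.in.fname = fname;
	/* DACL_PRESENT is not set on sd here, so no DACL is supplied */
	io.ntcreatex.in.sec_desc = sd;
	io.ntcreatex.in.ea_list = NULL;

	printf("creating a file with a empty sd\n");
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum = io.ntcreatex.out.file.fnum;

	printf("get the original sd\n");
	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
	q.query_secdesc.in.file.fnum = fnum;
	q.query_secdesc.in.secinfo_flags =
		SECINFO_OWNER |
		SECINFO_GROUP |
		SECINFO_DACL;
	status = smb_raw_fileinfo(cli->tree, tctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);

	/*
	 * Testing the created DACL,
	 * the server should add the inherited DACL
	 * when SEC_DESC_DACL_PRESENT isn't specified
	 */
	if (!(q.query_secdesc.out.sd->type & SEC_DESC_DACL_PRESENT)) {
		printf("DACL_PRESENT flag not set by the server!\n");
		ret = false;
		goto done;
	}
	if (q.query_secdesc.out.sd->dacl == NULL) {
		printf("no DACL has been created on the server!\n");
		ret = false;
		goto done;
	}

	printf("set NULL DACL\n");
	/* DACL_PRESENT with dacl == NULL is the "NULL DACL" the test is about */
	sd->type |= SEC_DESC_DACL_PRESENT;

	s.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
	s.set_secdesc.in.file.fnum = fnum;
	s.set_secdesc.in.secinfo_flags = SECINFO_DACL;
	s.set_secdesc.in.sd = sd;
	status = smb_raw_setfileinfo(cli->tree, &s);
	CHECK_STATUS(status, NT_STATUS_OK);

	printf("get the sd\n");
	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
	q.query_secdesc.in.file.fnum = fnum;
	q.query_secdesc.in.secinfo_flags =
		SECINFO_OWNER |
		SECINFO_GROUP |
		SECINFO_DACL;
	status = smb_raw_fileinfo(cli->tree, tctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);

	/* Testing the modified DACL */
	if (!(q.query_secdesc.out.sd->type & SEC_DESC_DACL_PRESENT)) {
		printf("DACL_PRESENT flag not set by the server!\n");
		ret = false;
		goto done;
	}
	if (q.query_secdesc.out.sd->dacl != NULL) {
		printf("DACL has been created on the server!\n");
		ret = false;
		goto done;
	}

	/* NULL DACL: every open below must succeed, and the granted mask is
	   expected to carry READ_ATTRIBUTE on top of what was asked for */
	printf("try open for read control\n");
	io.ntcreatex.in.access_mask = SEC_STD_READ_CONTROL;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.file.fnum;
	CHECK_ACCESS_FLAGS(fnum2,
			   SEC_STD_READ_CONTROL | SEC_FILE_READ_ATTRIBUTE);
	smbcli_close(cli->tree, fnum2);
	fnum2 = -1;

	printf("try open for write\n");
	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.file.fnum;
	CHECK_ACCESS_FLAGS(fnum2,
			   SEC_FILE_WRITE_DATA | SEC_FILE_READ_ATTRIBUTE);
	smbcli_close(cli->tree, fnum2);
	fnum2 = -1;

	printf("try open for read\n");
	io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.file.fnum;
	CHECK_ACCESS_FLAGS(fnum2,
			   SEC_FILE_READ_DATA | SEC_FILE_READ_ATTRIBUTE);
	smbcli_close(cli->tree, fnum2);
	fnum2 = -1;

	/* generic bits are expected to come back mapped to the file-specific
	   rights */
	printf("try open for generic write\n");
	io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.file.fnum;
	CHECK_ACCESS_FLAGS(fnum2,
			   SEC_RIGHTS_FILE_WRITE | SEC_FILE_READ_ATTRIBUTE);
	smbcli_close(cli->tree, fnum2);
	fnum2 = -1;

	printf("try open for generic read\n");
	io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.file.fnum;
	CHECK_ACCESS_FLAGS(fnum2,
			   SEC_RIGHTS_FILE_READ | SEC_FILE_READ_ATTRIBUTE);
	smbcli_close(cli->tree, fnum2);
	fnum2 = -1;

	printf("set DACL with 0 aces\n");
	/* sd->dacl points at a stack object from here until it is set back
	   to NULL (below, and unconditionally at done:) */
	ZERO_STRUCT(dacl);
	dacl.revision = SECURITY_ACL_REVISION_NT4;
	dacl.num_aces = 0;
	sd->dacl = &dacl;

	s.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
	s.set_secdesc.in.file.fnum = fnum;
	s.set_secdesc.in.secinfo_flags = SECINFO_DACL;
	s.set_secdesc.in.sd = sd;
	status = smb_raw_setfileinfo(cli->tree, &s);
	CHECK_STATUS(status, NT_STATUS_OK);

	printf("get the sd\n");
	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
	q.query_secdesc.in.file.fnum = fnum;
	q.query_secdesc.in.secinfo_flags =
		SECINFO_OWNER |
		SECINFO_GROUP |
		SECINFO_DACL;
	status = smb_raw_fileinfo(cli->tree, tctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);

	/* Testing the modified DACL */
	if (!(q.query_secdesc.out.sd->type & SEC_DESC_DACL_PRESENT)) {
		printf("DACL_PRESENT flag not set by the server!\n");
		ret = false;
		goto done;
	}
	if (q.query_secdesc.out.sd->dacl == NULL) {
		printf("no DACL has been created on the server!\n");
		ret = false;
		goto done;
	}
	if (q.query_secdesc.out.sd->dacl->num_aces != 0) {
		printf("DACL has %u aces!\n",
		       q.query_secdesc.out.sd->dacl->num_aces);
		ret = false;
		goto done;
	}

	/* empty DACL: only READ_CONTROL is expected to be granted, every
	   data access must be refused */
	printf("try open for read control\n");
	io.ntcreatex.in.access_mask = SEC_STD_READ_CONTROL;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.file.fnum;
	CHECK_ACCESS_FLAGS(fnum2,
			   SEC_STD_READ_CONTROL | SEC_FILE_READ_ATTRIBUTE);
	smbcli_close(cli->tree, fnum2);
	fnum2 = -1;

	printf("try open for write => access_denied\n");
	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("try open for read => access_denied\n");
	io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("try open for generic write => access_denied\n");
	io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("try open for generic read => access_denied\n");
	io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("set empty sd\n");
	sd->type &= ~SEC_DESC_DACL_PRESENT;
	sd->dacl = NULL;

	s.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
	s.set_secdesc.in.file.fnum = fnum;
	s.set_secdesc.in.secinfo_flags = SECINFO_DACL;
	s.set_secdesc.in.sd = sd;
	status = smb_raw_setfileinfo(cli->tree, &s);
	CHECK_STATUS(status, NT_STATUS_OK);

	printf("get the sd\n");
	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
	q.query_secdesc.in.file.fnum = fnum;
	q.query_secdesc.in.secinfo_flags =
		SECINFO_OWNER |
		SECINFO_GROUP |
		SECINFO_DACL;
	status = smb_raw_fileinfo(cli->tree, tctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);

	/* Testing the modified DACL */
	if (!(q.query_secdesc.out.sd->type & SEC_DESC_DACL_PRESENT)) {
		printf("DACL_PRESENT flag not set by the server!\n");
		ret = false;
		goto done;
	}
	if (q.query_secdesc.out.sd->dacl != NULL) {
		printf("DACL has been created on the server!\n");
		ret = false;
		goto done;
	}

done:
	if (fnum2 != -1) {
		/* a failed CHECK_ACCESS_FLAGS arrives here with it still open */
		smbcli_close(cli->tree, fnum2);
	}
	if (sd != NULL) {
		/* drop any reference to the stack-allocated dacl */
		sd->dacl = NULL;
	}
	smbcli_close(cli->tree, fnum);
	return ret;
}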
/*
  test the behaviour of the well known SID_CREATOR_OWNER sid, and some generic
  mapping bits
*/
/*
 * Three descriptors are set on BASEDIR\creator.txt in turn and the result
 * of opening the file with specific and generic access masks is checked
 * after each:
 *  1. a single ACE granting SID_CREATOR_OWNER read + standard rights: all
 *     four opens (read, write, generic read, generic write) are expected to
 *     be ACCESS_DENIED, i.e. the placeholder SID placed directly on an
 *     object's DACL is expected to match nobody, not even the owner;
 *  2. the same ACE but naming the actual owner SID: the descriptor read
 *     back must equal what was set, read opens succeed with the expected
 *     granted mask, write opens are denied;
 *  3. an ACE granting the owner SEC_GENERIC_READ: the server is expected
 *     to store it mapped to SEC_RIGHTS_FILE_READ (sd2), with the same open
 *     outcomes as in 2.
 * The original descriptor is written back at the end (DACL only, since
 * secinfo_flags stays SECINFO_DACL).
 *
 * @param tctx  torture context; talloc parent for the descriptors built
 *              here and for the replies.
 * @param cli   connected client whose tree holds BASEDIR.
 * @return true if every status, descriptor comparison and granted mask
 *         matched.  A descriptor mismatch is recorded but the test goes on.
 *
 * NOTE(review): dom_sid_string() and security_descriptor_dacl_create() are
 * not checked for NULL; an allocation failure would be handed straight to
 * the set_secdesc call.  Handles opened for CHECK_ACCESS_FLAGS are not
 * closed if that check fails, since done: only closes fnum.
 */
static bool test_creator_sid(struct torture_context *tctx, 
			     struct smbcli_state *cli)
{
	NTSTATUS status;
	union smb_open io;
	const char *fname = BASEDIR "\\creator.txt";
	bool ret = true;
	int fnum = -1;
	union smb_fileinfo q;
	union smb_setfileinfo set;
	struct security_descriptor *sd, *sd_orig, *sd2;
	const char *owner_sid;

	printf("TESTING SID_CREATOR_OWNER\n");

	io.generic.level = RAW_OPEN_NTCREATEX;
	io.ntcreatex.in.root_fid.fnum = 0;
	io.ntcreatex.in.flags = 0;
	/* the long-lived handle needs only descriptor rights, not data access */
	io.ntcreatex.in.access_mask = SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER;
	io.ntcreatex.in.create_options = 0;
	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
	io.ntcreatex.in.share_access = 
		NTCREATEX_SHARE_ACCESS_READ | 
		NTCREATEX_SHARE_ACCESS_WRITE;
	io.ntcreatex.in.alloc_size = 0;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
	io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
	io.ntcreatex.in.security_flags = 0;
	io.ntcreatex.in.fname = fname;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum = io.ntcreatex.out.file.fnum;

	printf("get the original sd\n");
	/* q is reused as-is for every later re-read of the descriptor; the
	   owner is requested because the comparisons below use
	   security_descriptor_equal on the whole descriptor */
	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
	q.query_secdesc.in.file.fnum = fnum;
	q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
	status = smb_raw_fileinfo(cli->tree, tctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);
	sd_orig = q.query_secdesc.out.sd;

	/* the owner as the server reports it; used both as a trustee and as
	   the owner of the expected descriptors */
	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);

	printf("set a sec desc allowing no write by CREATOR_OWNER\n");
	/* args: type, owner, group, then one ACE (trustee, type, mask,
	   flags) and a NULL terminator */
	sd = security_descriptor_dacl_create(tctx,
					0, NULL, NULL,
					SID_CREATOR_OWNER,
					SEC_ACE_TYPE_ACCESS_ALLOWED,
					SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
					0,
					NULL);

	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
	set.set_secdesc.in.file.fnum = fnum;
	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
	set.set_secdesc.in.sd = sd;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	/* with only a CREATOR_OWNER ACE on the object, no data access at all
	   is expected to be granted */
	printf("try open for write\n");
	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("try open for read\n");
	io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("try open for generic write\n");
	io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("try open for generic read\n");
	io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("set a sec desc allowing no write by owner\n");
	/* owner_sid is set as the descriptor's owner too, so that the
	   whole-descriptor comparison against the server's reply succeeds */
	sd = security_descriptor_dacl_create(tctx,
					0, owner_sid, NULL,
					owner_sid,
					SEC_ACE_TYPE_ACCESS_ALLOWED,
					SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
					0,
					NULL);

	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
	set.set_secdesc.in.file.fnum = fnum;
	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
	set.set_secdesc.in.sd = sd;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	printf("check that sd has been mapped correctly\n");
	status = smb_raw_fileinfo(cli->tree, tctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);
	if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
		printf("%s: security descriptors don't match!\n", __location__);
		printf("got:\n");
		NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
		printf("expected:\n");
		NDR_PRINT_DEBUG(security_descriptor, sd);
		/* recorded, but the open checks below still run */
		ret = false;
	}

	printf("try open for write\n");
	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("try open for read\n");
	io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	/* READ_ATTRIBUTE is expected on top of the requested READ_DATA */
	CHECK_ACCESS_FLAGS(io.ntcreatex.out.file.fnum, 
			   SEC_FILE_READ_DATA|
			   SEC_FILE_READ_ATTRIBUTE);
	smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);

	printf("try open for generic write\n");
	io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("try open for generic read\n");
	io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	/* a generic read request is expected to be granted as the full
	   file-specific read set */
	CHECK_ACCESS_FLAGS(io.ntcreatex.out.file.fnum, 
			   SEC_RIGHTS_FILE_READ);
	smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);

	printf("set a sec desc allowing generic read by owner\n");
	/* this time the ACE carries the generic bit; owner is left NULL
	   because the expected descriptor (sd2) is built separately */
	sd = security_descriptor_dacl_create(tctx,
					0, NULL, NULL,
					owner_sid,
					SEC_ACE_TYPE_ACCESS_ALLOWED,
					SEC_GENERIC_READ | SEC_STD_ALL,
					0,
					NULL);

	set.set_secdesc.in.sd = sd;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	printf("check that generic read has been mapped correctly\n");
	/* sd2 is what the server is expected to have stored: the ACE's
	   SEC_GENERIC_READ replaced by SEC_RIGHTS_FILE_READ */
	sd2 = security_descriptor_dacl_create(tctx,
					 0, owner_sid, NULL,
					 owner_sid,
					 SEC_ACE_TYPE_ACCESS_ALLOWED,
					 SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
					 0,
					 NULL);

	status = smb_raw_fileinfo(cli->tree, tctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);
	if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
		printf("%s: security descriptors don't match!\n", __location__);
		printf("got:\n");
		NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
		printf("expected:\n");
		NDR_PRINT_DEBUG(security_descriptor, sd2);
		ret = false;
	}

	printf("try open for write\n");
	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("try open for read\n");
	io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	CHECK_ACCESS_FLAGS(io.ntcreatex.out.file.fnum, 
			   SEC_FILE_READ_DATA | 
			   SEC_FILE_READ_ATTRIBUTE);
	smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);

	printf("try open for generic write\n");
	io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("try open for generic read\n");
	io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	CHECK_ACCESS_FLAGS(io.ntcreatex.out.file.fnum, SEC_RIGHTS_FILE_READ);
	smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);

	printf("put back original sd\n");
	/* secinfo_flags is still SECINFO_DACL, so only the DACL is restored */
	set.set_secdesc.in.sd = sd_orig;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

done:
	smbcli_close(cli->tree, fnum);
	return ret;
}
/*
test the mapping of the SEC_GENERIC_xx bits to SEC_STD_xx and
SEC_FILE_xx bits
*/
static bool test_generic_bits ( struct torture_context * tctx ,
struct smbcli_state * cli )
2004-12-02 07:38:41 +03:00
{
NTSTATUS status ;
union smb_open io ;
const char * fname = BASEDIR " \\ generic.txt " ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2004-12-02 07:51:56 +03:00
int fnum = - 1 , i ;
2004-12-02 07:38:41 +03:00
union smb_fileinfo q ;
union smb_setfileinfo set ;
struct security_descriptor * sd , * sd_orig , * sd2 ;
const char * owner_sid ;
const struct {
uint32_t gen_bits ;
uint32_t specific_bits ;
} file_mappings [ ] = {
2004-12-03 09:25:56 +03:00
{ 0 , 0 } ,
{ SEC_GENERIC_READ , SEC_RIGHTS_FILE_READ } ,
{ SEC_GENERIC_WRITE , SEC_RIGHTS_FILE_WRITE } ,
{ SEC_GENERIC_EXECUTE , SEC_RIGHTS_FILE_EXECUTE } ,
{ SEC_GENERIC_ALL , SEC_RIGHTS_FILE_ALL } ,
{ SEC_FILE_READ_DATA , SEC_FILE_READ_DATA } ,
{ SEC_FILE_READ_ATTRIBUTE , SEC_FILE_READ_ATTRIBUTE }
2004-12-02 07:38:41 +03:00
} ;
const struct {
uint32_t gen_bits ;
uint32_t specific_bits ;
} dir_mappings [ ] = {
{ 0 , 0 } ,
{ SEC_GENERIC_READ , SEC_RIGHTS_DIR_READ } ,
{ SEC_GENERIC_WRITE , SEC_RIGHTS_DIR_WRITE } ,
{ SEC_GENERIC_EXECUTE , SEC_RIGHTS_DIR_EXECUTE } ,
{ SEC_GENERIC_ALL , SEC_RIGHTS_DIR_ALL }
} ;
2007-10-07 02:28:14 +04:00
bool has_restore_privilege ;
bool has_take_ownership_privilege ;
2004-12-02 07:38:41 +03:00
printf ( " TESTING FILE GENERIC BITS \n " ) ;
io . generic . level = RAW_OPEN_NTCREATEX ;
2009-10-15 11:26:19 +04:00
io . ntcreatex . in . root_fid . fnum = 0 ;
2004-12-02 07:38:41 +03:00
io . ntcreatex . in . flags = 0 ;
2004-12-04 13:16:47 +03:00
io . ntcreatex . in . access_mask =
SEC_STD_READ_CONTROL |
SEC_STD_WRITE_DAC |
SEC_STD_WRITE_OWNER ;
2004-12-02 07:38:41 +03:00
io . ntcreatex . in . create_options = 0 ;
io . ntcreatex . in . file_attr = FILE_ATTRIBUTE_NORMAL ;
io . ntcreatex . in . share_access =
NTCREATEX_SHARE_ACCESS_READ |
NTCREATEX_SHARE_ACCESS_WRITE ;
io . ntcreatex . in . alloc_size = 0 ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_OPEN_IF ;
io . ntcreatex . in . impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS ;
io . ntcreatex . in . security_flags = 0 ;
io . ntcreatex . in . fname = fname ;
2007-08-29 04:56:13 +04:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 07:38:41 +03:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-13 01:48:25 +03:00
fnum = io . ntcreatex . out . file . fnum ;
2004-12-02 07:38:41 +03:00
printf ( " get the original sd \n " ) ;
q . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
2006-03-13 01:48:25 +03:00
q . query_secdesc . in . file . fnum = fnum ;
2006-03-10 23:49:20 +03:00
q . query_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
2007-08-29 04:56:13 +04:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-02 07:38:41 +03:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
sd_orig = q . query_secdesc . out . sd ;
2007-08-29 04:56:13 +04:00
owner_sid = dom_sid_string ( tctx , sd_orig - > owner_sid ) ;
2004-12-02 07:38:41 +03:00
2009-10-16 11:23:42 +04:00
status = torture_check_privilege ( cli ,
2004-12-11 08:41:19 +03:00
owner_sid ,
sec_privilege_name ( SEC_PRIV_RESTORE ) ) ;
2004-12-06 10:13:50 +03:00
has_restore_privilege = NT_STATUS_IS_OK ( status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2009-10-16 11:23:42 +04:00
printf ( " torture_check_privilege - %s \n " , nt_errstr ( status ) ) ;
2004-12-06 10:13:50 +03:00
}
printf ( " SEC_PRIV_RESTORE - %s \n " , has_restore_privilege ? " Yes " : " No " ) ;
2009-10-16 11:23:42 +04:00
status = torture_check_privilege ( cli ,
2004-12-11 08:41:19 +03:00
owner_sid ,
sec_privilege_name ( SEC_PRIV_TAKE_OWNERSHIP ) ) ;
2004-12-06 10:13:50 +03:00
has_take_ownership_privilege = NT_STATUS_IS_OK ( status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2009-10-16 11:23:42 +04:00
printf ( " torture_check_privilege - %s \n " , nt_errstr ( status ) ) ;
2004-12-06 10:13:50 +03:00
}
2005-08-04 08:23:08 +04:00
printf ( " SEC_PRIV_TAKE_OWNERSHIP - %s \n " , has_take_ownership_privilege ? " Yes " : " No " ) ;
2004-12-02 07:38:41 +03:00
for ( i = 0 ; i < ARRAY_SIZE ( file_mappings ) ; i + + ) {
2004-12-06 10:13:50 +03:00
uint32_t expected_mask =
SEC_STD_WRITE_DAC |
SEC_STD_READ_CONTROL |
SEC_FILE_READ_ATTRIBUTE |
SEC_STD_DELETE ;
uint32_t expected_mask_anon = SEC_FILE_READ_ATTRIBUTE ;
if ( has_restore_privilege ) {
expected_mask_anon | = SEC_STD_DELETE ;
}
2004-12-02 07:38:41 +03:00
printf ( " testing generic bits 0x%08x \n " ,
file_mappings [ i ] . gen_bits ) ;
2007-11-02 14:54:19 +03:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 15:12:53 +04:00
0 , owner_sid , NULL ,
2004-12-02 07:38:41 +03:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
file_mappings [ i ] . gen_bits ,
2004-12-29 09:53:15 +03:00
0 ,
2004-12-02 07:38:41 +03:00
NULL ) ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
2006-03-13 01:48:25 +03:00
set . set_secdesc . in . file . fnum = fnum ;
2004-12-04 13:16:47 +03:00
set . set_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
2004-12-02 07:38:41 +03:00
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2007-11-02 14:54:19 +03:00
sd2 = security_descriptor_dacl_create ( tctx ,
2007-10-10 15:12:53 +04:00
0 , owner_sid , NULL ,
2004-12-02 07:38:41 +03:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
file_mappings [ i ] . specific_bits ,
2004-12-29 09:53:15 +03:00
0 ,
2004-12-02 07:38:41 +03:00
NULL ) ;
2007-08-29 04:56:13 +04:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-02 07:38:41 +03:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
if ( ! security_descriptor_equal ( q . query_secdesc . out . sd , sd2 ) ) {
2005-01-07 04:56:19 +03:00
printf ( " %s: security descriptors don't match! \n " , __location__ ) ;
2004-12-02 07:38:41 +03:00
printf ( " got: \n " ) ;
NDR_PRINT_DEBUG ( security_descriptor , q . query_secdesc . out . sd ) ;
printf ( " expected: \n " ) ;
NDR_PRINT_DEBUG ( security_descriptor , sd2 ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-12-02 07:38:41 +03:00
}
io . ntcreatex . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2007-08-29 04:56:13 +04:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 07:38:41 +03:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-13 01:48:25 +03:00
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum ,
2004-12-06 10:13:50 +03:00
expected_mask | file_mappings [ i ] . specific_bits ) ;
2006-03-13 01:48:25 +03:00
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2004-12-02 07:38:41 +03:00
2004-12-06 10:13:50 +03:00
if ( ! has_take_ownership_privilege ) {
continue ;
}
2004-12-04 13:16:47 +03:00
printf ( " testing generic bits 0x%08x (anonymous) \n " ,
file_mappings [ i ] . gen_bits ) ;
2007-11-02 14:54:19 +03:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 15:12:53 +04:00
0 , SID_NT_ANONYMOUS , NULL ,
2004-12-04 13:16:47 +03:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
file_mappings [ i ] . gen_bits ,
2004-12-29 09:53:15 +03:00
0 ,
2004-12-04 13:16:47 +03:00
NULL ) ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
2006-03-13 01:48:25 +03:00
set . set_secdesc . in . file . fnum = fnum ;
2004-12-04 13:16:47 +03:00
set . set_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2007-11-02 14:54:19 +03:00
sd2 = security_descriptor_dacl_create ( tctx ,
2007-10-10 15:12:53 +04:00
0 , SID_NT_ANONYMOUS , NULL ,
2004-12-04 13:16:47 +03:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
file_mappings [ i ] . specific_bits ,
2004-12-29 09:53:15 +03:00
0 ,
2004-12-04 13:16:47 +03:00
NULL ) ;
2007-08-29 04:56:13 +04:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-04 13:16:47 +03:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
if ( ! security_descriptor_equal ( q . query_secdesc . out . sd , sd2 ) ) {
2005-01-07 04:56:19 +03:00
printf ( " %s: security descriptors don't match! \n " , __location__ ) ;
2004-12-04 13:16:47 +03:00
printf ( " got: \n " ) ;
NDR_PRINT_DEBUG ( security_descriptor , q . query_secdesc . out . sd ) ;
printf ( " expected: \n " ) ;
NDR_PRINT_DEBUG ( security_descriptor , sd2 ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-12-04 13:16:47 +03:00
}
io . ntcreatex . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2007-08-29 04:56:13 +04:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-04 13:16:47 +03:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-13 01:48:25 +03:00
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum ,
2004-12-06 10:13:50 +03:00
expected_mask_anon | file_mappings [ i ] . specific_bits ) ;
2006-03-13 01:48:25 +03:00
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2004-12-02 07:38:41 +03:00
}
printf ( " put back original sd \n " ) ;
set . set_secdesc . in . sd = sd_orig ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
smbcli_close ( cli - > tree , fnum ) ;
smbcli_unlink ( cli - > tree , fname ) ;
printf ( " TESTING DIR GENERIC BITS \n " ) ;
io . generic . level = RAW_OPEN_NTCREATEX ;
2009-10-15 11:26:19 +04:00
io . ntcreatex . in . root_fid . fnum = 0 ;
2004-12-02 07:38:41 +03:00
io . ntcreatex . in . flags = 0 ;
2006-04-13 13:00:38 +04:00
io . ntcreatex . in . access_mask =
SEC_STD_READ_CONTROL |
SEC_STD_WRITE_DAC |
SEC_STD_WRITE_OWNER ;
2004-12-02 07:38:41 +03:00
io . ntcreatex . in . create_options = NTCREATEX_OPTIONS_DIRECTORY ;
io . ntcreatex . in . file_attr = FILE_ATTRIBUTE_DIRECTORY ;
io . ntcreatex . in . share_access =
NTCREATEX_SHARE_ACCESS_READ |
NTCREATEX_SHARE_ACCESS_WRITE ;
io . ntcreatex . in . alloc_size = 0 ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_OPEN_IF ;
io . ntcreatex . in . impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS ;
io . ntcreatex . in . security_flags = 0 ;
io . ntcreatex . in . fname = fname ;
2007-08-29 04:56:13 +04:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 07:38:41 +03:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-13 01:48:25 +03:00
fnum = io . ntcreatex . out . file . fnum ;
2004-12-02 07:38:41 +03:00
printf ( " get the original sd \n " ) ;
q . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
2006-03-13 01:48:25 +03:00
q . query_secdesc . in . file . fnum = fnum ;
2006-03-10 23:49:20 +03:00
q . query_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
2007-08-29 04:56:13 +04:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-02 07:38:41 +03:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
sd_orig = q . query_secdesc . out . sd ;
2007-08-29 04:56:13 +04:00
owner_sid = dom_sid_string ( tctx , sd_orig - > owner_sid ) ;
2004-12-02 07:38:41 +03:00
2009-10-16 11:23:42 +04:00
status = torture_check_privilege ( cli ,
2006-04-13 13:00:38 +04:00
owner_sid ,
sec_privilege_name ( SEC_PRIV_RESTORE ) ) ;
has_restore_privilege = NT_STATUS_IS_OK ( status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2009-10-16 11:23:42 +04:00
printf ( " torture_check_privilege - %s \n " , nt_errstr ( status ) ) ;
2006-04-13 13:00:38 +04:00
}
printf ( " SEC_PRIV_RESTORE - %s \n " , has_restore_privilege ? " Yes " : " No " ) ;
2009-10-16 11:23:42 +04:00
status = torture_check_privilege ( cli ,
2006-04-13 13:00:38 +04:00
owner_sid ,
sec_privilege_name ( SEC_PRIV_TAKE_OWNERSHIP ) ) ;
has_take_ownership_privilege = NT_STATUS_IS_OK ( status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2009-10-16 11:23:42 +04:00
printf ( " torture_check_privilege - %s \n " , nt_errstr ( status ) ) ;
2006-04-13 13:00:38 +04:00
}
printf ( " SEC_PRIV_TAKE_OWNERSHIP - %s \n " , has_take_ownership_privilege ? " Yes " : " No " ) ;
2004-12-02 07:38:41 +03:00
2004-12-03 09:25:56 +03:00
for ( i = 0 ; i < ARRAY_SIZE ( dir_mappings ) ; i + + ) {
2004-12-06 10:13:50 +03:00
uint32_t expected_mask =
SEC_STD_WRITE_DAC |
SEC_STD_READ_CONTROL |
SEC_FILE_READ_ATTRIBUTE |
SEC_STD_DELETE ;
2006-04-13 13:00:38 +04:00
uint32_t expected_mask_anon = SEC_FILE_READ_ATTRIBUTE ;
if ( has_restore_privilege ) {
expected_mask_anon | = SEC_STD_DELETE ;
}
2004-12-02 07:38:41 +03:00
printf ( " testing generic bits 0x%08x \n " ,
file_mappings [ i ] . gen_bits ) ;
2007-11-02 14:54:19 +03:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 15:12:53 +04:00
0 , owner_sid , NULL ,
2004-12-02 07:38:41 +03:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
dir_mappings [ i ] . gen_bits ,
2004-12-29 09:53:15 +03:00
0 ,
2004-12-02 07:38:41 +03:00
NULL ) ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
2006-03-13 01:48:25 +03:00
set . set_secdesc . in . file . fnum = fnum ;
2006-04-13 13:00:38 +04:00
set . set_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
2004-12-02 07:38:41 +03:00
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2007-11-02 14:54:19 +03:00
sd2 = security_descriptor_dacl_create ( tctx ,
2007-10-10 15:12:53 +04:00
0 , owner_sid , NULL ,
2004-12-02 07:38:41 +03:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
dir_mappings [ i ] . specific_bits ,
2004-12-29 09:53:15 +03:00
0 ,
2004-12-02 07:38:41 +03:00
NULL ) ;
2007-08-29 04:56:13 +04:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-02 07:38:41 +03:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
if ( ! security_descriptor_equal ( q . query_secdesc . out . sd , sd2 ) ) {
2005-01-07 04:56:19 +03:00
printf ( " %s: security descriptors don't match! \n " , __location__ ) ;
2004-12-02 07:38:41 +03:00
printf ( " got: \n " ) ;
NDR_PRINT_DEBUG ( security_descriptor , q . query_secdesc . out . sd ) ;
printf ( " expected: \n " ) ;
NDR_PRINT_DEBUG ( security_descriptor , sd2 ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-12-02 07:38:41 +03:00
}
io . ntcreatex . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2007-08-29 04:56:13 +04:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 07:38:41 +03:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-13 01:48:25 +03:00
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum ,
2004-12-06 10:13:50 +03:00
expected_mask | dir_mappings [ i ] . specific_bits ) ;
2006-03-13 01:48:25 +03:00
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2006-04-13 13:00:38 +04:00
if ( ! has_take_ownership_privilege ) {
continue ;
}
printf ( " testing generic bits 0x%08x (anonymous) \n " ,
file_mappings [ i ] . gen_bits ) ;
2007-11-02 14:54:19 +03:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 15:12:53 +04:00
0 , SID_NT_ANONYMOUS , NULL ,
2006-04-13 13:00:38 +04:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
file_mappings [ i ] . gen_bits ,
0 ,
NULL ) ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
set . set_secdesc . in . file . fnum = fnum ;
set . set_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2007-11-02 14:54:19 +03:00
sd2 = security_descriptor_dacl_create ( tctx ,
2007-10-10 15:12:53 +04:00
0 , SID_NT_ANONYMOUS , NULL ,
2006-04-13 13:00:38 +04:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
file_mappings [ i ] . specific_bits ,
0 ,
NULL ) ;
2007-08-29 04:56:13 +04:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2006-04-13 13:00:38 +04:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
if ( ! security_descriptor_equal ( q . query_secdesc . out . sd , sd2 ) ) {
printf ( " %s: security descriptors don't match! \n " , __location__ ) ;
printf ( " got: \n " ) ;
NDR_PRINT_DEBUG ( security_descriptor , q . query_secdesc . out . sd ) ;
printf ( " expected: \n " ) ;
NDR_PRINT_DEBUG ( security_descriptor , sd2 ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2006-04-13 13:00:38 +04:00
}
io . ntcreatex . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2007-08-29 04:56:13 +04:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2006-04-13 13:00:38 +04:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum ,
expected_mask_anon | dir_mappings [ i ] . specific_bits ) ;
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2004-12-02 07:38:41 +03:00
}
2004-12-06 10:13:50 +03:00
2004-12-02 07:38:41 +03:00
printf ( " put back original sd \n " ) ;
set . set_secdesc . in . sd = sd_orig ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
smbcli_close ( cli - > tree , fnum ) ;
smbcli_unlink ( cli - > tree , fname ) ;
done :
smbcli_close ( cli - > tree , fnum ) ;
return ret ;
}
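/*
  see what access bits the owner of a file always gets

  The DACL is replaced by a single ACE granting the owner nothing but
  SEC_FILE_WRITE_DATA, then each of the 16 low (object-specific)
  access bits is requested on its own.  The open must succeed, and be
  granted exactly the requested bit plus SEC_FILE_READ_ATTRIBUTE, for
  SEC_FILE_WRITE_DATA and SEC_FILE_READ_ATTRIBUTE - the latter is not
  in the ACE and so is an implicit grant - and must be refused with
  NT_STATUS_ACCESS_DENIED for every other bit.  The standard rights in
  the upper bits (DELETE, WRITE_DAC, ...) are not swept here.
*/
static bool test_owner_bits(struct torture_context *tctx, 
			    struct smbcli_state *cli)
{
	NTSTATUS status;
	union smb_open io;
	const char *fname = BASEDIR "\\test_owner_bits.txt";
	bool ret = true;
	int fnum = -1, fnum2 = -1, i;
	union smb_fileinfo q;
	union smb_setfileinfo set;
	struct security_descriptor *sd, *sd_orig;
	const char *owner_sid;
	bool has_restore_privilege;
	bool has_take_ownership_privilege;
	uint32_t expected_bits;

	printf("TESTING FILE OWNER BITS\n");

	/* the handle used to rewrite the DACL only needs the SD rights */
	io.generic.level = RAW_OPEN_NTCREATEX;
	io.ntcreatex.in.root_fid.fnum = 0;
	io.ntcreatex.in.flags = 0;
	io.ntcreatex.in.access_mask = 
		SEC_STD_READ_CONTROL | 
		SEC_STD_WRITE_DAC |
		SEC_STD_WRITE_OWNER;
	io.ntcreatex.in.create_options = 0;
	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
	io.ntcreatex.in.share_access = 
		NTCREATEX_SHARE_ACCESS_READ | 
		NTCREATEX_SHARE_ACCESS_WRITE;
	io.ntcreatex.in.alloc_size = 0;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
	io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
	io.ntcreatex.in.security_flags = 0;
	io.ntcreatex.in.fname = fname;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum = io.ntcreatex.out.file.fnum;

	printf("get the original sd\n");
	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
	q.query_secdesc.in.file.fnum = fnum;
	q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
	status = smb_raw_fileinfo(cli->tree, tctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);
	sd_orig = q.query_secdesc.out.sd;
	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);

	/* the two privileges are reported for the log only; nothing below
	   branches on them */
	status = torture_check_privilege(cli, 
					 owner_sid, 
					 sec_privilege_name(SEC_PRIV_RESTORE));
	has_restore_privilege = NT_STATUS_IS_OK(status);
	if (!NT_STATUS_IS_OK(status)) {
		printf("torture_check_privilege - %s\n", nt_errstr(status));
	}
	printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");

	status = torture_check_privilege(cli, 
					 owner_sid, 
					 sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
	has_take_ownership_privilege = NT_STATUS_IS_OK(status);
	if (!NT_STATUS_IS_OK(status)) {
		printf("torture_check_privilege - %s\n", nt_errstr(status));
	}
	printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");

	/* owner gets SEC_FILE_WRITE_DATA and nothing else from the DACL */
	sd = security_descriptor_dacl_create(tctx,
					0, NULL, NULL,
					owner_sid,
					SEC_ACE_TYPE_ACCESS_ALLOWED,
					SEC_FILE_WRITE_DATA,
					0,
					NULL);
	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
	set.set_secdesc.in.file.fnum = fnum;
	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
	set.set_secdesc.in.sd = sd;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	expected_bits = SEC_FILE_WRITE_DATA | SEC_FILE_READ_ATTRIBUTE;

	for (i=0;i<16;i++) {
		uint32_t bit = (1<<i);
		io.ntcreatex.in.access_mask = bit;
		status = smb_raw_open(cli->tree, tctx, &io);
		if (NT_STATUS_IS_OK(status)) {
			/* remember the handle so a failing check below still
			   closes it from done: */
			fnum2 = io.ntcreatex.out.file.fnum;
		}
		if (expected_bits & bit) {
			if (!NT_STATUS_IS_OK(status)) {
				printf("failed with access mask 0x%08x of expected 0x%08x\n",
				       bit, expected_bits);
			}
			CHECK_STATUS(status, NT_STATUS_OK);
			CHECK_ACCESS_FLAGS(fnum2, bit | SEC_FILE_READ_ATTRIBUTE);
			smbcli_close(cli->tree, fnum2);
			fnum2 = -1;
		} else {
			if (NT_STATUS_IS_OK(status)) {
				printf("open succeeded with access mask 0x%08x of "
				       "expected 0x%08x - should fail\n",
				       bit, expected_bits);
				/* the server handed out a handle it should
				   have refused; close it before bailing out */
				smbcli_close(cli->tree, fnum2);
				fnum2 = -1;
			}
			CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
		}
	}

	printf("put back original sd\n");
	set.set_secdesc.in.sd = sd_orig;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

done:
	if (fnum2 != -1) {
		smbcli_close(cli->tree, fnum2);
	}
	if (fnum != -1) {
		smbcli_close(cli->tree, fnum);
	}
	smbcli_unlink(cli->tree, fname);
	return ret;
}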
/*
test the inheritance of ACL flags onto new files and directories
*/
static bool test_inheritance ( struct torture_context * tctx ,
struct smbcli_state * cli )
2004-12-29 09:53:15 +03:00
{
NTSTATUS status ;
union smb_open io ;
const char * dname = BASEDIR " \\ inheritance " ;
const char * fname1 = BASEDIR " \\ inheritance \\ testfile " ;
const char * fname2 = BASEDIR " \\ inheritance \\ testdir " ;
2007-10-07 02:28:14 +04:00
bool ret = true ;
2006-09-09 14:05:58 +04:00
int fnum = 0 , fnum2 , i ;
2004-12-29 09:53:15 +03:00
union smb_fileinfo q ;
union smb_setfileinfo set ;
2006-09-09 14:05:58 +04:00
struct security_descriptor * sd , * sd2 , * sd_orig = NULL , * sd_def ;
2004-12-29 09:53:15 +03:00
const char * owner_sid ;
2005-01-01 06:46:55 +03:00
const struct dom_sid * creator_owner ;
2004-12-29 09:53:15 +03:00
const struct {
uint32_t parent_flags ;
uint32_t file_flags ;
uint32_t dir_flags ;
} test_flags [ ] = {
{
0 ,
0 ,
0
} ,
{
SEC_ACE_FLAG_OBJECT_INHERIT ,
0 ,
SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_INHERIT_ONLY ,
} ,
{
SEC_ACE_FLAG_CONTAINER_INHERIT ,
0 ,
SEC_ACE_FLAG_CONTAINER_INHERIT ,
} ,
{
SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT ,
0 ,
SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT ,
} ,
{
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT ,
0 ,
0 ,
} ,
{
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
SEC_ACE_FLAG_OBJECT_INHERIT ,
0 ,
0 ,
} ,
{
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT ,
0 ,
0 ,
} ,
{
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT |
SEC_ACE_FLAG_OBJECT_INHERIT ,
0 ,
0 ,
} ,
{
SEC_ACE_FLAG_INHERIT_ONLY ,
0 ,
0 ,
} ,
{
SEC_ACE_FLAG_INHERIT_ONLY |
SEC_ACE_FLAG_OBJECT_INHERIT ,
0 ,
SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_INHERIT_ONLY ,
} ,
{
SEC_ACE_FLAG_INHERIT_ONLY |
SEC_ACE_FLAG_CONTAINER_INHERIT ,
0 ,
SEC_ACE_FLAG_CONTAINER_INHERIT ,
} ,
{
SEC_ACE_FLAG_INHERIT_ONLY |
SEC_ACE_FLAG_CONTAINER_INHERIT |
SEC_ACE_FLAG_OBJECT_INHERIT ,
0 ,
SEC_ACE_FLAG_CONTAINER_INHERIT |
SEC_ACE_FLAG_OBJECT_INHERIT ,
} ,
{
SEC_ACE_FLAG_INHERIT_ONLY |
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT ,
0 ,
0 ,
} ,
{
SEC_ACE_FLAG_INHERIT_ONLY |
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
SEC_ACE_FLAG_OBJECT_INHERIT ,
0 ,
0 ,
} ,
{
SEC_ACE_FLAG_INHERIT_ONLY |
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT ,
0 ,
0 ,
} ,
{
SEC_ACE_FLAG_INHERIT_ONLY |
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT |
SEC_ACE_FLAG_OBJECT_INHERIT ,
0 ,
0 ,
}
} ;
2005-01-07 09:59:53 +03:00
smbcli_rmdir ( cli - > tree , dname ) ;
2004-12-29 09:53:15 +03:00
printf ( " TESTING ACL INHERITANCE \n " ) ;
io . generic . level = RAW_OPEN_NTCREATEX ;
2009-10-15 11:26:19 +04:00
io . ntcreatex . in . root_fid . fnum = 0 ;
2004-12-29 09:53:15 +03:00
io . ntcreatex . in . flags = 0 ;
io . ntcreatex . in . access_mask = SEC_RIGHTS_FILE_ALL ;
io . ntcreatex . in . create_options = NTCREATEX_OPTIONS_DIRECTORY ;
io . ntcreatex . in . file_attr = FILE_ATTRIBUTE_DIRECTORY ;
io . ntcreatex . in . share_access = 0 ;
io . ntcreatex . in . alloc_size = 0 ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_CREATE ;
io . ntcreatex . in . impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS ;
io . ntcreatex . in . security_flags = 0 ;
io . ntcreatex . in . fname = dname ;
2007-08-29 04:56:13 +04:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-29 09:53:15 +03:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-13 01:48:25 +03:00
fnum = io . ntcreatex . out . file . fnum ;
2004-12-29 09:53:15 +03:00
printf ( " get the original sd \n " ) ;
q . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
2006-03-13 01:48:25 +03:00
q . query_secdesc . in . file . fnum = fnum ;
2006-03-10 23:49:20 +03:00
q . query_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
2007-08-29 04:56:13 +04:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-29 09:53:15 +03:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
sd_orig = q . query_secdesc . out . sd ;
2007-08-29 04:56:13 +04:00
owner_sid = dom_sid_string ( tctx , sd_orig - > owner_sid ) ;
2004-12-29 09:53:15 +03:00
2005-01-01 06:46:55 +03:00
printf ( " owner_sid is %s \n " , owner_sid ) ;
2007-11-02 14:54:19 +03:00
sd_def = security_descriptor_dacl_create ( tctx ,
2007-10-10 15:12:53 +04:00
0 , owner_sid , NULL ,
2004-12-29 10:28:03 +03:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_RIGHTS_FILE_ALL ,
0 ,
SID_NT_SYSTEM ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_RIGHTS_FILE_ALL ,
0 ,
NULL ) ;
2007-08-29 04:56:13 +04:00
creator_owner = dom_sid_parse_talloc ( tctx , SID_CREATOR_OWNER ) ;
2005-01-01 06:46:55 +03:00
2004-12-29 09:53:15 +03:00
for ( i = 0 ; i < ARRAY_SIZE ( test_flags ) ; i + + ) {
2007-11-02 14:54:19 +03:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 15:12:53 +04:00
0 , NULL , NULL ,
2005-01-01 06:46:55 +03:00
SID_CREATOR_OWNER ,
2004-12-29 09:53:15 +03:00
SEC_ACE_TYPE_ACCESS_ALLOWED ,
2004-12-29 10:28:03 +03:00
SEC_FILE_WRITE_DATA ,
2004-12-29 09:53:15 +03:00
test_flags [ i ] . parent_flags ,
SID_WORLD ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_FILE_ALL | SEC_STD_ALL ,
0 ,
NULL ) ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
2006-03-13 01:48:25 +03:00
set . set_secdesc . in . file . fnum = fnum ;
2004-12-29 09:53:15 +03:00
set . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
io . ntcreatex . in . fname = fname1 ;
io . ntcreatex . in . create_options = 0 ;
2007-08-29 04:56:13 +04:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-29 09:53:15 +03:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-13 01:48:25 +03:00
fnum2 = io . ntcreatex . out . file . fnum ;
2004-12-29 09:53:15 +03:00
2006-03-13 01:48:25 +03:00
q . query_secdesc . in . file . fnum = fnum2 ;
2007-08-29 04:56:13 +04:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-29 09:53:15 +03:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
smbcli_close ( cli - > tree , fnum2 ) ;
smbcli_unlink ( cli - > tree , fname1 ) ;
2004-12-29 10:28:03 +03:00
if ( ! ( test_flags [ i ] . parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT ) ) {
if ( ! security_descriptor_equal ( q . query_secdesc . out . sd , sd_def ) ) {
2008-11-06 12:58:56 +03:00
printf ( " Expected default sd: \n " ) ;
NDR_PRINT_DEBUG ( security_descriptor , sd_def ) ;
printf ( " at %d - got: \n " , i ) ;
2004-12-29 10:28:03 +03:00
NDR_PRINT_DEBUG ( security_descriptor , q . query_secdesc . out . sd ) ;
}
goto check_dir ;
}
2004-12-29 09:53:15 +03:00
if ( q . query_secdesc . out . sd - > dacl = = NULL | |
2004-12-30 05:22:03 +03:00
q . query_secdesc . out . sd - > dacl - > num_aces ! = 1 | |
2004-12-29 10:28:03 +03:00
q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . access_mask ! = SEC_FILE_WRITE_DATA | |
2004-12-29 09:53:15 +03:00
! dom_sid_equal ( & q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . trustee ,
sd_orig - > owner_sid ) ) {
2004-12-29 10:28:03 +03:00
printf ( " Bad sd in child file at %d \n " , i ) ;
2004-12-29 09:53:15 +03:00
NDR_PRINT_DEBUG ( security_descriptor , q . query_secdesc . out . sd ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-12-29 10:28:03 +03:00
goto check_dir ;
2004-12-29 09:53:15 +03:00
}
if ( q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . flags ! =
test_flags [ i ] . file_flags ) {
printf ( " incorrect file_flags 0x%x - expected 0x%x for parent 0x%x with (i=%d) \n " ,
q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . flags ,
test_flags [ i ] . file_flags ,
test_flags [ i ] . parent_flags ,
i ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2004-12-29 09:53:15 +03:00
}
2004-12-29 10:28:03 +03:00
check_dir :
2004-12-29 09:53:15 +03:00
io . ntcreatex . in . fname = fname2 ;
io . ntcreatex . in . create_options = NTCREATEX_OPTIONS_DIRECTORY ;
2007-08-29 04:56:13 +04:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-29 09:53:15 +03:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-13 01:48:25 +03:00
fnum2 = io . ntcreatex . out . file . fnum ;
2004-12-29 09:53:15 +03:00
2006-03-13 01:48:25 +03:00
q . query_secdesc . in . file . fnum = fnum2 ;
2007-08-29 04:56:13 +04:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-29 09:53:15 +03:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
smbcli_close ( cli - > tree , fnum2 ) ;
smbcli_rmdir ( cli - > tree , fname2 ) ;
2004-12-29 10:28:03 +03:00
if ( ! ( test_flags [ i ] . parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT ) & &
( ! ( test_flags [ i ] . parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT ) | |
( test_flags [ i ] . parent_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT ) ) ) {
if ( ! security_descriptor_equal ( q . query_secdesc . out . sd , sd_def ) ) {
2008-11-09 09:57:57 +03:00
printf ( " Expected default sd for dir at %d: \n " , i ) ;
NDR_PRINT_DEBUG ( security_descriptor , sd_def ) ;
printf ( " got: \n " ) ;
2004-12-29 10:28:03 +03:00
NDR_PRINT_DEBUG ( security_descriptor , q . query_secdesc . out . sd ) ;
}
continue ;
}
2005-01-01 06:46:55 +03:00
if ( ( test_flags [ i ] . parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT ) & &
( test_flags [ i ] . parent_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT ) ) {
if ( q . query_secdesc . out . sd - > dacl = = NULL | |
q . query_secdesc . out . sd - > dacl - > num_aces ! = 1 | |
q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . access_mask ! = SEC_FILE_WRITE_DATA | |
! dom_sid_equal ( & q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . trustee ,
sd_orig - > owner_sid ) | |
q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . flags ! = test_flags [ i ] . dir_flags ) {
2008-11-09 09:57:57 +03:00
printf ( " (CI & NP) Bad sd in child dir at %d (parent 0x%x) \n " ,
2005-01-01 06:46:55 +03:00
i , test_flags [ i ] . parent_flags ) ;
NDR_PRINT_DEBUG ( security_descriptor , q . query_secdesc . out . sd ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-01 06:46:55 +03:00
continue ;
}
} else if ( test_flags [ i ] . parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT ) {
if ( q . query_secdesc . out . sd - > dacl = = NULL | |
q . query_secdesc . out . sd - > dacl - > num_aces ! = 2 | |
q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . access_mask ! = SEC_FILE_WRITE_DATA | |
! dom_sid_equal ( & q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . trustee ,
sd_orig - > owner_sid ) | |
q . query_secdesc . out . sd - > dacl - > aces [ 1 ] . access_mask ! = SEC_FILE_WRITE_DATA | |
! dom_sid_equal ( & q . query_secdesc . out . sd - > dacl - > aces [ 1 ] . trustee ,
creator_owner ) | |
q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . flags ! = 0 | |
q . query_secdesc . out . sd - > dacl - > aces [ 1 ] . flags ! =
( test_flags [ i ] . dir_flags | SEC_ACE_FLAG_INHERIT_ONLY ) ) {
2008-11-09 09:57:57 +03:00
printf ( " (CI) Bad sd in child dir at %d (parent 0x%x) \n " ,
2005-01-01 06:46:55 +03:00
i , test_flags [ i ] . parent_flags ) ;
NDR_PRINT_DEBUG ( security_descriptor , q . query_secdesc . out . sd ) ;
2007-10-07 02:28:14 +04:00
ret = false ;
2005-01-01 06:46:55 +03:00
continue ;
}
} else {
if ( q . query_secdesc . out . sd - > dacl = = NULL | |
q . query_secdesc . out . sd - > dacl - > num_aces ! = 1 | |
q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . access_mask ! = SEC_FILE_WRITE_DATA | |
! dom_sid_equal ( & q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . trustee ,
creator_owner ) | |
q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . flags ! = test_flags [ i ] . dir_flags ) {
printf ( " (0) Bad sd in child dir at %d (parent 0x%x) \n " ,
i , test_flags [ i ] . parent_flags ) ;
NDR_PRINT_DEBUG ( security_descriptor , q . query_secdesc . out . sd ) ;
ret = false ;
continue ;
}
}
}
printf ( " testing access checks on inherited create with %s \n " , fname1 ) ;
sd = security_descriptor_dacl_create ( tctx ,
0 , NULL , NULL ,
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC ,
SEC_ACE_FLAG_OBJECT_INHERIT ,
SID_WORLD ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_FILE_ALL | SEC_STD_ALL ,
0 ,
NULL ) ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
set . set_secdesc . in . file . fnum = fnum ;
set . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
io . ntcreatex . in . fname = fname1 ;
io . ntcreatex . in . create_options = 0 ;
io . ntcreatex . in . access_mask = SEC_RIGHTS_FILE_ALL ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_CREATE ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
fnum2 = io . ntcreatex . out . file . fnum ;
CHECK_ACCESS_FLAGS ( fnum2 , SEC_RIGHTS_FILE_ALL ) ;
q . query_secdesc . in . file . fnum = fnum2 ;
q . query_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
smbcli_close ( cli - > tree , fnum2 ) ;
sd2 = security_descriptor_dacl_create ( tctx ,
0 , owner_sid , NULL ,
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC ,
0 ,
NULL ) ;
if ( ! security_descriptor_equal ( q . query_secdesc . out . sd , sd2 ) ) {
printf ( " %s: security descriptors don't match! \n " , __location__ ) ;
printf ( " got: \n " ) ;
NDR_PRINT_DEBUG ( security_descriptor , q . query_secdesc . out . sd ) ;
printf ( " expected: \n " ) ;
NDR_PRINT_DEBUG ( security_descriptor , sd2 ) ;
ret = false ;
}
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_OPEN ;
io . ntcreatex . in . access_mask = SEC_RIGHTS_FILE_ALL ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
if ( NT_STATUS_IS_OK ( status ) ) {
printf ( " failed: w2k3 ACL bug (allowed open when ACL should deny) \n " ) ;
ret = false ;
fnum2 = io . ntcreatex . out . file . fnum ;
CHECK_ACCESS_FLAGS ( fnum2 , SEC_RIGHTS_FILE_ALL ) ;
smbcli_close ( cli - > tree , fnum2 ) ;
} else {
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
}
printf ( " trying without execute \n " ) ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_OPEN ;
io . ntcreatex . in . access_mask = SEC_RIGHTS_FILE_ALL & ~ SEC_FILE_EXECUTE ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
printf ( " and with full permissions again \n " ) ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_OPEN ;
io . ntcreatex . in . access_mask = SEC_RIGHTS_FILE_ALL ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
io . ntcreatex . in . access_mask = SEC_FILE_WRITE_DATA ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
fnum2 = io . ntcreatex . out . file . fnum ;
CHECK_ACCESS_FLAGS ( fnum2 , SEC_FILE_WRITE_DATA | SEC_FILE_READ_ATTRIBUTE ) ;
smbcli_close ( cli - > tree , fnum2 ) ;
printf ( " put back original sd \n " ) ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
set . set_secdesc . in . file . fnum = fnum ;
set . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
set . set_secdesc . in . sd = sd_orig ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
smbcli_close ( cli - > tree , fnum ) ;
io . ntcreatex . in . access_mask = SEC_RIGHTS_FILE_ALL ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
io . ntcreatex . in . access_mask = SEC_FILE_WRITE_DATA ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
fnum2 = io . ntcreatex . out . file . fnum ;
CHECK_ACCESS_FLAGS ( fnum2 , SEC_FILE_WRITE_DATA | SEC_FILE_READ_ATTRIBUTE ) ;
smbcli_close ( cli - > tree , fnum2 ) ;
smbcli_unlink ( cli - > tree , fname1 ) ;
smbcli_rmdir ( cli - > tree , dname ) ;
done :
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
set . set_secdesc . in . file . fnum = fnum ;
set . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
set . set_secdesc . in . sd = sd_orig ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
smbcli_close ( cli - > tree , fnum ) ;
return ret ;
}
/*
test dynamic acl inheritance
*/
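/*
 * Exercise "dynamic" ACL inheritance on a freshly created directory.
 *
 * The directory BASEDIR\inheritance is created and given a DACL with a
 * single owner ACE (write-data, delete, read-attributes) carrying
 * SEC_ACE_FLAG_OBJECT_INHERIT, plus the DACL_AUTO_INHERITED and
 * DACL_AUTO_INHERIT_REQ type bits.  A file created under it is opened
 * with the inherited right (expected OK) and with an extra SEC_FILE_EXECUTE
 * (expected ACCESS_DENIED).  The parent DACL is then widened to include
 * SEC_FILE_EXECUTE and the extra-right open is retried: the reference
 * behaviour asserted here is that it is still denied, i.e. the server does
 * not re-evaluate inheritance for existing children.  A server that grants
 * the open is reported as having dynamic inheritance and fails the test.
 *
 * tctx: torture context, used as the talloc parent for descriptors and the
 *       owner SID string.
 * cli:  connected SMB client; its tree must allow directory creation in
 *       BASEDIR.
 *
 * Returns true when every step produced the expected status.  On every
 * path the parent's original DACL is restored (when it was fetched), the
 * directory handle is closed, and the test file and directory are removed.
 */
static bool test_inheritance_dynamic(struct torture_context *tctx,
				     struct smbcli_state *cli)
{
	NTSTATUS status;
	union smb_open io;
	const char *dname = BASEDIR "\\inheritance";
	const char *fname1 = BASEDIR "\\inheritance\\testfile";
	bool ret = true;
	int fnum = 0, fnum2;
	union smb_fileinfo q;
	union smb_setfileinfo set;
	struct security_descriptor *sd, *sd_orig = NULL;
	const char *owner_sid;

	printf("TESTING DYNAMIC ACL INHERITANCE\n");

	if (!torture_setup_dir(cli, BASEDIR)) {
		return false;
	}

	/* create the parent directory; the handle is kept for sd get/set */
	io.generic.level = RAW_OPEN_NTCREATEX;
	io.ntcreatex.in.root_fid.fnum = 0;
	io.ntcreatex.in.flags = 0;
	io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL;
	io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_DIRECTORY;
	io.ntcreatex.in.share_access = 0;
	io.ntcreatex.in.alloc_size = 0;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
	io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
	io.ntcreatex.in.security_flags = 0;
	io.ntcreatex.in.fname = dname;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum = io.ntcreatex.out.file.fnum;

	printf("get the original sd\n");
	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
	q.query_secdesc.in.file.fnum = fnum;
	q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
	status = smb_raw_fileinfo(cli->tree, tctx, &q);
	CHECK_STATUS(status, NT_STATUS_OK);
	sd_orig = q.query_secdesc.out.sd;

	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
	if (owner_sid == NULL) {
		printf("failed to convert the owner sid to a string\n");
		ret = false;
		goto done;
	}
	printf("owner_sid is %s\n", owner_sid);

	/* owner-only DACL, inheritable by child files (OBJECT_INHERIT) */
	sd = security_descriptor_dacl_create(tctx,
					     0, NULL, NULL,
					     owner_sid,
					     SEC_ACE_TYPE_ACCESS_ALLOWED,
					     SEC_FILE_WRITE_DATA | SEC_STD_DELETE | SEC_FILE_READ_ATTRIBUTE,
					     SEC_ACE_FLAG_OBJECT_INHERIT,
					     NULL);
	if (sd == NULL) {
		printf("failed to create the parent sd\n");
		ret = false;
		goto done;
	}
	sd->type |= SEC_DESC_DACL_AUTO_INHERITED | SEC_DESC_DACL_AUTO_INHERIT_REQ;

	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
	set.set_secdesc.in.file.fnum = fnum;
	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
	set.set_secdesc.in.sd = sd;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	printf("create a file with an inherited acl\n");
	io.ntcreatex.in.fname = fname1;
	io.ntcreatex.in.create_options = 0;
	io.ntcreatex.in.access_mask = SEC_FILE_READ_ATTRIBUTE;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.file.fnum;
	smbcli_close(cli->tree, fnum2);

	printf("try and access file with base rights - should be OK\n");
	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.file.fnum;
	smbcli_close(cli->tree, fnum2);

	printf("try and access file with extra rights - should be denied\n");
	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA | SEC_FILE_EXECUTE;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

	printf("update parent sd\n");
	/* same ACE as before, now also granting SEC_FILE_EXECUTE */
	sd = security_descriptor_dacl_create(tctx,
					     0, NULL, NULL,
					     owner_sid,
					     SEC_ACE_TYPE_ACCESS_ALLOWED,
					     SEC_FILE_WRITE_DATA | SEC_STD_DELETE | SEC_FILE_READ_ATTRIBUTE | SEC_FILE_EXECUTE,
					     SEC_ACE_FLAG_OBJECT_INHERIT,
					     NULL);
	if (sd == NULL) {
		printf("failed to create the updated parent sd\n");
		ret = false;
		goto done;
	}
	sd->type |= SEC_DESC_DACL_AUTO_INHERITED | SEC_DESC_DACL_AUTO_INHERIT_REQ;
	set.set_secdesc.in.sd = sd;
	status = smb_raw_setfileinfo(cli->tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	printf("try and access file with base rights - should be OK\n");
	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum2 = io.ntcreatex.out.file.fnum;
	smbcli_close(cli->tree, fnum2);

	printf("try and access now - should be OK if dynamic inheritance works\n");
	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA | SEC_FILE_EXECUTE;
	status = smb_raw_open(cli->tree, tctx, &io);
	if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
		printf("Server does not have dynamic inheritance\n");
	}
	if (NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
		printf("Server does have dynamic inheritance\n");
		/* do not leak the handle the server just granted us */
		fnum2 = io.ntcreatex.out.file.fnum;
		smbcli_close(cli->tree, fnum2);
	}
	/* the reference behaviour asserted here is: no dynamic inheritance */
	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);

done:
	printf("put back original sd\n");
	/* best-effort cleanup: the restore result is deliberately not checked */
	if (sd_orig != NULL) {
		set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
		set.set_secdesc.in.file.fnum = fnum;
		set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
		set.set_secdesc.in.sd = sd_orig;
		status = smb_raw_setfileinfo(cli->tree, &set);
	}
	smbcli_close(cli->tree, fnum);
	/* remove the test file on every path so the rmdir below can succeed */
	smbcli_unlink(cli->tree, fname1);
	smbcli_rmdir(cli->tree, dname);

	return ret;
}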
/*
 * Compare `status` against what the access bit under test should yield:
 * when none of `bits` is set in desired_64 the call must have failed with
 * ACCESS_DENIED and `action` is then executed (e.g. `goto next`); otherwise
 * the call must have returned NT_STATUS_OK.  Both checks go through
 * CHECK_STATUS, which sets ret = false and jumps to `done` on mismatch.
 * Uses the caller's locals desired_64 and ret, and the `done` label.
 * Note that `bits` is not parenthesised, so pass a single identifier.
 */
#define CHECK_STATUS_FOR_BIT_ACTION(status, bits, action) do { \
	if (!(bits & desired_64)) { \
		CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); \
		action; \
	} else { \
		CHECK_STATUS(status, NT_STATUS_OK); \
	} \
} while (0)

/*
 * Cross-check the outcome of a security-descriptor get/set call against the
 * access the server reported as granted for the open handle: a successful
 * call requires `access` to be among the granted flags, and a failed call
 * requires it to be absent.  Either inconsistency is printed, sets
 * ret = false and jumps to `done`.  The status is then checked against
 * `bits` exactly like CHECK_STATUS_FOR_BIT_ACTION with an empty action.
 * Uses the caller's locals granted, desired, desired_64 and ret.
 */
#define CHECK_STATUS_FOR_BIT(status, bits, access) do { \
	if (NT_STATUS_IS_OK(status)) { \
		if (!(granted & access)) { \
			printf("(%s) %s but flags 0x%08X are not granted! granted[0x%08X] desired[0x%08X]\n", \
			       __location__, nt_errstr(status), access, granted, desired); \
			ret = false; \
			goto done; \
		} \
	} else { \
		if (granted & access) { \
			printf("(%s) %s but flags 0x%08X are granted! granted[0x%08X] desired[0x%08X]\n", \
			       __location__, nt_errstr(status), access, granted, desired); \
			ret = false; \
			goto done; \
		} \
	} \
	CHECK_STATUS_FOR_BIT_ACTION(status, bits, do {} while (0)); \
} while (0)
/* test what access mask is needed for getting and setting security_descriptors */
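/*
 * Determine which access-mask bits are required to read and to write each
 * part of a file's security descriptor (owner, group, DACL, SACL).
 *
 * A file is first created via NTTRANS_CREATE with a descriptor granting
 * SEC_GENERIC_ALL to SID_WORLD (SID_NT_ANONYMOUS and SID_BUILTIN_USERS are
 * passed as the descriptor's two SID arguments) and with SACL_PRESENT set
 * but no SACL.  Then, for every single bit i of the 32-bit access mask and
 * once more for an empty mask (i == 32, see NO_BITS_HACK), the file is
 * opened with exactly that mask.  For each open the granted access is read
 * back with RAW_FILEINFO_ACCESS_INFORMATION and each descriptor part is
 * queried and set; the expectation tables below (get_*_bits / set_*_bits)
 * say for which bits the call must succeed, and CHECK_STATUS_FOR_BIT also
 * verifies the outcome is consistent with the granted flags.
 *
 * When a query returns a descriptor it is reused as the value written back
 * by the matching set; until one has been returned the creation descriptor
 * `sd` is written instead.
 *
 * tctx: torture context, talloc parent for the descriptors.
 * cli:  connected SMB client with a tree that allows file creation in BASEDIR.
 *
 * Returns true when every open/get/set matched the expectation tables.
 * Any open handle is closed and the file unlinked on every path.
 */
static bool test_sd_get_set(struct torture_context *tctx,
			    struct smbcli_state *cli)
{
	NTSTATUS status;
	bool ret = true;
	union smb_open io;
	union smb_fileinfo fi;
	union smb_setfileinfo si;
	struct security_descriptor *sd;
	/* last descriptor part read back from the server, used for the set */
	struct security_descriptor *sd_owner = NULL;
	struct security_descriptor *sd_group = NULL;
	struct security_descriptor *sd_dacl = NULL;
	struct security_descriptor *sd_sacl = NULL;
	int fnum = -1;	/* -1: no handle is currently open */
	const char *fname = BASEDIR "\\sd_get_set.txt";
	uint64_t desired_64;
	uint32_t desired = 0, granted;
	int i = 0;
	/* bit 32 stands for "no access bits at all" in the loop below */
#define NO_BITS_HACK (((uint64_t)1)<<32)
	/* bits for which the open itself is expected to succeed */
	uint64_t open_bits =
		SEC_MASK_GENERIC |
		SEC_FLAG_SYSTEM_SECURITY |
		SEC_FLAG_MAXIMUM_ALLOWED |
		SEC_STD_ALL |
		SEC_FILE_ALL |
		NO_BITS_HACK;
	/* bits for which querying / setting each descriptor part must succeed */
	uint64_t get_owner_bits = SEC_MASK_GENERIC | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_READ_CONTROL;
	uint64_t set_owner_bits = SEC_GENERIC_ALL | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_WRITE_OWNER;
	uint64_t get_group_bits = SEC_MASK_GENERIC | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_READ_CONTROL;
	uint64_t set_group_bits = SEC_GENERIC_ALL | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_WRITE_OWNER;
	uint64_t get_dacl_bits = SEC_MASK_GENERIC | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_READ_CONTROL;
	uint64_t set_dacl_bits = SEC_GENERIC_ALL | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_WRITE_DAC;
	uint64_t get_sacl_bits = SEC_FLAG_SYSTEM_SECURITY;
	uint64_t set_sacl_bits = SEC_FLAG_SYSTEM_SECURITY;

	printf("TESTING ACCESS MASKS FOR SD GET/SET\n");

	/* first create a file with full access for everyone */
	sd = security_descriptor_dacl_create(tctx,
					     0, SID_NT_ANONYMOUS, SID_BUILTIN_USERS,
					     SID_WORLD,
					     SEC_ACE_TYPE_ACCESS_ALLOWED,
					     SEC_GENERIC_ALL,
					     0,
					     NULL);
	if (sd == NULL) {
		printf("failed to create the initial sd\n");
		return false;
	}
	/* SACL marked present but left empty */
	sd->type |= SEC_DESC_SACL_PRESENT;
	sd->sacl = NULL;

	io.ntcreatex.level = RAW_OPEN_NTTRANS_CREATE;
	io.ntcreatex.in.root_fid.fnum = 0;
	io.ntcreatex.in.flags = 0;
	io.ntcreatex.in.access_mask = SEC_GENERIC_ALL;
	io.ntcreatex.in.create_options = 0;
	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
	io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE;
	io.ntcreatex.in.alloc_size = 0;
	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OVERWRITE_IF;
	io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
	io.ntcreatex.in.security_flags = 0;
	io.ntcreatex.in.fname = fname;
	io.ntcreatex.in.sec_desc = sd;
	io.ntcreatex.in.ea_list = NULL;
	status = smb_raw_open(cli->tree, tctx, &io);
	CHECK_STATUS(status, NT_STATUS_OK);
	fnum = io.ntcreatex.out.file.fnum;
	status = smbcli_close(cli->tree, fnum);
	fnum = -1;	/* closed, even if the close reported an error */
	CHECK_STATUS(status, NT_STATUS_OK);

	/*
	 * now try each access_mask bit and no bit at all in a loop
	 * and see what's allowed
	 *
	 * NOTE: if i == 32 it means access_mask = 0 (see NO_BITS_HACK above)
	 */
	for (i = 0; i <= 32; i++) {
		desired_64 = ((uint64_t)1) << i;
		desired = (uint32_t)desired_64;	/* i == 32 truncates to 0 */

		/* first open the file with the desired access */
		io.ntcreatex.level = RAW_OPEN_NTCREATEX;
		io.ntcreatex.in.access_mask = desired;
		io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
		status = smb_raw_open(cli->tree, tctx, &io);
		CHECK_STATUS_FOR_BIT_ACTION(status, open_bits, goto next);
		fnum = io.ntcreatex.out.file.fnum;

		/* then check what access was granted */
		fi.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
		fi.access_information.in.file.fnum = fnum;
		status = smb_raw_fileinfo(cli->tree, tctx, &fi);
		CHECK_STATUS(status, NT_STATUS_OK);
		granted = fi.access_information.out.access_flags;

		/* test the owner */
		ZERO_STRUCT(fi);
		fi.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
		fi.query_secdesc.in.file.fnum = fnum;
		fi.query_secdesc.in.secinfo_flags = SECINFO_OWNER;
		status = smb_raw_fileinfo(cli->tree, tctx, &fi);
		CHECK_STATUS_FOR_BIT(status, get_owner_bits, SEC_STD_READ_CONTROL);
		if (fi.query_secdesc.out.sd) {
			sd_owner = fi.query_secdesc.out.sd;
		} else if (!sd_owner) {
			sd_owner = sd;
		}

		si.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
		si.set_secdesc.in.file.fnum = fnum;
		si.set_secdesc.in.secinfo_flags = SECINFO_OWNER;
		si.set_secdesc.in.sd = sd_owner;
		status = smb_raw_setfileinfo(cli->tree, &si);
		CHECK_STATUS_FOR_BIT(status, set_owner_bits, SEC_STD_WRITE_OWNER);

		/* test the group */
		ZERO_STRUCT(fi);
		fi.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
		fi.query_secdesc.in.file.fnum = fnum;
		fi.query_secdesc.in.secinfo_flags = SECINFO_GROUP;
		status = smb_raw_fileinfo(cli->tree, tctx, &fi);
		CHECK_STATUS_FOR_BIT(status, get_group_bits, SEC_STD_READ_CONTROL);
		if (fi.query_secdesc.out.sd) {
			sd_group = fi.query_secdesc.out.sd;
		} else if (!sd_group) {
			sd_group = sd;
		}

		si.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
		si.set_secdesc.in.file.fnum = fnum;
		si.set_secdesc.in.secinfo_flags = SECINFO_GROUP;
		si.set_secdesc.in.sd = sd_group;
		status = smb_raw_setfileinfo(cli->tree, &si);
		CHECK_STATUS_FOR_BIT(status, set_group_bits, SEC_STD_WRITE_OWNER);

		/* test the DACL */
		ZERO_STRUCT(fi);
		fi.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
		fi.query_secdesc.in.file.fnum = fnum;
		fi.query_secdesc.in.secinfo_flags = SECINFO_DACL;
		status = smb_raw_fileinfo(cli->tree, tctx, &fi);
		CHECK_STATUS_FOR_BIT(status, get_dacl_bits, SEC_STD_READ_CONTROL);
		if (fi.query_secdesc.out.sd) {
			sd_dacl = fi.query_secdesc.out.sd;
		} else if (!sd_dacl) {
			sd_dacl = sd;
		}

		si.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
		si.set_secdesc.in.file.fnum = fnum;
		si.set_secdesc.in.secinfo_flags = SECINFO_DACL;
		si.set_secdesc.in.sd = sd_dacl;
		status = smb_raw_setfileinfo(cli->tree, &si);
		CHECK_STATUS_FOR_BIT(status, set_dacl_bits, SEC_STD_WRITE_DAC);

		/* test the SACL */
		ZERO_STRUCT(fi);
		fi.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
		fi.query_secdesc.in.file.fnum = fnum;
		fi.query_secdesc.in.secinfo_flags = SECINFO_SACL;
		status = smb_raw_fileinfo(cli->tree, tctx, &fi);
		CHECK_STATUS_FOR_BIT(status, get_sacl_bits, SEC_FLAG_SYSTEM_SECURITY);
		if (fi.query_secdesc.out.sd) {
			sd_sacl = fi.query_secdesc.out.sd;
		} else if (!sd_sacl) {
			sd_sacl = sd;
		}

		si.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
		si.set_secdesc.in.file.fnum = fnum;
		si.set_secdesc.in.secinfo_flags = SECINFO_SACL;
		si.set_secdesc.in.sd = sd_sacl;
		status = smb_raw_setfileinfo(cli->tree, &si);
		CHECK_STATUS_FOR_BIT(status, set_sacl_bits, SEC_FLAG_SYSTEM_SECURITY);

		/* close the handle; mark it closed so done: does not close it twice */
		status = smbcli_close(cli->tree, fnum);
		fnum = -1;
		CHECK_STATUS(status, NT_STATUS_OK);
next:
		continue;
	}

done:
	if (fnum != -1) {
		smbcli_close(cli->tree, fnum);
	}
	smbcli_unlink(cli->tree, fname);
	return ret;
}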
/*
basic testing of security descriptor calls
*/
/*
 * Entry point for the RAW-ACLS torture suite.
 *
 * Creates BASEDIR, runs every security-descriptor sub-test in a fixed order
 * and combines their results.  A failing sub-test does not stop the run;
 * the later ones still execute and `ret` only records whether all passed.
 * The session is torn down and BASEDIR deleted afterwards.
 *
 * Returns true only when every sub-test returned true.
 */
bool torture_raw_acls(struct torture_context *tctx, struct smbcli_state *cli)
{
	/* sub-tests, in execution order */
	static bool (*const subtests[])(struct torture_context *,
					struct smbcli_state *) = {
		test_sd,
		test_nttrans_create,
		test_nttrans_create_null_dacl,
		test_creator_sid,
		test_generic_bits,
		test_owner_bits,
		test_inheritance,
		test_inheritance_dynamic,
		test_sd_get_set,
	};
	bool ret = true;
	size_t k;

	if (!torture_setup_dir(cli, BASEDIR)) {
		return false;
	}

	for (k = 0; k < sizeof(subtests) / sizeof(subtests[0]); k++) {
		ret &= subtests[k](tctx, cli);
	}

	smb_raw_exit(cli->session);
	smbcli_deltree(cli->tree, BASEDIR);

	return ret;
}