2004-11-18 01:02:27 +00:00
/*
Unix SMB / CIFS implementation .
test security descriptor operations
Copyright ( C ) Andrew Tridgell 2004
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 02:07:03 +00:00
the Free Software Foundation ; either version 3 of the License , or
2004-11-18 01:02:27 +00:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 02:07:03 +00:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2004-11-18 01:02:27 +00:00
*/
# include "includes.h"
2006-01-03 13:41:17 +00:00
# include "torture/torture.h"
2004-11-18 01:02:27 +00:00
# include "libcli/raw/libcliraw.h"
2006-01-03 15:40:05 +00:00
# include "libcli/libcli.h"
2006-03-14 15:02:05 +00:00
# include "librpc/gen_ndr/lsa.h"
2006-03-07 14:34:32 +00:00
# include "libcli/util/clilsa.h"
2006-04-02 12:02:01 +00:00
# include "libcli/security/security.h"
2006-03-17 17:59:58 +00:00
# include "torture/util.h"
2006-04-29 17:34:49 +00:00
# include "librpc/gen_ndr/ndr_security.h"
2011-03-19 00:42:42 +01:00
# include "torture/raw/proto.h"
2004-11-18 01:02:27 +00:00
# define BASEDIR "\\testsd"
# define CHECK_STATUS(status, correct) do { \
if ( ! NT_STATUS_EQUAL ( status , correct ) ) { \
2007-10-06 22:28:14 +00:00
ret = false ; \
2009-07-02 14:08:41 -07:00
torture_result ( tctx , TORTURE_FAIL , " (%s) Incorrect status %s - should be %s \n " , \
__location__ , nt_errstr ( status ) , nt_errstr ( correct ) ) ; \
2004-11-18 01:02:27 +00:00
goto done ; \
} } while ( 0 )
2009-07-02 14:08:41 -07:00
# define FAIL_UNLESS(__cond) \
do { \
if ( __cond ) { } else { \
ret = false ; \
torture_result ( tctx , TORTURE_FAIL , " %s) condition violated: %s \n " , \
__location__ , # __cond ) ; \
goto done ; \
} \
} while ( 0 )
# define CHECK_SECURITY_DESCRIPTOR(_sd1, _sd2) do { \
if ( ! security_descriptor_equal ( _sd1 , _sd2 ) ) { \
torture_warning ( tctx , " %s: security descriptors don't match! \n " , __location__ ) ; \
torture_warning ( tctx , " got: \n " ) ; \
NDR_PRINT_DEBUG ( security_descriptor , _sd1 ) ; \
torture_warning ( tctx , " expected: \n " ) ; \
NDR_PRINT_DEBUG ( security_descriptor , _sd2 ) ; \
ret = false ; \
} \
} while ( 0 )
2004-11-18 01:02:27 +00:00
2009-07-02 14:08:41 -07:00
/*
* Helper function to verify a security descriptor , by querying
* and comparing against the passed in sd .
* Copied to smb2_util_verify_sd ( ) for SMB2 .
*/
static bool verify_sd ( TALLOC_CTX * tctx , struct smbcli_state * cli ,
int fnum , struct security_descriptor * sd )
{
NTSTATUS status ;
bool ret = true ;
union smb_fileinfo q = { } ;
if ( sd ) {
q . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
q . query_secdesc . in . file . fnum = fnum ;
q . query_secdesc . in . secinfo_flags =
SECINFO_OWNER |
SECINFO_GROUP |
SECINFO_DACL ;
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-12-07 17:19:30 -08:00
/* More work is needed if we're going to check this bit. */
sd - > type & = ~ SEC_DESC_DACL_AUTO_INHERITED ;
2009-07-02 14:08:41 -07:00
CHECK_SECURITY_DESCRIPTOR ( q . query_secdesc . out . sd , sd ) ;
}
done :
return ret ;
}
/*
* Helper function to verify attributes , by querying
* and comparing against the passed attrib .
* Copied to smb2_util_verify_attrib ( ) for SMB2 .
*/
static bool verify_attrib ( TALLOC_CTX * tctx , struct smbcli_state * cli ,
int fnum , uint32_t attrib )
{
NTSTATUS status ;
bool ret = true ;
union smb_fileinfo q2 = { } ;
if ( attrib ) {
q2 . standard . level = RAW_FILEINFO_STANDARD ;
q2 . standard . in . file . fnum = fnum ;
status = smb_raw_fileinfo ( cli - > tree , tctx , & q2 ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
q2 . standard . out . attrib & = ~ FILE_ATTRIBUTE_ARCHIVE ;
if ( q2 . standard . out . attrib ! = attrib ) {
torture_warning ( tctx , " %s: attributes don't match! "
" got %x, expected %x \n " , __location__ ,
( uint32_t ) q2 . standard . out . attrib ,
( uint32_t ) attrib ) ;
ret = false ;
}
}
done :
return ret ;
}
/**
* Test setting and removing a DACL .
* Test copied to torture_smb2_setinfo ( ) for SMB2 .
*/
static bool test_sd ( struct torture_context * tctx , struct smbcli_state * cli )
2004-11-18 01:02:27 +00:00
{
NTSTATUS status ;
union smb_open io ;
const char * fname = BASEDIR " \\ sd.txt " ;
2007-10-06 22:28:14 +00:00
bool ret = true ;
2004-12-02 04:51:56 +00:00
int fnum = - 1 ;
2004-11-18 01:41:43 +00:00
union smb_fileinfo q ;
union smb_setfileinfo set ;
2004-11-18 01:02:27 +00:00
struct security_ace ace ;
struct security_descriptor * sd ;
struct dom_sid * test_sid ;
2009-07-02 14:08:41 -07:00
if ( ! torture_setup_dir ( cli , BASEDIR ) )
return false ;
torture_comment ( tctx , " TESTING SETFILEINFO EA_SET \n " ) ;
2004-11-18 01:02:27 +00:00
io . generic . level = RAW_OPEN_NTCREATEX ;
2009-10-15 18:26:19 +11:00
io . ntcreatex . in . root_fid . fnum = 0 ;
2004-11-18 01:02:27 +00:00
io . ntcreatex . in . flags = 0 ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2004-11-18 01:02:27 +00:00
io . ntcreatex . in . create_options = 0 ;
io . ntcreatex . in . file_attr = FILE_ATTRIBUTE_NORMAL ;
io . ntcreatex . in . share_access =
NTCREATEX_SHARE_ACCESS_READ |
NTCREATEX_SHARE_ACCESS_WRITE ;
io . ntcreatex . in . alloc_size = 0 ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_CREATE ;
io . ntcreatex . in . impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS ;
io . ntcreatex . in . security_flags = 0 ;
io . ntcreatex . in . fname = fname ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-11-18 01:02:27 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
fnum = io . ntcreatex . out . file . fnum ;
2004-11-18 01:41:43 +00:00
q . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
q . query_secdesc . in . file . fnum = fnum ;
2006-03-10 20:49:20 +00:00
q . query_secdesc . in . secinfo_flags =
2004-11-30 04:33:27 +00:00
SECINFO_OWNER |
SECINFO_GROUP |
SECINFO_DACL ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-11-18 01:02:27 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2004-11-18 01:41:43 +00:00
sd = q . query_secdesc . out . sd ;
2004-11-18 01:02:27 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " add a new ACE to the DACL \n " ) ;
2004-11-18 01:02:27 +00:00
2009-07-02 14:08:41 -07:00
test_sid = dom_sid_parse_talloc ( tctx , SID_NT_AUTHENTICATED_USERS ) ;
2004-11-18 01:02:27 +00:00
ace . type = SEC_ACE_TYPE_ACCESS_ALLOWED ;
ace . flags = 0 ;
2004-11-30 04:33:27 +00:00
ace . access_mask = SEC_STD_ALL ;
2004-11-18 01:02:27 +00:00
ace . trustee = * test_sid ;
status = security_descriptor_dacl_add ( sd , & ace ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2004-11-18 01:41:43 +00:00
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
set . set_secdesc . in . file . fnum = fnum ;
2006-03-10 20:49:20 +00:00
set . set_secdesc . in . secinfo_flags = q . query_secdesc . in . secinfo_flags ;
2004-11-18 01:41:43 +00:00
set . set_secdesc . in . sd = sd ;
2004-11-18 01:02:27 +00:00
2004-11-18 01:41:43 +00:00
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
2004-11-18 01:02:27 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
FAIL_UNLESS ( verify_sd ( tctx , cli , fnum , sd ) ) ;
2004-11-18 01:02:27 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " remove it again \n " ) ;
2004-11-18 01:02:27 +00:00
status = security_descriptor_dacl_del ( sd , test_sid ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2004-11-18 01:41:43 +00:00
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
2004-11-18 01:02:27 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
FAIL_UNLESS ( verify_sd ( tctx , cli , fnum , sd ) ) ;
2004-11-18 01:02:27 +00:00
done :
smbcli_close ( cli - > tree , fnum ) ;
2009-07-02 14:08:41 -07:00
smb_raw_exit ( cli - > session ) ;
smbcli_deltree ( cli - > tree , BASEDIR ) ;
2004-11-18 01:02:27 +00:00
return ret ;
}
2004-11-18 03:59:24 +00:00
/*
2007-08-29 00:56:13 +00:00
test using nttrans create to create a file with an initial acl set
2009-07-02 14:08:41 -07:00
Test copied to test_create_acl ( ) for SMB2 .
2004-11-18 03:59:24 +00:00
*/
2009-07-02 14:08:41 -07:00
static bool test_nttrans_create_ext ( struct torture_context * tctx ,
struct smbcli_state * cli , bool test_dir )
2004-11-18 03:59:24 +00:00
{
NTSTATUS status ;
union smb_open io ;
const char * fname = BASEDIR " \\ acl2.txt " ;
2007-08-29 00:56:13 +00:00
bool ret = true ;
2004-11-18 03:59:24 +00:00
int fnum = - 1 ;
2009-07-02 14:08:41 -07:00
union smb_fileinfo q = { } ;
2004-11-18 03:59:24 +00:00
struct security_ace ace ;
struct security_descriptor * sd ;
struct dom_sid * test_sid ;
2009-07-02 14:08:41 -07:00
uint32_t attrib =
FILE_ATTRIBUTE_HIDDEN |
FILE_ATTRIBUTE_SYSTEM |
( test_dir ? FILE_ATTRIBUTE_DIRECTORY : 0 ) ;
NTSTATUS ( * delete_func ) ( struct smbcli_tree * , const char * ) =
test_dir ? smbcli_rmdir : smbcli_unlink ;
if ( ! torture_setup_dir ( cli , BASEDIR ) )
return false ;
2004-11-18 03:59:24 +00:00
io . generic . level = RAW_OPEN_NTTRANS_CREATE ;
2009-10-15 18:26:19 +11:00
io . ntcreatex . in . root_fid . fnum = 0 ;
2004-11-18 03:59:24 +00:00
io . ntcreatex . in . flags = 0 ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2009-07-02 14:08:41 -07:00
io . ntcreatex . in . create_options =
test_dir ? NTCREATEX_OPTIONS_DIRECTORY : 0 ;
2004-11-18 03:59:24 +00:00
io . ntcreatex . in . file_attr = FILE_ATTRIBUTE_NORMAL ;
io . ntcreatex . in . share_access =
NTCREATEX_SHARE_ACCESS_READ |
NTCREATEX_SHARE_ACCESS_WRITE ;
io . ntcreatex . in . alloc_size = 0 ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_CREATE ;
io . ntcreatex . in . impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS ;
io . ntcreatex . in . security_flags = 0 ;
io . ntcreatex . in . fname = fname ;
io . ntcreatex . in . sec_desc = NULL ;
io . ntcreatex . in . ea_list = NULL ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " basic create \n " ) ;
2004-11-18 03:59:24 +00:00
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-11-18 03:59:24 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
fnum = io . ntcreatex . out . file . fnum ;
2004-11-18 03:59:24 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " querying ACL \n " ) ;
2004-11-18 03:59:24 +00:00
q . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
q . query_secdesc . in . file . fnum = fnum ;
2006-03-10 20:49:20 +00:00
q . query_secdesc . in . secinfo_flags =
2004-11-30 04:33:27 +00:00
SECINFO_OWNER |
SECINFO_GROUP |
SECINFO_DACL ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-11-18 03:59:24 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
sd = q . query_secdesc . out . sd ;
2009-07-02 14:08:41 -07:00
status = smbcli_close ( cli - > tree , fnum ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2004-11-18 03:59:24 +00:00
2009-07-02 14:08:41 -07:00
status = delete_func ( cli - > tree , fname ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
torture_comment ( tctx , " adding a new ACE \n " ) ;
test_sid = dom_sid_parse_talloc ( tctx , SID_NT_AUTHENTICATED_USERS ) ;
2004-11-18 03:59:24 +00:00
ace . type = SEC_ACE_TYPE_ACCESS_ALLOWED ;
ace . flags = 0 ;
2004-11-30 04:33:27 +00:00
ace . access_mask = SEC_STD_ALL ;
2004-11-18 03:59:24 +00:00
ace . trustee = * test_sid ;
status = security_descriptor_dacl_add ( sd , & ace ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " creating with an initial ACL \n " ) ;
2004-11-18 03:59:24 +00:00
io . ntcreatex . in . sec_desc = sd ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-11-18 03:59:24 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
fnum = io . ntcreatex . out . file . fnum ;
2004-11-18 03:59:24 +00:00
2009-07-02 14:08:41 -07:00
FAIL_UNLESS ( verify_sd ( tctx , cli , fnum , sd ) ) ;
status = smbcli_close ( cli - > tree , fnum ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
status = delete_func ( cli - > tree , fname ) ;
2004-11-18 03:59:24 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " creating with attributes \n " ) ;
2004-11-18 03:59:24 +00:00
2009-07-02 14:08:41 -07:00
io . ntcreatex . in . sec_desc = NULL ;
io . ntcreatex . in . file_attr = attrib ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
fnum = io . ntcreatex . out . file . fnum ;
FAIL_UNLESS ( verify_attrib ( tctx , cli , fnum , attrib ) ) ;
status = smbcli_close ( cli - > tree , fnum ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
status = delete_func ( cli - > tree , fname ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
torture_comment ( tctx , " creating with attributes and ACL \n " ) ;
io . ntcreatex . in . sec_desc = sd ;
io . ntcreatex . in . file_attr = attrib ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
fnum = io . ntcreatex . out . file . fnum ;
FAIL_UNLESS ( verify_sd ( tctx , cli , fnum , sd ) ) ;
FAIL_UNLESS ( verify_attrib ( tctx , cli , fnum , attrib ) ) ;
status = smbcli_close ( cli - > tree , fnum ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
status = delete_func ( cli - > tree , fname ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
torture_comment ( tctx , " creating with attributes, ACL and owner \n " ) ;
sd = security_descriptor_dacl_create ( tctx ,
0 , SID_WORLD , SID_BUILTIN_USERS ,
SID_WORLD ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_RIGHTS_FILE_READ | SEC_STD_ALL ,
0 ,
NULL ) ;
io . ntcreatex . in . sec_desc = sd ;
io . ntcreatex . in . file_attr = attrib ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
fnum = io . ntcreatex . out . file . fnum ;
FAIL_UNLESS ( verify_sd ( tctx , cli , fnum , sd ) ) ;
FAIL_UNLESS ( verify_attrib ( tctx , cli , fnum , attrib ) ) ;
status = smbcli_close ( cli - > tree , fnum ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
status = delete_func ( cli - > tree , fname ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
done :
2004-11-18 03:59:24 +00:00
smbcli_close ( cli - > tree , fnum ) ;
2009-07-02 14:08:41 -07:00
smb_raw_exit ( cli - > session ) ;
smbcli_deltree ( cli - > tree , BASEDIR ) ;
2004-11-18 03:59:24 +00:00
return ret ;
}
2009-07-02 14:08:41 -07:00
static bool test_nttrans_create_file ( struct torture_context * tctx ,
struct smbcli_state * cli )
{
2010-04-11 01:39:06 +02:00
torture_comment ( tctx , " Testing nttrans create with sec_desc on files \n " ) ;
2009-07-02 14:08:41 -07:00
return test_nttrans_create_ext ( tctx , cli , false ) ;
}
static bool test_nttrans_create_dir ( struct torture_context * tctx ,
struct smbcli_state * cli )
{
2010-04-11 01:39:06 +02:00
torture_comment ( tctx , " Testing nttrans create with sec_desc on directories \n " ) ;
2009-07-02 14:08:41 -07:00
return test_nttrans_create_ext ( tctx , cli , true ) ;
}
2004-12-02 04:38:41 +00:00
# define CHECK_ACCESS_FLAGS(_fnum, flags) do { \
union smb_fileinfo _q ; \
_q . access_information . level = RAW_FILEINFO_ACCESS_INFORMATION ; \
2006-03-12 22:48:25 +00:00
_q . access_information . in . file . fnum = ( _fnum ) ; \
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & _q ) ; \
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ; \
if ( _q . access_information . out . access_flags ! = ( flags ) ) { \
2007-10-06 22:28:14 +00:00
ret = false ; \
2009-07-02 14:08:41 -07:00
torture_result ( tctx , TORTURE_FAIL , " (%s) Incorrect access_flags 0x%08x - should be 0x%08x \n " , \
__location__ , _q . access_information . out . access_flags , ( flags ) ) ; \
2004-12-02 04:38:41 +00:00
goto done ; \
} \
} while ( 0 )
2008-10-28 17:14:53 +01:00
/*
test using NTTRANS CREATE to create a file with a null ACL set
2009-07-02 14:08:41 -07:00
Test copied to test_create_null_dacl ( ) for SMB2 .
2008-10-28 17:14:53 +01:00
*/
static bool test_nttrans_create_null_dacl ( struct torture_context * tctx ,
struct smbcli_state * cli )
{
NTSTATUS status ;
union smb_open io ;
2009-07-02 14:08:41 -07:00
const char * fname = BASEDIR " \\ nulldacl.txt " ;
2008-10-28 17:14:53 +01:00
bool ret = true ;
int fnum = - 1 ;
union smb_fileinfo q ;
union smb_setfileinfo s ;
struct security_descriptor * sd = security_descriptor_initialise ( tctx ) ;
struct security_acl dacl ;
2009-07-02 14:08:41 -07:00
if ( ! torture_setup_dir ( cli , BASEDIR ) )
return false ;
torture_comment ( tctx , " TESTING SEC_DESC WITH A NULL DACL \n " ) ;
2008-10-28 17:14:53 +01:00
io . generic . level = RAW_OPEN_NTTRANS_CREATE ;
2009-10-15 18:26:19 +11:00
io . ntcreatex . in . root_fid . fnum = 0 ;
2008-10-28 17:14:53 +01:00
io . ntcreatex . in . flags = 0 ;
io . ntcreatex . in . access_mask = SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC
| SEC_STD_WRITE_OWNER ;
io . ntcreatex . in . create_options = 0 ;
io . ntcreatex . in . file_attr = FILE_ATTRIBUTE_NORMAL ;
io . ntcreatex . in . share_access =
NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE ;
io . ntcreatex . in . alloc_size = 0 ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_OPEN_IF ;
io . ntcreatex . in . impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS ;
io . ntcreatex . in . security_flags = 0 ;
io . ntcreatex . in . fname = fname ;
io . ntcreatex . in . sec_desc = sd ;
io . ntcreatex . in . ea_list = NULL ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " creating a file with a empty sd \n " ) ;
2008-10-28 17:14:53 +01:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
fnum = io . ntcreatex . out . file . fnum ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " get the original sd \n " ) ;
2008-10-28 17:14:53 +01:00
q . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
q . query_secdesc . in . file . fnum = fnum ;
q . query_secdesc . in . secinfo_flags =
SECINFO_OWNER |
SECINFO_GROUP |
SECINFO_DACL ;
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
/*
* Testing the created DACL ,
* the server should add the inherited DACL
* when SEC_DESC_DACL_PRESENT isn ' t specified
*/
if ( ! ( q . query_secdesc . out . sd - > type & SEC_DESC_DACL_PRESENT ) ) {
ret = false ;
2009-07-02 14:08:41 -07:00
torture_result ( tctx , TORTURE_FAIL , " DACL_PRESENT flag not set by the server! \n " ) ;
2008-10-28 17:14:53 +01:00
goto done ;
}
if ( q . query_secdesc . out . sd - > dacl = = NULL ) {
ret = false ;
2009-07-02 14:08:41 -07:00
torture_result ( tctx , TORTURE_FAIL , " no DACL has been created on the server! \n " ) ;
2008-10-28 17:14:53 +01:00
goto done ;
}
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " set NULL DACL \n " ) ;
2008-10-28 17:14:53 +01:00
sd - > type | = SEC_DESC_DACL_PRESENT ;
s . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
s . set_secdesc . in . file . fnum = fnum ;
s . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
s . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & s ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " get the sd \n " ) ;
2008-10-28 17:14:53 +01:00
q . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
q . query_secdesc . in . file . fnum = fnum ;
q . query_secdesc . in . secinfo_flags =
SECINFO_OWNER |
SECINFO_GROUP |
SECINFO_DACL ;
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
/* Testing the modified DACL */
if ( ! ( q . query_secdesc . out . sd - > type & SEC_DESC_DACL_PRESENT ) ) {
ret = false ;
2009-07-02 14:08:41 -07:00
torture_result ( tctx , TORTURE_FAIL , " DACL_PRESENT flag not set by the server! \n " ) ;
2008-10-28 17:14:53 +01:00
goto done ;
}
if ( q . query_secdesc . out . sd - > dacl ! = NULL ) {
ret = false ;
2009-07-02 14:08:41 -07:00
torture_result ( tctx , TORTURE_FAIL , " DACL has been created on the server! \n " ) ;
2008-10-28 17:14:53 +01:00
goto done ;
}
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for read control \n " ) ;
2008-10-28 17:14:53 +01:00
io . ntcreatex . in . access_mask = SEC_STD_READ_CONTROL ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum ,
SEC_STD_READ_CONTROL | SEC_FILE_READ_ATTRIBUTE ) ;
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for write \n " ) ;
2008-10-28 17:14:53 +01:00
io . ntcreatex . in . access_mask = SEC_FILE_WRITE_DATA ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum ,
SEC_FILE_WRITE_DATA | SEC_FILE_READ_ATTRIBUTE ) ;
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for read \n " ) ;
2008-10-28 17:14:53 +01:00
io . ntcreatex . in . access_mask = SEC_FILE_READ_DATA ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum ,
SEC_FILE_READ_DATA | SEC_FILE_READ_ATTRIBUTE ) ;
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for generic write \n " ) ;
2008-10-28 17:14:53 +01:00
io . ntcreatex . in . access_mask = SEC_GENERIC_WRITE ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum ,
SEC_RIGHTS_FILE_WRITE | SEC_FILE_READ_ATTRIBUTE ) ;
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for generic read \n " ) ;
2008-10-28 17:14:53 +01:00
io . ntcreatex . in . access_mask = SEC_GENERIC_READ ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum ,
SEC_RIGHTS_FILE_READ | SEC_FILE_READ_ATTRIBUTE ) ;
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " set DACL with 0 aces \n " ) ;
2008-10-28 17:14:53 +01:00
ZERO_STRUCT ( dacl ) ;
dacl . revision = SECURITY_ACL_REVISION_NT4 ;
dacl . num_aces = 0 ;
sd - > dacl = & dacl ;
s . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
s . set_secdesc . in . file . fnum = fnum ;
s . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
s . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & s ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " get the sd \n " ) ;
2008-10-28 17:14:53 +01:00
q . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
q . query_secdesc . in . file . fnum = fnum ;
q . query_secdesc . in . secinfo_flags =
SECINFO_OWNER |
SECINFO_GROUP |
SECINFO_DACL ;
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
/* Testing the modified DACL */
if ( ! ( q . query_secdesc . out . sd - > type & SEC_DESC_DACL_PRESENT ) ) {
ret = false ;
2009-07-02 14:08:41 -07:00
torture_result ( tctx , TORTURE_FAIL , " DACL_PRESENT flag not set by the server! \n " ) ;
2008-10-28 17:14:53 +01:00
goto done ;
}
if ( q . query_secdesc . out . sd - > dacl = = NULL ) {
ret = false ;
2009-07-02 14:08:41 -07:00
torture_result ( tctx , TORTURE_FAIL , " no DACL has been created on the server! \n " ) ;
2008-10-28 17:14:53 +01:00
goto done ;
}
if ( q . query_secdesc . out . sd - > dacl - > num_aces ! = 0 ) {
ret = false ;
2009-07-02 14:08:41 -07:00
torture_result ( tctx , TORTURE_FAIL , " DACL has %u aces! \n " ,
q . query_secdesc . out . sd - > dacl - > num_aces ) ;
2008-10-28 17:14:53 +01:00
goto done ;
}
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for read control \n " ) ;
2008-10-28 17:14:53 +01:00
io . ntcreatex . in . access_mask = SEC_STD_READ_CONTROL ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum ,
SEC_STD_READ_CONTROL | SEC_FILE_READ_ATTRIBUTE ) ;
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for write => access_denied \n " ) ;
2008-10-28 17:14:53 +01:00
io . ntcreatex . in . access_mask = SEC_FILE_WRITE_DATA ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for read => access_denied \n " ) ;
2008-10-28 17:14:53 +01:00
io . ntcreatex . in . access_mask = SEC_FILE_READ_DATA ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for generic write => access_denied \n " ) ;
2008-10-28 17:14:53 +01:00
io . ntcreatex . in . access_mask = SEC_GENERIC_WRITE ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for generic read => access_denied \n " ) ;
2008-10-28 17:14:53 +01:00
io . ntcreatex . in . access_mask = SEC_GENERIC_READ ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " set empty sd \n " ) ;
2008-10-28 17:14:53 +01:00
sd - > type & = ~ SEC_DESC_DACL_PRESENT ;
sd - > dacl = NULL ;
s . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
s . set_secdesc . in . file . fnum = fnum ;
s . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
s . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & s ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " get the sd \n " ) ;
2008-10-28 17:14:53 +01:00
q . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
q . query_secdesc . in . file . fnum = fnum ;
q . query_secdesc . in . secinfo_flags =
SECINFO_OWNER |
SECINFO_GROUP |
SECINFO_DACL ;
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
/* Testing the modified DACL */
if ( ! ( q . query_secdesc . out . sd - > type & SEC_DESC_DACL_PRESENT ) ) {
ret = false ;
2009-07-02 14:08:41 -07:00
torture_result ( tctx , TORTURE_FAIL , " DACL_PRESENT flag not set by the server! \n " ) ;
2008-10-28 17:14:53 +01:00
goto done ;
}
if ( q . query_secdesc . out . sd - > dacl ! = NULL ) {
ret = false ;
2009-07-02 14:08:41 -07:00
torture_result ( tctx , TORTURE_FAIL , " DACL has been created on the server! \n " ) ;
2008-10-28 17:14:53 +01:00
goto done ;
}
done :
smbcli_close ( cli - > tree , fnum ) ;
2009-07-02 14:08:41 -07:00
smb_raw_exit ( cli - > session ) ;
smbcli_deltree ( cli - > tree , BASEDIR ) ;
2008-10-28 17:14:53 +01:00
return ret ;
}
2004-12-02 04:38:41 +00:00
/*
test the behaviour of the well known SID_CREATOR_OWNER sid , and some generic
mapping bits
2009-07-02 14:08:41 -07:00
Test copied to smb2 / acls . c for SMB2 .
2004-12-02 04:38:41 +00:00
*/
2007-08-29 00:56:13 +00:00
static bool test_creator_sid ( struct torture_context * tctx ,
struct smbcli_state * cli )
2004-12-02 04:38:41 +00:00
{
NTSTATUS status ;
union smb_open io ;
const char * fname = BASEDIR " \\ creator.txt " ;
2007-10-06 22:28:14 +00:00
bool ret = true ;
2004-12-02 04:51:56 +00:00
int fnum = - 1 ;
2004-12-02 04:38:41 +00:00
union smb_fileinfo q ;
union smb_setfileinfo set ;
struct security_descriptor * sd , * sd_orig , * sd2 ;
const char * owner_sid ;
2009-07-02 14:08:41 -07:00
if ( ! torture_setup_dir ( cli , BASEDIR ) )
return false ;
torture_comment ( tctx , " TESTING SID_CREATOR_OWNER \n " ) ;
2004-12-02 04:38:41 +00:00
io . generic . level = RAW_OPEN_NTCREATEX ;
2009-10-15 18:26:19 +11:00
io . ntcreatex . in . root_fid . fnum = 0 ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . flags = 0 ;
2004-12-04 10:16:47 +00:00
io . ntcreatex . in . access_mask = SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . create_options = 0 ;
io . ntcreatex . in . file_attr = FILE_ATTRIBUTE_NORMAL ;
io . ntcreatex . in . share_access =
NTCREATEX_SHARE_ACCESS_READ |
NTCREATEX_SHARE_ACCESS_WRITE ;
io . ntcreatex . in . alloc_size = 0 ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_OPEN_IF ;
io . ntcreatex . in . impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS ;
io . ntcreatex . in . security_flags = 0 ;
io . ntcreatex . in . fname = fname ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
fnum = io . ntcreatex . out . file . fnum ;
2004-12-02 04:38:41 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " get the original sd \n " ) ;
2004-12-02 04:38:41 +00:00
q . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
q . query_secdesc . in . file . fnum = fnum ;
2006-03-10 20:49:20 +00:00
q . query_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
sd_orig = q . query_secdesc . out . sd ;
2007-08-29 00:56:13 +00:00
owner_sid = dom_sid_string ( tctx , sd_orig - > owner_sid ) ;
2004-12-02 04:38:41 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " set a sec desc allowing no write by CREATOR_OWNER \n " ) ;
2007-11-02 12:54:19 +01:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , NULL , NULL ,
2004-12-02 04:38:41 +00:00
SID_CREATOR_OWNER ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_RIGHTS_FILE_READ | SEC_STD_ALL ,
2004-12-29 06:53:15 +00:00
0 ,
2004-12-02 04:38:41 +00:00
NULL ) ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
set . set_secdesc . in . file . fnum = fnum ;
2004-12-02 04:38:41 +00:00
set . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for write \n " ) ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . access_mask = SEC_FILE_WRITE_DATA ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for read \n " ) ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . access_mask = SEC_FILE_READ_DATA ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for generic write \n " ) ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . access_mask = SEC_GENERIC_WRITE ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for generic read \n " ) ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . access_mask = SEC_GENERIC_READ ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " set a sec desc allowing no write by owner \n " ) ;
2007-11-02 12:54:19 +01:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , owner_sid , NULL ,
2004-12-02 04:38:41 +00:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_RIGHTS_FILE_READ | SEC_STD_ALL ,
2004-12-29 06:53:15 +00:00
0 ,
2004-12-02 04:38:41 +00:00
NULL ) ;
2004-12-04 10:16:47 +00:00
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
set . set_secdesc . in . file . fnum = fnum ;
2004-12-04 10:16:47 +00:00
set . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
2004-12-02 04:38:41 +00:00
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " check that sd has been mapped correctly \n " ) ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-03 06:25:56 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
CHECK_SECURITY_DESCRIPTOR ( q . query_secdesc . out . sd , sd ) ;
2004-12-03 06:25:56 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for write \n " ) ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . access_mask = SEC_FILE_WRITE_DATA ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for read \n " ) ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . access_mask = SEC_FILE_READ_DATA ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum ,
2004-12-02 04:38:41 +00:00
SEC_FILE_READ_DATA |
SEC_FILE_READ_ATTRIBUTE ) ;
2006-03-12 22:48:25 +00:00
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2004-12-02 04:38:41 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for generic write \n " ) ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . access_mask = SEC_GENERIC_WRITE ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for generic read \n " ) ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . access_mask = SEC_GENERIC_READ ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum ,
2004-12-02 04:38:41 +00:00
SEC_RIGHTS_FILE_READ ) ;
2006-03-12 22:48:25 +00:00
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2004-12-02 04:38:41 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " set a sec desc allowing generic read by owner \n " ) ;
2007-11-02 12:54:19 +01:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , NULL , NULL ,
2004-12-02 04:38:41 +00:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_GENERIC_READ | SEC_STD_ALL ,
2004-12-29 06:53:15 +00:00
0 ,
2004-12-02 04:38:41 +00:00
NULL ) ;
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " check that generic read has been mapped correctly \n " ) ;
2007-11-02 12:54:19 +01:00
sd2 = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , owner_sid , NULL ,
2004-12-02 04:38:41 +00:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_RIGHTS_FILE_READ | SEC_STD_ALL ,
2004-12-29 06:53:15 +00:00
0 ,
2004-12-02 04:38:41 +00:00
NULL ) ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
CHECK_SECURITY_DESCRIPTOR ( q . query_secdesc . out . sd , sd2 ) ;
2004-12-02 04:38:41 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for write \n " ) ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . access_mask = SEC_FILE_WRITE_DATA ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for read \n " ) ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . access_mask = SEC_FILE_READ_DATA ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum ,
2004-12-02 04:38:41 +00:00
SEC_FILE_READ_DATA |
SEC_FILE_READ_ATTRIBUTE ) ;
2006-03-12 22:48:25 +00:00
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2004-12-02 04:38:41 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for generic write \n " ) ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . access_mask = SEC_GENERIC_WRITE ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try open for generic read \n " ) ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . access_mask = SEC_GENERIC_READ ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum , SEC_RIGHTS_FILE_READ ) ;
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2004-12-02 04:38:41 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " put back original sd \n " ) ;
2004-12-02 04:38:41 +00:00
set . set_secdesc . in . sd = sd_orig ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
done :
smbcli_close ( cli - > tree , fnum ) ;
2009-07-02 14:08:41 -07:00
smb_raw_exit ( cli - > session ) ;
smbcli_deltree ( cli - > tree , BASEDIR ) ;
2004-12-02 04:38:41 +00:00
return ret ;
}
/*
test the mapping of the SEC_GENERIC_xx bits to SEC_STD_xx and
SEC_FILE_xx bits
2009-07-02 14:08:41 -07:00
Test copied to smb2 / acls . c for SMB2 .
2004-12-02 04:38:41 +00:00
*/
2007-08-29 00:56:13 +00:00
static bool test_generic_bits ( struct torture_context * tctx ,
struct smbcli_state * cli )
2004-12-02 04:38:41 +00:00
{
NTSTATUS status ;
union smb_open io ;
const char * fname = BASEDIR " \\ generic.txt " ;
2007-10-06 22:28:14 +00:00
bool ret = true ;
2004-12-02 04:51:56 +00:00
int fnum = - 1 , i ;
2004-12-02 04:38:41 +00:00
union smb_fileinfo q ;
union smb_setfileinfo set ;
struct security_descriptor * sd , * sd_orig , * sd2 ;
const char * owner_sid ;
const struct {
uint32_t gen_bits ;
uint32_t specific_bits ;
} file_mappings [ ] = {
2004-12-03 06:25:56 +00:00
{ 0 , 0 } ,
{ SEC_GENERIC_READ , SEC_RIGHTS_FILE_READ } ,
{ SEC_GENERIC_WRITE , SEC_RIGHTS_FILE_WRITE } ,
{ SEC_GENERIC_EXECUTE , SEC_RIGHTS_FILE_EXECUTE } ,
{ SEC_GENERIC_ALL , SEC_RIGHTS_FILE_ALL } ,
{ SEC_FILE_READ_DATA , SEC_FILE_READ_DATA } ,
{ SEC_FILE_READ_ATTRIBUTE , SEC_FILE_READ_ATTRIBUTE }
2004-12-02 04:38:41 +00:00
} ;
const struct {
uint32_t gen_bits ;
uint32_t specific_bits ;
} dir_mappings [ ] = {
{ 0 , 0 } ,
{ SEC_GENERIC_READ , SEC_RIGHTS_DIR_READ } ,
{ SEC_GENERIC_WRITE , SEC_RIGHTS_DIR_WRITE } ,
{ SEC_GENERIC_EXECUTE , SEC_RIGHTS_DIR_EXECUTE } ,
{ SEC_GENERIC_ALL , SEC_RIGHTS_DIR_ALL }
} ;
2007-10-06 22:28:14 +00:00
bool has_restore_privilege ;
bool has_take_ownership_privilege ;
2004-12-02 04:38:41 +00:00
2009-07-02 14:08:41 -07:00
if ( ! torture_setup_dir ( cli , BASEDIR ) )
return false ;
torture_comment ( tctx , " TESTING FILE GENERIC BITS \n " ) ;
2004-12-02 04:38:41 +00:00
io . generic . level = RAW_OPEN_NTCREATEX ;
2009-10-15 18:26:19 +11:00
io . ntcreatex . in . root_fid . fnum = 0 ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . flags = 0 ;
2004-12-04 10:16:47 +00:00
io . ntcreatex . in . access_mask =
SEC_STD_READ_CONTROL |
SEC_STD_WRITE_DAC |
SEC_STD_WRITE_OWNER ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . create_options = 0 ;
io . ntcreatex . in . file_attr = FILE_ATTRIBUTE_NORMAL ;
io . ntcreatex . in . share_access =
NTCREATEX_SHARE_ACCESS_READ |
NTCREATEX_SHARE_ACCESS_WRITE ;
io . ntcreatex . in . alloc_size = 0 ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_OPEN_IF ;
io . ntcreatex . in . impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS ;
io . ntcreatex . in . security_flags = 0 ;
io . ntcreatex . in . fname = fname ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
fnum = io . ntcreatex . out . file . fnum ;
2004-12-02 04:38:41 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " get the original sd \n " ) ;
2004-12-02 04:38:41 +00:00
q . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
q . query_secdesc . in . file . fnum = fnum ;
2006-03-10 20:49:20 +00:00
q . query_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
sd_orig = q . query_secdesc . out . sd ;
2007-08-29 00:56:13 +00:00
owner_sid = dom_sid_string ( tctx , sd_orig - > owner_sid ) ;
2004-12-02 04:38:41 +00:00
2009-10-16 18:23:42 +11:00
status = torture_check_privilege ( cli ,
2004-12-11 05:41:19 +00:00
owner_sid ,
sec_privilege_name ( SEC_PRIV_RESTORE ) ) ;
2004-12-06 07:13:50 +00:00
has_restore_privilege = NT_STATUS_IS_OK ( status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2009-07-02 14:08:41 -07:00
torture_warning ( tctx , " torture_check_privilege - %s \n " ,
nt_errstr ( status ) ) ;
2004-12-06 07:13:50 +00:00
}
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " SEC_PRIV_RESTORE - %s \n " , has_restore_privilege ? " Yes " : " No " ) ;
2004-12-06 07:13:50 +00:00
2009-10-16 18:23:42 +11:00
status = torture_check_privilege ( cli ,
2004-12-11 05:41:19 +00:00
owner_sid ,
sec_privilege_name ( SEC_PRIV_TAKE_OWNERSHIP ) ) ;
2004-12-06 07:13:50 +00:00
has_take_ownership_privilege = NT_STATUS_IS_OK ( status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2009-07-02 14:08:41 -07:00
torture_warning ( tctx , " torture_check_privilege - %s \n " ,
nt_errstr ( status ) ) ;
2004-12-06 07:13:50 +00:00
}
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " SEC_PRIV_TAKE_OWNERSHIP - %s \n " , has_take_ownership_privilege ? " Yes " : " No " ) ;
2004-12-02 04:38:41 +00:00
for ( i = 0 ; i < ARRAY_SIZE ( file_mappings ) ; i + + ) {
2004-12-06 07:13:50 +00:00
uint32_t expected_mask =
SEC_STD_WRITE_DAC |
SEC_STD_READ_CONTROL |
SEC_FILE_READ_ATTRIBUTE |
SEC_STD_DELETE ;
uint32_t expected_mask_anon = SEC_FILE_READ_ATTRIBUTE ;
if ( has_restore_privilege ) {
expected_mask_anon | = SEC_STD_DELETE ;
}
2004-12-02 04:38:41 +00:00
2010-04-11 01:39:06 +02:00
torture_comment ( tctx , " Testing generic bits 0x%08x \n " ,
2004-12-02 04:38:41 +00:00
file_mappings [ i ] . gen_bits ) ;
2007-11-02 12:54:19 +01:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , owner_sid , NULL ,
2004-12-02 04:38:41 +00:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
file_mappings [ i ] . gen_bits ,
2004-12-29 06:53:15 +00:00
0 ,
2004-12-02 04:38:41 +00:00
NULL ) ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
set . set_secdesc . in . file . fnum = fnum ;
2004-12-04 10:16:47 +00:00
set . set_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
2004-12-02 04:38:41 +00:00
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2007-11-02 12:54:19 +01:00
sd2 = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , owner_sid , NULL ,
2004-12-02 04:38:41 +00:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
file_mappings [ i ] . specific_bits ,
2004-12-29 06:53:15 +00:00
0 ,
2004-12-02 04:38:41 +00:00
NULL ) ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
CHECK_SECURITY_DESCRIPTOR ( q . query_secdesc . out . sd , sd2 ) ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum ,
2004-12-06 07:13:50 +00:00
expected_mask | file_mappings [ i ] . specific_bits ) ;
2006-03-12 22:48:25 +00:00
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2004-12-02 04:38:41 +00:00
2004-12-06 07:13:50 +00:00
if ( ! has_take_ownership_privilege ) {
continue ;
}
2004-12-04 10:16:47 +00:00
2010-04-11 01:39:06 +02:00
torture_comment ( tctx , " Testing generic bits 0x%08x (anonymous) \n " ,
2004-12-04 10:16:47 +00:00
file_mappings [ i ] . gen_bits ) ;
2007-11-02 12:54:19 +01:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , SID_NT_ANONYMOUS , NULL ,
2004-12-04 10:16:47 +00:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
file_mappings [ i ] . gen_bits ,
2004-12-29 06:53:15 +00:00
0 ,
2004-12-04 10:16:47 +00:00
NULL ) ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
set . set_secdesc . in . file . fnum = fnum ;
2004-12-04 10:16:47 +00:00
set . set_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2007-11-02 12:54:19 +01:00
sd2 = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , SID_NT_ANONYMOUS , NULL ,
2004-12-04 10:16:47 +00:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
file_mappings [ i ] . specific_bits ,
2004-12-29 06:53:15 +00:00
0 ,
2004-12-04 10:16:47 +00:00
NULL ) ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-04 10:16:47 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
CHECK_SECURITY_DESCRIPTOR ( q . query_secdesc . out . sd , sd2 ) ;
2004-12-04 10:16:47 +00:00
io . ntcreatex . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-04 10:16:47 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum ,
2004-12-06 07:13:50 +00:00
expected_mask_anon | file_mappings [ i ] . specific_bits ) ;
2006-03-12 22:48:25 +00:00
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2004-12-02 04:38:41 +00:00
}
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " put back original sd \n " ) ;
2004-12-02 04:38:41 +00:00
set . set_secdesc . in . sd = sd_orig ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
smbcli_close ( cli - > tree , fnum ) ;
smbcli_unlink ( cli - > tree , fname ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " TESTING DIR GENERIC BITS \n " ) ;
2004-12-02 04:38:41 +00:00
io . generic . level = RAW_OPEN_NTCREATEX ;
2009-10-15 18:26:19 +11:00
io . ntcreatex . in . root_fid . fnum = 0 ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . flags = 0 ;
2006-04-13 09:00:38 +00:00
io . ntcreatex . in . access_mask =
SEC_STD_READ_CONTROL |
SEC_STD_WRITE_DAC |
SEC_STD_WRITE_OWNER ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . create_options = NTCREATEX_OPTIONS_DIRECTORY ;
io . ntcreatex . in . file_attr = FILE_ATTRIBUTE_DIRECTORY ;
io . ntcreatex . in . share_access =
NTCREATEX_SHARE_ACCESS_READ |
NTCREATEX_SHARE_ACCESS_WRITE ;
io . ntcreatex . in . alloc_size = 0 ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_OPEN_IF ;
io . ntcreatex . in . impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS ;
io . ntcreatex . in . security_flags = 0 ;
io . ntcreatex . in . fname = fname ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
fnum = io . ntcreatex . out . file . fnum ;
2004-12-02 04:38:41 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " get the original sd \n " ) ;
2004-12-02 04:38:41 +00:00
q . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
q . query_secdesc . in . file . fnum = fnum ;
2006-03-10 20:49:20 +00:00
q . query_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
sd_orig = q . query_secdesc . out . sd ;
2007-08-29 00:56:13 +00:00
owner_sid = dom_sid_string ( tctx , sd_orig - > owner_sid ) ;
2004-12-02 04:38:41 +00:00
2009-10-16 18:23:42 +11:00
status = torture_check_privilege ( cli ,
2006-04-13 09:00:38 +00:00
owner_sid ,
sec_privilege_name ( SEC_PRIV_RESTORE ) ) ;
has_restore_privilege = NT_STATUS_IS_OK ( status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2009-07-02 14:08:41 -07:00
torture_warning ( tctx , " torture_check_privilege - %s \n " ,
nt_errstr ( status ) ) ;
2006-04-13 09:00:38 +00:00
}
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " SEC_PRIV_RESTORE - %s \n " , has_restore_privilege ? " Yes " : " No " ) ;
2006-04-13 09:00:38 +00:00
2009-10-16 18:23:42 +11:00
status = torture_check_privilege ( cli ,
2006-04-13 09:00:38 +00:00
owner_sid ,
sec_privilege_name ( SEC_PRIV_TAKE_OWNERSHIP ) ) ;
has_take_ownership_privilege = NT_STATUS_IS_OK ( status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2009-07-02 14:08:41 -07:00
torture_warning ( tctx , " torture_check_privilege - %s \n " ,
nt_errstr ( status ) ) ;
2006-04-13 09:00:38 +00:00
}
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " SEC_PRIV_TAKE_OWNERSHIP - %s \n " , has_take_ownership_privilege ? " Yes " : " No " ) ;
2004-12-02 04:38:41 +00:00
2004-12-03 06:25:56 +00:00
for ( i = 0 ; i < ARRAY_SIZE ( dir_mappings ) ; i + + ) {
2004-12-06 07:13:50 +00:00
uint32_t expected_mask =
SEC_STD_WRITE_DAC |
SEC_STD_READ_CONTROL |
SEC_FILE_READ_ATTRIBUTE |
SEC_STD_DELETE ;
2006-04-13 09:00:38 +00:00
uint32_t expected_mask_anon = SEC_FILE_READ_ATTRIBUTE ;
if ( has_restore_privilege ) {
expected_mask_anon | = SEC_STD_DELETE ;
}
2004-12-02 04:38:41 +00:00
2010-04-11 01:39:06 +02:00
torture_comment ( tctx , " Testing generic bits 0x%08x \n " ,
2004-12-02 04:38:41 +00:00
file_mappings [ i ] . gen_bits ) ;
2007-11-02 12:54:19 +01:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , owner_sid , NULL ,
2004-12-02 04:38:41 +00:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
dir_mappings [ i ] . gen_bits ,
2004-12-29 06:53:15 +00:00
0 ,
2004-12-02 04:38:41 +00:00
NULL ) ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
set . set_secdesc . in . file . fnum = fnum ;
2006-04-13 09:00:38 +00:00
set . set_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
2004-12-02 04:38:41 +00:00
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2007-11-02 12:54:19 +01:00
sd2 = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , owner_sid , NULL ,
2004-12-02 04:38:41 +00:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
dir_mappings [ i ] . specific_bits ,
2004-12-29 06:53:15 +00:00
0 ,
2004-12-02 04:38:41 +00:00
NULL ) ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
CHECK_SECURITY_DESCRIPTOR ( q . query_secdesc . out . sd , sd2 ) ;
2004-12-02 04:38:41 +00:00
io . ntcreatex . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-02 04:38:41 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum ,
2004-12-06 07:13:50 +00:00
expected_mask | dir_mappings [ i ] . specific_bits ) ;
2006-03-12 22:48:25 +00:00
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2006-04-13 09:00:38 +00:00
if ( ! has_take_ownership_privilege ) {
continue ;
}
2010-04-11 01:39:06 +02:00
torture_comment ( tctx , " Testing generic bits 0x%08x (anonymous) \n " ,
2006-04-13 09:00:38 +00:00
file_mappings [ i ] . gen_bits ) ;
2007-11-02 12:54:19 +01:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , SID_NT_ANONYMOUS , NULL ,
2006-04-13 09:00:38 +00:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
file_mappings [ i ] . gen_bits ,
0 ,
NULL ) ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
set . set_secdesc . in . file . fnum = fnum ;
set . set_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2007-11-02 12:54:19 +01:00
sd2 = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , SID_NT_ANONYMOUS , NULL ,
2006-04-13 09:00:38 +00:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
file_mappings [ i ] . specific_bits ,
0 ,
NULL ) ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2006-04-13 09:00:38 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
CHECK_SECURITY_DESCRIPTOR ( q . query_secdesc . out . sd , sd2 ) ;
2006-04-13 09:00:38 +00:00
io . ntcreatex . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2006-04-13 09:00:38 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum ,
expected_mask_anon | dir_mappings [ i ] . specific_bits ) ;
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2004-12-02 04:38:41 +00:00
}
2004-12-06 07:13:50 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " put back original sd \n " ) ;
2004-12-02 04:38:41 +00:00
set . set_secdesc . in . sd = sd_orig ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
smbcli_close ( cli - > tree , fnum ) ;
smbcli_unlink ( cli - > tree , fname ) ;
done :
smbcli_close ( cli - > tree , fnum ) ;
2009-07-02 14:08:41 -07:00
smb_raw_exit ( cli - > session ) ;
smbcli_deltree ( cli - > tree , BASEDIR ) ;
2004-12-02 04:38:41 +00:00
return ret ;
}
2004-11-18 03:59:24 +00:00
2005-01-07 01:56:19 +00:00
/*
see what access bits the owner of a file always gets
2009-07-02 14:08:41 -07:00
Test copied to smb2 / acls . c for SMB2 .
2005-01-07 01:56:19 +00:00
*/
2007-08-29 00:56:13 +00:00
static bool test_owner_bits ( struct torture_context * tctx ,
struct smbcli_state * cli )
2005-01-07 01:56:19 +00:00
{
NTSTATUS status ;
union smb_open io ;
2008-11-04 01:34:08 -08:00
const char * fname = BASEDIR " \\ test_owner_bits.txt " ;
2007-10-06 22:28:14 +00:00
bool ret = true ;
2005-01-07 01:56:19 +00:00
int fnum = - 1 , i ;
union smb_fileinfo q ;
union smb_setfileinfo set ;
struct security_descriptor * sd , * sd_orig ;
const char * owner_sid ;
2007-10-06 22:28:14 +00:00
bool has_restore_privilege ;
bool has_take_ownership_privilege ;
2005-01-07 01:56:19 +00:00
uint32_t expected_bits ;
2009-07-02 14:08:41 -07:00
if ( ! torture_setup_dir ( cli , BASEDIR ) )
return false ;
torture_comment ( tctx , " TESTING FILE OWNER BITS \n " ) ;
2005-01-07 01:56:19 +00:00
io . generic . level = RAW_OPEN_NTCREATEX ;
2009-10-15 18:26:19 +11:00
io . ntcreatex . in . root_fid . fnum = 0 ;
2005-01-07 01:56:19 +00:00
io . ntcreatex . in . flags = 0 ;
io . ntcreatex . in . access_mask =
SEC_STD_READ_CONTROL |
SEC_STD_WRITE_DAC |
SEC_STD_WRITE_OWNER ;
io . ntcreatex . in . create_options = 0 ;
io . ntcreatex . in . file_attr = FILE_ATTRIBUTE_NORMAL ;
io . ntcreatex . in . share_access =
NTCREATEX_SHARE_ACCESS_READ |
NTCREATEX_SHARE_ACCESS_WRITE ;
io . ntcreatex . in . alloc_size = 0 ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_OPEN_IF ;
io . ntcreatex . in . impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS ;
io . ntcreatex . in . security_flags = 0 ;
io . ntcreatex . in . fname = fname ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2005-01-07 01:56:19 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
fnum = io . ntcreatex . out . file . fnum ;
2005-01-07 01:56:19 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " get the original sd \n " ) ;
2005-01-07 01:56:19 +00:00
q . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
q . query_secdesc . in . file . fnum = fnum ;
2006-03-10 20:49:20 +00:00
q . query_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2005-01-07 01:56:19 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
sd_orig = q . query_secdesc . out . sd ;
2007-08-29 00:56:13 +00:00
owner_sid = dom_sid_string ( tctx , sd_orig - > owner_sid ) ;
2005-01-07 01:56:19 +00:00
2009-10-16 18:23:42 +11:00
status = torture_check_privilege ( cli ,
2005-01-07 01:56:19 +00:00
owner_sid ,
sec_privilege_name ( SEC_PRIV_RESTORE ) ) ;
has_restore_privilege = NT_STATUS_IS_OK ( status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2009-07-02 14:08:41 -07:00
torture_warning ( tctx , " torture_check_privilege - %s \n " , nt_errstr ( status ) ) ;
2005-01-07 01:56:19 +00:00
}
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " SEC_PRIV_RESTORE - %s \n " , has_restore_privilege ? " Yes " : " No " ) ;
2005-01-07 01:56:19 +00:00
2009-10-16 18:23:42 +11:00
status = torture_check_privilege ( cli ,
2005-01-07 01:56:19 +00:00
owner_sid ,
sec_privilege_name ( SEC_PRIV_TAKE_OWNERSHIP ) ) ;
has_take_ownership_privilege = NT_STATUS_IS_OK ( status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2009-07-02 14:08:41 -07:00
torture_warning ( tctx , " torture_check_privilege - %s \n " , nt_errstr ( status ) ) ;
2005-01-07 01:56:19 +00:00
}
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " SEC_PRIV_TAKE_OWNERSHIP - %s \n " , has_take_ownership_privilege ? " Yes " : " No " ) ;
2005-01-07 01:56:19 +00:00
2007-11-02 12:54:19 +01:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , NULL , NULL ,
2005-01-07 01:56:19 +00:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_FILE_WRITE_DATA ,
0 ,
NULL ) ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
set . set_secdesc . in . file . fnum = fnum ;
2005-01-07 01:56:19 +00:00
set . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
expected_bits = SEC_FILE_WRITE_DATA | SEC_FILE_READ_ATTRIBUTE ;
for ( i = 0 ; i < 16 ; i + + ) {
2005-02-10 05:09:35 +00:00
uint32_t bit = ( 1 < < i ) ;
2005-01-07 01:56:19 +00:00
io . ntcreatex . in . access_mask = bit ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2005-01-07 01:56:19 +00:00
if ( expected_bits & bit ) {
2005-01-07 02:13:07 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2009-07-02 14:08:41 -07:00
torture_warning ( tctx , " failed with access mask 0x%08x of expected 0x%08x \n " ,
2005-01-07 02:13:07 +00:00
bit , expected_bits ) ;
}
2005-01-07 01:56:19 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
CHECK_ACCESS_FLAGS ( io . ntcreatex . out . file . fnum , bit | SEC_FILE_READ_ATTRIBUTE ) ;
smbcli_close ( cli - > tree , io . ntcreatex . out . file . fnum ) ;
2005-01-07 01:56:19 +00:00
} else {
2008-11-03 23:54:05 -08:00
if ( NT_STATUS_IS_OK ( status ) ) {
2009-07-02 14:08:41 -07:00
torture_warning ( tctx , " open succeeded with access mask 0x%08x of "
2008-11-03 23:54:05 -08:00
" expected 0x%08x - should fail \n " ,
bit , expected_bits ) ;
}
2005-01-07 01:56:19 +00:00
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
}
}
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " put back original sd \n " ) ;
2005-01-07 01:56:19 +00:00
set . set_secdesc . in . sd = sd_orig ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
done :
smbcli_close ( cli - > tree , fnum ) ;
smbcli_unlink ( cli - > tree , fname ) ;
2009-07-02 14:08:41 -07:00
smb_raw_exit ( cli - > session ) ;
smbcli_deltree ( cli - > tree , BASEDIR ) ;
2005-01-07 01:56:19 +00:00
return ret ;
}
2004-12-29 06:53:15 +00:00
/*
test the inheritance of ACL flags onto new files and directories
2009-07-02 14:08:41 -07:00
Test copied to smb2 / acls . c for SMB2 .
2004-12-29 06:53:15 +00:00
*/
2007-08-29 00:56:13 +00:00
static bool test_inheritance ( struct torture_context * tctx ,
struct smbcli_state * cli )
2004-12-29 06:53:15 +00:00
{
NTSTATUS status ;
union smb_open io ;
const char * dname = BASEDIR " \\ inheritance " ;
const char * fname1 = BASEDIR " \\ inheritance \\ testfile " ;
const char * fname2 = BASEDIR " \\ inheritance \\ testdir " ;
2007-10-06 22:28:14 +00:00
bool ret = true ;
2006-09-09 10:05:58 +00:00
int fnum = 0 , fnum2 , i ;
2004-12-29 06:53:15 +00:00
union smb_fileinfo q ;
union smb_setfileinfo set ;
2009-07-02 14:08:41 -07:00
struct security_descriptor * sd , * sd2 , * sd_orig = NULL , * sd_def1 , * sd_def2 ;
2009-10-17 12:50:51 +11:00
const char * owner_sid , * group_sid ;
2005-01-01 03:46:55 +00:00
const struct dom_sid * creator_owner ;
2004-12-29 06:53:15 +00:00
const struct {
uint32_t parent_flags ;
uint32_t file_flags ;
uint32_t dir_flags ;
} test_flags [ ] = {
{
0 ,
0 ,
0
} ,
{
SEC_ACE_FLAG_OBJECT_INHERIT ,
0 ,
SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_INHERIT_ONLY ,
} ,
{
SEC_ACE_FLAG_CONTAINER_INHERIT ,
0 ,
SEC_ACE_FLAG_CONTAINER_INHERIT ,
} ,
{
SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT ,
0 ,
SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT ,
} ,
{
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT ,
0 ,
0 ,
} ,
{
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
SEC_ACE_FLAG_OBJECT_INHERIT ,
0 ,
0 ,
} ,
{
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT ,
0 ,
0 ,
} ,
{
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT |
SEC_ACE_FLAG_OBJECT_INHERIT ,
0 ,
0 ,
} ,
{
SEC_ACE_FLAG_INHERIT_ONLY ,
0 ,
0 ,
} ,
{
SEC_ACE_FLAG_INHERIT_ONLY |
SEC_ACE_FLAG_OBJECT_INHERIT ,
0 ,
SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_INHERIT_ONLY ,
} ,
{
SEC_ACE_FLAG_INHERIT_ONLY |
SEC_ACE_FLAG_CONTAINER_INHERIT ,
0 ,
SEC_ACE_FLAG_CONTAINER_INHERIT ,
} ,
{
SEC_ACE_FLAG_INHERIT_ONLY |
SEC_ACE_FLAG_CONTAINER_INHERIT |
SEC_ACE_FLAG_OBJECT_INHERIT ,
0 ,
SEC_ACE_FLAG_CONTAINER_INHERIT |
SEC_ACE_FLAG_OBJECT_INHERIT ,
} ,
{
SEC_ACE_FLAG_INHERIT_ONLY |
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT ,
0 ,
0 ,
} ,
{
SEC_ACE_FLAG_INHERIT_ONLY |
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
SEC_ACE_FLAG_OBJECT_INHERIT ,
0 ,
0 ,
} ,
{
SEC_ACE_FLAG_INHERIT_ONLY |
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT ,
0 ,
0 ,
} ,
{
SEC_ACE_FLAG_INHERIT_ONLY |
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT |
SEC_ACE_FLAG_OBJECT_INHERIT ,
0 ,
0 ,
}
} ;
2009-07-02 14:08:41 -07:00
if ( ! torture_setup_dir ( cli , BASEDIR ) )
return false ;
2005-01-07 06:59:53 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " TESTING ACL INHERITANCE \n " ) ;
2004-12-29 06:53:15 +00:00
io . generic . level = RAW_OPEN_NTCREATEX ;
2009-10-15 18:26:19 +11:00
io . ntcreatex . in . root_fid . fnum = 0 ;
2004-12-29 06:53:15 +00:00
io . ntcreatex . in . flags = 0 ;
io . ntcreatex . in . access_mask = SEC_RIGHTS_FILE_ALL ;
io . ntcreatex . in . create_options = NTCREATEX_OPTIONS_DIRECTORY ;
io . ntcreatex . in . file_attr = FILE_ATTRIBUTE_DIRECTORY ;
io . ntcreatex . in . share_access = 0 ;
io . ntcreatex . in . alloc_size = 0 ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_CREATE ;
io . ntcreatex . in . impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS ;
io . ntcreatex . in . security_flags = 0 ;
io . ntcreatex . in . fname = dname ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-29 06:53:15 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
fnum = io . ntcreatex . out . file . fnum ;
2004-12-29 06:53:15 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " get the original sd \n " ) ;
2004-12-29 06:53:15 +00:00
q . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
q . query_secdesc . in . file . fnum = fnum ;
2009-10-17 12:50:51 +11:00
q . query_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER | SECINFO_GROUP ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-29 06:53:15 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
sd_orig = q . query_secdesc . out . sd ;
2007-08-29 00:56:13 +00:00
owner_sid = dom_sid_string ( tctx , sd_orig - > owner_sid ) ;
2009-10-17 12:50:51 +11:00
group_sid = dom_sid_string ( tctx , sd_orig - > group_sid ) ;
2004-12-29 06:53:15 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " owner_sid is %s \n " , owner_sid ) ;
torture_comment ( tctx , " group_sid is %s \n " , group_sid ) ;
2005-01-01 03:46:55 +00:00
2009-10-17 12:50:51 +11:00
q . query_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
if ( torture_setting_bool ( tctx , " samba4 " , false ) ) {
/* the default ACL in Samba4 includes the group and
other permissions */
2009-07-02 14:08:41 -07:00
sd_def1 = security_descriptor_dacl_create ( tctx ,
2009-10-17 12:50:51 +11:00
0 , owner_sid , NULL ,
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_RIGHTS_FILE_ALL ,
0 ,
group_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE ,
0 ,
SID_WORLD ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE ,
0 ,
SID_NT_SYSTEM ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_RIGHTS_FILE_ALL ,
0 ,
NULL ) ;
} else {
2009-07-02 14:08:41 -07:00
/*
* The Windows Default ACL for a new file , when there is no ACL to be
* inherited : FullControl for the owner and SYSTEM .
*/
sd_def1 = security_descriptor_dacl_create ( tctx ,
2009-10-17 12:50:51 +11:00
0 , owner_sid , NULL ,
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_RIGHTS_FILE_ALL ,
0 ,
SID_NT_SYSTEM ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_RIGHTS_FILE_ALL ,
0 ,
NULL ) ;
}
2004-12-29 07:28:03 +00:00
2009-07-02 14:08:41 -07:00
/*
* Use this in the case the system being tested does not add an ACE for
* the SYSTEM SID .
*/
sd_def2 = security_descriptor_dacl_create ( tctx ,
0 , owner_sid , NULL ,
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_RIGHTS_FILE_ALL ,
0 ,
NULL ) ;
2007-08-29 00:56:13 +00:00
creator_owner = dom_sid_parse_talloc ( tctx , SID_CREATOR_OWNER ) ;
2005-01-01 03:46:55 +00:00
2004-12-29 06:53:15 +00:00
for ( i = 0 ; i < ARRAY_SIZE ( test_flags ) ; i + + ) {
2007-11-02 12:54:19 +01:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , NULL , NULL ,
2005-01-01 03:46:55 +00:00
SID_CREATOR_OWNER ,
2004-12-29 06:53:15 +00:00
SEC_ACE_TYPE_ACCESS_ALLOWED ,
2004-12-29 07:28:03 +00:00
SEC_FILE_WRITE_DATA ,
2004-12-29 06:53:15 +00:00
test_flags [ i ] . parent_flags ,
SID_WORLD ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_FILE_ALL | SEC_STD_ALL ,
0 ,
NULL ) ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
set . set_secdesc . in . file . fnum = fnum ;
2004-12-29 06:53:15 +00:00
set . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
io . ntcreatex . in . fname = fname1 ;
io . ntcreatex . in . create_options = 0 ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-29 06:53:15 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
fnum2 = io . ntcreatex . out . file . fnum ;
2004-12-29 06:53:15 +00:00
2006-03-12 22:48:25 +00:00
q . query_secdesc . in . file . fnum = fnum2 ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-29 06:53:15 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
smbcli_close ( cli - > tree , fnum2 ) ;
smbcli_unlink ( cli - > tree , fname1 ) ;
2004-12-29 07:28:03 +00:00
if ( ! ( test_flags [ i ] . parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT ) ) {
2009-07-02 14:08:41 -07:00
if ( ! security_descriptor_equal ( q . query_secdesc . out . sd , sd_def1 ) & &
! security_descriptor_equal ( q . query_secdesc . out . sd , sd_def2 ) ) {
torture_warning ( tctx , " Expected default sd "
" for i=%d: \n " , i ) ;
NDR_PRINT_DEBUG ( security_descriptor , sd_def1 ) ;
torture_warning ( tctx , " at %d - got: \n " , i ) ;
2004-12-29 07:28:03 +00:00
NDR_PRINT_DEBUG ( security_descriptor , q . query_secdesc . out . sd ) ;
}
goto check_dir ;
}
2004-12-29 06:53:15 +00:00
if ( q . query_secdesc . out . sd - > dacl = = NULL | |
2004-12-30 02:22:03 +00:00
q . query_secdesc . out . sd - > dacl - > num_aces ! = 1 | |
2004-12-29 07:28:03 +00:00
q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . access_mask ! = SEC_FILE_WRITE_DATA | |
2004-12-29 06:53:15 +00:00
! dom_sid_equal ( & q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . trustee ,
sd_orig - > owner_sid ) ) {
2007-10-06 22:28:14 +00:00
ret = false ;
2009-07-02 14:08:41 -07:00
torture_warning ( tctx , " Bad sd in child file at %d \n " , i ) ;
NDR_PRINT_DEBUG ( security_descriptor , q . query_secdesc . out . sd ) ;
2004-12-29 07:28:03 +00:00
goto check_dir ;
2004-12-29 06:53:15 +00:00
}
if ( q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . flags ! =
test_flags [ i ] . file_flags ) {
2009-07-02 14:08:41 -07:00
torture_warning ( tctx , " incorrect file_flags 0x%x - expected 0x%x for parent 0x%x with (i=%d) \n " ,
2004-12-29 06:53:15 +00:00
q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . flags ,
test_flags [ i ] . file_flags ,
test_flags [ i ] . parent_flags ,
i ) ;
2007-10-06 22:28:14 +00:00
ret = false ;
2004-12-29 06:53:15 +00:00
}
2004-12-29 07:28:03 +00:00
check_dir :
2004-12-29 06:53:15 +00:00
io . ntcreatex . in . fname = fname2 ;
io . ntcreatex . in . create_options = NTCREATEX_OPTIONS_DIRECTORY ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2004-12-29 06:53:15 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
fnum2 = io . ntcreatex . out . file . fnum ;
2004-12-29 06:53:15 +00:00
2006-03-12 22:48:25 +00:00
q . query_secdesc . in . file . fnum = fnum2 ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2004-12-29 06:53:15 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
smbcli_close ( cli - > tree , fnum2 ) ;
smbcli_rmdir ( cli - > tree , fname2 ) ;
2004-12-29 07:28:03 +00:00
if ( ! ( test_flags [ i ] . parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT ) & &
( ! ( test_flags [ i ] . parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT ) | |
( test_flags [ i ] . parent_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT ) ) ) {
2009-07-02 14:08:41 -07:00
if ( ! security_descriptor_equal ( q . query_secdesc . out . sd , sd_def1 ) & &
! security_descriptor_equal ( q . query_secdesc . out . sd , sd_def2 ) ) {
torture_warning ( tctx , " Expected default sd for dir at %d: \n " , i ) ;
NDR_PRINT_DEBUG ( security_descriptor , sd_def1 ) ;
torture_warning ( tctx , " got: \n " ) ;
2004-12-29 07:28:03 +00:00
NDR_PRINT_DEBUG ( security_descriptor , q . query_secdesc . out . sd ) ;
}
continue ;
}
2005-01-01 03:46:55 +00:00
if ( ( test_flags [ i ] . parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT ) & &
( test_flags [ i ] . parent_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT ) ) {
if ( q . query_secdesc . out . sd - > dacl = = NULL | |
q . query_secdesc . out . sd - > dacl - > num_aces ! = 1 | |
q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . access_mask ! = SEC_FILE_WRITE_DATA | |
! dom_sid_equal ( & q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . trustee ,
sd_orig - > owner_sid ) | |
q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . flags ! = test_flags [ i ] . dir_flags ) {
2009-07-02 14:08:41 -07:00
torture_warning ( tctx , " (CI & NP) Bad sd in child dir - expected 0x%x for parent 0x%x (i=%d) \n " ,
test_flags [ i ] . dir_flags ,
test_flags [ i ] . parent_flags , i ) ;
2005-01-01 03:46:55 +00:00
NDR_PRINT_DEBUG ( security_descriptor , q . query_secdesc . out . sd ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " FYI, here is the parent sd: \n " ) ;
NDR_PRINT_DEBUG ( security_descriptor , sd ) ;
2007-10-06 22:28:14 +00:00
ret = false ;
2005-01-01 03:46:55 +00:00
continue ;
}
} else if ( test_flags [ i ] . parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT ) {
if ( q . query_secdesc . out . sd - > dacl = = NULL | |
q . query_secdesc . out . sd - > dacl - > num_aces ! = 2 | |
q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . access_mask ! = SEC_FILE_WRITE_DATA | |
! dom_sid_equal ( & q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . trustee ,
sd_orig - > owner_sid ) | |
q . query_secdesc . out . sd - > dacl - > aces [ 1 ] . access_mask ! = SEC_FILE_WRITE_DATA | |
! dom_sid_equal ( & q . query_secdesc . out . sd - > dacl - > aces [ 1 ] . trustee ,
creator_owner ) | |
q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . flags ! = 0 | |
q . query_secdesc . out . sd - > dacl - > aces [ 1 ] . flags ! =
( test_flags [ i ] . dir_flags | SEC_ACE_FLAG_INHERIT_ONLY ) ) {
2009-07-02 14:08:41 -07:00
torture_warning ( tctx , " (CI) Bad sd in child dir - expected 0x%x for parent 0x%x (i=%d) \n " ,
test_flags [ i ] . dir_flags ,
test_flags [ i ] . parent_flags , i ) ;
2005-01-01 03:46:55 +00:00
NDR_PRINT_DEBUG ( security_descriptor , q . query_secdesc . out . sd ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " FYI, here is the parent sd: \n " ) ;
NDR_PRINT_DEBUG ( security_descriptor , sd ) ;
2007-10-06 22:28:14 +00:00
ret = false ;
2005-01-01 03:46:55 +00:00
continue ;
}
} else {
if ( q . query_secdesc . out . sd - > dacl = = NULL | |
q . query_secdesc . out . sd - > dacl - > num_aces ! = 1 | |
q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . access_mask ! = SEC_FILE_WRITE_DATA | |
! dom_sid_equal ( & q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . trustee ,
creator_owner ) | |
q . query_secdesc . out . sd - > dacl - > aces [ 0 ] . flags ! = test_flags [ i ] . dir_flags ) {
2009-07-02 14:08:41 -07:00
torture_warning ( tctx , " (0) Bad sd in child dir - expected 0x%x for parent 0x%x (i=%d) \n " ,
test_flags [ i ] . dir_flags ,
test_flags [ i ] . parent_flags , i ) ;
2005-01-01 03:46:55 +00:00
NDR_PRINT_DEBUG ( security_descriptor , q . query_secdesc . out . sd ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " FYI, here is the parent sd: \n " ) ;
NDR_PRINT_DEBUG ( security_descriptor , sd ) ;
2007-10-06 22:28:14 +00:00
ret = false ;
2005-01-01 03:46:55 +00:00
continue ;
}
2004-12-29 06:53:15 +00:00
}
}
2010-04-11 01:39:06 +02:00
torture_comment ( tctx , " Testing access checks on inherited create with %s \n " , fname1 ) ;
2007-11-02 12:54:19 +01:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , NULL , NULL ,
2005-01-07 01:56:19 +00:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC ,
SEC_ACE_FLAG_OBJECT_INHERIT ,
SID_WORLD ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_FILE_ALL | SEC_STD_ALL ,
0 ,
NULL ) ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
set . set_secdesc . in . file . fnum = fnum ;
2005-01-07 01:56:19 +00:00
set . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
/* Check DACL we just set. */
torture_comment ( tctx , " checking new sd \n " ) ;
q . query_secdesc . in . file . fnum = fnum ;
q . query_secdesc . in . secinfo_flags = SECINFO_DACL ;
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
CHECK_SECURITY_DESCRIPTOR ( q . query_secdesc . out . sd , sd ) ;
2005-01-07 01:56:19 +00:00
io . ntcreatex . in . fname = fname1 ;
io . ntcreatex . in . create_options = 0 ;
io . ntcreatex . in . access_mask = SEC_RIGHTS_FILE_ALL ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_CREATE ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2005-01-07 01:56:19 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
fnum2 = io . ntcreatex . out . file . fnum ;
2005-01-07 01:56:19 +00:00
CHECK_ACCESS_FLAGS ( fnum2 , SEC_RIGHTS_FILE_ALL ) ;
2006-03-12 22:48:25 +00:00
q . query_secdesc . in . file . fnum = fnum2 ;
2006-03-10 20:49:20 +00:00
q . query_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2005-01-07 01:56:19 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
smbcli_close ( cli - > tree , fnum2 ) ;
2007-11-02 12:54:19 +01:00
sd2 = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , owner_sid , NULL ,
2006-04-13 09:00:38 +00:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC ,
0 ,
NULL ) ;
2009-07-02 14:08:41 -07:00
CHECK_SECURITY_DESCRIPTOR ( q . query_secdesc . out . sd , sd2 ) ;
2006-04-13 09:00:38 +00:00
2005-01-09 04:31:32 +00:00
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_OPEN ;
io . ntcreatex . in . access_mask = SEC_RIGHTS_FILE_ALL ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2005-01-09 04:31:32 +00:00
if ( NT_STATUS_IS_OK ( status ) ) {
2009-07-02 14:08:41 -07:00
torture_warning ( tctx , " failed: w2k3 ACL bug (allowed open when ACL should deny) \n " ) ;
2007-10-06 22:28:14 +00:00
ret = false ;
2006-03-12 22:48:25 +00:00
fnum2 = io . ntcreatex . out . file . fnum ;
2006-04-13 09:00:38 +00:00
CHECK_ACCESS_FLAGS ( fnum2 , SEC_RIGHTS_FILE_ALL ) ;
2005-01-09 04:31:32 +00:00
smbcli_close ( cli - > tree , fnum2 ) ;
} else {
2009-12-04 16:07:35 -08:00
if ( TARGET_IS_WIN7 ( tctx ) ) {
CHECK_STATUS ( status , NT_STATUS_OBJECT_NAME_NOT_FOUND ) ;
} else {
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
}
2005-01-09 04:31:32 +00:00
}
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " trying without execute \n " ) ;
2005-01-09 04:31:32 +00:00
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_OPEN ;
io . ntcreatex . in . access_mask = SEC_RIGHTS_FILE_ALL & ~ SEC_FILE_EXECUTE ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2009-12-04 16:07:35 -08:00
if ( TARGET_IS_WIN7 ( tctx ) ) {
CHECK_STATUS ( status , NT_STATUS_OBJECT_NAME_NOT_FOUND ) ;
} else {
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
}
2005-01-09 04:31:32 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " and with full permissions again \n " ) ;
2005-01-07 01:56:19 +00:00
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_OPEN ;
io . ntcreatex . in . access_mask = SEC_RIGHTS_FILE_ALL ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2009-12-04 16:07:35 -08:00
if ( TARGET_IS_WIN7 ( tctx ) ) {
CHECK_STATUS ( status , NT_STATUS_OBJECT_NAME_NOT_FOUND ) ;
} else {
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
}
2005-01-07 01:56:19 +00:00
io . ntcreatex . in . access_mask = SEC_FILE_WRITE_DATA ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2005-01-07 01:56:19 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
fnum2 = io . ntcreatex . out . file . fnum ;
2005-01-07 01:56:19 +00:00
CHECK_ACCESS_FLAGS ( fnum2 , SEC_FILE_WRITE_DATA | SEC_FILE_READ_ATTRIBUTE ) ;
smbcli_close ( cli - > tree , fnum2 ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " put back original sd \n " ) ;
2004-12-29 06:53:15 +00:00
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
set . set_secdesc . in . file . fnum = fnum ;
2004-12-29 06:53:15 +00:00
set . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
set . set_secdesc . in . sd = sd_orig ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
smbcli_close ( cli - > tree , fnum ) ;
2005-01-07 01:56:19 +00:00
io . ntcreatex . in . access_mask = SEC_RIGHTS_FILE_ALL ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2009-12-04 16:07:35 -08:00
if ( TARGET_IS_WIN7 ( tctx ) ) {
CHECK_STATUS ( status , NT_STATUS_OBJECT_NAME_NOT_FOUND ) ;
} else {
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
}
2005-01-07 01:56:19 +00:00
io . ntcreatex . in . access_mask = SEC_FILE_WRITE_DATA ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2005-01-07 01:56:19 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
fnum2 = io . ntcreatex . out . file . fnum ;
2005-01-07 01:56:19 +00:00
CHECK_ACCESS_FLAGS ( fnum2 , SEC_FILE_WRITE_DATA | SEC_FILE_READ_ATTRIBUTE ) ;
smbcli_close ( cli - > tree , fnum2 ) ;
2004-12-29 06:53:15 +00:00
done :
2009-07-02 14:08:41 -07:00
if ( sd_orig ! = NULL ) {
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
set . set_secdesc . in . file . fnum = fnum ;
set . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
set . set_secdesc . in . sd = sd_orig ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
}
2005-01-07 06:59:53 +00:00
2004-12-29 06:53:15 +00:00
smbcli_close ( cli - > tree , fnum ) ;
2009-12-04 16:07:35 -08:00
smbcli_unlink ( cli - > tree , fname1 ) ;
smbcli_rmdir ( cli - > tree , dname ) ;
2009-07-02 14:08:41 -07:00
smb_raw_exit ( cli - > session ) ;
smbcli_deltree ( cli - > tree , BASEDIR ) ;
2013-04-18 14:12:34 +02:00
if ( ! ret ) {
torture_result ( tctx ,
TORTURE_FAIL , " (%s) test_inheritance \n " ,
__location__ ) ;
}
2004-12-29 06:53:15 +00:00
return ret ;
}
2009-07-02 14:08:41 -07:00
static bool test_inheritance_flags ( struct torture_context * tctx ,
struct smbcli_state * cli )
{
NTSTATUS status ;
union smb_open io ;
const char * dname = BASEDIR " \\ inheritance " ;
const char * fname1 = BASEDIR " \\ inheritance \\ testfile " ;
bool ret = true ;
int fnum = 0 , fnum2 , i , j ;
union smb_fileinfo q ;
union smb_setfileinfo set ;
struct security_descriptor * sd , * sd2 , * sd_orig = NULL ;
const char * owner_sid ;
struct {
uint32_t parent_set_sd_type ; /* 3 options */
uint32_t parent_set_ace_inherit ; /* 1 option */
uint32_t parent_get_sd_type ;
uint32_t parent_get_ace_inherit ;
uint32_t child_get_sd_type ;
uint32_t child_get_ace_inherit ;
2012-08-29 15:18:19 -07:00
} tflags [ 16 ] = { { 0 } } ; /* 2^4 */
2009-07-02 14:08:41 -07:00
for ( i = 0 ; i < 15 ; i + + ) {
torture_comment ( tctx , " i=%d: " , i ) ;
ZERO_STRUCT ( tflags [ i ] ) ;
if ( i & 1 ) {
tflags [ i ] . parent_set_sd_type | =
SEC_DESC_DACL_AUTO_INHERITED ;
torture_comment ( tctx , " AUTO_INHERITED, " ) ;
}
if ( i & 2 ) {
tflags [ i ] . parent_set_sd_type | =
SEC_DESC_DACL_AUTO_INHERIT_REQ ;
torture_comment ( tctx , " AUTO_INHERIT_REQ, " ) ;
}
if ( i & 4 ) {
tflags [ i ] . parent_set_sd_type | =
SEC_DESC_DACL_PROTECTED ;
tflags [ i ] . parent_get_sd_type | =
SEC_DESC_DACL_PROTECTED ;
torture_comment ( tctx , " PROTECTED, " ) ;
}
if ( i & 8 ) {
tflags [ i ] . parent_set_ace_inherit | =
SEC_ACE_FLAG_INHERITED_ACE ;
tflags [ i ] . parent_get_ace_inherit | =
SEC_ACE_FLAG_INHERITED_ACE ;
torture_comment ( tctx , " INHERITED, " ) ;
}
if ( ( tflags [ i ] . parent_set_sd_type &
( SEC_DESC_DACL_AUTO_INHERITED | SEC_DESC_DACL_AUTO_INHERIT_REQ ) ) = =
( SEC_DESC_DACL_AUTO_INHERITED | SEC_DESC_DACL_AUTO_INHERIT_REQ ) ) {
tflags [ i ] . parent_get_sd_type | =
SEC_DESC_DACL_AUTO_INHERITED ;
tflags [ i ] . child_get_sd_type | =
SEC_DESC_DACL_AUTO_INHERITED ;
tflags [ i ] . child_get_ace_inherit | =
SEC_ACE_FLAG_INHERITED_ACE ;
torture_comment ( tctx , " ... parent is AUTO INHERITED " ) ;
}
if ( tflags [ i ] . parent_set_ace_inherit &
SEC_ACE_FLAG_INHERITED_ACE ) {
tflags [ i ] . parent_get_ace_inherit =
SEC_ACE_FLAG_INHERITED_ACE ;
torture_comment ( tctx , " ... parent ACE is INHERITED " ) ;
}
torture_comment ( tctx , " \n " ) ;
}
if ( ! torture_setup_dir ( cli , BASEDIR ) )
return false ;
torture_comment ( tctx , " TESTING ACL INHERITANCE FLAGS \n " ) ;
2012-08-29 15:18:19 -07:00
ZERO_STRUCT ( io ) ;
2009-07-02 14:08:41 -07:00
io . generic . level = RAW_OPEN_NTCREATEX ;
io . ntcreatex . in . root_fid . fnum = 0 ;
io . ntcreatex . in . flags = 0 ;
io . ntcreatex . in . access_mask = SEC_RIGHTS_FILE_ALL ;
io . ntcreatex . in . create_options = NTCREATEX_OPTIONS_DIRECTORY ;
io . ntcreatex . in . file_attr = FILE_ATTRIBUTE_DIRECTORY ;
io . ntcreatex . in . share_access = NTCREATEX_SHARE_ACCESS_MASK ;
io . ntcreatex . in . alloc_size = 0 ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_CREATE ;
io . ntcreatex . in . impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS ;
io . ntcreatex . in . security_flags = 0 ;
io . ntcreatex . in . fname = dname ;
torture_comment ( tctx , " creating initial directory %s \n " , dname ) ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
fnum = io . ntcreatex . out . file . fnum ;
torture_comment ( tctx , " getting original sd \n " ) ;
q . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
q . query_secdesc . in . file . fnum = fnum ;
q . query_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
sd_orig = q . query_secdesc . out . sd ;
owner_sid = dom_sid_string ( tctx , sd_orig - > owner_sid ) ;
torture_comment ( tctx , " owner_sid is %s \n " , owner_sid ) ;
for ( i = 0 ; i < ARRAY_SIZE ( tflags ) ; i + + ) {
torture_comment ( tctx , " setting a new sd on directory, pass #%d \n " , i ) ;
sd = security_descriptor_dacl_create ( tctx ,
tflags [ i ] . parent_set_sd_type ,
NULL , NULL ,
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC ,
SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT |
tflags [ i ] . parent_set_ace_inherit ,
SID_WORLD ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_FILE_ALL | SEC_STD_ALL ,
0 ,
NULL ) ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
set . set_secdesc . in . file . fnum = fnum ;
set . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
/*
* Check DACL we just set , except change the bits to what they
* should be .
*/
torture_comment ( tctx , " checking new sd \n " ) ;
/* REQ bit should always be false. */
sd - > type & = ~ SEC_DESC_DACL_AUTO_INHERIT_REQ ;
if ( ( tflags [ i ] . parent_get_sd_type & SEC_DESC_DACL_AUTO_INHERITED ) = = 0 )
sd - > type & = ~ SEC_DESC_DACL_AUTO_INHERITED ;
q . query_secdesc . in . file . fnum = fnum ;
q . query_secdesc . in . secinfo_flags = SECINFO_DACL ;
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
CHECK_SECURITY_DESCRIPTOR ( q . query_secdesc . out . sd , sd ) ;
/* Create file. */
torture_comment ( tctx , " creating file %s \n " , fname1 ) ;
io . ntcreatex . in . fname = fname1 ;
io . ntcreatex . in . create_options = 0 ;
io . ntcreatex . in . file_attr = FILE_ATTRIBUTE_NORMAL ;
io . ntcreatex . in . access_mask = SEC_RIGHTS_FILE_ALL ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_CREATE ;
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
fnum2 = io . ntcreatex . out . file . fnum ;
CHECK_ACCESS_FLAGS ( fnum2 , SEC_RIGHTS_FILE_ALL ) ;
q . query_secdesc . in . file . fnum = fnum2 ;
q . query_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
torture_comment ( tctx , " checking sd on file %s \n " , fname1 ) ;
sd2 = security_descriptor_dacl_create ( tctx ,
tflags [ i ] . child_get_sd_type ,
owner_sid , NULL ,
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC ,
tflags [ i ] . child_get_ace_inherit ,
NULL ) ;
CHECK_SECURITY_DESCRIPTOR ( q . query_secdesc . out . sd , sd2 ) ;
/*
* Set new sd on file . . . prove that the bits have nothing to
* do with the parents bits when manually setting an ACL . The
* _AUTO_INHERITED bit comes directly from the ACL set .
*/
for ( j = 0 ; j < ARRAY_SIZE ( tflags ) ; j + + ) {
torture_comment ( tctx , " setting new file sd, pass #%d \n " , j ) ;
/* Change sd type. */
sd2 - > type & = ~ ( SEC_DESC_DACL_AUTO_INHERITED |
SEC_DESC_DACL_AUTO_INHERIT_REQ |
SEC_DESC_DACL_PROTECTED ) ;
sd2 - > type | = tflags [ j ] . parent_set_sd_type ;
sd2 - > dacl - > aces [ 0 ] . flags & =
~ SEC_ACE_FLAG_INHERITED_ACE ;
sd2 - > dacl - > aces [ 0 ] . flags | =
tflags [ j ] . parent_set_ace_inherit ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
set . set_secdesc . in . file . fnum = fnum2 ;
set . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
set . set_secdesc . in . sd = sd2 ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
/* Check DACL we just set. */
sd2 - > type & = ~ SEC_DESC_DACL_AUTO_INHERIT_REQ ;
if ( ( tflags [ j ] . parent_get_sd_type & SEC_DESC_DACL_AUTO_INHERITED ) = = 0 )
sd2 - > type & = ~ SEC_DESC_DACL_AUTO_INHERITED ;
q . query_secdesc . in . file . fnum = fnum2 ;
q . query_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
CHECK_SECURITY_DESCRIPTOR ( q . query_secdesc . out . sd , sd2 ) ;
}
smbcli_close ( cli - > tree , fnum2 ) ;
smbcli_unlink ( cli - > tree , fname1 ) ;
}
done :
smbcli_close ( cli - > tree , fnum ) ;
smb_raw_exit ( cli - > session ) ;
smbcli_deltree ( cli - > tree , BASEDIR ) ;
2012-08-29 15:18:19 -07:00
if ( ! ret ) {
torture_result ( tctx ,
TORTURE_FAIL , " (%s) test_inheritance_flags \n " ,
__location__ ) ;
}
2009-07-02 14:08:41 -07:00
return ret ;
}
2004-12-29 06:53:15 +00:00
2005-01-07 06:59:53 +00:00
/*
test dynamic acl inheritance
2009-07-02 14:08:41 -07:00
Test copied to smb2 / acls . c for SMB2 .
2005-01-07 06:59:53 +00:00
*/
2007-10-06 22:28:14 +00:00
static bool test_inheritance_dynamic ( struct torture_context * tctx ,
2007-08-29 00:56:13 +00:00
struct smbcli_state * cli )
2005-01-07 06:59:53 +00:00
{
NTSTATUS status ;
union smb_open io ;
2009-10-17 10:54:46 +11:00
const char * dname = BASEDIR " \\ inheritance2 " ;
const char * fname1 = BASEDIR " \\ inheritance2 \\ testfile " ;
2007-10-06 22:28:14 +00:00
bool ret = true ;
2006-09-09 10:05:58 +00:00
int fnum = 0 , fnum2 ;
2005-01-07 06:59:53 +00:00
union smb_fileinfo q ;
union smb_setfileinfo set ;
2006-09-09 10:05:58 +00:00
struct security_descriptor * sd , * sd_orig = NULL ;
2005-01-07 06:59:53 +00:00
const char * owner_sid ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " TESTING DYNAMIC ACL INHERITANCE \n " ) ;
2005-01-07 06:59:53 +00:00
2009-07-02 14:08:41 -07:00
if ( ! torture_setup_dir ( cli , BASEDIR ) )
2007-10-06 22:28:14 +00:00
return false ;
2005-01-07 06:59:53 +00:00
io . generic . level = RAW_OPEN_NTCREATEX ;
2009-10-15 18:26:19 +11:00
io . ntcreatex . in . root_fid . fnum = 0 ;
2005-01-07 06:59:53 +00:00
io . ntcreatex . in . flags = 0 ;
io . ntcreatex . in . access_mask = SEC_RIGHTS_FILE_ALL ;
io . ntcreatex . in . create_options = NTCREATEX_OPTIONS_DIRECTORY ;
io . ntcreatex . in . file_attr = FILE_ATTRIBUTE_DIRECTORY ;
io . ntcreatex . in . share_access = 0 ;
io . ntcreatex . in . alloc_size = 0 ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_CREATE ;
io . ntcreatex . in . impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS ;
io . ntcreatex . in . security_flags = 0 ;
io . ntcreatex . in . fname = dname ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2005-01-07 06:59:53 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
fnum = io . ntcreatex . out . file . fnum ;
2005-01-07 06:59:53 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " get the original sd \n " ) ;
2005-01-07 06:59:53 +00:00
q . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
q . query_secdesc . in . file . fnum = fnum ;
2006-03-10 20:49:20 +00:00
q . query_secdesc . in . secinfo_flags = SECINFO_DACL | SECINFO_OWNER ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & q ) ;
2005-01-07 06:59:53 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
sd_orig = q . query_secdesc . out . sd ;
2007-08-29 00:56:13 +00:00
owner_sid = dom_sid_string ( tctx , sd_orig - > owner_sid ) ;
2005-01-07 06:59:53 +00:00
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " owner_sid is %s \n " , owner_sid ) ;
2005-01-07 06:59:53 +00:00
2007-11-02 12:54:19 +01:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , NULL , NULL ,
2005-01-07 06:59:53 +00:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_FILE_WRITE_DATA | SEC_STD_DELETE | SEC_FILE_READ_ATTRIBUTE ,
SEC_ACE_FLAG_OBJECT_INHERIT ,
NULL ) ;
sd - > type | = SEC_DESC_DACL_AUTO_INHERITED | SEC_DESC_DACL_AUTO_INHERIT_REQ ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
2006-03-12 22:48:25 +00:00
set . set_secdesc . in . file . fnum = fnum ;
2005-01-07 06:59:53 +00:00
set . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " create a file with an inherited acl \n " ) ;
2005-01-07 06:59:53 +00:00
io . ntcreatex . in . fname = fname1 ;
io . ntcreatex . in . create_options = 0 ;
io . ntcreatex . in . access_mask = SEC_FILE_READ_ATTRIBUTE ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_CREATE ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2005-01-07 06:59:53 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
fnum2 = io . ntcreatex . out . file . fnum ;
2005-01-07 06:59:53 +00:00
smbcli_close ( cli - > tree , fnum2 ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try and access file with base rights - should be OK \n " ) ;
2005-01-07 06:59:53 +00:00
io . ntcreatex . in . access_mask = SEC_FILE_WRITE_DATA ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_OPEN ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2005-01-07 06:59:53 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
fnum2 = io . ntcreatex . out . file . fnum ;
2005-01-07 06:59:53 +00:00
smbcli_close ( cli - > tree , fnum2 ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try and access file with extra rights - should be denied \n " ) ;
2005-01-07 06:59:53 +00:00
io . ntcreatex . in . access_mask = SEC_FILE_WRITE_DATA | SEC_FILE_EXECUTE ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2005-01-07 06:59:53 +00:00
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " update parent sd \n " ) ;
2007-11-02 12:54:19 +01:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , NULL , NULL ,
2005-01-07 06:59:53 +00:00
owner_sid ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_FILE_WRITE_DATA | SEC_STD_DELETE | SEC_FILE_READ_ATTRIBUTE | SEC_FILE_EXECUTE ,
SEC_ACE_FLAG_OBJECT_INHERIT ,
NULL ) ;
sd - > type | = SEC_DESC_DACL_AUTO_INHERITED | SEC_DESC_DACL_AUTO_INHERIT_REQ ;
set . set_secdesc . in . sd = sd ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try and access file with base rights - should be OK \n " ) ;
2005-01-07 06:59:53 +00:00
io . ntcreatex . in . access_mask = SEC_FILE_WRITE_DATA ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2005-01-07 06:59:53 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
2006-03-12 22:48:25 +00:00
fnum2 = io . ntcreatex . out . file . fnum ;
2005-01-07 06:59:53 +00:00
smbcli_close ( cli - > tree , fnum2 ) ;
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " try and access now - should be OK if dynamic inheritance works \n " ) ;
2005-01-07 06:59:53 +00:00
io . ntcreatex . in . access_mask = SEC_FILE_WRITE_DATA | SEC_FILE_EXECUTE ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2005-01-07 06:59:53 +00:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_ACCESS_DENIED ) ) {
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " Server does not have dynamic inheritance \n " ) ;
2005-01-07 06:59:53 +00:00
}
if ( NT_STATUS_EQUAL ( status , NT_STATUS_OK ) ) {
2009-07-02 14:08:41 -07:00
torture_comment ( tctx , " Server does have dynamic inheritance \n " ) ;
2005-01-07 06:59:53 +00:00
}
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ;
smbcli_unlink ( cli - > tree , fname1 ) ;
done :
2011-05-26 10:23:41 +02:00
if ( sd_orig ! = NULL ) {
torture_comment ( tctx , " put back original sd \n " ) ;
set . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
set . set_secdesc . in . file . fnum = fnum ;
set . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
set . set_secdesc . in . sd = sd_orig ;
status = smb_raw_setfileinfo ( cli - > tree , & set ) ;
}
2005-01-07 06:59:53 +00:00
smbcli_close ( cli - > tree , fnum ) ;
smbcli_rmdir ( cli - > tree , dname ) ;
2009-07-02 14:08:41 -07:00
smb_raw_exit ( cli - > session ) ;
smbcli_deltree ( cli - > tree , BASEDIR ) ;
2005-01-07 06:59:53 +00:00
return ret ;
}
2006-04-13 11:37:44 +00:00
# define CHECK_STATUS_FOR_BIT_ACTION(status, bits, action) do { \
if ( ! ( bits & desired_64 ) ) { \
CHECK_STATUS ( status , NT_STATUS_ACCESS_DENIED ) ; \
action ; \
} else { \
CHECK_STATUS ( status , NT_STATUS_OK ) ; \
} \
} while ( 0 )
# define CHECK_STATUS_FOR_BIT(status, bits, access) do { \
if ( NT_STATUS_IS_OK ( status ) ) { \
if ( ! ( granted & access ) ) { \
2007-10-06 22:28:14 +00:00
ret = false ; \
2009-07-02 14:08:41 -07:00
torture_result ( tctx , TORTURE_FAIL , " (%s) %s but flags 0x%08X are not granted! granted[0x%08X] desired[0x%08X] \n " , \
__location__ , nt_errstr ( status ) , access , granted , desired ) ; \
2006-04-13 11:37:44 +00:00
goto done ; \
} \
} else { \
if ( granted & access ) { \
2007-10-06 22:28:14 +00:00
ret = false ; \
2009-07-02 14:08:41 -07:00
torture_result ( tctx , TORTURE_FAIL , " (%s) %s but flags 0x%08X are granted! granted[0x%08X] desired[0x%08X] \n " , \
__location__ , nt_errstr ( status ) , access , granted , desired ) ; \
2006-04-13 11:37:44 +00:00
goto done ; \
} \
} \
CHECK_STATUS_FOR_BIT_ACTION ( status , bits , do { } while ( 0 ) ) ; \
} while ( 0 )
2011-05-04 14:57:37 -07:00
#if 0
2009-07-02 14:08:41 -07:00
/* test what access mask is needed for getting and setting security_descriptors
Test copied to smb2 / acls . c for SMB2 . */
2007-08-29 00:56:13 +00:00
static bool test_sd_get_set ( struct torture_context * tctx ,
struct smbcli_state * cli )
2006-04-13 11:37:44 +00:00
{
NTSTATUS status ;
2007-10-06 22:28:14 +00:00
bool ret = true ;
2006-04-13 11:37:44 +00:00
union smb_open io ;
union smb_fileinfo fi ;
union smb_setfileinfo si ;
struct security_descriptor * sd ;
struct security_descriptor * sd_owner = NULL ;
struct security_descriptor * sd_group = NULL ;
struct security_descriptor * sd_dacl = NULL ;
struct security_descriptor * sd_sacl = NULL ;
2006-09-09 10:05:58 +00:00
int fnum = 0 ;
2006-04-13 11:37:44 +00:00
const char * fname = BASEDIR " \\ sd_get_set.txt " ;
uint64_t desired_64 ;
uint32_t desired = 0 , granted ;
int i = 0 ;
2006-05-25 07:14:33 +00:00
# define NO_BITS_HACK (((uint64_t)1)<<32)
2006-04-13 11:37:44 +00:00
uint64_t open_bits =
SEC_MASK_GENERIC |
SEC_FLAG_SYSTEM_SECURITY |
SEC_FLAG_MAXIMUM_ALLOWED |
SEC_STD_ALL |
2006-05-25 07:14:33 +00:00
SEC_FILE_ALL |
NO_BITS_HACK ;
2006-04-13 11:37:44 +00:00
uint64_t get_owner_bits = SEC_MASK_GENERIC | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_READ_CONTROL ;
uint64_t set_owner_bits = SEC_GENERIC_ALL | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_WRITE_OWNER ;
uint64_t get_group_bits = SEC_MASK_GENERIC | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_READ_CONTROL ;
uint64_t set_group_bits = SEC_GENERIC_ALL | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_WRITE_OWNER ;
uint64_t get_dacl_bits = SEC_MASK_GENERIC | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_READ_CONTROL ;
uint64_t set_dacl_bits = SEC_GENERIC_ALL | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_WRITE_DAC ;
uint64_t get_sacl_bits = SEC_FLAG_SYSTEM_SECURITY ;
uint64_t set_sacl_bits = SEC_FLAG_SYSTEM_SECURITY ;
2009-07-02 14:08:41 -07:00
if ( ! torture_setup_dir ( cli , BASEDIR ) )
return false ;
torture_comment ( tctx , " TESTING ACCESS MASKS FOR SD GET/SET \n " ) ;
2006-04-13 11:37:44 +00:00
/* first create a file with full access for everyone */
2007-11-02 12:54:19 +01:00
sd = security_descriptor_dacl_create ( tctx ,
2007-10-10 13:12:53 +02:00
0 , SID_NT_ANONYMOUS , SID_BUILTIN_USERS ,
2006-04-13 11:37:44 +00:00
SID_WORLD ,
SEC_ACE_TYPE_ACCESS_ALLOWED ,
SEC_GENERIC_ALL ,
0 ,
NULL ) ;
sd - > type | = SEC_DESC_SACL_PRESENT ;
sd - > sacl = NULL ;
io . ntcreatex . level = RAW_OPEN_NTTRANS_CREATE ;
2009-10-15 18:26:19 +11:00
io . ntcreatex . in . root_fid . fnum = 0 ;
2006-04-13 11:37:44 +00:00
io . ntcreatex . in . flags = 0 ;
io . ntcreatex . in . access_mask = SEC_GENERIC_ALL ;
io . ntcreatex . in . create_options = 0 ;
io . ntcreatex . in . file_attr = FILE_ATTRIBUTE_NORMAL ;
io . ntcreatex . in . share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE ;
io . ntcreatex . in . alloc_size = 0 ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_OVERWRITE_IF ;
io . ntcreatex . in . impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS ;
io . ntcreatex . in . security_flags = 0 ;
io . ntcreatex . in . fname = fname ;
io . ntcreatex . in . sec_desc = sd ;
io . ntcreatex . in . ea_list = NULL ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2006-04-13 11:37:44 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
fnum = io . ntcreatex . out . file . fnum ;
status = smbcli_close ( cli - > tree , fnum ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
/*
* now try each access_mask bit and no bit at all in a loop
* and see what ' s allowed
2006-05-25 07:14:33 +00:00
* NOTE : if i = = 32 it means access_mask = 0 ( see NO_BITS_HACK above )
2006-04-13 11:37:44 +00:00
*/
for ( i = 0 ; i < = 32 ; i + + ) {
2006-05-25 07:14:33 +00:00
desired_64 = ( ( uint64_t ) 1 ) < < i ;
2006-04-13 11:37:44 +00:00
desired = ( uint32_t ) desired_64 ;
/* first open the file with the desired access */
io . ntcreatex . level = RAW_OPEN_NTCREATEX ;
io . ntcreatex . in . access_mask = desired ;
io . ntcreatex . in . open_disposition = NTCREATEX_DISP_OPEN ;
2007-08-29 00:56:13 +00:00
status = smb_raw_open ( cli - > tree , tctx , & io ) ;
2006-04-13 11:37:44 +00:00
CHECK_STATUS_FOR_BIT_ACTION ( status , open_bits , goto next ) ;
fnum = io . ntcreatex . out . file . fnum ;
/* then check what access was granted */
fi . access_information . level = RAW_FILEINFO_ACCESS_INFORMATION ;
fi . access_information . in . file . fnum = fnum ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & fi ) ;
2006-04-13 11:37:44 +00:00
CHECK_STATUS ( status , NT_STATUS_OK ) ;
granted = fi . access_information . out . access_flags ;
/* test the owner */
ZERO_STRUCT ( fi ) ;
fi . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
fi . query_secdesc . in . file . fnum = fnum ;
fi . query_secdesc . in . secinfo_flags = SECINFO_OWNER ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & fi ) ;
2006-04-13 11:37:44 +00:00
CHECK_STATUS_FOR_BIT ( status , get_owner_bits , SEC_STD_READ_CONTROL ) ;
if ( fi . query_secdesc . out . sd ) {
sd_owner = fi . query_secdesc . out . sd ;
} else if ( ! sd_owner ) {
sd_owner = sd ;
}
si . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
si . set_secdesc . in . file . fnum = fnum ;
si . set_secdesc . in . secinfo_flags = SECINFO_OWNER ;
si . set_secdesc . in . sd = sd_owner ;
status = smb_raw_setfileinfo ( cli - > tree , & si ) ;
CHECK_STATUS_FOR_BIT ( status , set_owner_bits , SEC_STD_WRITE_OWNER ) ;
/* test the group */
ZERO_STRUCT ( fi ) ;
fi . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
fi . query_secdesc . in . file . fnum = fnum ;
fi . query_secdesc . in . secinfo_flags = SECINFO_GROUP ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & fi ) ;
2006-04-13 11:37:44 +00:00
CHECK_STATUS_FOR_BIT ( status , get_group_bits , SEC_STD_READ_CONTROL ) ;
if ( fi . query_secdesc . out . sd ) {
sd_group = fi . query_secdesc . out . sd ;
} else if ( ! sd_group ) {
sd_group = sd ;
}
si . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
si . set_secdesc . in . file . fnum = fnum ;
si . set_secdesc . in . secinfo_flags = SECINFO_GROUP ;
si . set_secdesc . in . sd = sd_group ;
status = smb_raw_setfileinfo ( cli - > tree , & si ) ;
CHECK_STATUS_FOR_BIT ( status , set_group_bits , SEC_STD_WRITE_OWNER ) ;
/* test the DACL */
ZERO_STRUCT ( fi ) ;
fi . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
fi . query_secdesc . in . file . fnum = fnum ;
fi . query_secdesc . in . secinfo_flags = SECINFO_DACL ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & fi ) ;
2006-04-13 11:37:44 +00:00
CHECK_STATUS_FOR_BIT ( status , get_dacl_bits , SEC_STD_READ_CONTROL ) ;
if ( fi . query_secdesc . out . sd ) {
sd_dacl = fi . query_secdesc . out . sd ;
} else if ( ! sd_dacl ) {
sd_dacl = sd ;
}
si . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
si . set_secdesc . in . file . fnum = fnum ;
si . set_secdesc . in . secinfo_flags = SECINFO_DACL ;
si . set_secdesc . in . sd = sd_dacl ;
status = smb_raw_setfileinfo ( cli - > tree , & si ) ;
CHECK_STATUS_FOR_BIT ( status , set_dacl_bits , SEC_STD_WRITE_DAC ) ;
/* test the SACL */
ZERO_STRUCT ( fi ) ;
fi . query_secdesc . level = RAW_FILEINFO_SEC_DESC ;
fi . query_secdesc . in . file . fnum = fnum ;
fi . query_secdesc . in . secinfo_flags = SECINFO_SACL ;
2007-08-29 00:56:13 +00:00
status = smb_raw_fileinfo ( cli - > tree , tctx , & fi ) ;
2006-04-13 11:37:44 +00:00
CHECK_STATUS_FOR_BIT ( status , get_sacl_bits , SEC_FLAG_SYSTEM_SECURITY ) ;
if ( fi . query_secdesc . out . sd ) {
sd_sacl = fi . query_secdesc . out . sd ;
} else if ( ! sd_sacl ) {
sd_sacl = sd ;
}
si . set_secdesc . level = RAW_SFILEINFO_SEC_DESC ;
si . set_secdesc . in . file . fnum = fnum ;
si . set_secdesc . in . secinfo_flags = SECINFO_SACL ;
si . set_secdesc . in . sd = sd_sacl ;
status = smb_raw_setfileinfo ( cli - > tree , & si ) ;
CHECK_STATUS_FOR_BIT ( status , set_sacl_bits , SEC_FLAG_SYSTEM_SECURITY ) ;
/* close the handle */
status = smbcli_close ( cli - > tree , fnum ) ;
CHECK_STATUS ( status , NT_STATUS_OK ) ;
next :
continue ;
}
done :
smbcli_close ( cli - > tree , fnum ) ;
smbcli_unlink ( cli - > tree , fname ) ;
2009-07-02 14:08:41 -07:00
smb_raw_exit ( cli - > session ) ;
smbcli_deltree ( cli - > tree , BASEDIR ) ;
2006-04-13 11:37:44 +00:00
return ret ;
}
2011-05-04 14:57:37 -07:00
# endif
2005-01-07 06:59:53 +00:00
2004-11-18 01:02:27 +00:00
/*
basic testing of security descriptor calls
*/
2009-07-02 14:08:41 -07:00
struct torture_suite * torture_raw_acls ( TALLOC_CTX * mem_ctx )
2004-11-18 01:02:27 +00:00
{
2010-12-11 03:26:31 +01:00
struct torture_suite * suite = torture_suite_create ( mem_ctx , " acls " ) ;
2009-07-02 14:08:41 -07:00
2010-12-11 03:26:31 +01:00
torture_suite_add_1smb_test ( suite , " sd " , test_sd ) ;
torture_suite_add_1smb_test ( suite , " create_file " , test_nttrans_create_file ) ;
torture_suite_add_1smb_test ( suite , " create_dir " , test_nttrans_create_dir ) ;
torture_suite_add_1smb_test ( suite , " nulldacl " , test_nttrans_create_null_dacl ) ;
torture_suite_add_1smb_test ( suite , " creator " , test_creator_sid ) ;
torture_suite_add_1smb_test ( suite , " generic " , test_generic_bits ) ;
torture_suite_add_1smb_test ( suite , " owner " , test_owner_bits ) ;
torture_suite_add_1smb_test ( suite , " inheritance " , test_inheritance ) ;
2009-12-07 17:19:30 -08:00
2011-05-04 14:57:37 -07:00
torture_suite_add_1smb_test ( suite , " INHERITFLAGS " , test_inheritance_flags ) ;
2010-12-11 03:26:31 +01:00
torture_suite_add_1smb_test ( suite , " dynamic " , test_inheritance_dynamic ) ;
2011-05-04 14:57:37 -07:00
#if 0
/* XXX This test does not work against XP or Vista. */
2009-07-02 14:08:41 -07:00
torture_suite_add_1smb_test ( suite , " GETSET " , test_sd_get_set ) ;
2011-05-04 14:57:37 -07:00
# endif
2009-07-02 14:08:41 -07:00
return suite ;
2004-11-18 01:02:27 +00:00
}