2025-02-08 05:57:51 +03:00 · 2019-03-01 18:06:48 +01:00 · 2019-03-01 18:06:48 +01:00 · 128e195e03
commit 128e195e03
parent 8d355dd976
1 changed files with 111 additions and 0 deletions
--- a/source4/torture/smb2/acls.c
+++ b/source4/torture/smb2/acls.c
@ -2914,6 +2914,115 @@ done:
 	return ret;
 }
 /*
 * test SEC_FLAG_MAXIMUM_ALLOWED with not-granted access
 *
 * When access_mask contains SEC_FLAG_MAXIMUM_ALLOWED, the server must still
 * proces other bits from access_mask. Eg if access_mask contains a right that
 * the requester doesn't have, the function must validate that against the
 * effective permissions.
 */
 static bool test_mxac_not_granted(struct torture_context *tctx,
 				  struct smb2_tree *tree)
 {
 	const char *fname = BASEDIR "\\test_mxac_not_granted.txt";
 	struct smb2_create cr;
 	struct smb2_handle handle = {{0}};
 	union smb_fileinfo gi;
 	union smb_setfileinfo si;
 	struct security_descriptor *sd_orig = NULL;
 	struct security_descriptor *sd = NULL;
 	const char *owner_sid = NULL;
 	NTSTATUS status;
 	bool ret = true;
 	smb2_deltree(tree, BASEDIR);
 	ret = smb2_util_setup_dir(tctx, tree, BASEDIR);
 	torture_assert_goto(tctx, ret, ret, done,
 			"smb2_util_setup_dir failed\n");
 	torture_comment(tctx, "TESTING OWNER RIGHTS DENY\n");
 	cr = (struct smb2_create) {
 		.in.desired_access = SEC_STD_READ_CONTROL |
 			SEC_STD_WRITE_DAC |SEC_STD_WRITE_OWNER,
 		.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
 		.in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
 		.in.create_disposition = NTCREATEX_DISP_OPEN_IF,
 		.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
 		.in.fname = fname,
 	};
 	status = smb2_create(tree, tctx, &cr);
 	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
 					"smb2_create failed\n");
 	handle = cr.out.file.handle;
 	torture_comment(tctx, "get the original sd\n");
 	gi = (union smb_fileinfo) {
 		.query_secdesc.level = RAW_FILEINFO_SEC_DESC,
 		.query_secdesc.in.file.handle = handle,
 		.query_secdesc.in.secinfo_flags = SECINFO_DACL|SECINFO_OWNER,
 	};
 	status = smb2_getinfo_file(tree, tctx, &gi);
 	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
 				"smb2_getinfo_file failed\n");
 	sd_orig = gi.query_secdesc.out.sd;
 	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
 	sd = security_descriptor_dacl_create(tctx, 0, NULL, NULL,
 					owner_sid,
 					SEC_ACE_TYPE_ACCESS_ALLOWED,
 					SEC_FILE_READ_DATA,
 					0,
 					NULL);
 	torture_assert_not_null_goto(tctx, sd, ret, done,
 					"SD create failed\n");
 	si = (union smb_setfileinfo) {
 		.set_secdesc.level = RAW_SFILEINFO_SEC_DESC,
 		.set_secdesc.in.file.handle = handle,
 		.set_secdesc.in.secinfo_flags = SECINFO_DACL,
 		.set_secdesc.in.sd = sd,
 	};
 	status = smb2_setinfo_file(tree, &si);
 	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
 					"smb2_setinfo_file failed\n");
 	status = smb2_util_close(tree, handle);
 	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
 					"smb2_util_close failed\n");
 	ZERO_STRUCT(handle);
 	cr = (struct smb2_create) {
 		.in.desired_access = SEC_FLAG_MAXIMUM_ALLOWED |
 				     SEC_FILE_WRITE_DATA,
 		.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
 		.in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
 		.in.create_disposition = NTCREATEX_DISP_OPEN_IF,
 		.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
 		.in.fname = fname,
 	};
 	status = smb2_create(tree, tctx, &cr);
 	torture_assert_ntstatus_equal_goto(tctx, status,
 					   NT_STATUS_ACCESS_DENIED,
 					   ret, done,
 					   "Wrong smb2_create result\n");
 done:
 	if (!smb2_util_handle_empty(handle)) {
 		smb2_util_close(tree, handle);
 	}
 	smb2_deltree(tree, BASEDIR);
 	return ret;
 }
 /*
   basic testing of SMB2 ACLs
 */
@ -2940,6 +3049,8 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx)
 			test_owner_rights_deny1);
 	torture_suite_add_1smb2_test(suite, "DENY1",
 			test_deny1);
 	torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED",
 			test_mxac_not_granted);
 	suite->description = talloc_strdup(suite, "SMB2-ACLS tests");