mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
Rewrite torture_samba3_rpc_sharesec() to use a non-privileged user for share security descriptor testing.
This commit is contained in:
parent
64e57a1770
commit
6550bc0d26
@ -2391,9 +2391,119 @@ bool try_tcon(struct torture_context *tctx,
|
||||
|
||||
static bool torture_samba3_rpc_sharesec(struct torture_context *torture)
|
||||
{
|
||||
struct smbcli_state *cli;
|
||||
struct security_descriptor *sd;
|
||||
struct dom_sid *user_sid;
|
||||
struct smbcli_state *cli = NULL;
|
||||
struct security_descriptor *sd = NULL;
|
||||
struct dom_sid *user_sid = NULL;
|
||||
const char *testuser_passwd = NULL;
|
||||
struct cli_credentials *test_credentials = NULL;
|
||||
struct smbcli_options options;
|
||||
struct smbcli_session_options session_options;
|
||||
NTSTATUS status;
|
||||
struct test_join *tj = NULL;
|
||||
struct dcerpc_pipe *lsa_pipe = NULL;
|
||||
const char *priv_array[1];
|
||||
|
||||
/* Create a new user. The normal user has SeBackup and SeRestore
|
||||
privs so we can't lock them out with a share security descriptor. */
|
||||
tj = torture_create_testuser(torture,
|
||||
"sharesec_user",
|
||||
torture_setting_string(torture, "workgroup", NULL),
|
||||
ACB_NORMAL,
|
||||
&testuser_passwd);
|
||||
if (!tj) {
|
||||
torture_fail(torture, "Creating sharesec_user failed\n");
|
||||
}
|
||||
|
||||
/* Give them SeDiskOperatorPrivilege but no other privs. */
|
||||
status = torture_rpc_connection(torture, &lsa_pipe, &ndr_table_lsarpc);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
torture_delete_testuser(torture, tj, "sharesec_user");
|
||||
talloc_free(tj);
|
||||
torture_fail(torture, "Error connecting to LSA pipe");
|
||||
}
|
||||
|
||||
priv_array[0] = "SeDiskOperatorPrivilege";
|
||||
if (!torture_setup_privs(torture,
|
||||
lsa_pipe,
|
||||
1,
|
||||
priv_array,
|
||||
torture_join_user_sid(tj))) {
|
||||
talloc_free(lsa_pipe);
|
||||
torture_delete_testuser(torture, tj, "sharesec_user");
|
||||
talloc_free(tj);
|
||||
torture_fail(torture, "Failed to setup privs\n");
|
||||
}
|
||||
talloc_free(lsa_pipe);
|
||||
|
||||
test_credentials = cli_credentials_init(torture);
|
||||
cli_credentials_set_workstation(test_credentials, "localhost", CRED_SPECIFIED);
|
||||
cli_credentials_set_domain(test_credentials, lpcfg_workgroup(torture->lp_ctx),
|
||||
CRED_SPECIFIED);
|
||||
cli_credentials_set_username(test_credentials, "sharesec_user", CRED_SPECIFIED);
|
||||
cli_credentials_set_password(test_credentials, testuser_passwd, CRED_SPECIFIED);
|
||||
|
||||
ZERO_STRUCT(options);
|
||||
ZERO_STRUCT(session_options);
|
||||
lpcfg_smbcli_options(torture->lp_ctx, &options);
|
||||
lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
|
||||
|
||||
status = smbcli_full_connection(torture,
|
||||
&cli,
|
||||
torture_setting_string(torture, "host", NULL),
|
||||
lpcfg_smb_ports(torture->lp_ctx),
|
||||
"IPC$",
|
||||
NULL,
|
||||
lpcfg_socket_options(torture->lp_ctx),
|
||||
test_credentials,
|
||||
lpcfg_resolve_context(torture->lp_ctx),
|
||||
torture->ev,
|
||||
&options,
|
||||
&session_options,
|
||||
lpcfg_gensec_settings(torture, torture->lp_ctx));
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
talloc_free(cli);
|
||||
torture_delete_testuser(torture, tj, "sharesec_user");
|
||||
talloc_free(tj);
|
||||
torture_fail(torture, "Failed to open connection\n");
|
||||
}
|
||||
|
||||
if (!(user_sid = whoami(torture, torture, cli->tree))) {
|
||||
talloc_free(cli);
|
||||
torture_delete_testuser(torture, tj, "sharesec_user");
|
||||
talloc_free(tj);
|
||||
torture_fail(torture, "whoami failed\n");
|
||||
}
|
||||
|
||||
sd = get_sharesec(torture, torture, cli->session,
|
||||
torture_setting_string(torture, "share", NULL));
|
||||
|
||||
if (!try_tcon(torture, torture, sd, cli->session,
|
||||
torture_setting_string(torture, "share", NULL),
|
||||
user_sid, 0, NT_STATUS_ACCESS_DENIED, NT_STATUS_OK)) {
|
||||
talloc_free(cli);
|
||||
torture_delete_testuser(torture, tj, "sharesec_user");
|
||||
talloc_free(tj);
|
||||
torture_fail(torture, "failed to test tcon with 0 access_mask");
|
||||
}
|
||||
|
||||
if (!try_tcon(torture, torture, sd, cli->session,
|
||||
torture_setting_string(torture, "share", NULL),
|
||||
user_sid, SEC_FILE_READ_DATA, NT_STATUS_OK,
|
||||
NT_STATUS_MEDIA_WRITE_PROTECTED)) {
|
||||
talloc_free(cli);
|
||||
torture_delete_testuser(torture, tj, "sharesec_user");
|
||||
talloc_free(tj);
|
||||
torture_fail(torture, "failed to test tcon with SEC_FILE_READ_DATA access_mask");
|
||||
}
|
||||
|
||||
/* sharesec_user doesn't have any rights on the underlying file system.
|
||||
Go back to the normal user. */
|
||||
|
||||
talloc_free(cli);
|
||||
cli = NULL;
|
||||
torture_delete_testuser(torture, tj, "sharesec_user");
|
||||
talloc_free(tj);
|
||||
tj = NULL;
|
||||
|
||||
if (!(torture_open_connection_share(
|
||||
torture, &cli, torture, torture_setting_string(torture, "host", NULL),
|
||||
@ -2404,23 +2514,6 @@ static bool torture_samba3_rpc_sharesec(struct torture_context *torture)
|
||||
if (!(user_sid = whoami(torture, torture, cli->tree))) {
|
||||
torture_fail(torture, "whoami failed\n");
|
||||
}
|
||||
|
||||
sd = get_sharesec(torture, torture, cli->session,
|
||||
torture_setting_string(torture, "share", NULL));
|
||||
|
||||
torture_assert(torture, try_tcon(
|
||||
torture, torture, sd, cli->session,
|
||||
torture_setting_string(torture, "share", NULL),
|
||||
user_sid, 0, NT_STATUS_ACCESS_DENIED, NT_STATUS_OK),
|
||||
"failed to test tcon with 0 access_mask");
|
||||
|
||||
torture_assert(torture, try_tcon(
|
||||
torture, torture, sd, cli->session,
|
||||
torture_setting_string(torture, "share", NULL),
|
||||
user_sid, SEC_FILE_READ_DATA, NT_STATUS_OK,
|
||||
NT_STATUS_MEDIA_WRITE_PROTECTED),
|
||||
"failed to test tcon with SEC_FILE_READ_DATA access_mask");
|
||||
|
||||
torture_assert(torture, try_tcon(
|
||||
torture, torture, sd, cli->session,
|
||||
torture_setting_string(torture, "share", NULL),
|
||||
|
@ -29,6 +29,7 @@
|
||||
#include "../lib/crypto/crypto.h"
|
||||
#include "libnet/libnet.h"
|
||||
#include "lib/cmdline/popt_common.h"
|
||||
#include "librpc/gen_ndr/ndr_lsa_c.h"
|
||||
#include "librpc/gen_ndr/ndr_samr_c.h"
|
||||
|
||||
#include "libcli/auth/libcli_auth.h"
|
||||
@ -394,6 +395,79 @@ failed:
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* Set privileges on an account.
|
||||
*/
|
||||
|
||||
static void init_lsa_StringLarge(struct lsa_StringLarge *name, const char *s)
|
||||
{
|
||||
name->string = s;
|
||||
}
|
||||
static void init_lsa_String(struct lsa_String *name, const char *s)
|
||||
{
|
||||
name->string = s;
|
||||
}
|
||||
|
||||
bool torture_setup_privs(struct torture_context *tctx,
|
||||
struct dcerpc_pipe *p,
|
||||
uint32_t num_privs,
|
||||
const char **privs,
|
||||
const struct dom_sid *user_sid)
|
||||
{
|
||||
struct dcerpc_binding_handle *b = p->binding_handle;
|
||||
struct policy_handle *handle;
|
||||
int i;
|
||||
|
||||
torture_assert(tctx,
|
||||
test_lsa_OpenPolicy2(b, tctx, &handle),
|
||||
"failed to open policy");
|
||||
|
||||
for (i=0; i < num_privs; i++) {
|
||||
struct lsa_LookupPrivValue r;
|
||||
struct lsa_LUID luid;
|
||||
struct lsa_String name;
|
||||
|
||||
init_lsa_String(&name, privs[i]);
|
||||
|
||||
r.in.handle = handle;
|
||||
r.in.name = &name;
|
||||
r.out.luid = &luid;
|
||||
|
||||
torture_assert_ntstatus_ok(tctx,
|
||||
dcerpc_lsa_LookupPrivValue_r(b, tctx, &r),
|
||||
"lsa_LookupPrivValue failed");
|
||||
if (!NT_STATUS_IS_OK(r.out.result)) {
|
||||
torture_comment(tctx, "lsa_LookupPrivValue failed for '%s' with %s\n",
|
||||
privs[i], nt_errstr(r.out.result));
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
{
|
||||
struct lsa_AddAccountRights r;
|
||||
struct lsa_RightSet rights;
|
||||
|
||||
rights.count = num_privs;
|
||||
rights.names = talloc_zero_array(tctx, struct lsa_StringLarge, rights.count);
|
||||
for (i=0; i < rights.count; i++) {
|
||||
init_lsa_StringLarge(&rights.names[i], privs[i]);
|
||||
}
|
||||
|
||||
r.in.handle = handle;
|
||||
r.in.sid = discard_const_p(struct dom_sid, user_sid);
|
||||
r.in.rights = &rights;
|
||||
|
||||
torture_assert_ntstatus_ok(tctx,
|
||||
dcerpc_lsa_AddAccountRights_r(b, tctx, &r),
|
||||
"lsa_AddAccountRights failed");
|
||||
torture_assert_ntstatus_ok(tctx, r.out.result,
|
||||
"lsa_AddAccountRights failed");
|
||||
}
|
||||
|
||||
test_lsa_Close(b, tctx, handle);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
struct test_join *torture_create_testuser(struct torture_context *torture,
|
||||
const char *username,
|
||||
|
Loading…
Reference in New Issue
Block a user