The Samba-Bugzilla – Attachment 2949 Details for
Bug 4284
Null Dacl denies access in samba in contradiction to windows
[patch]
New smbtortore null dacl test
smbtorture_dacl.patch (text/plain), 7.00 KB, created by
Andrew Bartlett
on 2007-10-22 23:46:00 UTC
Description:
New smbtorture null dacl test
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2007-10-22 23:46:00 UTC
Size:
7.00 KB
>Index: torture/rpc/samlogon.c
>===================================================================
>--- torture/rpc/samlogon.c (revision 25707)
>+++ torture/rpc/samlogon.c (working copy)
>@@ -1676,7 +1676,32 @@
> .expected_interactive_error = NT_STATUS_NO_SUCH_USER,
> .parameter_control = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
> },
>+#if 0
> {
>+ .comment = "machine service principal name",
>+ .domain = "",
>+ .username = talloc_asprintf(mem_ctx,
>+ "host/%s",
>+ cli_credentials_get_workstation(machine_credentials)),
>+ .password = cli_credentials_get_password(machine_credentials),
>+ .network_login = True,
>+ .expected_interactive_error = NT_STATUS_NO_SUCH_USER,
>+ .parameter_control = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
>+ },
>+ {
>+ .comment = "machine service principal name (FQDN)",
>+ .domain = NULL,
>+ .username = talloc_asprintf(mem_ctx,
>+ "host/%s.%s",
>+ cli_credentials_get_workstation(machine_credentials),
>+ strlower_talloc(mem_ctx, cli_credentials_get_realm(machine_credentials))),
>+ .password = cli_credentials_get_password(machine_credentials),
>+ .network_login = True,
>+ .expected_interactive_error = NT_STATUS_NO_SUCH_USER,
>+ .parameter_control = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
>+ },
>+#endif
>+ {
> .comment = "machine domain\\user",
> .domain = cli_credentials_get_domain(machine_credentials),
> .username = cli_credentials_get_username(machine_credentials),
>Index: torture/raw/acls.c
>===================================================================
>--- torture/raw/acls.c (revision 25707)
>+++ torture/raw/acls.c (working copy)
>@@ -146,7 +146,7 @@
> test using nttrans create to create a file with an initial acl set
> */
> static bool test_nttrans_create(struct torture_context *tctx,
>- struct smbcli_state *cli)
>+ struct smbcli_state *cli)
> {
> NTSTATUS status;
> union smb_open io;
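Review bot: The two service-principal-name logon cases in samlogon.c are added under `#if 0` with no comment saying why they are disabled, so a later reader cannot tell whether they fail against some server, wait on another fix, or were left in by accident next to the null-DACL work. Add a short comment directly above the `#if 0`, for example `/* disabled: <reason>; re-enable when <condition> */`, with the reason supplied by the author. The `#if 0` sits before the existing opening `{` and the `#endif` before a newly added `{`, which balances as written but is easy to break on a later edit, so the comment should mention that the braces are split across the guard. The array initialiser itself starts and ends outside the hunk.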
>@@ -248,7 +248,92 @@
> } \
> } while (0)
>
>+/*
>+ test using NTTRANS CREATE to create a file with a null ACL set
>+*/
>+static bool test_nttrans_create_null_dacl(struct torture_context *tctx,
>+ struct smbcli_state *cli)
>+{
>+ NTSTATUS status;
>+ union smb_open io;
>+ const char *fname = BASEDIR "\\acl3.txt";
>+ bool ret = true;
>+ int fnum = -1;
>+ union smb_fileinfo q;
>+ struct security_descriptor *sd = security_descriptor_initialise(tctx);
>
>+ printf("TESTING SEC_DESC WITH A NULL DACL\n");
>+
>+ io.generic.level = RAW_OPEN_NTTRANS_CREATE;
>+ io.ntcreatex.in.root_fid = 0;
>+ io.ntcreatex.in.flags = 0;
>+ io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
>+ io.ntcreatex.in.create_options = 0;
>+ io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
>+ io.ntcreatex.in.share_access =
>+ NTCREATEX_SHARE_ACCESS_READ |
>+ NTCREATEX_SHARE_ACCESS_WRITE;
>+ io.ntcreatex.in.alloc_size = 0;
>+ io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
>+ io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
>+ io.ntcreatex.in.security_flags = 0;
>+ io.ntcreatex.in.fname = fname;
>+ io.ntcreatex.in.sec_desc = sd;
>+ io.ntcreatex.in.ea_list = NULL;
>+
>+ printf("creating a file with a null dacl\n");
>+
>+ status = smb_raw_open(cli->tree, tctx, &io);
>+ CHECK_STATUS(status, NT_STATUS_OK);
>+ fnum = io.ntcreatex.out.file.fnum;
>+
>+ printf("get the original sd\n");
>+ q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
>+ q.query_secdesc.in.file.fnum = fnum;
>+ q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
>+ status = smb_raw_fileinfo(cli->tree, tctx, &q);
>+ CHECK_STATUS(status, NT_STATUS_OK);
>+
>+ if (!security_acl_equal(q.query_secdesc.out.sd->dacl, sd->dacl)) {
>+ printf("%s: security descriptors don't match!\n", __location__);
>+ printf("got:\n");
>+ NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
>+ printf("expected:\n");
>+ NDR_PRINT_DEBUG(security_descriptor, sd);
>+ ret = false;
>+ }
>+
>+ printf("try open for write\n");
>+ io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
>+ status = smb_raw_open(cli->tree, tctx, &io);
>+ CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
>+
>+ printf("try open for read\n");
>+ io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
>+ status = smb_raw_open(cli->tree, tctx, &io);
>+ CHECK_STATUS(status, NT_STATUS_OK);
>+ CHECK_ACCESS_FLAGS(io.ntcreatex.out.file.fnum,
>+ SEC_FILE_READ_DATA |
>+ SEC_FILE_READ_ATTRIBUTE);
>+ smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);
>+
>+ printf("try open for generic write\n");
>+ io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
>+ status = smb_raw_open(cli->tree, tctx, &io);
>+ CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
>+
>+ printf("try open for generic read\n");
>+ io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
>+ status = smb_raw_open(cli->tree, tctx, &io);
>+ CHECK_STATUS(status, NT_STATUS_OK);
>+ CHECK_ACCESS_FLAGS(io.ntcreatex.out.file.fnum, SEC_RIGHTS_FILE_READ);
>+ smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);
>+
>+done:
>+ smbcli_close(cli->tree, fnum);
>+ return ret;
>+}
>+
> /*
> test the behaviour of the well known SID_CREATOR_OWNER sid, and some generic
> mapping bits
>@@ -959,7 +1044,7 @@
> test the inheritance of ACL flags onto new files and directories
> */
> static bool test_inheritance(struct torture_context *tctx,
>- struct smbcli_state *cli)
>+ struct smbcli_state *cli)
> {
> NTSTATUS status;
> union smb_open io;
>@@ -1347,6 +1432,7 @@
> set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
> set.set_secdesc.in.file.fnum = fnum;
> set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
>+
> set.set_secdesc.in.sd = sd_orig;
> status = smb_raw_setfileinfo(cli->tree, &set);
> CHECK_STATUS(status, NT_STATUS_OK);
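Review bot: In test_nttrans_create_null_dacl, `io.ntcreatex.in.open_disposition` is assigned twice, so `NTCREATEX_DISP_OPEN_IF` silently overrides `NTCREATEX_DISP_CREATE`. The function never unlinks `acl3.txt`, so a file left by an earlier run would be opened with whatever descriptor it already carries, and the comparison against `sd->dacl` would then not test the descriptor supplied at create time. Call `smbcli_unlink(cli->tree, fname);` before the first `smb_raw_open` and again at `done:`, keep `NTCREATEX_DISP_CREATE` for the first open, and set `io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;` before the re-opens. The result of `security_descriptor_initialise(tctx)` is dereferenced as `sd->dacl` without a NULL check. The expected results (write opens `NT_STATUS_ACCESS_DENIED`, read opens `NT_STATUS_OK`) also look carried over from the neighbouring ACL test and should be confirmed against a Windows server, since the bug title says a null DACL should not deny access and a wrong expectation here would pin the wrong access-control behaviour.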
>@@ -1368,11 +1454,13 @@
> smbcli_rmdir(cli->tree, dname);
>
> done:
>- set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
>- set.set_secdesc.in.file.fnum = fnum;
>- set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
>- set.set_secdesc.in.sd = sd_orig;
>- status = smb_raw_setfileinfo(cli->tree, &set);
>+ if (sd_orig) {
>+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
>+ set.set_secdesc.in.file.fnum = fnum;
>+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
>+ set.set_secdesc.in.sd = sd_orig;
>+ status = smb_raw_setfileinfo(cli->tree, &set);
>+ }
>
> smbcli_close(cli->tree, fnum);
> return ret;
>@@ -1506,13 +1594,14 @@
> smbcli_unlink(cli->tree, fname1);
>
> done:
>- printf("put back original sd\n");
>- set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
>- set.set_secdesc.in.file.fnum = fnum;
>- set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
>- set.set_secdesc.in.sd = sd_orig;
>- status = smb_raw_setfileinfo(cli->tree, &set);
>-
>+ if (sd_orig) {
>+ printf("put back original sd\n");
>+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
>+ set.set_secdesc.in.file.fnum = fnum;
>+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
>+ set.set_secdesc.in.sd = sd_orig;
>+ status = smb_raw_setfileinfo(cli->tree, &set);
>+ }
> smbcli_close(cli->tree, fnum);
> smbcli_rmdir(cli->tree, dname);
>
>@@ -1744,6 +1833,7 @@
>
> ret &= test_sd(tctx, cli);
> ret &= test_nttrans_create(tctx, cli);
>+ ret &= test_nttrans_create_null_dacl(tctx, cli);
> ret &= test_creator_sid(tctx, cli);
> ret &= test_generic_bits(tctx, cli);
> ret &= test_owner_bits(tctx, cli);
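Review bot: The new `if (sd_orig)` guards at the two `done:` labels (this hunk and the one at -1506) only help if `sd_orig` is set to NULL where it is declared, which is outside both hunks; if it is not, an early jump to `done:` still tests an indeterminate pointer. Confirm that each declaration initialises it, i.e. `sd_orig = NULL`. Inside the guard the result of `smb_raw_setfileinfo` is stored in `status` and never examined, so a failed restore leaves the modified DACL in place on the test object with no message. A line such as `if (!NT_STATUS_IS_OK(status)) printf("failed to restore sd: %s\n", nt_errstr(status));` after the call would surface that. Both enclosing functions begin outside the hunks, so the initial value of `fnum` passed to `smbcli_close` on these paths cannot be checked from here either.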