Attachment 2949 Details for Bug 4284 – New smbtortore null dacl test

[patch] New smbtortore null dacl test

smbtorture_dacl.patch (text/plain), 7.00 KB, created by Andrew Bartlett on 2007-10-22 23:46:00 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andrew Bartlett

Created: 2007-10-22 23:46:00 UTC

Size: 7.00 KB

patch

obsolete

>Index: torture/rpc/samlogon.c
>===================================================================
>--- torture/rpc/samlogon.c	(revision 25707)
>+++ torture/rpc/samlogon.c	(working copy)
>@@ -1676,7 +1676,32 @@
> 				.expected_interactive_error = NT_STATUS_NO_SUCH_USER,
> 				.parameter_control = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
> 			},
>+#if 0
> 			{
>+				.comment      = "machine service principal name",
>+				.domain       = "",
>+				.username     = talloc_asprintf(mem_ctx, 
>+								"host/%s",
>+								cli_credentials_get_workstation(machine_credentials)),
>+				.password     = cli_credentials_get_password(machine_credentials),
>+				.network_login = True,
>+				.expected_interactive_error = NT_STATUS_NO_SUCH_USER,
>+				.parameter_control = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
>+			},			
>+			{
>+				.comment      = "machine service principal name (FQDN)",
>+				.domain       = NULL,
>+				.username     = talloc_asprintf(mem_ctx, 
>+								"host/%s.%s",
>+								cli_credentials_get_workstation(machine_credentials),
>+								strlower_talloc(mem_ctx, cli_credentials_get_realm(machine_credentials))),
>+				.password     = cli_credentials_get_password(machine_credentials),
>+				.network_login = True,
>+				.expected_interactive_error = NT_STATUS_NO_SUCH_USER,
>+				.parameter_control = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
>+			},			
>+#endif
>+			{
> 				.comment      = "machine domain\\user",
> 				.domain       = cli_credentials_get_domain(machine_credentials),
> 				.username     = cli_credentials_get_username(machine_credentials),
>Index: torture/raw/acls.c
>===================================================================
>--- torture/raw/acls.c	(revision 25707)
>+++ torture/raw/acls.c	(working copy)
>@@ -146,7 +146,7 @@
>   test using nttrans create to create a file with an initial acl set
> */
> static bool test_nttrans_create(struct torture_context *tctx, 
>-								struct smbcli_state *cli)
>+				struct smbcli_state *cli)
> {
> 	NTSTATUS status;
> 	union smb_open io;
>@@ -248,7 +248,92 @@
> 	} \
> } while (0)
> 
>+/*
>+  test using NTTRANS CREATE to create a file with a null ACL set
>+*/
>+static bool test_nttrans_create_null_dacl(struct torture_context *tctx, 
>+					  struct smbcli_state *cli)
>+{
>+	NTSTATUS status;
>+	union smb_open io;
>+	const char *fname = BASEDIR "\\acl3.txt";
>+	bool ret = true;
>+	int fnum = -1;
>+	union smb_fileinfo q;
>+	struct security_descriptor *sd = security_descriptor_initialise(tctx);
> 
>+	printf("TESTING SEC_DESC WITH A NULL DACL\n");
>+
>+	io.generic.level = RAW_OPEN_NTTRANS_CREATE;
>+	io.ntcreatex.in.root_fid = 0;
>+	io.ntcreatex.in.flags = 0;
>+	io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
>+	io.ntcreatex.in.create_options = 0;
>+	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
>+	io.ntcreatex.in.share_access = 
>+		NTCREATEX_SHARE_ACCESS_READ | 
>+		NTCREATEX_SHARE_ACCESS_WRITE;
>+	io.ntcreatex.in.alloc_size = 0;
>+	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
>+	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
>+	io.ntcreatex.in.security_flags = 0;
>+	io.ntcreatex.in.fname = fname;
>+	io.ntcreatex.in.sec_desc = sd;
>+	io.ntcreatex.in.ea_list = NULL;
>+
>+	printf("creating a file with a null dacl\n");
>+
>+	status = smb_raw_open(cli->tree, tctx, &io);
>+	CHECK_STATUS(status, NT_STATUS_OK);
>+	fnum = io.ntcreatex.out.file.fnum;
>+
>+	printf("get the original sd\n");
>+	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
>+	q.query_secdesc.in.file.fnum = fnum;
>+	q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
>+	status = smb_raw_fileinfo(cli->tree, tctx, &q);
>+	CHECK_STATUS(status, NT_STATUS_OK);
>+
>+	if (!security_acl_equal(q.query_secdesc.out.sd->dacl, sd->dacl)) {
>+		printf("%s: security descriptors don't match!\n", __location__);
>+		printf("got:\n");
>+		NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
>+		printf("expected:\n");
>+		NDR_PRINT_DEBUG(security_descriptor, sd);
>+		ret = false;
>+	}
>+	
>+	printf("try open for write\n");
>+	io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
>+	status = smb_raw_open(cli->tree, tctx, &io);
>+	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
>+
>+	printf("try open for read\n");
>+	io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
>+	status = smb_raw_open(cli->tree, tctx, &io);
>+	CHECK_STATUS(status, NT_STATUS_OK);
>+	CHECK_ACCESS_FLAGS(io.ntcreatex.out.file.fnum, 
>+			   SEC_FILE_READ_DATA | 
>+			   SEC_FILE_READ_ATTRIBUTE);
>+	smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);
>+
>+	printf("try open for generic write\n");
>+	io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
>+	status = smb_raw_open(cli->tree, tctx, &io);
>+	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
>+
>+	printf("try open for generic read\n");
>+	io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
>+	status = smb_raw_open(cli->tree, tctx, &io);
>+	CHECK_STATUS(status, NT_STATUS_OK);
>+	CHECK_ACCESS_FLAGS(io.ntcreatex.out.file.fnum, SEC_RIGHTS_FILE_READ);
>+	smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);
>+
>+done:
>+	smbcli_close(cli->tree, fnum);	
>+	return ret;
>+}
>+
> /*
>   test the behaviour of the well known SID_CREATOR_OWNER sid, and some generic
>   mapping bits
>@@ -959,7 +1044,7 @@
>   test the inheritance of ACL flags onto new files and directories
> */
> static bool test_inheritance(struct torture_context *tctx, 
>-							 struct smbcli_state *cli)
>+			     struct smbcli_state *cli)
> {
> 	NTSTATUS status;
> 	union smb_open io;
>@@ -1347,6 +1432,7 @@
> 	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
> 	set.set_secdesc.in.file.fnum = fnum;
> 	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
>+
> 	set.set_secdesc.in.sd = sd_orig;
> 	status = smb_raw_setfileinfo(cli->tree, &set);
> 	CHECK_STATUS(status, NT_STATUS_OK);
>@@ -1368,11 +1454,13 @@
> 	smbcli_rmdir(cli->tree, dname);
> 
> done:
>-	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
>-	set.set_secdesc.in.file.fnum = fnum;
>-	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
>-	set.set_secdesc.in.sd = sd_orig;
>-	status = smb_raw_setfileinfo(cli->tree, &set);
>+	if (sd_orig) {
>+		set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
>+		set.set_secdesc.in.file.fnum = fnum;
>+		set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
>+		set.set_secdesc.in.sd = sd_orig;
>+		status = smb_raw_setfileinfo(cli->tree, &set);
>+	}
> 
> 	smbcli_close(cli->tree, fnum);
> 	return ret;
>@@ -1506,13 +1594,14 @@
> 	smbcli_unlink(cli->tree, fname1);
> 
> done:
>-	printf("put back original sd\n");
>-	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
>-	set.set_secdesc.in.file.fnum = fnum;
>-	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
>-	set.set_secdesc.in.sd = sd_orig;
>-	status = smb_raw_setfileinfo(cli->tree, &set);
>-
>+	if (sd_orig) {
>+		printf("put back original sd\n");
>+		set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
>+		set.set_secdesc.in.file.fnum = fnum;
>+		set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
>+		set.set_secdesc.in.sd = sd_orig;
>+		status = smb_raw_setfileinfo(cli->tree, &set);
>+	}
> 	smbcli_close(cli->tree, fnum);
> 	smbcli_rmdir(cli->tree, dname);
> 
>@@ -1744,6 +1833,7 @@
> 
> 	ret &= test_sd(tctx, cli);
> 	ret &= test_nttrans_create(tctx, cli);
>+	ret &= test_nttrans_create_null_dacl(tctx, cli);
> 	ret &= test_creator_sid(tctx, cli);
> 	ret &= test_generic_bits(tctx, cli);
> 	ret &= test_owner_bits(tctx, cli);

Actions: View

Attachments on bug 4284: 2887 | 2895 | 2949 | 2950 | 3089 | 3682 | 3683 | 3689