
Bug #13442 » 0001-Test-SACL-permissions-smb2.acls.SACL.patch

Adds the 'smb2.acls.SACL' test to smbtorture - Matt Barden, 2021-01-30 12:31 AM


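--- a/source4/torture/smb2/acls.c
+++ b/source4/torture/smb2/acls.c
@@ -40,6 +40,14 @@
 		goto done; \
 	}} while (0)
 
+#define CHECK_STATUS2(status, correct1, correct2) do {	 \
+	if (!NT_STATUS_EQUAL(status, correct1) && !NT_STATUS_EQUAL(status, correct2)) { \
+		torture_result(tctx, TORTURE_FAIL, "(%s) Incorrect status %s - should be %s or %s\n", \
+		       __location__, nt_errstr(status), nt_errstr(correct1), nt_errstr(correct2)); \
+		ret = false; \
+		goto done; \
+	}} while (0)
+
 #define BASEDIR "smb2-testsd"
 
 #define CHECK_ACCESS_IGNORE SEC_STD_SYNCHRONIZE
@@ -1672,6 +1680,185 @@
 	CHECK_STATUS_FOR_BIT_ACTION(status, bits, do {} while (0)); \
 } while (0)
 
+static bool
+test_create_with_sacl(struct torture_context *tctx, struct smb2_tree *tree)
+{
+	NTSTATUS status;
+	bool is_admin, ret = true;
+	struct smb2_create io;
+	struct security_descriptor *sd;
+	const char *fname = BASEDIR "\\create_with_sacl.txt";
+	const char *dname = BASEDIR "\\create_with_sacl_dir";
+
+	if (!smb2_util_setup_dir(tctx, tree, BASEDIR))
+		return false;
+
+	smb2_util_unlink(tree, fname);
+	smb2_util_rmdir(tree, dname);
+
+	ZERO_STRUCT(io);
+	io.level = RAW_OPEN_SMB2;
+	io.in.create_flags = 0;
+	io.in.desired_access = SEC_FLAG_SYSTEM_SECURITY;
+	io.in.create_options = 0;
+	io.in.file_attributes = FILE_ATTRIBUTE_DIRECTORY;
+	io.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE;
+	io.in.alloc_size = 0;
+	io.in.create_disposition = NTCREATEX_DISP_OPEN;
+	io.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS;
+	io.in.security_flags = 0;
+	io.in.fname = BASEDIR;
+	status = smb2_create(tree, tctx, &io);
+
+	is_admin = NT_STATUS_EQUAL(status, NT_STATUS_OK);
+
+	if (NT_STATUS_EQUAL(NT_STATUS_SUCCESS))
+		smb2_util_close(tree, io.out.file.handle);
+
+	/*
+	 * Try to open a new file with ACCESS_SYSTEM_SECURITY
+	 */
+	torture_comment(tctx, "TESTING CREATE WITH ACCESS_SYSTEM_SECURITY\n");
+	ZERO_STRUCT(io);
+	io.level = RAW_OPEN_SMB2;
+	io.in.create_flags = 0;
+	io.in.desired_access = SEC_STD_DELETE | SEC_FLAG_SYSTEM_SECURITY;
+	io.in.create_options = NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
+	io.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
+	io.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE;
+	io.in.alloc_size = 0;
+	io.in.create_disposition = NTCREATEX_DISP_OVERWRITE_IF;
+	io.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS;
+	io.in.security_flags = 0;
+	io.in.fname = fname;
+	status = smb2_create(tree, tctx, &io);
+
+	if (NT_STATUS_EQUAL(NT_STATUS_SUCCESS))
+		smb2_util_close(tree, io.out.file.handle);
+
+	if (is_admin)
+		CHECK_STATUS(status, NT_STATUS_OK);
+	else
+		CHECK_STATUS2(status, NT_STATUS_ACCESS_DENIED,
+		    NT_STATUS_PRIVILEGE_NOT_HELD);
+
+	/* Now try to create a file with a SACL */
+	torture_comment(tctx, "TESTING CREATE_WITH_SACL\n");
+	sd = security_descriptor_sacl_create(tctx,
+					0, SID_NT_ANONYMOUS, SID_BUILTIN_USERS,
+					SID_WORLD,
+					SEC_ACE_TYPE_SYSTEM_AUDIT,
+					SEC_GENERIC_ALL,
+					0,
+					NULL);
+
+	security_descriptor_append(sd,
+				   SID_WORLD,
+				   SEC_ACE_TYPE_ACCESS_ALLOWED,
+				   SEC_GENERIC_ALL,
+				   0,
+				   NULL);
+
+	ZERO_STRUCT(io);
+	io.level = RAW_OPEN_SMB2;
+	io.in.create_flags = 0;
+	io.in.desired_access = SEC_FLAG_SYSTEM_SECURITY;
+	io.in.create_options = 0;
+	io.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
+	io.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE;
+	io.in.alloc_size = 0;
+	io.in.create_disposition = NTCREATEX_DISP_OVERWRITE_IF;
+	io.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS;
+	io.in.security_flags = 0;
+	io.in.fname = fname;
+	io.in.sec_desc = sd;
+	status = smb2_create(tree, tctx, &io);
+
+	if (NT_STATUS_EQUAL(NT_STATUS_SUCCESS))
+		smb2_util_close(tree, io.out.file.handle);
+
+	if (is_admin)
+		CHECK_STATUS(status, NT_STATUS_OK);
+	else
+		CHECK_STATUS2(status, NT_STATUS_ACCESS_DENIED,
+		    NT_STATUS_PRIVILEGE_NOT_HELD);
+
+	/*
+	 * Repeat the tests, but with a directory
+	 */
+	torture_comment(tctx, "TESTING MKDIR WITH ACCESS_SYSTEM_SECURITY\n");
+	ZERO_STRUCT(io);
+	io.level = RAW_OPEN_SMB2;
+	io.in.create_flags = 0;
+	io.in.desired_access = SEC_STD_DELETE | SEC_FLAG_SYSTEM_SECURITY;
+	io.in.create_options = NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
+	io.in.file_attributes = FILE_ATTRIBUTE_DIRECTORY;
+	io.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE;
+	io.in.alloc_size = 0;
+	io.in.create_disposition = NTCREATEX_DISP_OVERWRITE_IF;
+	io.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS;
+	io.in.security_flags = 0;
+	io.in.fname = dname;
+	status = smb2_create(tree, tctx, &io);
+
+	if (NT_STATUS_EQUAL(NT_STATUS_SUCCESS))
+		smb2_util_close(tree, io.out.file.handle);
+
+	if (is_admin)
+		CHECK_STATUS(status, NT_STATUS_OK);
+	else
+		CHECK_STATUS2(status, NT_STATUS_ACCESS_DENIED,
+		    NT_STATUS_PRIVILEGE_NOT_HELD);
+
+	/* Now try to create a file with a SACL */
+	torture_comment(tctx, "TESTING MKDIR_WITH_SACL\n");
+	sd = security_descriptor_sacl_create(tctx,
+					0, SID_NT_ANONYMOUS, SID_BUILTIN_USERS,
+					SID_WORLD,
+					SEC_ACE_TYPE_SYSTEM_AUDIT,
+					SEC_GENERIC_ALL,
+					0,
+					NULL);
+
+	security_descriptor_append(sd,
+				   SID_WORLD,
+				   SEC_ACE_TYPE_ACCESS_ALLOWED,
+				   SEC_GENERIC_ALL,
+				   0,
+				   NULL);
+
+	ZERO_STRUCT(io);
+	io.level = RAW_OPEN_SMB2;
+	io.in.create_flags = 0;
+	io.in.desired_access = SEC_FLAG_SYSTEM_SECURITY;
+	io.in.create_options = 0;
+	io.in.file_attributes = FILE_ATTRIBUTE_DIRECTORY;
+	io.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE;
+	io.in.alloc_size = 0;
+	io.in.create_disposition = NTCREATEX_DISP_OVERWRITE_IF;
+	io.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS;
+	io.in.security_flags = 0;
+	io.in.fname = dname;
+	io.in.sec_desc = sd;
+	status = smb2_create(tree, tctx, &io);
+
+	if (NT_STATUS_EQUAL(NT_STATUS_SUCCESS))
+		smb2_util_close(tree, io.out.file.handle);
+
+	if (is_admin)
+		CHECK_STATUS(status, NT_STATUS_OK);
+	else
+		CHECK_STATUS2(status, NT_STATUS_ACCESS_DENIED,
+		    NT_STATUS_PRIVILEGE_NOT_HELD);
+
+
+ done:
+	smb2_util_unlink(tree, fname);
+	smb2_util_unlink(tree, dname);
+
+	return ret;
+}
+
 #if 0
 /* test what access mask is needed for getting and setting security_descriptors */
 /* Note: This test was copied from raw/acls.c. */
@@ -2099,6 +2286,7 @@
 	torture_suite_add_1smb2_test(suite, "INHERITANCE", test_inheritance);
 	torture_suite_add_1smb2_test(suite, "INHERITFLAGS", test_inheritance_flags);
 	torture_suite_add_1smb2_test(suite, "DYNAMIC", test_inheritance_dynamic);
+	torture_suite_add_1smb2_test(suite, "SACL", test_create_with_sacl);
 #if 0
 	/* XXX This test does not work against XP or Vista. */
 	torture_suite_add_1smb2_test(suite, "GETSET", test_sd_get_set);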
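Review bot: The five `if (NT_STATUS_EQUAL(NT_STATUS_SUCCESS))` guards in test_create_with_sacl (new lines 1715, 1736, 1777, 1804 and 1845) pass a single argument to a macro that the file elsewhere uses with two, so the hunk will not preprocess as written; each should read `if (NT_STATUS_EQUAL(status, NT_STATUS_OK))` so the handle from the create that just filled `io` is closed. The `done:` cleanup calls `smb2_util_unlink(tree, dname)` on the directory while the setup at the top of the function uses `smb2_util_rmdir(tree, dname)`; the cleanup should use `smb2_util_rmdir` too, otherwise the directory created on the admin path is presumably left behind for the next run. Both `security_descriptor_sacl_create` results are handed to `security_descriptor_append` without a NULL check; `if (sd == NULL) { ret = false; goto done; }` after each call would turn an allocation failure into a test failure rather than a crash. The comment before the MKDIR_WITH_SACL block still says `/* Now try to create a file with a SACL */` and should say directory.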