diff options
| author | Ralph Boehme <slow@samba.org> | 2019-03-03 08:33:51 +0100 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2019-03-11 07:52:24 +0000 |
| commit | 05a54f9c0efa7cd1f1e66cec2dc26658d0cce1f2 (patch) | |
| tree | c46b7a267feaec487922db78f05f8fa328dafbcc | |
| parent | 8f77ba1b7c7620910f9735681f8e357e4ed053e4 (diff) | |
| download | samba-05a54f9c0efa7cd1f1e66cec2dc26658d0cce1f2.tar.gz | |
s4:torture: Add test_deny1().
Creates a 2-element ALLOW + DENY ACE showing that when calculating
effective permissions and maximum access already seen allow bits are not
removed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit b205d695d769e910a91bec87451dec189ec33740)
| -rw-r--r-- | selftest/knownfail.d/smb2.acls | 2 | ||||
| -rw-r--r-- | source4/torture/smb2/acls.c | 140 |
2 files changed, 142 insertions, 0 deletions
diff --git a/selftest/knownfail.d/smb2.acls b/selftest/knownfail.d/smb2.acls index f8541adc1b0..b76a3c719ce 100644 --- a/selftest/knownfail.d/smb2.acls +++ b/selftest/knownfail.d/smb2.acls @@ -1,2 +1,4 @@ ^samba3.smb2.acls.OWNER-RIGHTS-DENY1\(ad_dc\) ^samba3.smb2.acls.OWNER-RIGHTS-DENY1\(nt4_dc\) +^samba3.smb2.acls.DENY1\(ad_dc\) +^samba3.smb2.acls.DENY1\(nt4_dc\) diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c index 916a582eac5..7bccce803f0 100644 --- a/source4/torture/smb2/acls.c +++ b/source4/torture/smb2/acls.c @@ -2777,6 +2777,144 @@ done: } /* + * test that shows that a DENY ACE doesn't remove rights granted + * by a previous ALLOW ACE. + */ +static bool test_deny1(struct torture_context *tctx, + struct smb2_tree *tree) +{ + const char *fname = BASEDIR "\\test_deny1.txt"; + struct smb2_create cr; + struct smb2_handle handle = {{0}}; + union smb_fileinfo gi; + union smb_setfileinfo si; + struct security_descriptor *sd_orig = NULL; + struct security_descriptor *sd = NULL; + const char *owner_sid = NULL; + NTSTATUS mxac_status; + NTSTATUS status; + bool ret = true; + + smb2_deltree(tree, BASEDIR); + + ret = smb2_util_setup_dir(tctx, tree, BASEDIR); + torture_assert_goto(tctx, ret, ret, done, + "smb2_util_setup_dir failed\n"); + + cr = (struct smb2_create) { + .in.desired_access = SEC_STD_READ_CONTROL | + SEC_STD_WRITE_DAC |SEC_STD_WRITE_OWNER, + .in.file_attributes = FILE_ATTRIBUTE_NORMAL, + .in.share_access = NTCREATEX_SHARE_ACCESS_MASK, + .in.create_disposition = NTCREATEX_DISP_OPEN_IF, + .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS, + .in.fname = fname, + }; + + status = smb2_create(tree, tctx, &cr); + torture_assert_ntstatus_ok_goto(tctx, status, ret, done, + "smb2_create failed\n"); + handle = cr.out.file.handle; + + torture_comment(tctx, "get the original sd\n"); + + gi = (union smb_fileinfo) { + .query_secdesc.level = RAW_FILEINFO_SEC_DESC, + .query_secdesc.in.file.handle = handle, + .query_secdesc.in.secinfo_flags = SECINFO_DACL|SECINFO_OWNER, + }; + + status = smb2_getinfo_file(tree, tctx, &gi); + torture_assert_ntstatus_ok_goto(tctx, status, ret, done, + "smb2_getinfo_file failed\n"); + + sd_orig = gi.query_secdesc.out.sd; + owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); + + /* + * Add a 2 element ACL + * + * SEC_RIGHTS_FILE_READ|SEC_FILE_WRITE_DATA allow for owner. + * SEC_FILE_WRITE_DATA deny for owner + * + * Shows on Windows that trailing DENY entries don't + * override granted permissions. + */ + sd = security_descriptor_dacl_create(tctx, 0, NULL, NULL, + owner_sid, + SEC_ACE_TYPE_ACCESS_ALLOWED, + SEC_RIGHTS_FILE_READ|SEC_FILE_WRITE_DATA, + 0, + owner_sid, + SEC_ACE_TYPE_ACCESS_DENIED, + SEC_FILE_WRITE_DATA, + 0, + NULL); + torture_assert_not_null_goto(tctx, sd, ret, done, + "SD create failed\n"); + + si = (union smb_setfileinfo) { + .set_secdesc.level = RAW_SFILEINFO_SEC_DESC, + .set_secdesc.in.file.handle = handle, + .set_secdesc.in.secinfo_flags = SECINFO_DACL, + .set_secdesc.in.sd = sd, + }; + + status = smb2_setinfo_file(tree, &si); + torture_assert_ntstatus_ok_goto(tctx, status, ret, done, + "smb2_setinfo_file failed\n"); + + status = smb2_util_close(tree, handle); + torture_assert_ntstatus_ok_goto(tctx, status, ret, done, + "smb2_util_close failed\n"); + ZERO_STRUCT(handle); + + cr = (struct smb2_create) { + .in.desired_access = SEC_STD_READ_CONTROL | SEC_FILE_WRITE_DATA, + .in.file_attributes = FILE_ATTRIBUTE_NORMAL, + .in.share_access = NTCREATEX_SHARE_ACCESS_MASK, + .in.create_disposition = NTCREATEX_DISP_OPEN_IF, + .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS, + .in.query_maximal_access = true, + .in.fname = fname, + }; + + status = smb2_create(tree, tctx, &cr); + torture_assert_ntstatus_ok_goto(tctx, status, ret, done, + "smb2_create failed\n"); + handle = cr.out.file.handle; + + mxac_status = NT_STATUS(cr.out.maximal_access_status); + torture_assert_ntstatus_ok_goto(tctx, mxac_status, ret, done, + "Wrong maximum access status\n"); + + /* + * For some reasons Windows 2016 doesn't set SEC_STD_DELETE but we + * do. Mask it out so the test passes against Samba and Windows. + * SEC_STD_WRITE_DAC comes from being the owner. + */ + torture_assert_int_equal_goto(tctx, + cr.out.maximal_access & ~SEC_STD_DELETE, + SEC_RIGHTS_FILE_READ | + SEC_FILE_WRITE_DATA | + SEC_STD_WRITE_DAC, + ret, done, + "Wrong maximum access\n"); + + status = smb2_util_close(tree, handle); + torture_assert_ntstatus_ok_goto(tctx, status, ret, done, + "smb2_util_close failed\n"); + ZERO_STRUCT(handle); + +done: + if (!smb2_util_handle_empty(handle)) { + smb2_util_close(tree, handle); + } + smb2_deltree(tree, BASEDIR); + return ret; +} + +/* basic testing of SMB2 ACLs */ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx) @@ -2800,6 +2938,8 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx) test_owner_rights_deny); torture_suite_add_1smb2_test(suite, "OWNER-RIGHTS-DENY1", test_owner_rights_deny1); + torture_suite_add_1smb2_test(suite, "DENY1", + test_deny1); suite->description = talloc_strdup(suite, "SMB2-ACLS tests"); |