s4-torture: add a special check for administrators and privileges

lsa privileges calls don't expand groups. darn.
author: Andrew Tridgell <tridge@samba.org> 2009-10-16 18:23:42 +1100
committer: Andrew Tridgell <tridge@samba.org> 2009-10-17 13:01:03 +1100
commit: 7226ba73a0519f853b53adc3591d2358ff7429b2 (patch)
tree: 63ffdffd11c83daf154a90396b3f5d25a353a2a7 /source4
parent: 9526487010fff240d2f55f29352e7f74d3cec65a (diff)
download: samba-7226ba73a0519f853b53adc3591d2358ff7429b2.tar.gz
4 files changed, 57 insertions, 18 deletions
diff --git a/source4/torture/basic/denytest.c b/source4/torture/basic/denytest.c
index 6b7ae2614fc..52b4d582e00 100644
--- a/source4/torture/basic/denytest.c
+++ b/source4/torture/basic/denytest.c
@@ -2715,17 +2715,17 @@ bool torture_maximum_allowed(struct torture_context *tctx,
 
 	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
 
-	status = smblsa_sid_check_privilege(cli, 
-					    owner_sid, 
-					    sec_privilege_name(SEC_PRIV_RESTORE));
+	status = torture_check_privilege(cli, 
+					 owner_sid, 
+					 sec_privilege_name(SEC_PRIV_RESTORE));
 	has_restore_privilege = NT_STATUS_IS_OK(status);
 	torture_comment(tctx, "Checked SEC_PRIV_RESTORE for %s - %s\n", 
 			owner_sid,
 			has_restore_privilege?"Yes":"No");
 
-	status = smblsa_sid_check_privilege(cli, 
-					    owner_sid, 
-					    sec_privilege_name(SEC_PRIV_BACKUP));
+	status = torture_check_privilege(cli, 
+					 owner_sid, 
+					 sec_privilege_name(SEC_PRIV_BACKUP));
 	has_backup_privilege = NT_STATUS_IS_OK(status);
 	torture_comment(tctx, "Checked SEC_PRIV_BACKUP for %s - %s\n", 
 			owner_sid,
diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c
index 3d3aae4bb9b..b56345656a1 100644
--- a/source4/torture/raw/acls.c
+++ b/source4/torture/raw/acls.c
@@ -778,21 +778,21 @@ static bool test_generic_bits(struct torture_context *tctx,
 
 	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
 
-	status = smblsa_sid_check_privilege(cli, 
+	status = torture_check_privilege(cli, 
 					    owner_sid, 
 					    sec_privilege_name(SEC_PRIV_RESTORE));
 	has_restore_privilege = NT_STATUS_IS_OK(status);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+		printf("torture_check_privilege - %s\n", nt_errstr(status));
 	}
 	printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
 
-	status = smblsa_sid_check_privilege(cli, 
+	status = torture_check_privilege(cli, 
 					    owner_sid, 
 					    sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
 	has_take_ownership_privilege = NT_STATUS_IS_OK(status);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+		printf("torture_check_privilege - %s\n", nt_errstr(status));
 	}
 	printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
 
@@ -943,21 +943,21 @@ static bool test_generic_bits(struct torture_context *tctx,
 
 	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
 
-	status = smblsa_sid_check_privilege(cli, 
+	status = torture_check_privilege(cli, 
 					    owner_sid, 
 					    sec_privilege_name(SEC_PRIV_RESTORE));
 	has_restore_privilege = NT_STATUS_IS_OK(status);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+		printf("torture_check_privilege - %s\n", nt_errstr(status));
 	}
 	printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
 
-	status = smblsa_sid_check_privilege(cli, 
+	status = torture_check_privilege(cli, 
 					    owner_sid, 
 					    sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
 	has_take_ownership_privilege = NT_STATUS_IS_OK(status);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+		printf("torture_check_privilege - %s\n", nt_errstr(status));
 	}
 	printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
 
@@ -1132,21 +1132,21 @@ static bool test_owner_bits(struct torture_context *tctx,
 
 	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
 
-	status = smblsa_sid_check_privilege(cli, 
+	status = torture_check_privilege(cli, 
 					    owner_sid, 
 					    sec_privilege_name(SEC_PRIV_RESTORE));
 	has_restore_privilege = NT_STATUS_IS_OK(status);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+		printf("torture_check_privilege - %s\n", nt_errstr(status));
 	}
 	printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
 
-	status = smblsa_sid_check_privilege(cli, 
+	status = torture_check_privilege(cli, 
 					    owner_sid, 
 					    sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
 	has_take_ownership_privilege = NT_STATUS_IS_OK(status);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+		printf("torture_check_privilege - %s\n", nt_errstr(status));
 	}
 	printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
 
diff --git a/source4/torture/util.h b/source4/torture/util.h
index 6a8ae36baf0..501d14d57c1 100644
--- a/source4/torture/util.h
+++ b/source4/torture/util.h
@@ -93,5 +93,8 @@ NTSTATUS torture_second_tcon(TALLOC_CTX *mem_ctx,
 			     struct smbcli_tree **res);
 
 
+NTSTATUS torture_check_privilege(struct smbcli_state *cli, 
+				 const char *sid_str,
+				 const char *privilege);
 
 #endif /* _TORTURE_UTIL_H_ */
diff --git a/source4/torture/util_smb.c b/source4/torture/util_smb.c
index 7d3d04cdbb6..b6f2bee6355 100644
--- a/source4/torture/util_smb.c
+++ b/source4/torture/util_smb.c
@@ -33,6 +33,8 @@
 #include "auth/credentials/credentials.h"
 #include "libcli/resolve/resolve.h"
 #include "param/param.h"
+#include "libcli/security/security.h"
+#include "libcli/util/clilsa.h"
 
 
 /**
@@ -927,3 +929,37 @@ NTSTATUS torture_second_tcon(TALLOC_CTX *mem_ctx,
 	talloc_free(tmp_ctx);
 	return NT_STATUS_OK;
 }
+
+/* 
+   a wrapper around smblsa_sid_check_privilege, that tries to take
+   account of the fact that the lsa privileges calls don't expand
+   group memberships, using an explicit check for administrator. There
+   must be a better way ...
+ */
+NTSTATUS torture_check_privilege(struct smbcli_state *cli, 
+				 const char *sid_str,
+				 const char *privilege)
+{
+	struct dom_sid *sid;
+	TALLOC_CTX *tmp_ctx = talloc_new(cli);
+	uint32_t rid;
+	NTSTATUS status;
+
+	sid = dom_sid_parse_talloc(tmp_ctx, sid_str);
+	if (sid == NULL) {
+		talloc_free(tmp_ctx);
+		return NT_STATUS_INVALID_SID;
+	}
+
+	status = dom_sid_split_rid(tmp_ctx, sid, NULL, &rid);
+	NT_STATUS_NOT_OK_RETURN_AND_FREE(status, tmp_ctx);
+
+	if (rid == DOMAIN_RID_ADMINISTRATOR) {
+		/* assume the administrator has them all */
+		return NT_STATUS_OK;
+	}
+
+	talloc_free(tmp_ctx);
+
+	return smblsa_sid_check_privilege(cli, sid_str, privilege);
+}
author	Andrew Tridgell <tridge@samba.org>	2009-10-16 18:23:42 +1100
committer	Andrew Tridgell <tridge@samba.org>	2009-10-17 13:01:03 +1100
commit	7226ba73a0519f853b53adc3591d2358ff7429b2 (patch)
tree	63ffdffd11c83daf154a90396b3f5d25a353a2a7 /source4
parent	9526487010fff240d2f55f29352e7f74d3cec65a (diff)
download	samba-7226ba73a0519f853b53adc3591d2358ff7429b2.tar.gz