3 # This verifies that SEC_STD_WRITE_OWNER effectively grants only take-ownership
4 # permission, NOT give-ownership.
8 echo "Usage: $0 SERVER SERVER_IP USERNAME PASSWORD PREFIX SMBCLIENT SMBCACLS NET SHARE"
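# Prefix every client tool with $VALGRIND (empty when not set) so the whole
# test can run under valgrind. These variables are later expanded unquoted on
# purpose, so the prefix and the binary split into separate words.
SMBCLIENT="$VALGRIND ${SMBCLIENT}"
SMBCACLS="$VALGRIND ${SMBCACLS}"
NET="$VALGRIND ${NET}"
# Locate the shared blackbox helpers relative to this script. "$0" is quoted
# so a checkout path containing spaces or glob characters still resolves.
incdir=$(dirname "$0")/../../../testprogs/blackbox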
34 $SMBCLIENT //$SERVER/$share -U $USERNAME%$PASSWORD -c "rm $fname"
35 $SMBCLIENT //$SERVER/$share -U $USERNAME%$PASSWORD -c "ls" | grep "$fname" && return 1
36 $SMBCLIENT //$SERVER/$share -U $USERNAME%$PASSWORD -c "lcd $PREFIX; put $fname" || return 1
42 $SMBCLIENT //$SERVER/$share -U $USERNAME%$PASSWORD -c "rm $fname"
49 echo "$SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD -C '$owner'"
50 $SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD -C "$owner" || return 1
56 local expected_owner=$3
59 echo "$SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD"
60 $SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD
61 actual_owner=$($SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD | sed -rn 's/^OWNER:(.*)/\1/p')
62 echo "actual_owner = $actual_owner"
63 if ! test "x$actual_owner" = "x$expected_owner" ; then
64 echo "Actual owner of $share/$fname is [$actual_owner] expected [$expected_owner]"
75 local_ace=$(printf '%s' "$ace" | sed 's|\\|/|')
78 out=$($SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD)
79 if [ $? -ne 0 ] ; then
86 echo "$out" | grep "$local_ace" && return 0
89 $SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD -a "$ace"
90 if [ $? -ne 0 ] ; then
96 out=$($SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD)
97 if [ $? -ne 0 ] ; then
98 echo "get new acl failed"
104 echo "Checking if new ACL has \"$local_ace\""
105 echo "$out" | grep "$local_ace" || return 1
113 local expected_error=$4
116 out=$($SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD -C "$user") && return 1
117 # it failed, now check it returned the expected error code
118 echo "$out" | grep $expected_error || return 1
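# Test sequence. Each step goes through testit; a non-zero return only
# increments $failed, so later steps (including the privilege revoke below)
# still run after an earlier failure.
#
# NOTE(review): credentials are passed as -U "user%password", so the password
# is part of each child's argv and readable from the process list while the
# command runs. Use a disposable test account only.
testit "create testfile" setup_testfile "$SHARE" afile || failed=$((failed + 1))
testit "verify owner" win_owner_is "$SHARE" afile "$SERVER/$USERNAME" || failed=$((failed + 1))

# Grant SeRestorePrivilege to the user and full rights on the file.
# NOTE(review): the privilege stays granted until the revoke step further
# down; no cleanup trap is visible in this excerpt, so an interrupted run may
# leave the account privileged -- confirm the test environment is reset.
# $NET is left unquoted: it carries the optional valgrind prefix.
testit "grant SeRestorePrivilege" $NET rpc rights grant "$USERNAME" SeRestorePrivilege -U "$USERNAME%$PASSWORD" -I "$SERVER_IP" || failed=$((failed + 1))
testit "grant full rights" add_ace "$SHARE" afile "ACL:$SERVER\\$USERNAME:ALLOWED/0x0/FULL" || failed=$((failed + 1))

# We have SeRestorePrivilege, so both give and take ownership must succeed.
testit "give owner with SeRestorePrivilege" set_win_owner "$SHARE" afile "$SERVER\\user1" || failed=$((failed + 1))
testit "verify owner" win_owner_is "$SHARE" afile "$SERVER/user1" || failed=$((failed + 1))
testit "take owner" set_win_owner "$SHARE" afile "$SERVER\\$USERNAME" || failed=$((failed + 1))
testit "verify owner" win_owner_is "$SHARE" afile "$SERVER/$USERNAME" || failed=$((failed + 1))

# Revoke SeRestorePrivilege; giving ownership away must now fail with
# NT_STATUS_INVALID_OWNER. This negative check is only meaningful if the
# revoke succeeded, which is why the revoke is itself a counted test step.
testit "revoke SeRestorePrivilege" $NET rpc rights revoke "$USERNAME" SeRestorePrivilege -U "$USERNAME%$PASSWORD" -I "$SERVER_IP" || failed=$((failed + 1))
testit "give owner without SeRestorePrivilege" chown_give_fails "$SHARE" afile "$SERVER\\user1" NT_STATUS_INVALID_OWNER || failed=$((failed + 1))

testit "delete testfile" remove_testfile "$SHARE" afile || failed=$((failed + 1))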