1 #!/bin/sh
2 #
3 # this verifies that SEC_STD_WRITE_OWNER only effectively grants take-ownership
4 # permissions but NOT give-ownership.
5 #
6
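# Refuse to run with fewer than the nine positional parameters listed below.
if [ $# -lt 9 ]; then
	# the usage line is a diagnostic: send it to stderr, not into the test output
	echo "Usage: $0 SERVER SERVER_IP USERNAME PASSWORD PREFIX SMBCLIENT SMBCACLS NET SHARE" >&2
	exit 1
fi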
11
# Positional parameters, in the order of the usage line.
SERVER=$1
SERVER_IP=$2
USERNAME=$3
PASSWORD=$4
PREFIX=$5
SMBCLIENT=$6
SMBCACLS=$7
NET=$8
SHARE=$9

# Optionally prefix the client tools with a valgrind wrapper ($VALGRIND may be
# empty).  These variables are expanded unquoted later on purpose, so that the
# wrapper and the tool become separate words.
SMBCLIENT="${VALGRIND} ${SMBCLIENT}"
SMBCACLS="${VALGRIND} ${SMBCACLS}"
NET="${VALGRIND} ${NET}"

# number of failed steps; doubles as the script's exit status
failed=0
26
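# Shared blackbox test helpers (testit etc.), located relative to this script.
# Quoted so a path containing spaces does not break the lookup.
incdir=$(dirname -- "$0")/../../../testprogs/blackbox
. "$incdir/subunit.sh"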
29
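setup_testfile()
{
	# Create a fresh copy of $fname on $share: remove any stale copy, make
	# sure it is gone, then upload the (empty) local file from $PREFIX.
	# $1: share name
	# $2: file name, relative to both the share root and $PREFIX
	# Returns 1 if the stale copy is still listed or the upload fails.
	local share="$1"
	local fname="$2"
	touch -- "$PREFIX/$fname"
	# $SMBCLIENT is deliberately unquoted: it may carry $VALGRIND as a prefix
	$SMBCLIENT "//$SERVER/$share" -U "$USERNAME%$PASSWORD" -c "rm $fname"
	$SMBCLIENT "//$SERVER/$share" -U "$USERNAME%$PASSWORD" -c "ls" | grep -- "$fname" && return 1
	$SMBCLIENT "//$SERVER/$share" -U "$USERNAME%$PASSWORD" -c "lcd $PREFIX; put $fname" || return 1
}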
39
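remove_testfile()
{
	# Delete $fname from $share; the exit status of smbclient is returned.
	# $1: share name
	# $2: file name
	local share="$1"
	local fname="$2"
	# $SMBCLIENT is deliberately unquoted: it may carry $VALGRIND as a prefix
	$SMBCLIENT "//$SERVER/$share" -U "$USERNAME%$PASSWORD" -c "rm $fname"
}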
46
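set_win_owner()
{
	# Set the NT owner of $fname on $share to $owner (smbcacls -C).
	# $1: share name
	# $2: file name
	# $3: new owner, as accepted by smbcacls -C (the callers pass SERVER\user)
	# The command is echoed for the test log; the password is masked so it
	# does not end up in captured output.
	# Returns 1 if smbcacls fails.
	local share="$1"
	local fname="$2"
	local owner="$3"
	echo "$SMBCACLS //$SERVER/$share $fname -U $USERNAME%*** -C '$owner'"
	# $SMBCACLS is deliberately unquoted: it may carry $VALGRIND as a prefix
	$SMBCACLS "//$SERVER/$share" "$fname" -U "$USERNAME%$PASSWORD" -C "$owner" || return 1
}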
55
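win_owner_is()
{
	# Verify that the NT owner of $fname on $share is $expected_owner.
	# $1: share name
	# $2: file name
	# $3: expected owner, in the form smbcacls prints on its OWNER: line
	# The ACL is fetched once (the original fetched it twice), echoed for the
	# test log, and the OWNER: line is parsed out of the captured output.
	# Returns 0 on match, 1 on mismatch or if smbcacls fails.
	local share="$1"
	local fname="$2"
	local expected_owner="$3"
	local acl
	local actual_owner

	# password masked in the log line
	echo "$SMBCACLS //$SERVER/$share $fname -U $USERNAME%***"
	# $SMBCACLS is deliberately unquoted: it may carry $VALGRIND as a prefix
	acl=$($SMBCACLS "//$SERVER/$share" "$fname" -U "$USERNAME%$PASSWORD") || {
		echo "get acl of $share/$fname failed"
		echo "$acl"
		return 1
	}
	echo "$acl"
	# BRE instead of GNU-only 'sed -r'; same capture of everything after OWNER:
	actual_owner=$(printf '%s\n' "$acl" | sed -n 's/^OWNER:\(.*\)/\1/p')
	echo "actual_owner = $actual_owner"
	if ! test "x$actual_owner" = "x$expected_owner"; then
		echo "Actual owner of $share/$fname is [$actual_owner] expected [$expected_owner]"
		return 1
	fi
	return 0
}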
73
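add_ace()
{
	# Ensure ACE $ace is present on $fname in $share, adding it if missing.
	# $1: share name
	# $2: file name
	# $3: ACE in smbcacls syntax, e.g. "ACL:SERVER\user:ALLOWED/0x0/FULL"
	# The first backslash of the ACE is rewritten to '/' before matching, as
	# that is how the ACE appears in the smbcacls listing.
	# Returns 0 if the ACE is (now) listed, 1 on any failure.
	local share="$1"
	local fname="$2"
	local ace="$3"
	local local_ace
	local out

	local_ace=$(printf '%s' "$ace" | sed 's|\\|/|')

	# avoid duplicate
	# $SMBCACLS is deliberately unquoted: it may carry $VALGRIND as a prefix
	out=$($SMBCACLS "//$SERVER/$share" "$fname" -U "$USERNAME%$PASSWORD") || {
		echo "get acl failed"
		echo "$out"
		return 1
	}
	echo "Original ACL"
	echo "$out"
	# -F: the ACE is a literal string, not a regular expression
	echo "$out" | grep -F -- "$local_ace" && return 0

	# add it
	if ! $SMBCACLS "//$SERVER/$share" "$fname" -U "$USERNAME%$PASSWORD" -a "$ace"; then
		echo "add acl failed"
		return 1
	fi

	# check it's there
	out=$($SMBCACLS "//$SERVER/$share" "$fname" -U "$USERNAME%$PASSWORD") || {
		echo "get new acl failed"
		echo "$out"
		return 1
	}
	echo "New ACL"
	echo "$out"
	echo "Checking if new ACL has \"$local_ace\""
	echo "$out" | grep -F -- "$local_ace" || return 1
	echo "ok"
}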
113
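chown_give_fails()
{
	# Try to give ownership of $fname to $user and require the attempt to
	# FAIL with $expected_error present in the smbcacls output.
	# $1: share name
	# $2: file name
	# $3: owner to hand the file to
	# $4: expected error text, e.g. NT_STATUS_INVALID_OWNER
	# Returns 1 if the chown unexpectedly succeeded or the text is absent.
	local share="$1"
	local fname="$2"
	local user="$3"
	local expected_error="$4"
	local out

	# this must fail
	# NOTE(review): only stdout is captured; if smbcacls ever reports the
	# status on stderr this check would need 2>&1 — confirm against smbcacls.
	# $SMBCACLS is deliberately unquoted: it may carry $VALGRIND as a prefix
	out=$($SMBCACLS "//$SERVER/$share" "$fname" -U "$USERNAME%$PASSWORD" -C "$user") && return 1
	# it failed, now check it returned the expected error code
	echo "$out" | grep -F -- "$expected_error" || return 1
}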
126
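# Test sequence.  Each failed step bumps $failed; the total is the exit status.
# $NET is deliberately unquoted: it may carry $VALGRIND as a prefix.

# Create a testfile
testit "create testfile" setup_testfile "$SHARE" afile || failed=$((failed + 1))
testit "verify owner" win_owner_is "$SHARE" afile "$SERVER/$USERNAME" || failed=$((failed + 1))

# Grant SeRestorePrivilege to the user and full rights on the file
testit "grant SeRestorePrivilege" $NET rpc rights grant "$USERNAME" SeRestorePrivilege -U "$USERNAME%$PASSWORD" -I "$SERVER_IP" || failed=$((failed + 1))
testit "grant full rights" add_ace "$SHARE" afile "ACL:$SERVER\\$USERNAME:ALLOWED/0x0/FULL" || failed=$((failed + 1))

# We have SeRestorePrivilege, so both give and take ownership must succeed
testit "give owner with SeRestorePrivilege" set_win_owner "$SHARE" afile "$SERVER\user1" || failed=$((failed + 1))
testit "verify owner" win_owner_is "$SHARE" afile "$SERVER/user1" || failed=$((failed + 1))
testit "take owner" set_win_owner "$SHARE" afile "$SERVER\\$USERNAME" || failed=$((failed + 1))
testit "verify owner" win_owner_is "$SHARE" afile "$SERVER/$USERNAME" || failed=$((failed + 1))

# Revoke SeRestorePrivilege, give ownership must fail now with NT_STATUS_INVALID_OWNER
testit "revoke SeRestorePrivilege" $NET rpc rights revoke "$USERNAME" SeRestorePrivilege -U "$USERNAME%$PASSWORD" -I "$SERVER_IP" || failed=$((failed + 1))
testit "give owner without SeRestorePrivilege" chown_give_fails "$SHARE" afile "$SERVER\user1" NT_STATUS_INVALID_OWNER || failed=$((failed + 1))

testit "delete testfile" remove_testfile "$SHARE" afile || failed=$((failed + 1))

exit "$failed"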