2 Unix SMB/CIFS implementation.
4 test security descriptor operations
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "libcli/raw/libcliraw.h"
25 #include "librpc/gen_ndr/ndr_security.h"
27 #define BASEDIR "\\testsd"
29 #define CHECK_STATUS(status, correct) do { \
30 if (!NT_STATUS_EQUAL(status, correct)) { \
31 printf("(%s) Incorrect status %s - should be %s\n", \
32 __location__, nt_errstr(status), nt_errstr(correct)); \
38 static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
42 const char *fname = BASEDIR "\\sd.txt";
46 union smb_setfileinfo set;
47 struct security_ace ace;
48 struct security_descriptor *sd;
49 struct dom_sid *test_sid;
51 printf("TESTING SETFILEINFO EA_SET\n");
53 io.generic.level = RAW_OPEN_NTCREATEX;
54 io.ntcreatex.in.root_fid = 0;
55 io.ntcreatex.in.flags = 0;
56 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
57 io.ntcreatex.in.create_options = 0;
58 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
59 io.ntcreatex.in.share_access =
60 NTCREATEX_SHARE_ACCESS_READ |
61 NTCREATEX_SHARE_ACCESS_WRITE;
62 io.ntcreatex.in.alloc_size = 0;
63 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
64 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
65 io.ntcreatex.in.security_flags = 0;
66 io.ntcreatex.in.fname = fname;
67 status = smb_raw_open(cli->tree, mem_ctx, &io);
68 CHECK_STATUS(status, NT_STATUS_OK);
69 fnum = io.ntcreatex.out.fnum;
71 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
72 q.query_secdesc.in.fnum = fnum;
73 q.query_secdesc.in.secinfo_flags =
77 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
78 CHECK_STATUS(status, NT_STATUS_OK);
79 sd = q.query_secdesc.out.sd;
81 printf("add a new ACE to the DACL\n");
83 test_sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-1234-5432");
85 ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
87 ace.access_mask = SEC_STD_ALL;
88 ace.trustee = *test_sid;
90 status = security_descriptor_dacl_add(sd, &ace);
91 CHECK_STATUS(status, NT_STATUS_OK);
93 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
94 set.set_secdesc.file.fnum = fnum;
95 set.set_secdesc.in.secinfo_flags = q.query_secdesc.in.secinfo_flags;
96 set.set_secdesc.in.sd = sd;
98 status = smb_raw_setfileinfo(cli->tree, &set);
99 CHECK_STATUS(status, NT_STATUS_OK);
101 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
102 CHECK_STATUS(status, NT_STATUS_OK);
104 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
105 printf("security descriptors don't match!\n");
107 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
108 printf("expected:\n");
109 NDR_PRINT_DEBUG(security_descriptor, sd);
112 printf("remove it again\n");
114 status = security_descriptor_dacl_del(sd, test_sid);
115 CHECK_STATUS(status, NT_STATUS_OK);
117 status = smb_raw_setfileinfo(cli->tree, &set);
118 CHECK_STATUS(status, NT_STATUS_OK);
120 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
121 CHECK_STATUS(status, NT_STATUS_OK);
123 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
124 printf("security descriptors don't match!\n");
126 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
127 printf("expected:\n");
128 NDR_PRINT_DEBUG(security_descriptor, sd);
132 smbcli_close(cli->tree, fnum);
138 test using NTTRANS CREATE to create a file with an initial ACL set
140 static BOOL test_nttrans_create(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
144 const char *fname = BASEDIR "\\acl2.txt";
147 union smb_fileinfo q;
148 struct security_ace ace;
149 struct security_descriptor *sd;
150 struct dom_sid *test_sid;
152 printf("TESTING NTTRANS CREATE WITH SEC_DESC\n");
154 io.generic.level = RAW_OPEN_NTTRANS_CREATE;
155 io.ntcreatex.in.root_fid = 0;
156 io.ntcreatex.in.flags = 0;
157 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
158 io.ntcreatex.in.create_options = 0;
159 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
160 io.ntcreatex.in.share_access =
161 NTCREATEX_SHARE_ACCESS_READ |
162 NTCREATEX_SHARE_ACCESS_WRITE;
163 io.ntcreatex.in.alloc_size = 0;
164 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
165 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
166 io.ntcreatex.in.security_flags = 0;
167 io.ntcreatex.in.fname = fname;
168 io.ntcreatex.in.sec_desc = NULL;
169 io.ntcreatex.in.ea_list = NULL;
171 printf("creating normal file\n");
173 status = smb_raw_open(cli->tree, mem_ctx, &io);
174 CHECK_STATUS(status, NT_STATUS_OK);
175 fnum = io.ntcreatex.out.fnum;
177 printf("querying ACL\n");
179 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
180 q.query_secdesc.in.fnum = fnum;
181 q.query_secdesc.in.secinfo_flags =
185 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
186 CHECK_STATUS(status, NT_STATUS_OK);
187 sd = q.query_secdesc.out.sd;
189 smbcli_close(cli->tree, fnum);
190 smbcli_unlink(cli->tree, fname);
192 printf("adding a new ACE\n");
193 test_sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-1234-54321");
195 ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
197 ace.access_mask = SEC_STD_ALL;
198 ace.trustee = *test_sid;
200 status = security_descriptor_dacl_add(sd, &ace);
201 CHECK_STATUS(status, NT_STATUS_OK);
203 printf("creating a file with an initial ACL\n");
205 io.ntcreatex.in.sec_desc = sd;
206 status = smb_raw_open(cli->tree, mem_ctx, &io);
207 CHECK_STATUS(status, NT_STATUS_OK);
208 fnum = io.ntcreatex.out.fnum;
210 q.query_secdesc.in.fnum = fnum;
211 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
212 CHECK_STATUS(status, NT_STATUS_OK);
214 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
215 printf("security descriptors don't match!\n");
217 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
218 printf("expected:\n");
219 NDR_PRINT_DEBUG(security_descriptor, sd);
223 smbcli_close(cli->tree, fnum);
227 #define CHECK_ACCESS_FLAGS(_fnum, flags) do { \
228 union smb_fileinfo _q; \
229 _q.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION; \
230 _q.access_information.in.fnum = (_fnum); \
231 status = smb_raw_fileinfo(cli->tree, mem_ctx, &_q); \
232 CHECK_STATUS(status, NT_STATUS_OK); \
233 if (_q.access_information.out.access_flags != (flags)) { \
234 printf("(%s) Incorrect access_flags 0x%08x - should be 0x%08x\n", \
235 __location__, _q.access_information.out.access_flags, (flags)); \
243 test the behaviour of the well known SID_CREATOR_OWNER sid, and some generic
246 static BOOL test_creator_sid(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
250 const char *fname = BASEDIR "\\creator.txt";
253 union smb_fileinfo q;
254 union smb_setfileinfo set;
255 struct security_descriptor *sd, *sd_orig, *sd2;
256 const char *owner_sid;
258 printf("TESTING SID_CREATOR_OWNER\n");
260 io.generic.level = RAW_OPEN_NTCREATEX;
261 io.ntcreatex.in.root_fid = 0;
262 io.ntcreatex.in.flags = 0;
263 io.ntcreatex.in.access_mask = SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER;
264 io.ntcreatex.in.create_options = 0;
265 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
266 io.ntcreatex.in.share_access =
267 NTCREATEX_SHARE_ACCESS_READ |
268 NTCREATEX_SHARE_ACCESS_WRITE;
269 io.ntcreatex.in.alloc_size = 0;
270 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
271 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
272 io.ntcreatex.in.security_flags = 0;
273 io.ntcreatex.in.fname = fname;
274 status = smb_raw_open(cli->tree, mem_ctx, &io);
275 CHECK_STATUS(status, NT_STATUS_OK);
276 fnum = io.ntcreatex.out.fnum;
278 printf("get the original sd\n");
279 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
280 q.query_secdesc.in.fnum = fnum;
281 q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
282 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
283 CHECK_STATUS(status, NT_STATUS_OK);
284 sd_orig = q.query_secdesc.out.sd;
286 owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
288 printf("set a sec desc allowing no write by CREATOR_OWNER\n");
289 sd = security_descriptor_create(mem_ctx,
292 SEC_ACE_TYPE_ACCESS_ALLOWED,
293 SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
297 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
298 set.set_secdesc.file.fnum = fnum;
299 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
300 set.set_secdesc.in.sd = sd;
302 status = smb_raw_setfileinfo(cli->tree, &set);
303 CHECK_STATUS(status, NT_STATUS_OK);
305 printf("try open for write\n");
306 io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
307 status = smb_raw_open(cli->tree, mem_ctx, &io);
308 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
310 printf("try open for read\n");
311 io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
312 status = smb_raw_open(cli->tree, mem_ctx, &io);
313 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
315 printf("try open for generic write\n");
316 io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
317 status = smb_raw_open(cli->tree, mem_ctx, &io);
318 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
320 printf("try open for generic read\n");
321 io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
322 status = smb_raw_open(cli->tree, mem_ctx, &io);
323 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
325 printf("set a sec desc allowing no write by owner\n");
326 sd = security_descriptor_create(mem_ctx,
329 SEC_ACE_TYPE_ACCESS_ALLOWED,
330 SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
334 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
335 set.set_secdesc.file.fnum = fnum;
336 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
337 set.set_secdesc.in.sd = sd;
338 status = smb_raw_setfileinfo(cli->tree, &set);
339 CHECK_STATUS(status, NT_STATUS_OK);
341 printf("check that sd has been mapped correctly\n");
342 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
343 CHECK_STATUS(status, NT_STATUS_OK);
344 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
345 printf("security descriptors don't match!\n");
347 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
348 printf("expected:\n");
349 NDR_PRINT_DEBUG(security_descriptor, sd);
352 printf("try open for write\n");
353 io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
354 status = smb_raw_open(cli->tree, mem_ctx, &io);
355 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
357 printf("try open for read\n");
358 io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
359 status = smb_raw_open(cli->tree, mem_ctx, &io);
360 CHECK_STATUS(status, NT_STATUS_OK);
361 CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
363 SEC_FILE_READ_ATTRIBUTE);
364 smbcli_close(cli->tree, io.ntcreatex.out.fnum);
366 printf("try open for generic write\n");
367 io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
368 status = smb_raw_open(cli->tree, mem_ctx, &io);
369 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
371 printf("try open for generic read\n");
372 io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
373 status = smb_raw_open(cli->tree, mem_ctx, &io);
374 CHECK_STATUS(status, NT_STATUS_OK);
375 CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
376 SEC_RIGHTS_FILE_READ);
377 smbcli_close(cli->tree, io.ntcreatex.out.fnum);
379 printf("set a sec desc allowing generic read by owner\n");
380 sd = security_descriptor_create(mem_ctx,
383 SEC_ACE_TYPE_ACCESS_ALLOWED,
384 SEC_GENERIC_READ | SEC_STD_ALL,
388 set.set_secdesc.in.sd = sd;
389 status = smb_raw_setfileinfo(cli->tree, &set);
390 CHECK_STATUS(status, NT_STATUS_OK);
392 printf("check that generic read has been mapped correctly\n");
393 sd2 = security_descriptor_create(mem_ctx,
396 SEC_ACE_TYPE_ACCESS_ALLOWED,
397 SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
401 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
402 CHECK_STATUS(status, NT_STATUS_OK);
403 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
404 printf("security descriptors don't match!\n");
406 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
407 printf("expected:\n");
408 NDR_PRINT_DEBUG(security_descriptor, sd2);
412 printf("try open for write\n");
413 io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
414 status = smb_raw_open(cli->tree, mem_ctx, &io);
415 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
417 printf("try open for read\n");
418 io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
419 status = smb_raw_open(cli->tree, mem_ctx, &io);
420 CHECK_STATUS(status, NT_STATUS_OK);
421 CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
423 SEC_FILE_READ_ATTRIBUTE);
424 smbcli_close(cli->tree, io.ntcreatex.out.fnum);
426 printf("try open for generic write\n");
427 io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
428 status = smb_raw_open(cli->tree, mem_ctx, &io);
429 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
431 printf("try open for generic read\n");
432 io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
433 status = smb_raw_open(cli->tree, mem_ctx, &io);
434 CHECK_STATUS(status, NT_STATUS_OK);
435 CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum, SEC_RIGHTS_FILE_READ);
436 smbcli_close(cli->tree, io.ntcreatex.out.fnum);
439 printf("put back original sd\n");
440 set.set_secdesc.in.sd = sd_orig;
441 status = smb_raw_setfileinfo(cli->tree, &set);
442 CHECK_STATUS(status, NT_STATUS_OK);
446 smbcli_close(cli->tree, fnum);
452 test the mapping of the SEC_GENERIC_xx bits to SEC_STD_xx and
455 static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
459 const char *fname = BASEDIR "\\generic.txt";
462 union smb_fileinfo q;
463 union smb_setfileinfo set;
464 struct security_descriptor *sd, *sd_orig, *sd2;
465 const char *owner_sid;
468 uint32_t specific_bits;
469 } file_mappings[] = {
471 { SEC_GENERIC_READ, SEC_RIGHTS_FILE_READ },
472 { SEC_GENERIC_WRITE, SEC_RIGHTS_FILE_WRITE },
473 { SEC_GENERIC_EXECUTE, SEC_RIGHTS_FILE_EXECUTE },
474 { SEC_GENERIC_ALL, SEC_RIGHTS_FILE_ALL },
475 { SEC_FILE_READ_DATA, SEC_FILE_READ_DATA },
476 { SEC_FILE_READ_ATTRIBUTE, SEC_FILE_READ_ATTRIBUTE }
480 uint32_t specific_bits;
483 { SEC_GENERIC_READ, SEC_RIGHTS_DIR_READ },
484 { SEC_GENERIC_WRITE, SEC_RIGHTS_DIR_WRITE },
485 { SEC_GENERIC_EXECUTE, SEC_RIGHTS_DIR_EXECUTE },
486 { SEC_GENERIC_ALL, SEC_RIGHTS_DIR_ALL }
488 BOOL has_restore_privilege;
489 BOOL has_take_ownership_privilege;
491 printf("TESTING FILE GENERIC BITS\n");
493 io.generic.level = RAW_OPEN_NTCREATEX;
494 io.ntcreatex.in.root_fid = 0;
495 io.ntcreatex.in.flags = 0;
496 io.ntcreatex.in.access_mask =
497 SEC_STD_READ_CONTROL |
500 io.ntcreatex.in.create_options = 0;
501 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
502 io.ntcreatex.in.share_access =
503 NTCREATEX_SHARE_ACCESS_READ |
504 NTCREATEX_SHARE_ACCESS_WRITE;
505 io.ntcreatex.in.alloc_size = 0;
506 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
507 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
508 io.ntcreatex.in.security_flags = 0;
509 io.ntcreatex.in.fname = fname;
510 status = smb_raw_open(cli->tree, mem_ctx, &io);
511 CHECK_STATUS(status, NT_STATUS_OK);
512 fnum = io.ntcreatex.out.fnum;
514 printf("get the original sd\n");
515 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
516 q.query_secdesc.in.fnum = fnum;
517 q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
518 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
519 CHECK_STATUS(status, NT_STATUS_OK);
520 sd_orig = q.query_secdesc.out.sd;
522 owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
524 status = smblsa_sid_check_privilege(cli,
526 sec_privilege_name(SEC_PRIV_RESTORE));
527 has_restore_privilege = NT_STATUS_IS_OK(status);
528 if (!NT_STATUS_IS_OK(status)) {
529 printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
531 printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
533 status = smblsa_sid_check_privilege(cli,
535 sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
536 has_take_ownership_privilege = NT_STATUS_IS_OK(status);
537 if (!NT_STATUS_IS_OK(status)) {
538 printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
540 printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_restore_privilege?"Yes":"No");
542 for (i=0;i<ARRAY_SIZE(file_mappings);i++) {
543 uint32_t expected_mask =
545 SEC_STD_READ_CONTROL |
546 SEC_FILE_READ_ATTRIBUTE |
548 uint32_t expected_mask_anon = SEC_FILE_READ_ATTRIBUTE;
550 if (has_restore_privilege) {
551 expected_mask_anon |= SEC_STD_DELETE;
554 printf("testing generic bits 0x%08x\n",
555 file_mappings[i].gen_bits);
556 sd = security_descriptor_create(mem_ctx,
559 SEC_ACE_TYPE_ACCESS_ALLOWED,
560 file_mappings[i].gen_bits,
564 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
565 set.set_secdesc.file.fnum = fnum;
566 set.set_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
567 set.set_secdesc.in.sd = sd;
569 status = smb_raw_setfileinfo(cli->tree, &set);
570 CHECK_STATUS(status, NT_STATUS_OK);
572 sd2 = security_descriptor_create(mem_ctx,
575 SEC_ACE_TYPE_ACCESS_ALLOWED,
576 file_mappings[i].specific_bits,
580 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
581 CHECK_STATUS(status, NT_STATUS_OK);
582 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
583 printf("security descriptors don't match!\n");
585 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
586 printf("expected:\n");
587 NDR_PRINT_DEBUG(security_descriptor, sd2);
590 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
591 status = smb_raw_open(cli->tree, mem_ctx, &io);
592 CHECK_STATUS(status, NT_STATUS_OK);
593 CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
594 expected_mask | file_mappings[i].specific_bits);
595 smbcli_close(cli->tree, io.ntcreatex.out.fnum);
597 if (!has_take_ownership_privilege) {
601 printf("testing generic bits 0x%08x (anonymous)\n",
602 file_mappings[i].gen_bits);
603 sd = security_descriptor_create(mem_ctx,
604 SID_NT_ANONYMOUS, NULL,
606 SEC_ACE_TYPE_ACCESS_ALLOWED,
607 file_mappings[i].gen_bits,
611 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
612 set.set_secdesc.file.fnum = fnum;
613 set.set_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
614 set.set_secdesc.in.sd = sd;
616 status = smb_raw_setfileinfo(cli->tree, &set);
617 CHECK_STATUS(status, NT_STATUS_OK);
619 sd2 = security_descriptor_create(mem_ctx,
620 SID_NT_ANONYMOUS, NULL,
622 SEC_ACE_TYPE_ACCESS_ALLOWED,
623 file_mappings[i].specific_bits,
627 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
628 CHECK_STATUS(status, NT_STATUS_OK);
629 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
630 printf("security descriptors don't match!\n");
632 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
633 printf("expected:\n");
634 NDR_PRINT_DEBUG(security_descriptor, sd2);
637 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
638 status = smb_raw_open(cli->tree, mem_ctx, &io);
639 CHECK_STATUS(status, NT_STATUS_OK);
640 CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
641 expected_mask_anon | file_mappings[i].specific_bits);
642 smbcli_close(cli->tree, io.ntcreatex.out.fnum);
645 printf("put back original sd\n");
646 set.set_secdesc.in.sd = sd_orig;
647 status = smb_raw_setfileinfo(cli->tree, &set);
648 CHECK_STATUS(status, NT_STATUS_OK);
650 smbcli_close(cli->tree, fnum);
651 smbcli_unlink(cli->tree, fname);
654 printf("TESTING DIR GENERIC BITS\n");
656 io.generic.level = RAW_OPEN_NTCREATEX;
657 io.ntcreatex.in.root_fid = 0;
658 io.ntcreatex.in.flags = 0;
659 io.ntcreatex.in.access_mask = SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC;
660 io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
661 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_DIRECTORY;
662 io.ntcreatex.in.share_access =
663 NTCREATEX_SHARE_ACCESS_READ |
664 NTCREATEX_SHARE_ACCESS_WRITE;
665 io.ntcreatex.in.alloc_size = 0;
666 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
667 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
668 io.ntcreatex.in.security_flags = 0;
669 io.ntcreatex.in.fname = fname;
670 status = smb_raw_open(cli->tree, mem_ctx, &io);
671 CHECK_STATUS(status, NT_STATUS_OK);
672 fnum = io.ntcreatex.out.fnum;
674 printf("get the original sd\n");
675 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
676 q.query_secdesc.in.fnum = fnum;
677 q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
678 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
679 CHECK_STATUS(status, NT_STATUS_OK);
680 sd_orig = q.query_secdesc.out.sd;
682 owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
685 for (i=0;i<ARRAY_SIZE(dir_mappings);i++) {
686 uint32_t expected_mask =
688 SEC_STD_READ_CONTROL |
689 SEC_FILE_READ_ATTRIBUTE |
692 printf("testing generic bits 0x%08x\n",
693 file_mappings[i].gen_bits);
694 sd = security_descriptor_create(mem_ctx,
697 SEC_ACE_TYPE_ACCESS_ALLOWED,
698 dir_mappings[i].gen_bits,
702 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
703 set.set_secdesc.file.fnum = fnum;
704 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
705 set.set_secdesc.in.sd = sd;
707 status = smb_raw_setfileinfo(cli->tree, &set);
708 CHECK_STATUS(status, NT_STATUS_OK);
710 sd2 = security_descriptor_create(mem_ctx,
713 SEC_ACE_TYPE_ACCESS_ALLOWED,
714 dir_mappings[i].specific_bits,
718 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
719 CHECK_STATUS(status, NT_STATUS_OK);
720 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
721 printf("security descriptors don't match!\n");
723 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
724 printf("expected:\n");
725 NDR_PRINT_DEBUG(security_descriptor, sd2);
728 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
729 status = smb_raw_open(cli->tree, mem_ctx, &io);
730 CHECK_STATUS(status, NT_STATUS_OK);
731 CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
732 expected_mask | dir_mappings[i].specific_bits);
733 smbcli_close(cli->tree, io.ntcreatex.out.fnum);
736 printf("put back original sd\n");
737 set.set_secdesc.in.sd = sd_orig;
738 status = smb_raw_setfileinfo(cli->tree, &set);
739 CHECK_STATUS(status, NT_STATUS_OK);
741 smbcli_close(cli->tree, fnum);
742 smbcli_unlink(cli->tree, fname);
745 smbcli_close(cli->tree, fnum);
752 test the inheritance of ACL flags onto new files and directories
754 static BOOL test_inheritance(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
758 const char *dname = BASEDIR "\\inheritance";
759 const char *fname1 = BASEDIR "\\inheritance\\testfile";
760 const char *fname2 = BASEDIR "\\inheritance\\testdir";
763 union smb_fileinfo q;
764 union smb_setfileinfo set;
765 struct security_descriptor *sd, *sd_orig, *sd_def;
766 const char *owner_sid;
768 uint32_t parent_flags;
778 SEC_ACE_FLAG_OBJECT_INHERIT,
780 SEC_ACE_FLAG_OBJECT_INHERIT |
781 SEC_ACE_FLAG_INHERIT_ONLY,
784 SEC_ACE_FLAG_CONTAINER_INHERIT,
786 SEC_ACE_FLAG_CONTAINER_INHERIT,
789 SEC_ACE_FLAG_OBJECT_INHERIT |
790 SEC_ACE_FLAG_CONTAINER_INHERIT,
792 SEC_ACE_FLAG_OBJECT_INHERIT |
793 SEC_ACE_FLAG_CONTAINER_INHERIT,
796 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT,
801 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
802 SEC_ACE_FLAG_OBJECT_INHERIT,
807 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
808 SEC_ACE_FLAG_CONTAINER_INHERIT,
813 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
814 SEC_ACE_FLAG_CONTAINER_INHERIT |
815 SEC_ACE_FLAG_OBJECT_INHERIT,
820 SEC_ACE_FLAG_INHERIT_ONLY,
825 SEC_ACE_FLAG_INHERIT_ONLY |
826 SEC_ACE_FLAG_OBJECT_INHERIT,
828 SEC_ACE_FLAG_OBJECT_INHERIT |
829 SEC_ACE_FLAG_INHERIT_ONLY,
832 SEC_ACE_FLAG_INHERIT_ONLY |
833 SEC_ACE_FLAG_CONTAINER_INHERIT,
835 SEC_ACE_FLAG_CONTAINER_INHERIT,
838 SEC_ACE_FLAG_INHERIT_ONLY |
839 SEC_ACE_FLAG_CONTAINER_INHERIT |
840 SEC_ACE_FLAG_OBJECT_INHERIT,
842 SEC_ACE_FLAG_CONTAINER_INHERIT |
843 SEC_ACE_FLAG_OBJECT_INHERIT,
846 SEC_ACE_FLAG_INHERIT_ONLY |
847 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT,
852 SEC_ACE_FLAG_INHERIT_ONLY |
853 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
854 SEC_ACE_FLAG_OBJECT_INHERIT,
859 SEC_ACE_FLAG_INHERIT_ONLY |
860 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
861 SEC_ACE_FLAG_CONTAINER_INHERIT,
866 SEC_ACE_FLAG_INHERIT_ONLY |
867 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
868 SEC_ACE_FLAG_CONTAINER_INHERIT |
869 SEC_ACE_FLAG_OBJECT_INHERIT,
875 printf("TESTING ACL INHERITANCE\n");
877 io.generic.level = RAW_OPEN_NTCREATEX;
878 io.ntcreatex.in.root_fid = 0;
879 io.ntcreatex.in.flags = 0;
880 io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL;
881 io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
882 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_DIRECTORY;
883 io.ntcreatex.in.share_access = 0;
884 io.ntcreatex.in.alloc_size = 0;
885 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
886 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
887 io.ntcreatex.in.security_flags = 0;
888 io.ntcreatex.in.fname = dname;
890 status = smb_raw_open(cli->tree, mem_ctx, &io);
891 CHECK_STATUS(status, NT_STATUS_OK);
892 fnum = io.ntcreatex.out.fnum;
894 printf("get the original sd\n");
895 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
896 q.query_secdesc.in.fnum = fnum;
897 q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
898 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
899 CHECK_STATUS(status, NT_STATUS_OK);
900 sd_orig = q.query_secdesc.out.sd;
902 owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
904 sd_def = security_descriptor_create(mem_ctx,
907 SEC_ACE_TYPE_ACCESS_ALLOWED,
911 SEC_ACE_TYPE_ACCESS_ALLOWED,
916 for (i=0;i<ARRAY_SIZE(test_flags);i++) {
917 sd = security_descriptor_create(mem_ctx,
920 SEC_ACE_TYPE_ACCESS_ALLOWED,
922 test_flags[i].parent_flags,
924 SEC_ACE_TYPE_ACCESS_ALLOWED,
925 SEC_FILE_ALL | SEC_STD_ALL,
928 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
929 set.set_secdesc.file.fnum = fnum;
930 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
931 set.set_secdesc.in.sd = sd;
932 status = smb_raw_setfileinfo(cli->tree, &set);
933 CHECK_STATUS(status, NT_STATUS_OK);
935 io.ntcreatex.in.fname = fname1;
936 io.ntcreatex.in.create_options = 0;
937 status = smb_raw_open(cli->tree, mem_ctx, &io);
938 CHECK_STATUS(status, NT_STATUS_OK);
939 fnum2 = io.ntcreatex.out.fnum;
941 q.query_secdesc.in.fnum = fnum2;
942 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
943 CHECK_STATUS(status, NT_STATUS_OK);
945 smbcli_close(cli->tree, fnum2);
946 smbcli_unlink(cli->tree, fname1);
948 if (!(test_flags[i].parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
949 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd_def)) {
950 printf("Expected default sd at %d - got:\n", i);
951 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
956 if (q.query_secdesc.out.sd->dacl == NULL ||
957 q.query_secdesc.out.sd->dacl->num_aces != 1 ||
958 q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA ||
959 !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee,
960 sd_orig->owner_sid)) {
961 printf("Bad sd in child file at %d\n", i);
962 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
967 if (q.query_secdesc.out.sd->dacl->aces[0].flags !=
968 test_flags[i].file_flags) {
969 printf("incorrect file_flags 0x%x - expected 0x%x for parent 0x%x with (i=%d)\n",
970 q.query_secdesc.out.sd->dacl->aces[0].flags,
971 test_flags[i].file_flags,
972 test_flags[i].parent_flags,
978 io.ntcreatex.in.fname = fname2;
979 io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
980 status = smb_raw_open(cli->tree, mem_ctx, &io);
981 CHECK_STATUS(status, NT_STATUS_OK);
982 fnum2 = io.ntcreatex.out.fnum;
984 q.query_secdesc.in.fnum = fnum2;
985 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
986 CHECK_STATUS(status, NT_STATUS_OK);
988 smbcli_close(cli->tree, fnum2);
989 smbcli_rmdir(cli->tree, fname2);
991 if (!(test_flags[i].parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT) &&
992 (!(test_flags[i].parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT) ||
993 (test_flags[i].parent_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT))) {
994 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd_def)) {
995 printf("Expected default sd for dir at %d - got:\n", i);
996 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
1001 if (q.query_secdesc.out.sd->dacl == NULL ||
1002 q.query_secdesc.out.sd->dacl->num_aces != 1 ||
1003 q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA ||
1004 !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee,
1005 sd_orig->owner_sid)) {
1006 printf("Bad sd in child dir at %d (parent 0x%x)\n",
1007 i, test_flags[i].parent_flags);
1008 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
1013 if (q.query_secdesc.out.sd->dacl->aces[0].flags !=
1014 test_flags[i].dir_flags) {
1015 printf("incorrect dir_flags 0x%x - expected 0x%x for parent 0x%x with (i=%d)\n",
1016 q.query_secdesc.out.sd->dacl->aces[0].flags,
1017 test_flags[i].dir_flags,
1018 test_flags[i].parent_flags,
1024 printf("put back original sd\n");
1025 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
1026 set.set_secdesc.file.fnum = fnum;
1027 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
1028 set.set_secdesc.in.sd = sd_orig;
1029 status = smb_raw_setfileinfo(cli->tree, &set);
1030 CHECK_STATUS(status, NT_STATUS_OK);
1032 smbcli_close(cli->tree, fnum);
1033 smbcli_rmdir(cli->tree, dname);
1037 smbcli_close(cli->tree, fnum);
1043 basic testing of security descriptor calls
1045 BOOL torture_raw_acls(void)
1047 struct smbcli_state *cli;
1049 TALLOC_CTX *mem_ctx;
1051 if (!torture_open_connection(&cli)) {
1055 mem_ctx = talloc_init("torture_raw_acls");
1057 if (!torture_setup_dir(cli, BASEDIR)) {
1061 ret &= test_sd(cli, mem_ctx);
1062 ret &= test_nttrans_create(cli, mem_ctx);
1063 ret &= test_creator_sid(cli, mem_ctx);
1064 ret &= test_generic_bits(cli, mem_ctx);
1065 ret &= test_inheritance(cli, mem_ctx);
1067 smb_raw_exit(cli->session);
1068 smbcli_deltree(cli->tree, BASEDIR);
1070 torture_close_connection(cli);
1071 talloc_destroy(mem_ctx);
git.samba.org / samba.git / blob