From: Andrew Tridgell Date: Wed, 29 Dec 2004 07:28:03 +0000 (+0000) Subject: r4389: added checking for the default inherited ACL, which is used when no ACEs X-Git-Tag: samba-4.0.0alpha6~801^3~12202 X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=d39ae5434185b6e54d029b1868ec610f0d638d6f r4389: added checking for the default inherited ACL, which is used when no ACEs are inheritable (This used to be commit e30b8d5783e073a31f738a36400fe866c970464b) --- diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c index 75a5b31693c..82e04ffcc72 100644 --- a/source4/torture/raw/acls.c +++ b/source4/torture/raw/acls.c @@ -762,7 +762,7 @@ static BOOL test_inheritance(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) int fnum, fnum2, i; union smb_fileinfo q; union smb_setfileinfo set; - struct security_descriptor *sd, *sd_orig; + struct security_descriptor *sd, *sd_orig, *sd_def; const char *owner_sid; const struct { uint32_t parent_flags; @@ -901,12 +901,24 @@ static BOOL test_inheritance(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid); + sd_def = security_descriptor_create(mem_ctx, + owner_sid, NULL, + owner_sid, + SEC_ACE_TYPE_ACCESS_ALLOWED, + SEC_RIGHTS_FILE_ALL, + 0, + SID_NT_SYSTEM, + SEC_ACE_TYPE_ACCESS_ALLOWED, + SEC_RIGHTS_FILE_ALL, + 0, + NULL); + for (i=0;itree, fnum2); smbcli_unlink(cli->tree, fname1); + if (!(test_flags[i].parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT)) { + if (!security_descriptor_equal(q.query_secdesc.out.sd, sd_def)) { + printf("Expected default sd at %d - got:\n", i); + NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); + } + goto check_dir; + } if (q.query_secdesc.out.sd->dacl == NULL || q.query_secdesc.out.sd->dacl->num_aces < 1 || + q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA || !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee, sd_orig->owner_sid)) { - printf("Bad sd in child at %d\n", i); + printf("Bad sd in child file at %d\n", i); NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); ret = False; - goto done; + goto check_dir; } if (q.query_secdesc.out.sd->dacl->aces[0].flags != @@ -954,6 +974,7 @@ static BOOL test_inheritance(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) ret = False; } + check_dir: io.ntcreatex.in.fname = fname2; io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; status = smb_raw_open(cli->tree, mem_ctx, &io); @@ -967,14 +988,26 @@ static BOOL test_inheritance(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) smbcli_close(cli->tree, fnum2); smbcli_rmdir(cli->tree, fname2); + if (!(test_flags[i].parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT) && + (!(test_flags[i].parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT) || + (test_flags[i].parent_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT))) { + if (!security_descriptor_equal(q.query_secdesc.out.sd, sd_def)) { + printf("Expected default sd for dir at %d - got:\n", i); + NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); + } + continue; + } + if (q.query_secdesc.out.sd->dacl == NULL || q.query_secdesc.out.sd->dacl->num_aces < 1 || + q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA || !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee, sd_orig->owner_sid)) { - printf("Bad sd in child at %d\n", i); + printf("Bad sd in child dir at %d (parent 0x%x)\n", + i, test_flags[i].parent_flags); NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); ret = False; - goto done; + continue; } if (q.query_secdesc.out.sd->dacl->aces[0].flags !=