From 3542bd324ecea130292909fd052f71ab0790b7d3 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 29 Apr 2011 15:54:20 +1000
Subject: [PATCH] selftest: Restore the s3member environment by avoiding smbcacls

This removes the need for acls on the filesystem for simple domain member tests. ACL tests should be written at some point...
Andrew Bartlett
Pair-Programmed-With: Andrew Tridgell
---
 selftest/selftest.pl | 10 ++++++++--
 selftest/target/Samba3.pm | 18 +++++-------------
 2 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index 5077a179013..6f8cbe1fe8e 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -399,8 +399,14 @@ $prefix =~ s+/$++;
 die("using an empty prefix isn't allowed") unless $prefix ne "";
-#Ensure we have the test prefix around
-mkdir($prefix, 0777) unless -d $prefix;
+# Ensure we have the test prefix around.
+#
+# We need restrictive
+# permissions on this as some subdirectories in this tree will have
+# wider permissions (ie 0777) and this would allow other users on the
+# host to subvert the test process.
+mkdir($prefix, 0700) unless -d $prefix;
+chmod 0700, $prefix;
 my $prefix_abs = abs_path($prefix);
 my $tmpdir_abs = abs_path("$prefix/tmp");
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 6312d650a0c..01158347b31 100644
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
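Review bot: Neither `mkdir($prefix, 0700)` nor `chmod 0700, $prefix` in the selftest.pl hunk has its return value checked, so when the prefix already exists and cannot be tightened (for example because another user owns it) the run carries on with the old mode and the protection described in the new comment is not in place. `-d` also follows symlinks, so a pre-existing link to a directory is accepted as the prefix. I would make the failure fatal, e.g. `chmod(0700, $prefix) == 1 or die("cannot restrict $prefix to 0700: $!");`. The same unchecked call appears in the `chmod 0777, "$prefix/share"` added to selftest/target/Samba3.pm.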
@@ -247,24 +247,16 @@ sub setup_admember($$$$) return undef; } + # We need world access to this share, as otherwise the domain + # administrator from the AD domain provided by Samba4 can't + # access the share for tests. + chmod 0777, "$prefix/share"; + $self->check_or_start($ret, "yes", "yes", "yes"); $self->wait_for_start($ret); - my $smbcacls = Samba::bindir_path($self, "smbcacls"); - #Allow domain users to manipulate the share - $cmd = ""; - $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" "; - $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; - $cmd .= "$smbcacls $ret->{CONFIGURATION} //127.0.0.29/tmp / -U$ret->{USERNAME}%$ret->{PASSWORD} "; - $cmd .= "-S ACL:$dcvars->{DOMAIN}\\\\Domain\\ Users:ALLOWED/0x0/FULL"; - - if (system($cmd) != 0) { - warn("smbcacls failed, your filesystem may not support ACLs. Try mount $prefix_abs -oremount,acl\nThis support is required for S3 member in S4 tests\n$cmd"); - return undef; - } - $ret->{DC_SERVER} = $dcvars->{SERVER}; $ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP}; $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME}; -- 2.34.1
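Review bot: The `chmod 0777, "$prefix/share"` added to setup_admember is only safe while every ancestor directory stays private, and the new comment explains why the share is opened up but not what keeps that acceptable. `$prefix` is assigned outside this hunk, so I am assuming it lies under the selftest prefix that selftest.pl now forces to 0700; if an environment is ever created elsewhere, the share becomes writable by any local user on the host. I would extend the comment with `# Only safe because the top-level selftest prefix is 0700 (see selftest.pl).` so the dependency is visible where the mode is widened. The body of setup_admember starts and ends outside the hunk.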