seltest: implicit FILE_READ_DATA non-reporting
authorUri Simchoni <uri@samba.org>
Sat, 13 Aug 2016 18:23:34 +0000 (21:23 +0300)
committerDavid Disseldorp <ddiss@samba.org>
Tue, 16 Aug 2016 09:31:27 +0000 (11:31 +0200)
This test (which passes against Windows Server 2012R2) shows
that the implicit FILE_READ_DATA, which is added whenever
FILE_EXECUTE is granted, is not reported back when querying
the handle.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12149

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
source4/torture/smb2/getinfo.c
source4/torture/smb2/util.c

index 4bf41008460093f9a8cb9ffc731a75bde2a36088..82eda75abd1c7961ed3b516582d6cffe3ab4d811 100644 (file)
@@ -126,6 +126,49 @@ static bool torture_smb2_fileinfo(struct torture_context *tctx, struct smb2_tree
        return true;
 }
 
+/*
+  test granted access when desired access includes
+  FILE_EXECUTE and does not include FILE_READ_DATA
+*/
+static bool torture_smb2_fileinfo_grant_read(struct torture_context *tctx)
+{
+       struct smb2_tree *tree;
+       bool ret;
+       struct smb2_handle hfile, hdir;
+       NTSTATUS status;
+       uint32_t file_granted_access, dir_granted_access;
+
+       ret = torture_smb2_connection(tctx, &tree);
+       torture_assert(tctx, ret, "connection failed");
+
+       status = torture_smb2_testfile_access(
+           tree, FNAME, &hfile, SEC_FILE_EXECUTE | SEC_FILE_READ_ATTRIBUTE);
+       torture_assert_ntstatus_ok(tctx, status,
+                                  "Unable to create test file " FNAME "\n");
+       status =
+           torture_smb2_get_allinfo_access(tree, hfile, &file_granted_access);
+       torture_assert_ntstatus_ok(tctx, status,
+                                  "Unable to query test file access ");
+       torture_assert_int_equal(tctx, file_granted_access,
+                                SEC_FILE_EXECUTE | SEC_FILE_READ_ATTRIBUTE,
+                                "granted file access ");
+       smb2_util_close(tree, hfile);
+
+       status = torture_smb2_testdir_access(
+           tree, DNAME, &hdir, SEC_FILE_EXECUTE | SEC_FILE_READ_ATTRIBUTE);
+       torture_assert_ntstatus_ok(tctx, status,
+                                  "Unable to create test dir " DNAME "\n");
+       status =
+           torture_smb2_get_allinfo_access(tree, hdir, &dir_granted_access);
+       torture_assert_ntstatus_ok(tctx, status,
+                                  "Unable to query test dir access ");
+       torture_assert_int_equal(tctx, dir_granted_access,
+                                SEC_FILE_EXECUTE | SEC_FILE_READ_ATTRIBUTE,
+                                "granted dir access ");
+       smb2_util_close(tree, hdir);
+
+       return true;
+}
 
 /*
   test fsinfo levels
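Review bot: In torture_smb2_fileinfo_grant_read the two `smb2_util_close()` calls sit only on the success path, and the torture_assert* macros return from the function when they fail, so a failed status or mask check leaves `hfile` or `hdir` open. Nothing in the hunk removes FNAME or DNAME on either path, so later tests in the suite may start from leftover state. If the `_goto` assert variants are available in this tree, setting `ret` and jumping to a single cleanup label would cover both cases, e.g. `torture_assert_ntstatus_ok_goto(tctx, status, ret, done, "Unable to query test file access");`. A one-line comment next to the expected mask, such as `/* SEC_FILE_READ_DATA is implied by SEC_FILE_EXECUTE but must not be reported */`, would stop a later reader from "correcting" the expectation. The function lies entirely inside this hunk.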
@@ -444,5 +487,7 @@ struct torture_suite *torture_smb2_getinfo_init(void)
                                      torture_smb2_qfile_buffercheck);
        torture_suite_add_simple_test(suite, "qsec_buffercheck",
                                      torture_smb2_qsec_buffercheck);
+       torture_suite_add_simple_test(suite, "granted",
+                                     torture_smb2_fileinfo_grant_read);
        return suite;
 }
index c9d47aec1e6b54a289535a502732b6d768692c64..d0fc69590df966146f5b802382c80be218ad4b25 100644 (file)
@@ -261,6 +261,33 @@ void torture_smb2_all_info(struct smb2_tree *tree, struct smb2_handle handle)
        talloc_free(tmp_ctx);   
 }
 
+/*
+  get granted access of a file handle
+*/
+NTSTATUS torture_smb2_get_allinfo_access(struct smb2_tree *tree,
+                                        struct smb2_handle handle,
+                                        uint32_t *granted_access)
+{
+       NTSTATUS status;
+       TALLOC_CTX *tmp_ctx = talloc_new(tree);
+       union smb_fileinfo io;
+
+       io.generic.level = RAW_FILEINFO_SMB2_ALL_INFORMATION;
+       io.generic.in.file.handle = handle;
+
+       status = smb2_getinfo_file(tree, tmp_ctx, &io);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(0, ("getinfo failed - %s\n", nt_errstr(status)));
+               goto out;
+       }
+
+       *granted_access = io.all_info2.out.access_mask;
+
+out:
+       talloc_free(tmp_ctx);
+       return status;
+}
+
 /**
  * open a smb2 tree connect
  */
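Review bot: torture_smb2_get_allinfo_access stores into `*granted_access` only when `smb2_getinfo_file()` succeeds, so a caller that skips the status check reads an uninitialised mask. Adding `*granted_access = 0;` before the query makes the failure case deterministic. The header comment could state that the value is the `access_mask` of the SMB2 ALL_INFORMATION reply and is valid only when the returned status is OK. The `talloc_new(tree)` result is also used without a NULL check; returning `NT_STATUS_NO_MEMORY` there would be more direct than letting the query run with a NULL context.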