s4:torture: Add test_deny1().

Creates a 2-element ALLOW + DENY ACE showing that when calculating
effective permissions and maximum access already seen allow bits are not
removed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit b205d695d769e910a91bec87451dec189ec33740)

diff --git a/selftest/knownfail.d/smb2.acls b/selftest/knownfail.d/smb2.acls
index f8541adc1b082cb1c9def29f2b8fcb7c4a680076..b76a3c719cedab97fe6eb9c96e5e789b23a28786 100644 (file)
--- a/selftest/knownfail.d/smb2.acls
+++ b/selftest/knownfail.d/smb2.acls
@@ -1,2 +1,4 @@
 ^samba3.smb2.acls.OWNER-RIGHTS-DENY1\(ad_dc\)
 ^samba3.smb2.acls.OWNER-RIGHTS-DENY1\(nt4_dc\)
+^samba3.smb2.acls.DENY1\(ad_dc\)
+^samba3.smb2.acls.DENY1\(nt4_dc\)

diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c
index 916a582eac54cd07c0053b118f5ff6a0545073b7..7bccce803f0faeaab8e24c7f645f2d51da402e15 100644 (file)
--- a/source4/torture/smb2/acls.c
+++ b/source4/torture/smb2/acls.c
@@ -2776,6 +2776,144 @@ done:
        return ret;
 }
 
+/*
+ * test that shows that a DENY ACE doesn't remove rights granted
+ * by a previous ALLOW ACE.
+ */
+static bool test_deny1(struct torture_context *tctx,
+                      struct smb2_tree *tree)
+{
+       const char *fname = BASEDIR "\\test_deny1.txt";
+       struct smb2_create cr;
+       struct smb2_handle handle = {{0}};
+       union smb_fileinfo gi;
+       union smb_setfileinfo si;
+       struct security_descriptor *sd_orig = NULL;
+       struct security_descriptor *sd = NULL;
+       const char *owner_sid = NULL;
+       NTSTATUS mxac_status;
+       NTSTATUS status;
+       bool ret = true;
+
+       smb2_deltree(tree, BASEDIR);
+
+       ret = smb2_util_setup_dir(tctx, tree, BASEDIR);
+       torture_assert_goto(tctx, ret, ret, done,
+                       "smb2_util_setup_dir failed\n");
+
+       cr = (struct smb2_create) {
+               .in.desired_access = SEC_STD_READ_CONTROL |
+                       SEC_STD_WRITE_DAC |SEC_STD_WRITE_OWNER,
+               .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+               .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
+               .in.create_disposition = NTCREATEX_DISP_OPEN_IF,
+               .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+               .in.fname = fname,
+       };
+
+       status = smb2_create(tree, tctx, &cr);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                                       "smb2_create failed\n");
+       handle = cr.out.file.handle;
+
+       torture_comment(tctx, "get the original sd\n");
+
+       gi = (union smb_fileinfo) {
+               .query_secdesc.level = RAW_FILEINFO_SEC_DESC,
+               .query_secdesc.in.file.handle = handle,
+               .query_secdesc.in.secinfo_flags = SECINFO_DACL|SECINFO_OWNER,
+       };
+
+       status = smb2_getinfo_file(tree, tctx, &gi);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                               "smb2_getinfo_file failed\n");
+
+       sd_orig = gi.query_secdesc.out.sd;
+       owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
+
+       /*
+        * Add a 2 element ACL
+        *
+        * SEC_RIGHTS_FILE_READ|SEC_FILE_WRITE_DATA allow for owner.
+        * SEC_FILE_WRITE_DATA deny for owner
+        *
+        * Shows on Windows that trailing DENY entries don't
+        * override granted permissions.
+        */
+       sd = security_descriptor_dacl_create(tctx, 0, NULL, NULL,
+                                       owner_sid,
+                                       SEC_ACE_TYPE_ACCESS_ALLOWED,
+                                       SEC_RIGHTS_FILE_READ|SEC_FILE_WRITE_DATA,
+                                       0,
+                                       owner_sid,
+                                       SEC_ACE_TYPE_ACCESS_DENIED,
+                                       SEC_FILE_WRITE_DATA,
+                                       0,
+                                       NULL);
+       torture_assert_not_null_goto(tctx, sd, ret, done,
+                                       "SD create failed\n");
+
+       si = (union smb_setfileinfo) {
+               .set_secdesc.level = RAW_SFILEINFO_SEC_DESC,
+               .set_secdesc.in.file.handle = handle,
+               .set_secdesc.in.secinfo_flags = SECINFO_DACL,
+               .set_secdesc.in.sd = sd,
+       };
+
+       status = smb2_setinfo_file(tree, &si);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                                       "smb2_setinfo_file failed\n");
+
+       status = smb2_util_close(tree, handle);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                                       "smb2_util_close failed\n");
+       ZERO_STRUCT(handle);
+
+       cr = (struct smb2_create) {
+               .in.desired_access = SEC_STD_READ_CONTROL | SEC_FILE_WRITE_DATA,
+               .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+               .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
+               .in.create_disposition = NTCREATEX_DISP_OPEN_IF,
+               .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+               .in.query_maximal_access = true,
+               .in.fname = fname,
+       };
+
+       status = smb2_create(tree, tctx, &cr);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                                       "smb2_create failed\n");
+       handle = cr.out.file.handle;
+
+       mxac_status = NT_STATUS(cr.out.maximal_access_status);
+       torture_assert_ntstatus_ok_goto(tctx, mxac_status, ret, done,
+                                       "Wrong maximum access status\n");
+
+       /*
+        * For some reasons Windows 2016 doesn't set SEC_STD_DELETE but we
+        * do. Mask it out so the test passes against Samba and Windows.
+        * SEC_STD_WRITE_DAC comes from being the owner.
+        */
+       torture_assert_int_equal_goto(tctx,
+                                     cr.out.maximal_access & ~SEC_STD_DELETE,
+                                     SEC_RIGHTS_FILE_READ |
+                                     SEC_FILE_WRITE_DATA |
+                                     SEC_STD_WRITE_DAC,
+                                     ret, done,
+                                     "Wrong maximum access\n");
+
+       status = smb2_util_close(tree, handle);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                                       "smb2_util_close failed\n");
+       ZERO_STRUCT(handle);
+
+done:
+       if (!smb2_util_handle_empty(handle)) {
+               smb2_util_close(tree, handle);
+       }
+       smb2_deltree(tree, BASEDIR);
+       return ret;
+}
+
 /*
    basic testing of SMB2 ACLs
 */
@@ -2800,6 +2938,8 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx)
                        test_owner_rights_deny);
        torture_suite_add_1smb2_test(suite, "OWNER-RIGHTS-DENY1",
                        test_owner_rights_deny1);
+       torture_suite_add_1smb2_test(suite, "DENY1",
+                       test_deny1);
 
        suite->description = talloc_strdup(suite, "SMB2-ACLS tests");