2 Unix SMB/CIFS implementation.
4 test security descriptor operations
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "torture/torture.h"
24 #include "libcli/raw/libcliraw.h"
25 #include "libcli/libcli.h"
26 #include "librpc/gen_ndr/lsa.h"
27 #include "libcli/util/clilsa.h"
28 #include "libcli/security/security.h"
29 #include "torture/util.h"
30 #include "librpc/gen_ndr/ndr_security.h"
32 #define BASEDIR "\\testsd"
34 #define CHECK_STATUS(status, correct) do { \
35 if (!NT_STATUS_EQUAL(status, correct)) { \
36 printf("(%s) Incorrect status %s - should be %s\n", \
37 __location__, nt_errstr(status), nt_errstr(correct)); \
43 static bool test_sd(struct torture_context *tctx,
44 struct smbcli_state *cli)
48 const char *fname = BASEDIR "\\sd.txt";
52 union smb_setfileinfo set;
53 struct security_ace ace;
54 struct security_descriptor *sd;
55 struct dom_sid *test_sid;
57 printf("TESTING SETFILEINFO EA_SET\n");
59 io.generic.level = RAW_OPEN_NTCREATEX;
60 io.ntcreatex.in.root_fid = 0;
61 io.ntcreatex.in.flags = 0;
62 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
63 io.ntcreatex.in.create_options = 0;
64 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
65 io.ntcreatex.in.share_access =
66 NTCREATEX_SHARE_ACCESS_READ |
67 NTCREATEX_SHARE_ACCESS_WRITE;
68 io.ntcreatex.in.alloc_size = 0;
69 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
70 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
71 io.ntcreatex.in.security_flags = 0;
72 io.ntcreatex.in.fname = fname;
73 status = smb_raw_open(cli->tree, tctx, &io);
74 CHECK_STATUS(status, NT_STATUS_OK);
75 fnum = io.ntcreatex.out.file.fnum;
77 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
78 q.query_secdesc.in.file.fnum = fnum;
79 q.query_secdesc.in.secinfo_flags =
83 status = smb_raw_fileinfo(cli->tree, tctx, &q);
84 CHECK_STATUS(status, NT_STATUS_OK);
85 sd = q.query_secdesc.out.sd;
87 printf("add a new ACE to the DACL\n");
89 test_sid = dom_sid_parse_talloc(tctx, "S-1-5-32-1234-5432");
91 ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
93 ace.access_mask = SEC_STD_ALL;
94 ace.trustee = *test_sid;
96 status = security_descriptor_dacl_add(sd, &ace);
97 CHECK_STATUS(status, NT_STATUS_OK);
99 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
100 set.set_secdesc.in.file.fnum = fnum;
101 set.set_secdesc.in.secinfo_flags = q.query_secdesc.in.secinfo_flags;
102 set.set_secdesc.in.sd = sd;
104 status = smb_raw_setfileinfo(cli->tree, &set);
105 CHECK_STATUS(status, NT_STATUS_OK);
107 status = smb_raw_fileinfo(cli->tree, tctx, &q);
108 CHECK_STATUS(status, NT_STATUS_OK);
110 if (!security_acl_equal(q.query_secdesc.out.sd->dacl, sd->dacl)) {
111 printf("%s: security descriptors don't match!\n", __location__);
113 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
114 printf("expected:\n");
115 NDR_PRINT_DEBUG(security_descriptor, sd);
119 printf("remove it again\n");
121 status = security_descriptor_dacl_del(sd, test_sid);
122 CHECK_STATUS(status, NT_STATUS_OK);
124 status = smb_raw_setfileinfo(cli->tree, &set);
125 CHECK_STATUS(status, NT_STATUS_OK);
127 status = smb_raw_fileinfo(cli->tree, tctx, &q);
128 CHECK_STATUS(status, NT_STATUS_OK);
130 if (!security_acl_equal(q.query_secdesc.out.sd->dacl, sd->dacl)) {
131 printf("%s: security descriptors don't match!\n", __location__);
133 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
134 printf("expected:\n");
135 NDR_PRINT_DEBUG(security_descriptor, sd);
140 smbcli_close(cli->tree, fnum);
146 test using nttrans create to create a file with an initial acl set
148 static bool test_nttrans_create(struct torture_context *tctx,
149 struct smbcli_state *cli)
153 const char *fname = BASEDIR "\\acl2.txt";
156 union smb_fileinfo q;
157 struct security_ace ace;
158 struct security_descriptor *sd;
159 struct dom_sid *test_sid;
161 printf("testing nttrans create with sec_desc\n");
163 io.generic.level = RAW_OPEN_NTTRANS_CREATE;
164 io.ntcreatex.in.root_fid = 0;
165 io.ntcreatex.in.flags = 0;
166 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
167 io.ntcreatex.in.create_options = 0;
168 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
169 io.ntcreatex.in.share_access =
170 NTCREATEX_SHARE_ACCESS_READ |
171 NTCREATEX_SHARE_ACCESS_WRITE;
172 io.ntcreatex.in.alloc_size = 0;
173 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
174 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
175 io.ntcreatex.in.security_flags = 0;
176 io.ntcreatex.in.fname = fname;
177 io.ntcreatex.in.sec_desc = NULL;
178 io.ntcreatex.in.ea_list = NULL;
180 printf("creating normal file\n");
182 status = smb_raw_open(cli->tree, tctx, &io);
183 CHECK_STATUS(status, NT_STATUS_OK);
184 fnum = io.ntcreatex.out.file.fnum;
186 printf("querying ACL\n");
188 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
189 q.query_secdesc.in.file.fnum = fnum;
190 q.query_secdesc.in.secinfo_flags =
194 status = smb_raw_fileinfo(cli->tree, tctx, &q);
195 CHECK_STATUS(status, NT_STATUS_OK);
196 sd = q.query_secdesc.out.sd;
198 smbcli_close(cli->tree, fnum);
199 smbcli_unlink(cli->tree, fname);
201 printf("adding a new ACE\n");
202 test_sid = dom_sid_parse_talloc(tctx, "S-1-5-32-1234-54321");
204 ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
206 ace.access_mask = SEC_STD_ALL;
207 ace.trustee = *test_sid;
209 status = security_descriptor_dacl_add(sd, &ace);
210 CHECK_STATUS(status, NT_STATUS_OK);
212 printf("creating a file with an initial ACL\n");
214 io.ntcreatex.in.sec_desc = sd;
215 status = smb_raw_open(cli->tree, tctx, &io);
216 CHECK_STATUS(status, NT_STATUS_OK);
217 fnum = io.ntcreatex.out.file.fnum;
219 q.query_secdesc.in.file.fnum = fnum;
220 status = smb_raw_fileinfo(cli->tree, tctx, &q);
221 CHECK_STATUS(status, NT_STATUS_OK);
223 if (!security_acl_equal(q.query_secdesc.out.sd->dacl, sd->dacl)) {
224 printf("%s: security descriptors don't match!\n", __location__);
226 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
227 printf("expected:\n");
228 NDR_PRINT_DEBUG(security_descriptor, sd);
233 smbcli_close(cli->tree, fnum);
237 #define CHECK_ACCESS_FLAGS(_fnum, flags) do { \
238 union smb_fileinfo _q; \
239 _q.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION; \
240 _q.access_information.in.file.fnum = (_fnum); \
241 status = smb_raw_fileinfo(cli->tree, tctx, &_q); \
242 CHECK_STATUS(status, NT_STATUS_OK); \
243 if (_q.access_information.out.access_flags != (flags)) { \
244 printf("(%s) Incorrect access_flags 0x%08x - should be 0x%08x\n", \
245 __location__, _q.access_information.out.access_flags, (flags)); \
253 test the behaviour of the well known SID_CREATOR_OWNER sid, and some generic
256 static bool test_creator_sid(struct torture_context *tctx,
257 struct smbcli_state *cli)
261 const char *fname = BASEDIR "\\creator.txt";
264 union smb_fileinfo q;
265 union smb_setfileinfo set;
266 struct security_descriptor *sd, *sd_orig, *sd2;
267 const char *owner_sid;
269 printf("TESTING SID_CREATOR_OWNER\n");
271 io.generic.level = RAW_OPEN_NTCREATEX;
272 io.ntcreatex.in.root_fid = 0;
273 io.ntcreatex.in.flags = 0;
274 io.ntcreatex.in.access_mask = SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER;
275 io.ntcreatex.in.create_options = 0;
276 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
277 io.ntcreatex.in.share_access =
278 NTCREATEX_SHARE_ACCESS_READ |
279 NTCREATEX_SHARE_ACCESS_WRITE;
280 io.ntcreatex.in.alloc_size = 0;
281 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
282 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
283 io.ntcreatex.in.security_flags = 0;
284 io.ntcreatex.in.fname = fname;
285 status = smb_raw_open(cli->tree, tctx, &io);
286 CHECK_STATUS(status, NT_STATUS_OK);
287 fnum = io.ntcreatex.out.file.fnum;
289 printf("get the original sd\n");
290 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
291 q.query_secdesc.in.file.fnum = fnum;
292 q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
293 status = smb_raw_fileinfo(cli->tree, tctx, &q);
294 CHECK_STATUS(status, NT_STATUS_OK);
295 sd_orig = q.query_secdesc.out.sd;
297 owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
299 printf("set a sec desc allowing no write by CREATOR_OWNER\n");
300 sd = security_descriptor_create(tctx,
303 SEC_ACE_TYPE_ACCESS_ALLOWED,
304 SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
308 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
309 set.set_secdesc.in.file.fnum = fnum;
310 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
311 set.set_secdesc.in.sd = sd;
313 status = smb_raw_setfileinfo(cli->tree, &set);
314 CHECK_STATUS(status, NT_STATUS_OK);
316 printf("try open for write\n");
317 io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
318 status = smb_raw_open(cli->tree, tctx, &io);
319 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
321 printf("try open for read\n");
322 io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
323 status = smb_raw_open(cli->tree, tctx, &io);
324 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
326 printf("try open for generic write\n");
327 io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
328 status = smb_raw_open(cli->tree, tctx, &io);
329 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
331 printf("try open for generic read\n");
332 io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
333 status = smb_raw_open(cli->tree, tctx, &io);
334 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
336 printf("set a sec desc allowing no write by owner\n");
337 sd = security_descriptor_create(tctx,
340 SEC_ACE_TYPE_ACCESS_ALLOWED,
341 SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
345 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
346 set.set_secdesc.in.file.fnum = fnum;
347 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
348 set.set_secdesc.in.sd = sd;
349 status = smb_raw_setfileinfo(cli->tree, &set);
350 CHECK_STATUS(status, NT_STATUS_OK);
352 printf("check that sd has been mapped correctly\n");
353 status = smb_raw_fileinfo(cli->tree, tctx, &q);
354 CHECK_STATUS(status, NT_STATUS_OK);
355 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
356 printf("%s: security descriptors don't match!\n", __location__);
358 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
359 printf("expected:\n");
360 NDR_PRINT_DEBUG(security_descriptor, sd);
364 printf("try open for write\n");
365 io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
366 status = smb_raw_open(cli->tree, tctx, &io);
367 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
369 printf("try open for read\n");
370 io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
371 status = smb_raw_open(cli->tree, tctx, &io);
372 CHECK_STATUS(status, NT_STATUS_OK);
373 CHECK_ACCESS_FLAGS(io.ntcreatex.out.file.fnum,
375 SEC_FILE_READ_ATTRIBUTE);
376 smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);
378 printf("try open for generic write\n");
379 io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
380 status = smb_raw_open(cli->tree, tctx, &io);
381 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
383 printf("try open for generic read\n");
384 io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
385 status = smb_raw_open(cli->tree, tctx, &io);
386 CHECK_STATUS(status, NT_STATUS_OK);
387 CHECK_ACCESS_FLAGS(io.ntcreatex.out.file.fnum,
388 SEC_RIGHTS_FILE_READ);
389 smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);
391 printf("set a sec desc allowing generic read by owner\n");
392 sd = security_descriptor_create(tctx,
395 SEC_ACE_TYPE_ACCESS_ALLOWED,
396 SEC_GENERIC_READ | SEC_STD_ALL,
400 set.set_secdesc.in.sd = sd;
401 status = smb_raw_setfileinfo(cli->tree, &set);
402 CHECK_STATUS(status, NT_STATUS_OK);
404 printf("check that generic read has been mapped correctly\n");
405 sd2 = security_descriptor_create(tctx,
408 SEC_ACE_TYPE_ACCESS_ALLOWED,
409 SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
413 status = smb_raw_fileinfo(cli->tree, tctx, &q);
414 CHECK_STATUS(status, NT_STATUS_OK);
415 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
416 printf("%s: security descriptors don't match!\n", __location__);
418 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
419 printf("expected:\n");
420 NDR_PRINT_DEBUG(security_descriptor, sd2);
425 printf("try open for write\n");
426 io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
427 status = smb_raw_open(cli->tree, tctx, &io);
428 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
430 printf("try open for read\n");
431 io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
432 status = smb_raw_open(cli->tree, tctx, &io);
433 CHECK_STATUS(status, NT_STATUS_OK);
434 CHECK_ACCESS_FLAGS(io.ntcreatex.out.file.fnum,
436 SEC_FILE_READ_ATTRIBUTE);
437 smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);
439 printf("try open for generic write\n");
440 io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
441 status = smb_raw_open(cli->tree, tctx, &io);
442 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
444 printf("try open for generic read\n");
445 io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
446 status = smb_raw_open(cli->tree, tctx, &io);
447 CHECK_STATUS(status, NT_STATUS_OK);
448 CHECK_ACCESS_FLAGS(io.ntcreatex.out.file.fnum, SEC_RIGHTS_FILE_READ);
449 smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);
452 printf("put back original sd\n");
453 set.set_secdesc.in.sd = sd_orig;
454 status = smb_raw_setfileinfo(cli->tree, &set);
455 CHECK_STATUS(status, NT_STATUS_OK);
459 smbcli_close(cli->tree, fnum);
465 test the mapping of the SEC_GENERIC_xx bits to SEC_STD_xx and
468 static bool test_generic_bits(struct torture_context *tctx,
469 struct smbcli_state *cli)
473 const char *fname = BASEDIR "\\generic.txt";
476 union smb_fileinfo q;
477 union smb_setfileinfo set;
478 struct security_descriptor *sd, *sd_orig, *sd2;
479 const char *owner_sid;
482 uint32_t specific_bits;
483 } file_mappings[] = {
485 { SEC_GENERIC_READ, SEC_RIGHTS_FILE_READ },
486 { SEC_GENERIC_WRITE, SEC_RIGHTS_FILE_WRITE },
487 { SEC_GENERIC_EXECUTE, SEC_RIGHTS_FILE_EXECUTE },
488 { SEC_GENERIC_ALL, SEC_RIGHTS_FILE_ALL },
489 { SEC_FILE_READ_DATA, SEC_FILE_READ_DATA },
490 { SEC_FILE_READ_ATTRIBUTE, SEC_FILE_READ_ATTRIBUTE }
494 uint32_t specific_bits;
497 { SEC_GENERIC_READ, SEC_RIGHTS_DIR_READ },
498 { SEC_GENERIC_WRITE, SEC_RIGHTS_DIR_WRITE },
499 { SEC_GENERIC_EXECUTE, SEC_RIGHTS_DIR_EXECUTE },
500 { SEC_GENERIC_ALL, SEC_RIGHTS_DIR_ALL }
502 BOOL has_restore_privilege;
503 BOOL has_take_ownership_privilege;
505 printf("TESTING FILE GENERIC BITS\n");
507 io.generic.level = RAW_OPEN_NTCREATEX;
508 io.ntcreatex.in.root_fid = 0;
509 io.ntcreatex.in.flags = 0;
510 io.ntcreatex.in.access_mask =
511 SEC_STD_READ_CONTROL |
514 io.ntcreatex.in.create_options = 0;
515 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
516 io.ntcreatex.in.share_access =
517 NTCREATEX_SHARE_ACCESS_READ |
518 NTCREATEX_SHARE_ACCESS_WRITE;
519 io.ntcreatex.in.alloc_size = 0;
520 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
521 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
522 io.ntcreatex.in.security_flags = 0;
523 io.ntcreatex.in.fname = fname;
524 status = smb_raw_open(cli->tree, tctx, &io);
525 CHECK_STATUS(status, NT_STATUS_OK);
526 fnum = io.ntcreatex.out.file.fnum;
528 printf("get the original sd\n");
529 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
530 q.query_secdesc.in.file.fnum = fnum;
531 q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
532 status = smb_raw_fileinfo(cli->tree, tctx, &q);
533 CHECK_STATUS(status, NT_STATUS_OK);
534 sd_orig = q.query_secdesc.out.sd;
536 owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
538 status = smblsa_sid_check_privilege(cli,
540 sec_privilege_name(SEC_PRIV_RESTORE));
541 has_restore_privilege = NT_STATUS_IS_OK(status);
542 if (!NT_STATUS_IS_OK(status)) {
543 printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
545 printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
547 status = smblsa_sid_check_privilege(cli,
549 sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
550 has_take_ownership_privilege = NT_STATUS_IS_OK(status);
551 if (!NT_STATUS_IS_OK(status)) {
552 printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
554 printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
556 for (i=0;i<ARRAY_SIZE(file_mappings);i++) {
557 uint32_t expected_mask =
559 SEC_STD_READ_CONTROL |
560 SEC_FILE_READ_ATTRIBUTE |
562 uint32_t expected_mask_anon = SEC_FILE_READ_ATTRIBUTE;
564 if (has_restore_privilege) {
565 expected_mask_anon |= SEC_STD_DELETE;
568 printf("testing generic bits 0x%08x\n",
569 file_mappings[i].gen_bits);
570 sd = security_descriptor_create(tctx,
573 SEC_ACE_TYPE_ACCESS_ALLOWED,
574 file_mappings[i].gen_bits,
578 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
579 set.set_secdesc.in.file.fnum = fnum;
580 set.set_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
581 set.set_secdesc.in.sd = sd;
583 status = smb_raw_setfileinfo(cli->tree, &set);
584 CHECK_STATUS(status, NT_STATUS_OK);
586 sd2 = security_descriptor_create(tctx,
589 SEC_ACE_TYPE_ACCESS_ALLOWED,
590 file_mappings[i].specific_bits,
594 status = smb_raw_fileinfo(cli->tree, tctx, &q);
595 CHECK_STATUS(status, NT_STATUS_OK);
596 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
597 printf("%s: security descriptors don't match!\n", __location__);
599 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
600 printf("expected:\n");
601 NDR_PRINT_DEBUG(security_descriptor, sd2);
605 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
606 status = smb_raw_open(cli->tree, tctx, &io);
607 CHECK_STATUS(status, NT_STATUS_OK);
608 CHECK_ACCESS_FLAGS(io.ntcreatex.out.file.fnum,
609 expected_mask | file_mappings[i].specific_bits);
610 smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);
612 if (!has_take_ownership_privilege) {
616 printf("testing generic bits 0x%08x (anonymous)\n",
617 file_mappings[i].gen_bits);
618 sd = security_descriptor_create(tctx,
619 SID_NT_ANONYMOUS, NULL,
621 SEC_ACE_TYPE_ACCESS_ALLOWED,
622 file_mappings[i].gen_bits,
626 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
627 set.set_secdesc.in.file.fnum = fnum;
628 set.set_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
629 set.set_secdesc.in.sd = sd;
631 status = smb_raw_setfileinfo(cli->tree, &set);
632 CHECK_STATUS(status, NT_STATUS_OK);
634 sd2 = security_descriptor_create(tctx,
635 SID_NT_ANONYMOUS, NULL,
637 SEC_ACE_TYPE_ACCESS_ALLOWED,
638 file_mappings[i].specific_bits,
642 status = smb_raw_fileinfo(cli->tree, tctx, &q);
643 CHECK_STATUS(status, NT_STATUS_OK);
644 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
645 printf("%s: security descriptors don't match!\n", __location__);
647 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
648 printf("expected:\n");
649 NDR_PRINT_DEBUG(security_descriptor, sd2);
653 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
654 status = smb_raw_open(cli->tree, tctx, &io);
655 CHECK_STATUS(status, NT_STATUS_OK);
656 CHECK_ACCESS_FLAGS(io.ntcreatex.out.file.fnum,
657 expected_mask_anon | file_mappings[i].specific_bits);
658 smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);
661 printf("put back original sd\n");
662 set.set_secdesc.in.sd = sd_orig;
663 status = smb_raw_setfileinfo(cli->tree, &set);
664 CHECK_STATUS(status, NT_STATUS_OK);
666 smbcli_close(cli->tree, fnum);
667 smbcli_unlink(cli->tree, fname);
670 printf("TESTING DIR GENERIC BITS\n");
672 io.generic.level = RAW_OPEN_NTCREATEX;
673 io.ntcreatex.in.root_fid = 0;
674 io.ntcreatex.in.flags = 0;
675 io.ntcreatex.in.access_mask =
676 SEC_STD_READ_CONTROL |
679 io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
680 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_DIRECTORY;
681 io.ntcreatex.in.share_access =
682 NTCREATEX_SHARE_ACCESS_READ |
683 NTCREATEX_SHARE_ACCESS_WRITE;
684 io.ntcreatex.in.alloc_size = 0;
685 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
686 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
687 io.ntcreatex.in.security_flags = 0;
688 io.ntcreatex.in.fname = fname;
689 status = smb_raw_open(cli->tree, tctx, &io);
690 CHECK_STATUS(status, NT_STATUS_OK);
691 fnum = io.ntcreatex.out.file.fnum;
693 printf("get the original sd\n");
694 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
695 q.query_secdesc.in.file.fnum = fnum;
696 q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
697 status = smb_raw_fileinfo(cli->tree, tctx, &q);
698 CHECK_STATUS(status, NT_STATUS_OK);
699 sd_orig = q.query_secdesc.out.sd;
701 owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
703 status = smblsa_sid_check_privilege(cli,
705 sec_privilege_name(SEC_PRIV_RESTORE));
706 has_restore_privilege = NT_STATUS_IS_OK(status);
707 if (!NT_STATUS_IS_OK(status)) {
708 printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
710 printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
712 status = smblsa_sid_check_privilege(cli,
714 sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
715 has_take_ownership_privilege = NT_STATUS_IS_OK(status);
716 if (!NT_STATUS_IS_OK(status)) {
717 printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
719 printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
721 for (i=0;i<ARRAY_SIZE(dir_mappings);i++) {
722 uint32_t expected_mask =
724 SEC_STD_READ_CONTROL |
725 SEC_FILE_READ_ATTRIBUTE |
727 uint32_t expected_mask_anon = SEC_FILE_READ_ATTRIBUTE;
729 if (has_restore_privilege) {
730 expected_mask_anon |= SEC_STD_DELETE;
733 printf("testing generic bits 0x%08x\n",
734 file_mappings[i].gen_bits);
735 sd = security_descriptor_create(tctx,
738 SEC_ACE_TYPE_ACCESS_ALLOWED,
739 dir_mappings[i].gen_bits,
743 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
744 set.set_secdesc.in.file.fnum = fnum;
745 set.set_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
746 set.set_secdesc.in.sd = sd;
748 status = smb_raw_setfileinfo(cli->tree, &set);
749 CHECK_STATUS(status, NT_STATUS_OK);
751 sd2 = security_descriptor_create(tctx,
754 SEC_ACE_TYPE_ACCESS_ALLOWED,
755 dir_mappings[i].specific_bits,
759 status = smb_raw_fileinfo(cli->tree, tctx, &q);
760 CHECK_STATUS(status, NT_STATUS_OK);
761 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
762 printf("%s: security descriptors don't match!\n", __location__);
764 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
765 printf("expected:\n");
766 NDR_PRINT_DEBUG(security_descriptor, sd2);
770 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
771 status = smb_raw_open(cli->tree, tctx, &io);
772 CHECK_STATUS(status, NT_STATUS_OK);
773 CHECK_ACCESS_FLAGS(io.ntcreatex.out.file.fnum,
774 expected_mask | dir_mappings[i].specific_bits);
775 smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);
777 if (!has_take_ownership_privilege) {
781 printf("testing generic bits 0x%08x (anonymous)\n",
782 file_mappings[i].gen_bits);
783 sd = security_descriptor_create(tctx,
784 SID_NT_ANONYMOUS, NULL,
786 SEC_ACE_TYPE_ACCESS_ALLOWED,
787 file_mappings[i].gen_bits,
791 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
792 set.set_secdesc.in.file.fnum = fnum;
793 set.set_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
794 set.set_secdesc.in.sd = sd;
796 status = smb_raw_setfileinfo(cli->tree, &set);
797 CHECK_STATUS(status, NT_STATUS_OK);
799 sd2 = security_descriptor_create(tctx,
800 SID_NT_ANONYMOUS, NULL,
802 SEC_ACE_TYPE_ACCESS_ALLOWED,
803 file_mappings[i].specific_bits,
807 status = smb_raw_fileinfo(cli->tree, tctx, &q);
808 CHECK_STATUS(status, NT_STATUS_OK);
809 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
810 printf("%s: security descriptors don't match!\n", __location__);
812 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
813 printf("expected:\n");
814 NDR_PRINT_DEBUG(security_descriptor, sd2);
818 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
819 status = smb_raw_open(cli->tree, tctx, &io);
820 CHECK_STATUS(status, NT_STATUS_OK);
821 CHECK_ACCESS_FLAGS(io.ntcreatex.out.file.fnum,
822 expected_mask_anon | dir_mappings[i].specific_bits);
823 smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);
826 printf("put back original sd\n");
827 set.set_secdesc.in.sd = sd_orig;
828 status = smb_raw_setfileinfo(cli->tree, &set);
829 CHECK_STATUS(status, NT_STATUS_OK);
831 smbcli_close(cli->tree, fnum);
832 smbcli_unlink(cli->tree, fname);
835 smbcli_close(cli->tree, fnum);
841 see what access bits the owner of a file always gets
843 static bool test_owner_bits(struct torture_context *tctx,
844 struct smbcli_state *cli)
848 const char *fname = BASEDIR "\\generic.txt";
851 union smb_fileinfo q;
852 union smb_setfileinfo set;
853 struct security_descriptor *sd, *sd_orig;
854 const char *owner_sid;
855 BOOL has_restore_privilege;
856 BOOL has_take_ownership_privilege;
857 uint32_t expected_bits;
859 printf("TESTING FILE OWNER BITS\n");
861 io.generic.level = RAW_OPEN_NTCREATEX;
862 io.ntcreatex.in.root_fid = 0;
863 io.ntcreatex.in.flags = 0;
864 io.ntcreatex.in.access_mask =
865 SEC_STD_READ_CONTROL |
868 io.ntcreatex.in.create_options = 0;
869 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
870 io.ntcreatex.in.share_access =
871 NTCREATEX_SHARE_ACCESS_READ |
872 NTCREATEX_SHARE_ACCESS_WRITE;
873 io.ntcreatex.in.alloc_size = 0;
874 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
875 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
876 io.ntcreatex.in.security_flags = 0;
877 io.ntcreatex.in.fname = fname;
878 status = smb_raw_open(cli->tree, tctx, &io);
879 CHECK_STATUS(status, NT_STATUS_OK);
880 fnum = io.ntcreatex.out.file.fnum;
882 printf("get the original sd\n");
883 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
884 q.query_secdesc.in.file.fnum = fnum;
885 q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
886 status = smb_raw_fileinfo(cli->tree, tctx, &q);
887 CHECK_STATUS(status, NT_STATUS_OK);
888 sd_orig = q.query_secdesc.out.sd;
890 owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
892 status = smblsa_sid_check_privilege(cli,
894 sec_privilege_name(SEC_PRIV_RESTORE));
895 has_restore_privilege = NT_STATUS_IS_OK(status);
896 if (!NT_STATUS_IS_OK(status)) {
897 printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
899 printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
901 status = smblsa_sid_check_privilege(cli,
903 sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
904 has_take_ownership_privilege = NT_STATUS_IS_OK(status);
905 if (!NT_STATUS_IS_OK(status)) {
906 printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
908 printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
910 sd = security_descriptor_create(tctx,
913 SEC_ACE_TYPE_ACCESS_ALLOWED,
918 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
919 set.set_secdesc.in.file.fnum = fnum;
920 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
921 set.set_secdesc.in.sd = sd;
923 status = smb_raw_setfileinfo(cli->tree, &set);
924 CHECK_STATUS(status, NT_STATUS_OK);
926 expected_bits = SEC_FILE_WRITE_DATA | SEC_FILE_READ_ATTRIBUTE;
929 uint32_t bit = (1<<i);
930 io.ntcreatex.in.access_mask = bit;
931 status = smb_raw_open(cli->tree, tctx, &io);
932 if (expected_bits & bit) {
933 if (!NT_STATUS_IS_OK(status)) {
934 printf("failed with access mask 0x%08x of expected 0x%08x\n",
937 CHECK_STATUS(status, NT_STATUS_OK);
938 CHECK_ACCESS_FLAGS(io.ntcreatex.out.file.fnum, bit | SEC_FILE_READ_ATTRIBUTE);
939 smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);
941 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
945 printf("put back original sd\n");
946 set.set_secdesc.in.sd = sd_orig;
947 status = smb_raw_setfileinfo(cli->tree, &set);
948 CHECK_STATUS(status, NT_STATUS_OK);
951 smbcli_close(cli->tree, fnum);
952 smbcli_unlink(cli->tree, fname);
959 test the inheritance of ACL flags onto new files and directories
961 static bool test_inheritance(struct torture_context *tctx,
962 struct smbcli_state *cli)
966 const char *dname = BASEDIR "\\inheritance";
967 const char *fname1 = BASEDIR "\\inheritance\\testfile";
968 const char *fname2 = BASEDIR "\\inheritance\\testdir";
970 int fnum=0, fnum2, i;
971 union smb_fileinfo q;
972 union smb_setfileinfo set;
973 struct security_descriptor *sd, *sd2, *sd_orig=NULL, *sd_def;
974 const char *owner_sid;
975 const struct dom_sid *creator_owner;
977 uint32_t parent_flags;
987 SEC_ACE_FLAG_OBJECT_INHERIT,
989 SEC_ACE_FLAG_OBJECT_INHERIT |
990 SEC_ACE_FLAG_INHERIT_ONLY,
993 SEC_ACE_FLAG_CONTAINER_INHERIT,
995 SEC_ACE_FLAG_CONTAINER_INHERIT,
998 SEC_ACE_FLAG_OBJECT_INHERIT |
999 SEC_ACE_FLAG_CONTAINER_INHERIT,
1001 SEC_ACE_FLAG_OBJECT_INHERIT |
1002 SEC_ACE_FLAG_CONTAINER_INHERIT,
1005 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT,
1010 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
1011 SEC_ACE_FLAG_OBJECT_INHERIT,
1016 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
1017 SEC_ACE_FLAG_CONTAINER_INHERIT,
1022 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
1023 SEC_ACE_FLAG_CONTAINER_INHERIT |
1024 SEC_ACE_FLAG_OBJECT_INHERIT,
1029 SEC_ACE_FLAG_INHERIT_ONLY,
1034 SEC_ACE_FLAG_INHERIT_ONLY |
1035 SEC_ACE_FLAG_OBJECT_INHERIT,
1037 SEC_ACE_FLAG_OBJECT_INHERIT |
1038 SEC_ACE_FLAG_INHERIT_ONLY,
1041 SEC_ACE_FLAG_INHERIT_ONLY |
1042 SEC_ACE_FLAG_CONTAINER_INHERIT,
1044 SEC_ACE_FLAG_CONTAINER_INHERIT,
1047 SEC_ACE_FLAG_INHERIT_ONLY |
1048 SEC_ACE_FLAG_CONTAINER_INHERIT |
1049 SEC_ACE_FLAG_OBJECT_INHERIT,
1051 SEC_ACE_FLAG_CONTAINER_INHERIT |
1052 SEC_ACE_FLAG_OBJECT_INHERIT,
1055 SEC_ACE_FLAG_INHERIT_ONLY |
1056 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT,
1061 SEC_ACE_FLAG_INHERIT_ONLY |
1062 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
1063 SEC_ACE_FLAG_OBJECT_INHERIT,
1068 SEC_ACE_FLAG_INHERIT_ONLY |
1069 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
1070 SEC_ACE_FLAG_CONTAINER_INHERIT,
1075 SEC_ACE_FLAG_INHERIT_ONLY |
1076 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
1077 SEC_ACE_FLAG_CONTAINER_INHERIT |
1078 SEC_ACE_FLAG_OBJECT_INHERIT,
1084 smbcli_rmdir(cli->tree, dname);
1086 printf("TESTING ACL INHERITANCE\n");
1088 io.generic.level = RAW_OPEN_NTCREATEX;
1089 io.ntcreatex.in.root_fid = 0;
1090 io.ntcreatex.in.flags = 0;
1091 io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL;
1092 io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
1093 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_DIRECTORY;
1094 io.ntcreatex.in.share_access = 0;
1095 io.ntcreatex.in.alloc_size = 0;
1096 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
1097 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
1098 io.ntcreatex.in.security_flags = 0;
1099 io.ntcreatex.in.fname = dname;
1101 status = smb_raw_open(cli->tree, tctx, &io);
1102 CHECK_STATUS(status, NT_STATUS_OK);
1103 fnum = io.ntcreatex.out.file.fnum;
1105 printf("get the original sd\n");
1106 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
1107 q.query_secdesc.in.file.fnum = fnum;
1108 q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
1109 status = smb_raw_fileinfo(cli->tree, tctx, &q);
1110 CHECK_STATUS(status, NT_STATUS_OK);
1111 sd_orig = q.query_secdesc.out.sd;
1113 owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
1115 printf("owner_sid is %s\n", owner_sid);
1117 sd_def = security_descriptor_create(tctx,
1120 SEC_ACE_TYPE_ACCESS_ALLOWED,
1121 SEC_RIGHTS_FILE_ALL,
1124 SEC_ACE_TYPE_ACCESS_ALLOWED,
1125 SEC_RIGHTS_FILE_ALL,
1129 creator_owner = dom_sid_parse_talloc(tctx, SID_CREATOR_OWNER);
1131 for (i=0;i<ARRAY_SIZE(test_flags);i++) {
1132 sd = security_descriptor_create(tctx,
1135 SEC_ACE_TYPE_ACCESS_ALLOWED,
1136 SEC_FILE_WRITE_DATA,
1137 test_flags[i].parent_flags,
1139 SEC_ACE_TYPE_ACCESS_ALLOWED,
1140 SEC_FILE_ALL | SEC_STD_ALL,
1143 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
1144 set.set_secdesc.in.file.fnum = fnum;
1145 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
1146 set.set_secdesc.in.sd = sd;
1147 status = smb_raw_setfileinfo(cli->tree, &set);
1148 CHECK_STATUS(status, NT_STATUS_OK);
1150 io.ntcreatex.in.fname = fname1;
1151 io.ntcreatex.in.create_options = 0;
1152 status = smb_raw_open(cli->tree, tctx, &io);
1153 CHECK_STATUS(status, NT_STATUS_OK);
1154 fnum2 = io.ntcreatex.out.file.fnum;
1156 q.query_secdesc.in.file.fnum = fnum2;
1157 status = smb_raw_fileinfo(cli->tree, tctx, &q);
1158 CHECK_STATUS(status, NT_STATUS_OK);
1160 smbcli_close(cli->tree, fnum2);
1161 smbcli_unlink(cli->tree, fname1);
1163 if (!(test_flags[i].parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
1164 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd_def)) {
1165 printf("Expected default sd at %d - got:\n", i);
1166 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
1171 if (q.query_secdesc.out.sd->dacl == NULL ||
1172 q.query_secdesc.out.sd->dacl->num_aces != 1 ||
1173 q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA ||
1174 !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee,
1175 sd_orig->owner_sid)) {
1176 printf("Bad sd in child file at %d\n", i);
1177 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
1182 if (q.query_secdesc.out.sd->dacl->aces[0].flags !=
1183 test_flags[i].file_flags) {
1184 printf("incorrect file_flags 0x%x - expected 0x%x for parent 0x%x with (i=%d)\n",
1185 q.query_secdesc.out.sd->dacl->aces[0].flags,
1186 test_flags[i].file_flags,
1187 test_flags[i].parent_flags,
1193 io.ntcreatex.in.fname = fname2;
1194 io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
1195 status = smb_raw_open(cli->tree, tctx, &io);
1196 CHECK_STATUS(status, NT_STATUS_OK);
1197 fnum2 = io.ntcreatex.out.file.fnum;
1199 q.query_secdesc.in.file.fnum = fnum2;
1200 status = smb_raw_fileinfo(cli->tree, tctx, &q);
1201 CHECK_STATUS(status, NT_STATUS_OK);
1203 smbcli_close(cli->tree, fnum2);
1204 smbcli_rmdir(cli->tree, fname2);
1206 if (!(test_flags[i].parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT) &&
1207 (!(test_flags[i].parent_flags & SEC_ACE_FLAG_OBJECT_INHERIT) ||
1208 (test_flags[i].parent_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT))) {
1209 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd_def)) {
1210 printf("Expected default sd for dir at %d - got:\n", i);
1211 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
1216 if ((test_flags[i].parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT) &&
1217 (test_flags[i].parent_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)) {
1218 if (q.query_secdesc.out.sd->dacl == NULL ||
1219 q.query_secdesc.out.sd->dacl->num_aces != 1 ||
1220 q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA ||
1221 !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee,
1222 sd_orig->owner_sid) ||
1223 q.query_secdesc.out.sd->dacl->aces[0].flags != test_flags[i].dir_flags) {
1224 printf("Bad sd in child dir at %d (parent 0x%x)\n",
1225 i, test_flags[i].parent_flags);
1226 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
1230 } else if (test_flags[i].parent_flags & SEC_ACE_FLAG_CONTAINER_INHERIT) {
1231 if (q.query_secdesc.out.sd->dacl == NULL ||
1232 q.query_secdesc.out.sd->dacl->num_aces != 2 ||
1233 q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA ||
1234 !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee,
1235 sd_orig->owner_sid) ||
1236 q.query_secdesc.out.sd->dacl->aces[1].access_mask != SEC_FILE_WRITE_DATA ||
1237 !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[1].trustee,
1239 q.query_secdesc.out.sd->dacl->aces[0].flags != 0 ||
1240 q.query_secdesc.out.sd->dacl->aces[1].flags !=
1241 (test_flags[i].dir_flags | SEC_ACE_FLAG_INHERIT_ONLY)) {
1242 printf("Bad sd in child dir at %d (parent 0x%x)\n",
1243 i, test_flags[i].parent_flags);
1244 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
1249 if (q.query_secdesc.out.sd->dacl == NULL ||
1250 q.query_secdesc.out.sd->dacl->num_aces != 1 ||
1251 q.query_secdesc.out.sd->dacl->aces[0].access_mask != SEC_FILE_WRITE_DATA ||
1252 !dom_sid_equal(&q.query_secdesc.out.sd->dacl->aces[0].trustee,
1254 q.query_secdesc.out.sd->dacl->aces[0].flags != test_flags[i].dir_flags) {
1255 printf("Bad sd in child dir at %d (parent 0x%x)\n",
1256 i, test_flags[i].parent_flags);
1257 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
1264 printf("testing access checks on inherited create with %s\n", fname1);
1265 sd = security_descriptor_create(tctx,
1268 SEC_ACE_TYPE_ACCESS_ALLOWED,
1269 SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC,
1270 SEC_ACE_FLAG_OBJECT_INHERIT,
1272 SEC_ACE_TYPE_ACCESS_ALLOWED,
1273 SEC_FILE_ALL | SEC_STD_ALL,
1276 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
1277 set.set_secdesc.in.file.fnum = fnum;
1278 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
1279 set.set_secdesc.in.sd = sd;
1280 status = smb_raw_setfileinfo(cli->tree, &set);
1281 CHECK_STATUS(status, NT_STATUS_OK);
1283 io.ntcreatex.in.fname = fname1;
1284 io.ntcreatex.in.create_options = 0;
1285 io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL;
1286 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
1287 status = smb_raw_open(cli->tree, tctx, &io);
1288 CHECK_STATUS(status, NT_STATUS_OK);
1289 fnum2 = io.ntcreatex.out.file.fnum;
1290 CHECK_ACCESS_FLAGS(fnum2, SEC_RIGHTS_FILE_ALL);
1292 q.query_secdesc.in.file.fnum = fnum2;
1293 q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
1294 status = smb_raw_fileinfo(cli->tree, tctx, &q);
1295 CHECK_STATUS(status, NT_STATUS_OK);
1296 smbcli_close(cli->tree, fnum2);
1298 sd2 = security_descriptor_create(tctx,
1301 SEC_ACE_TYPE_ACCESS_ALLOWED,
1302 SEC_FILE_WRITE_DATA | SEC_STD_WRITE_DAC,
1305 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
1306 printf("%s: security descriptors don't match!\n", __location__);
1308 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
1309 printf("expected:\n");
1310 NDR_PRINT_DEBUG(security_descriptor, sd2);
1314 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
1315 io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL;
1316 status = smb_raw_open(cli->tree, tctx, &io);
1317 if (NT_STATUS_IS_OK(status)) {
1318 printf("failed: w2k3 ACL bug (allowed open when ACL should deny)\n");
1320 fnum2 = io.ntcreatex.out.file.fnum;
1321 CHECK_ACCESS_FLAGS(fnum2, SEC_RIGHTS_FILE_ALL);
1322 smbcli_close(cli->tree, fnum2);
1324 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
1327 printf("trying without execute\n");
1328 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
1329 io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL & ~SEC_FILE_EXECUTE;
1330 status = smb_raw_open(cli->tree, tctx, &io);
1331 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
1333 printf("and with full permissions again\n");
1334 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
1335 io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL;
1336 status = smb_raw_open(cli->tree, tctx, &io);
1337 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
1339 io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
1340 status = smb_raw_open(cli->tree, tctx, &io);
1341 CHECK_STATUS(status, NT_STATUS_OK);
1342 fnum2 = io.ntcreatex.out.file.fnum;
1343 CHECK_ACCESS_FLAGS(fnum2, SEC_FILE_WRITE_DATA | SEC_FILE_READ_ATTRIBUTE);
1344 smbcli_close(cli->tree, fnum2);
1346 printf("put back original sd\n");
1347 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
1348 set.set_secdesc.in.file.fnum = fnum;
1349 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
1350 set.set_secdesc.in.sd = sd_orig;
1351 status = smb_raw_setfileinfo(cli->tree, &set);
1352 CHECK_STATUS(status, NT_STATUS_OK);
1354 smbcli_close(cli->tree, fnum);
1356 io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL;
1357 status = smb_raw_open(cli->tree, tctx, &io);
1358 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
1360 io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
1361 status = smb_raw_open(cli->tree, tctx, &io);
1362 CHECK_STATUS(status, NT_STATUS_OK);
1363 fnum2 = io.ntcreatex.out.file.fnum;
1364 CHECK_ACCESS_FLAGS(fnum2, SEC_FILE_WRITE_DATA | SEC_FILE_READ_ATTRIBUTE);
1365 smbcli_close(cli->tree, fnum2);
1367 smbcli_unlink(cli->tree, fname1);
1368 smbcli_rmdir(cli->tree, dname);
1371 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
1372 set.set_secdesc.in.file.fnum = fnum;
1373 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
1374 set.set_secdesc.in.sd = sd_orig;
1375 status = smb_raw_setfileinfo(cli->tree, &set);
1377 smbcli_close(cli->tree, fnum);
1383 test dynamic acl inheritance
1385 static BOOL test_inheritance_dynamic(struct torture_context *tctx,
1386 struct smbcli_state *cli)
1390 const char *dname = BASEDIR "\\inheritance";
1391 const char *fname1 = BASEDIR "\\inheritance\\testfile";
1394 union smb_fileinfo q;
1395 union smb_setfileinfo set;
1396 struct security_descriptor *sd, *sd_orig=NULL;
1397 const char *owner_sid;
1399 printf("TESTING DYNAMIC ACL INHERITANCE\n");
1401 if (!torture_setup_dir(cli, BASEDIR)) {
1405 io.generic.level = RAW_OPEN_NTCREATEX;
1406 io.ntcreatex.in.root_fid = 0;
1407 io.ntcreatex.in.flags = 0;
1408 io.ntcreatex.in.access_mask = SEC_RIGHTS_FILE_ALL;
1409 io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
1410 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_DIRECTORY;
1411 io.ntcreatex.in.share_access = 0;
1412 io.ntcreatex.in.alloc_size = 0;
1413 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
1414 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
1415 io.ntcreatex.in.security_flags = 0;
1416 io.ntcreatex.in.fname = dname;
1418 status = smb_raw_open(cli->tree, tctx, &io);
1419 CHECK_STATUS(status, NT_STATUS_OK);
1420 fnum = io.ntcreatex.out.file.fnum;
1422 printf("get the original sd\n");
1423 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
1424 q.query_secdesc.in.file.fnum = fnum;
1425 q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
1426 status = smb_raw_fileinfo(cli->tree, tctx, &q);
1427 CHECK_STATUS(status, NT_STATUS_OK);
1428 sd_orig = q.query_secdesc.out.sd;
1430 owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
1432 printf("owner_sid is %s\n", owner_sid);
1434 sd = security_descriptor_create(tctx,
1437 SEC_ACE_TYPE_ACCESS_ALLOWED,
1438 SEC_FILE_WRITE_DATA | SEC_STD_DELETE | SEC_FILE_READ_ATTRIBUTE,
1439 SEC_ACE_FLAG_OBJECT_INHERIT,
1441 sd->type |= SEC_DESC_DACL_AUTO_INHERITED | SEC_DESC_DACL_AUTO_INHERIT_REQ;
1443 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
1444 set.set_secdesc.in.file.fnum = fnum;
1445 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
1446 set.set_secdesc.in.sd = sd;
1447 status = smb_raw_setfileinfo(cli->tree, &set);
1448 CHECK_STATUS(status, NT_STATUS_OK);
1450 printf("create a file with an inherited acl\n");
1451 io.ntcreatex.in.fname = fname1;
1452 io.ntcreatex.in.create_options = 0;
1453 io.ntcreatex.in.access_mask = SEC_FILE_READ_ATTRIBUTE;
1454 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
1455 status = smb_raw_open(cli->tree, tctx, &io);
1456 CHECK_STATUS(status, NT_STATUS_OK);
1457 fnum2 = io.ntcreatex.out.file.fnum;
1458 smbcli_close(cli->tree, fnum2);
1460 printf("try and access file with base rights - should be OK\n");
1461 io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
1462 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
1463 status = smb_raw_open(cli->tree, tctx, &io);
1464 CHECK_STATUS(status, NT_STATUS_OK);
1465 fnum2 = io.ntcreatex.out.file.fnum;
1466 smbcli_close(cli->tree, fnum2);
1468 printf("try and access file with extra rights - should be denied\n");
1469 io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA | SEC_FILE_EXECUTE;
1470 status = smb_raw_open(cli->tree, tctx, &io);
1471 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
1473 printf("update parent sd\n");
1474 sd = security_descriptor_create(tctx,
1477 SEC_ACE_TYPE_ACCESS_ALLOWED,
1478 SEC_FILE_WRITE_DATA | SEC_STD_DELETE | SEC_FILE_READ_ATTRIBUTE | SEC_FILE_EXECUTE,
1479 SEC_ACE_FLAG_OBJECT_INHERIT,
1481 sd->type |= SEC_DESC_DACL_AUTO_INHERITED | SEC_DESC_DACL_AUTO_INHERIT_REQ;
1483 set.set_secdesc.in.sd = sd;
1484 status = smb_raw_setfileinfo(cli->tree, &set);
1485 CHECK_STATUS(status, NT_STATUS_OK);
1487 printf("try and access file with base rights - should be OK\n");
1488 io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
1489 status = smb_raw_open(cli->tree, tctx, &io);
1490 CHECK_STATUS(status, NT_STATUS_OK);
1491 fnum2 = io.ntcreatex.out.file.fnum;
1492 smbcli_close(cli->tree, fnum2);
1495 printf("try and access now - should be OK if dynamic inheritance works\n");
1496 io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA | SEC_FILE_EXECUTE;
1497 status = smb_raw_open(cli->tree, tctx, &io);
1498 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
1499 printf("Server does not have dynamic inheritance\n");
1501 if (NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
1502 printf("Server does have dynamic inheritance\n");
1504 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
1506 smbcli_unlink(cli->tree, fname1);
1509 printf("put back original sd\n");
1510 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
1511 set.set_secdesc.in.file.fnum = fnum;
1512 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
1513 set.set_secdesc.in.sd = sd_orig;
1514 status = smb_raw_setfileinfo(cli->tree, &set);
1516 smbcli_close(cli->tree, fnum);
1517 smbcli_rmdir(cli->tree, dname);
1522 #define CHECK_STATUS_FOR_BIT_ACTION(status, bits, action) do { \
1523 if (!(bits & desired_64)) {\
1524 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); \
1527 CHECK_STATUS(status, NT_STATUS_OK); \
1531 #define CHECK_STATUS_FOR_BIT(status, bits, access) do { \
1532 if (NT_STATUS_IS_OK(status)) { \
1533 if (!(granted & access)) {\
1534 printf("(%s) %s but flags 0x%08X are not granted! granted[0x%08X] desired[0x%08X]\n", \
1535 __location__, nt_errstr(status), access, granted, desired); \
1540 if (granted & access) {\
1541 printf("(%s) %s but flags 0x%08X are granted! granted[0x%08X] desired[0x%08X]\n", \
1542 __location__, nt_errstr(status), access, granted, desired); \
1547 CHECK_STATUS_FOR_BIT_ACTION(status, bits, do {} while (0)); \
1550 /* test what access mask is needed for getting and setting security_descriptors */
1551 static bool test_sd_get_set(struct torture_context *tctx,
1552 struct smbcli_state *cli)
1557 union smb_fileinfo fi;
1558 union smb_setfileinfo si;
1559 struct security_descriptor *sd;
1560 struct security_descriptor *sd_owner = NULL;
1561 struct security_descriptor *sd_group = NULL;
1562 struct security_descriptor *sd_dacl = NULL;
1563 struct security_descriptor *sd_sacl = NULL;
1565 const char *fname = BASEDIR "\\sd_get_set.txt";
1566 uint64_t desired_64;
1567 uint32_t desired = 0, granted;
1569 #define NO_BITS_HACK (((uint64_t)1)<<32)
1570 uint64_t open_bits =
1572 SEC_FLAG_SYSTEM_SECURITY |
1573 SEC_FLAG_MAXIMUM_ALLOWED |
1577 uint64_t get_owner_bits = SEC_MASK_GENERIC | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_READ_CONTROL;
1578 uint64_t set_owner_bits = SEC_GENERIC_ALL | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_WRITE_OWNER;
1579 uint64_t get_group_bits = SEC_MASK_GENERIC | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_READ_CONTROL;
1580 uint64_t set_group_bits = SEC_GENERIC_ALL | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_WRITE_OWNER;
1581 uint64_t get_dacl_bits = SEC_MASK_GENERIC | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_READ_CONTROL;
1582 uint64_t set_dacl_bits = SEC_GENERIC_ALL | SEC_FLAG_MAXIMUM_ALLOWED | SEC_STD_WRITE_DAC;
1583 uint64_t get_sacl_bits = SEC_FLAG_SYSTEM_SECURITY;
1584 uint64_t set_sacl_bits = SEC_FLAG_SYSTEM_SECURITY;
1586 printf("TESTING ACCESS MASKS FOR SD GET/SET\n");
1588 /* first create a file with full access for everyone */
1589 sd = security_descriptor_create(tctx,
1590 SID_NT_ANONYMOUS, SID_BUILTIN_USERS,
1592 SEC_ACE_TYPE_ACCESS_ALLOWED,
1596 sd->type |= SEC_DESC_SACL_PRESENT;
1598 io.ntcreatex.level = RAW_OPEN_NTTRANS_CREATE;
1599 io.ntcreatex.in.root_fid = 0;
1600 io.ntcreatex.in.flags = 0;
1601 io.ntcreatex.in.access_mask = SEC_GENERIC_ALL;
1602 io.ntcreatex.in.create_options = 0;
1603 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
1604 io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE;
1605 io.ntcreatex.in.alloc_size = 0;
1606 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OVERWRITE_IF;
1607 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
1608 io.ntcreatex.in.security_flags = 0;
1609 io.ntcreatex.in.fname = fname;
1610 io.ntcreatex.in.sec_desc = sd;
1611 io.ntcreatex.in.ea_list = NULL;
1612 status = smb_raw_open(cli->tree, tctx, &io);
1613 CHECK_STATUS(status, NT_STATUS_OK);
1614 fnum = io.ntcreatex.out.file.fnum;
1616 status = smbcli_close(cli->tree, fnum);
1617 CHECK_STATUS(status, NT_STATUS_OK);
1620 * now try each access_mask bit and no bit at all in a loop
1621 * and see what's allowed
1622 * NOTE: if i == 32 it means access_mask = 0 (see NO_BITS_HACK above)
1624 for (i=0; i <= 32; i++) {
1625 desired_64 = ((uint64_t)1) << i;
1626 desired = (uint32_t)desired_64;
1628 /* first open the file with the desired access */
1629 io.ntcreatex.level = RAW_OPEN_NTCREATEX;
1630 io.ntcreatex.in.access_mask = desired;
1631 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
1632 status = smb_raw_open(cli->tree, tctx, &io);
1633 CHECK_STATUS_FOR_BIT_ACTION(status, open_bits, goto next);
1634 fnum = io.ntcreatex.out.file.fnum;
1636 /* then check what access was granted */
1637 fi.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
1638 fi.access_information.in.file.fnum = fnum;
1639 status = smb_raw_fileinfo(cli->tree, tctx, &fi);
1640 CHECK_STATUS(status, NT_STATUS_OK);
1641 granted = fi.access_information.out.access_flags;
1643 /* test the owner */
1645 fi.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
1646 fi.query_secdesc.in.file.fnum = fnum;
1647 fi.query_secdesc.in.secinfo_flags = SECINFO_OWNER;
1648 status = smb_raw_fileinfo(cli->tree, tctx, &fi);
1649 CHECK_STATUS_FOR_BIT(status, get_owner_bits, SEC_STD_READ_CONTROL);
1650 if (fi.query_secdesc.out.sd) {
1651 sd_owner = fi.query_secdesc.out.sd;
1652 } else if (!sd_owner) {
1655 si.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
1656 si.set_secdesc.in.file.fnum = fnum;
1657 si.set_secdesc.in.secinfo_flags = SECINFO_OWNER;
1658 si.set_secdesc.in.sd = sd_owner;
1659 status = smb_raw_setfileinfo(cli->tree, &si);
1660 CHECK_STATUS_FOR_BIT(status, set_owner_bits, SEC_STD_WRITE_OWNER);
1662 /* test the group */
1664 fi.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
1665 fi.query_secdesc.in.file.fnum = fnum;
1666 fi.query_secdesc.in.secinfo_flags = SECINFO_GROUP;
1667 status = smb_raw_fileinfo(cli->tree, tctx, &fi);
1668 CHECK_STATUS_FOR_BIT(status, get_group_bits, SEC_STD_READ_CONTROL);
1669 if (fi.query_secdesc.out.sd) {
1670 sd_group = fi.query_secdesc.out.sd;
1671 } else if (!sd_group) {
1674 si.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
1675 si.set_secdesc.in.file.fnum = fnum;
1676 si.set_secdesc.in.secinfo_flags = SECINFO_GROUP;
1677 si.set_secdesc.in.sd = sd_group;
1678 status = smb_raw_setfileinfo(cli->tree, &si);
1679 CHECK_STATUS_FOR_BIT(status, set_group_bits, SEC_STD_WRITE_OWNER);
1683 fi.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
1684 fi.query_secdesc.in.file.fnum = fnum;
1685 fi.query_secdesc.in.secinfo_flags = SECINFO_DACL;
1686 status = smb_raw_fileinfo(cli->tree, tctx, &fi);
1687 CHECK_STATUS_FOR_BIT(status, get_dacl_bits, SEC_STD_READ_CONTROL);
1688 if (fi.query_secdesc.out.sd) {
1689 sd_dacl = fi.query_secdesc.out.sd;
1690 } else if (!sd_dacl) {
1693 si.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
1694 si.set_secdesc.in.file.fnum = fnum;
1695 si.set_secdesc.in.secinfo_flags = SECINFO_DACL;
1696 si.set_secdesc.in.sd = sd_dacl;
1697 status = smb_raw_setfileinfo(cli->tree, &si);
1698 CHECK_STATUS_FOR_BIT(status, set_dacl_bits, SEC_STD_WRITE_DAC);
1702 fi.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
1703 fi.query_secdesc.in.file.fnum = fnum;
1704 fi.query_secdesc.in.secinfo_flags = SECINFO_SACL;
1705 status = smb_raw_fileinfo(cli->tree, tctx, &fi);
1706 CHECK_STATUS_FOR_BIT(status, get_sacl_bits, SEC_FLAG_SYSTEM_SECURITY);
1707 if (fi.query_secdesc.out.sd) {
1708 sd_sacl = fi.query_secdesc.out.sd;
1709 } else if (!sd_sacl) {
1712 si.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
1713 si.set_secdesc.in.file.fnum = fnum;
1714 si.set_secdesc.in.secinfo_flags = SECINFO_SACL;
1715 si.set_secdesc.in.sd = sd_sacl;
1716 status = smb_raw_setfileinfo(cli->tree, &si);
1717 CHECK_STATUS_FOR_BIT(status, set_sacl_bits, SEC_FLAG_SYSTEM_SECURITY);
1719 /* close the handle */
1720 status = smbcli_close(cli->tree, fnum);
1721 CHECK_STATUS(status, NT_STATUS_OK);
1727 smbcli_close(cli->tree, fnum);
1728 smbcli_unlink(cli->tree, fname);
1735 basic testing of security descriptor calls
1737 bool torture_raw_acls(struct torture_context *tctx, struct smbcli_state *cli)
1741 if (!torture_setup_dir(cli, BASEDIR)) {
1745 ret &= test_sd(tctx, cli);
1746 ret &= test_nttrans_create(tctx, cli);
1747 ret &= test_creator_sid(tctx, cli);
1748 ret &= test_generic_bits(tctx, cli);
1749 ret &= test_owner_bits(tctx, cli);
1750 ret &= test_inheritance(tctx, cli);
1751 ret &= test_inheritance_dynamic(tctx, cli);
1752 ret &= test_sd_get_set(tctx, cli);
1754 smb_raw_exit(cli->session);
1755 smbcli_deltree(cli->tree, BASEDIR);