2 Unix SMB/CIFS implementation.
4 test security descriptor operations
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "libcli/raw/libcliraw.h"
25 #include "librpc/gen_ndr/ndr_security.h"
27 #define BASEDIR "\\testsd"
29 #define CHECK_STATUS(status, correct) do { \
30 if (!NT_STATUS_EQUAL(status, correct)) { \
31 printf("(%s) Incorrect status %s - should be %s\n", \
32 __location__, nt_errstr(status), nt_errstr(correct)); \
38 static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
42 const char *fname = BASEDIR "\\sd.txt";
46 union smb_setfileinfo set;
47 struct security_ace ace;
48 struct security_descriptor *sd;
49 struct dom_sid *test_sid;
51 printf("TESTING SETFILEINFO EA_SET\n");
53 io.generic.level = RAW_OPEN_NTCREATEX;
54 io.ntcreatex.in.root_fid = 0;
55 io.ntcreatex.in.flags = 0;
56 io.ntcreatex.in.access_mask = SEC_RIGHT_MAXIMUM_ALLOWED;
57 io.ntcreatex.in.create_options = 0;
58 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
59 io.ntcreatex.in.share_access =
60 NTCREATEX_SHARE_ACCESS_READ |
61 NTCREATEX_SHARE_ACCESS_WRITE;
62 io.ntcreatex.in.alloc_size = 0;
63 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
64 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
65 io.ntcreatex.in.security_flags = 0;
66 io.ntcreatex.in.fname = fname;
67 status = smb_raw_open(cli->tree, mem_ctx, &io);
68 CHECK_STATUS(status, NT_STATUS_OK);
69 fnum = io.ntcreatex.out.fnum;
71 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
72 q.query_secdesc.in.fnum = fnum;
73 q.query_secdesc.in.secinfo_flags =
74 OWNER_SECURITY_INFORMATION |
75 GROUP_SECURITY_INFORMATION |
76 DACL_SECURITY_INFORMATION;
77 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
78 CHECK_STATUS(status, NT_STATUS_OK);
79 sd = q.query_secdesc.out.sd;
81 printf("add a new ACE to the DACL\n");
83 test_sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-1234-5432");
85 ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
87 ace.access_mask = STD_RIGHT_ALL_ACCESS;
88 ace.trustee = *test_sid;
90 status = security_descriptor_dacl_add(sd, &ace);
91 CHECK_STATUS(status, NT_STATUS_OK);
93 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
94 set.set_secdesc.file.fnum = fnum;
95 set.set_secdesc.in.secinfo_flags = q.query_secdesc.in.secinfo_flags;
96 set.set_secdesc.in.sd = sd;
98 status = smb_raw_setfileinfo(cli->tree, &set);
99 CHECK_STATUS(status, NT_STATUS_OK);
101 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
102 CHECK_STATUS(status, NT_STATUS_OK);
104 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
105 printf("security descriptors don't match!\n");
107 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
108 printf("expected:\n");
109 NDR_PRINT_DEBUG(security_descriptor, sd);
112 printf("remove it again\n");
114 status = security_descriptor_dacl_del(sd, test_sid);
115 CHECK_STATUS(status, NT_STATUS_OK);
117 status = smb_raw_setfileinfo(cli->tree, &set);
118 CHECK_STATUS(status, NT_STATUS_OK);
120 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
121 CHECK_STATUS(status, NT_STATUS_OK);
123 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
124 printf("security descriptors don't match!\n");
126 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
127 printf("expected:\n");
128 NDR_PRINT_DEBUG(security_descriptor, sd);
132 smbcli_close(cli->tree, fnum);
138 test using NTTRANS CREATE to create a file with an initial ACL set
140 static BOOL test_nttrans_create(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
144 const char *fname = BASEDIR "\\acl2.txt";
147 union smb_fileinfo q;
148 struct security_ace ace;
149 struct security_descriptor *sd;
150 struct dom_sid *test_sid;
152 printf("TESTING NTTRANS CREATE WITH SEC_DESC\n");
154 io.generic.level = RAW_OPEN_NTTRANS_CREATE;
155 io.ntcreatex.in.root_fid = 0;
156 io.ntcreatex.in.flags = 0;
157 io.ntcreatex.in.access_mask = SEC_RIGHT_MAXIMUM_ALLOWED;
158 io.ntcreatex.in.create_options = 0;
159 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
160 io.ntcreatex.in.share_access =
161 NTCREATEX_SHARE_ACCESS_READ |
162 NTCREATEX_SHARE_ACCESS_WRITE;
163 io.ntcreatex.in.alloc_size = 0;
164 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
165 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
166 io.ntcreatex.in.security_flags = 0;
167 io.ntcreatex.in.fname = fname;
168 io.ntcreatex.in.sec_desc = NULL;
169 io.ntcreatex.in.ea_list = NULL;
171 printf("creating normal file\n");
173 status = smb_raw_open(cli->tree, mem_ctx, &io);
174 CHECK_STATUS(status, NT_STATUS_OK);
175 fnum = io.ntcreatex.out.fnum;
177 printf("querying ACL\n");
179 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
180 q.query_secdesc.in.fnum = fnum;
181 q.query_secdesc.in.secinfo_flags =
182 OWNER_SECURITY_INFORMATION |
183 GROUP_SECURITY_INFORMATION |
184 DACL_SECURITY_INFORMATION;
185 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
186 CHECK_STATUS(status, NT_STATUS_OK);
187 sd = q.query_secdesc.out.sd;
189 smbcli_close(cli->tree, fnum);
190 smbcli_unlink(cli->tree, fname);
192 printf("adding a new ACE\n");
193 test_sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-1234-54321");
195 ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
197 ace.access_mask = STD_RIGHT_ALL_ACCESS;
198 ace.trustee = *test_sid;
200 status = security_descriptor_dacl_add(sd, &ace);
201 CHECK_STATUS(status, NT_STATUS_OK);
203 printf("creating a file with an initial ACL\n");
205 io.ntcreatex.in.sec_desc = sd;
206 status = smb_raw_open(cli->tree, mem_ctx, &io);
207 CHECK_STATUS(status, NT_STATUS_OK);
208 fnum = io.ntcreatex.out.fnum;
210 q.query_secdesc.in.fnum = fnum;
211 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
212 CHECK_STATUS(status, NT_STATUS_OK);
214 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
215 printf("security descriptors don't match!\n");
217 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
218 printf("expected:\n");
219 NDR_PRINT_DEBUG(security_descriptor, sd);
223 smbcli_close(cli->tree, fnum);
229 basic testing of security descriptor calls
231 BOOL torture_raw_acls(void)
233 struct smbcli_state *cli;
237 if (!torture_open_connection(&cli)) {
241 mem_ctx = talloc_init("torture_raw_acls");
243 if (!torture_setup_dir(cli, BASEDIR)) {
247 ret &= test_sd(cli, mem_ctx);
248 ret &= test_nttrans_create(cli, mem_ctx);
250 smb_raw_exit(cli->session);
251 smbcli_deltree(cli->tree, BASEDIR);
253 torture_close_connection(cli);
254 talloc_destroy(mem_ctx);