[SCM] Samba Shared Repository - branch master updated

Thu, 28 Feb 2019 11:19:25 -0800 

The branch, master has been updated
       via  5cf0764bc4b libcli/security: add "Owner Rights" calculation to 
access_check_max_allowed()
       via  3ca38d2cd11 s4:torture: add a Maximum Access check with an Owner 
Rights ACE
       via  9f4ee052958 s4:libcli: remember return code from maximum access
      from  c906153cc7a lib: Remove some unused code

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5cf0764bc4b65dbc59d8626760dbe946a2234833
Author: Ralph Boehme <[email protected]>
Date:   Wed Feb 27 18:07:03 2019 +0100

    libcli/security: add "Owner Rights" calculation to 
access_check_max_allowed()
    
    This was missing in 44590c1b70c0a24f853c02d5fcdb3c609401e2ca.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812
    
    Signed-off-by: Ralph Boehme <[email protected]>
    Reviewed-by: David Disseldorp <[email protected]>
    
    Autobuild-User(master): David Disseldorp <[email protected]>
    Autobuild-Date(master): Thu Feb 28 19:18:16 UTC 2019 on sn-devel-144

commit 3ca38d2cd1189a5040e13ddab016063280be2b4d
Author: Ralph Boehme <[email protected]>
Date:   Thu Feb 28 14:48:02 2019 +0100

    s4:torture: add a Maximum Access check with an Owner Rights ACE
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812
    
    Signed-off-by: Ralph Boehme <[email protected]>
    Reviewed-by: David Disseldorp <[email protected]>

commit 9f4ee05295827c9a607e1f63694a17906f777176
Author: Ralph Boehme <[email protected]>
Date:   Thu Feb 28 14:47:18 2019 +0100

    s4:libcli: remember return code from maximum access
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812
    
    Signed-off-by: Ralph Boehme <[email protected]>
    Reviewed-by: David Disseldorp <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/access_check.c  |  33 +++++++++--
 source4/libcli/raw/interfaces.h |   1 +
 source4/libcli/smb2/create.c    |   4 +-
 source4/torture/smb2/acls.c     | 125 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 156 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 03a7dca4adf..5d49b718f0c 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -110,13 +110,15 @@ static uint32_t access_check_max_allowed(const struct 
security_descriptor *sd,
 {
        uint32_t denied = 0, granted = 0;
        unsigned i;
-
-       if (security_token_has_sid(token, sd->owner_sid)) {
-               granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
-       }
+       uint32_t owner_rights_allowed = 0;
+       uint32_t owner_rights_denied = 0;
+       bool owner_rights_default = true;
 
        if (sd->dacl == NULL) {
-               return granted & ~denied;
+               if (security_token_has_sid(token, sd->owner_sid)) {
+                       granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
+               }
+               return granted;
        }
 
        for (i = 0;i<sd->dacl->num_aces; i++) {
@@ -126,6 +128,18 @@ static uint32_t access_check_max_allowed(const struct 
security_descriptor *sd,
                        continue;
                }
 
+               if (dom_sid_equal(&ace->trustee, &global_sid_Owner_Rights)) {
+                       if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
+                               owner_rights_allowed |= ace->access_mask;
+                               owner_rights_default = false;
+                       } else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
+                               owner_rights_denied |= (owner_rights_allowed &
+                                                       ace->access_mask);
+                               owner_rights_default = false;
+                       }
+                       continue;
+               }
+
                if (!security_token_has_sid(token, &ace->trustee)) {
                        continue;
                }
@@ -143,6 +157,15 @@ static uint32_t access_check_max_allowed(const struct 
security_descriptor *sd,
                }
        }
 
+       if (security_token_has_sid(token, sd->owner_sid)) {
+               if (owner_rights_default) {
+                       granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL;
+               } else {
+                       granted |= owner_rights_allowed;
+                       granted &= ~owner_rights_denied;
+               }
+       }
+
        return granted & ~denied;
 }
 
diff --git a/source4/libcli/raw/interfaces.h b/source4/libcli/raw/interfaces.h
index 732ba1512dc..43a53f834df 100644
--- a/source4/libcli/raw/interfaces.h
+++ b/source4/libcli/raw/interfaces.h
@@ -1779,6 +1779,7 @@ union smb_open {
                        /* uint32_t blob_size; */
 
                        /* optional return values matching tagged values in the 
call */
+                       uint32_t maximal_access_status;
                        uint32_t maximal_access;
                        uint8_t on_disk_id[32];
                        struct smb2_lease lease_response;
diff --git a/source4/libcli/smb2/create.c b/source4/libcli/smb2/create.c
index 550069a6cea..eb0f6a421cd 100644
--- a/source4/libcli/smb2/create.c
+++ b/source4/libcli/smb2/create.c
@@ -360,12 +360,12 @@ NTSTATUS smb2_create_recv(struct smb2_request *req, 
TALLOC_CTX *mem_ctx, struct
        /* pull out the parsed blobs */
        for (i=0;i<io->out.blobs.num_blobs;i++) {
                if (strcmp(io->out.blobs.blobs[i].tag, SMB2_CREATE_TAG_MXAC) == 
0) {
-                       /* TODO: this also contains a status field in
-                          first 4 bytes */
                        if (io->out.blobs.blobs[i].data.length != 8) {
                                smb2_request_destroy(req);
                                return NT_STATUS_INVALID_NETWORK_RESPONSE;
                        }
+                       io->out.maximal_access_status =
+                               IVAL(io->out.blobs.blobs[i].data.data, 0);
                        io->out.maximal_access = 
IVAL(io->out.blobs.blobs[i].data.data, 4);
                }
                if (strcmp(io->out.blobs.blobs[i].tag, SMB2_CREATE_TAG_QFID) == 
0) {
diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c
index 6178e211034..b02d74367e3 100644
--- a/source4/torture/smb2/acls.c
+++ b/source4/torture/smb2/acls.c
@@ -2363,6 +2363,130 @@ done:
        return ret;
 }
 
+/*
+ * test Owner Rights, S-1-3-4
+ */
+static bool test_owner_rights(struct torture_context *tctx,
+                             struct smb2_tree *tree)
+{
+       const char *fname = BASEDIR "\\owner_right.txt";
+       struct smb2_create cr;
+       struct smb2_handle handle = {{0}};
+       union smb_fileinfo gi;
+       union smb_setfileinfo si;
+       struct security_descriptor *sd_orig = NULL;
+       struct security_descriptor *sd = NULL;
+       const char *owner_sid = NULL;
+       NTSTATUS mxac_status;
+       NTSTATUS status;
+       bool ret = true;
+
+       smb2_deltree(tree, BASEDIR);
+
+       ret = smb2_util_setup_dir(tctx, tree, BASEDIR);
+       torture_assert_goto(tctx, ret, ret, done,
+                           "smb2_util_setup_dir failed\n");
+
+       torture_comment(tctx, "TESTING OWNER RIGHTS\n");
+
+       cr = (struct smb2_create) {
+               .in.desired_access = SEC_STD_READ_CONTROL |
+                       SEC_STD_WRITE_DAC |SEC_STD_WRITE_OWNER,
+               .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+               .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
+               .in.create_disposition = NTCREATEX_DISP_OPEN_IF,
+               .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+               .in.fname = fname,
+       };
+
+       status = smb2_create(tree, tctx, &cr);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                                       "smb2_create failed\n");
+       handle = cr.out.file.handle;
+
+       torture_comment(tctx, "get the original sd\n");
+
+       gi = (union smb_fileinfo) {
+               .query_secdesc.level = RAW_FILEINFO_SEC_DESC,
+               .query_secdesc.in.file.handle = handle,
+               .query_secdesc.in.secinfo_flags = SECINFO_DACL|SECINFO_OWNER,
+       };
+
+       status = smb2_getinfo_file(tree, tctx, &gi);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                                       "smb2_getinfo_file failed\n");
+
+       sd_orig = gi.query_secdesc.out.sd;
+       owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
+
+       sd = security_descriptor_dacl_create(tctx, 0, NULL, NULL,
+                                            owner_sid,
+                                            SEC_ACE_TYPE_ACCESS_ALLOWED,
+                                            SEC_RIGHTS_FILE_READ,
+                                            0,
+                                            SID_OWNER_RIGHTS,
+                                            SEC_ACE_TYPE_ACCESS_ALLOWED,
+                                            SEC_RIGHTS_FILE_READ,
+                                            0,
+                                            NULL);
+       torture_assert_not_null_goto(tctx, sd, ret, done,
+                                    "SD create failed\n");
+
+       si = (union smb_setfileinfo) {
+               .set_secdesc.level = RAW_SFILEINFO_SEC_DESC,
+               .set_secdesc.in.file.handle = handle,
+               .set_secdesc.in.secinfo_flags = SECINFO_DACL,
+               .set_secdesc.in.sd = sd,
+       };
+
+       status = smb2_setinfo_file(tree, &si);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                                       "smb2_setinfo_file failed\n");
+
+       status = smb2_util_close(tree, handle);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                                       "smb2_util_close failed\n");
+       ZERO_STRUCT(handle);
+
+       cr = (struct smb2_create) {
+               .in.desired_access = SEC_STD_READ_CONTROL,
+               .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+               .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
+               .in.create_disposition = NTCREATEX_DISP_OPEN_IF,
+               .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+               .in.query_maximal_access = true,
+               .in.fname = fname,
+       };
+
+       status = smb2_create(tree, tctx, &cr);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                                       "smb2_setinfo_file failed\n");
+       handle = cr.out.file.handle;
+
+       mxac_status = NT_STATUS(cr.out.maximal_access_status);
+       torture_assert_ntstatus_ok_goto(tctx, mxac_status, ret, done,
+                                       "smb2_setinfo_file failed\n");
+
+       /* SEC_STD_DELETE comes from the parent directory */
+       torture_assert_int_equal_goto(tctx,
+                                     cr.out.maximal_access,
+                                     SEC_RIGHTS_FILE_READ|SEC_STD_DELETE,
+                                     ret, done,
+                                     "Wrong maximum access\n");
+
+       status = smb2_util_close(tree, handle);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+                                       "smb2_util_close failed\n");
+       ZERO_STRUCT(handle);
+
+done:
+       if (!smb2_util_handle_empty(handle)) {
+               smb2_util_close(tree, handle);
+       }
+       smb2_deltree(tree, BASEDIR);
+       return ret;
+}
+
 /*
    basic testing of SMB2 ACLs
 */
@@ -2382,6 +2506,7 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX 
*ctx)
        torture_suite_add_1smb2_test(suite, "GETSET", test_sd_get_set);
 #endif
        torture_suite_add_1smb2_test(suite, "ACCESSBASED", test_access_based);
+       torture_suite_add_1smb2_test(suite, "OWNER-RIGHTS", test_owner_rights);
 
        suite->description = talloc_strdup(suite, "SMB2-ACLS tests");
 


-- 
Samba Shared Repository

Reply via email to