The branch, master has been updated
       via  1ebec7056bd s3: smbd: Refuse open in create_file_unixpath() with only SEC_FLAG_SYSTEM_SECURITY set.
       via  d53c3f2b837 s3: smbd: Reformat code in SEC_FLAG_SYSTEM_SECURITY check in create_file_unixpath().
       via  21b8857919d smbd: Ensure SEC_FLAG_SYSTEM_SECURITY also opens the underlying fd.
       via  fff86ad49a1 smbd: use helper variables in open_file()
       via  81b26559cdc s3: smbd: When writing a security descriptor SACL, ensure both SEC_FLAG_SYSTEM_SECURITY|SEC_STD_WRITE_DAC are set.
       via  b338636a1e8 s3: torture: Call the smbtorture3 SMB2-SACL test.
       via  ad5f6b82c39 s3: torture: Add a basic SMB2 SACL test.
       via  3f7821c98da s3: torture: Run the SMB1-SYSTEM-SECURITY test.
       via  f3f81e8f28a s3: torture: Add an SMB1-specific test SMB1-SYSTEM-SECURITY.
      from  5651fafe985 dbwrap_watch: Set rec->value_valid while returning nested share_mode_do_locked()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1ebec7056bdf4b268b0a070d70b5a94093147f19
Author: Jeremy Allison <[email protected]>
Date:   Fri Apr 17 14:23:07 2020 -0700

    s3: smbd: Refuse open in create_file_unixpath() with only SEC_FLAG_SYSTEM_SECURITY set.
    
    We now pass smbtorture3 SMB2-SACL like Windows 10 does.
    Note this is an SMB2-only behavior. SMB1 allows an open
    with only SEC_FLAG_SYSTEM_SECURITY set as tested in
    smbtorture3 SMB1-SYSTEM-SECURITY.
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>
    
    Autobuild-User(master): Jeremy Allison <[email protected]>
    Autobuild-Date(master): Tue Apr 21 20:17:10 UTC 2020 on sn-devel-184

commit d53c3f2b8376ffc743455e3300f38c15d9b87335
Author: Jeremy Allison <[email protected]>
Date:   Fri Apr 17 14:20:13 2020 -0700

    s3: smbd: Reformat code in SEC_FLAG_SYSTEM_SECURITY check in create_file_unixpath().
    
    No logic change but uses modern formatting and will
    make it easier to add another clause in the next commit.
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>

commit 21b8857919d7a023d31c2e75221517727178f69f
Author: Jeremy Allison <[email protected]>
Date:   Fri Apr 17 14:16:36 2020 -0700

    smbd: Ensure SEC_FLAG_SYSTEM_SECURITY also opens the underlying fd.
    
    smbtorture3 SMB2-SACL test shows this is needed as we store the SACL in the
    same data store as the DACL.
    
    Without this, opening a file with SEC_FLAG_SYSTEM_SECURITY | READ_ATTRIBUTES
    would do a stat open, meaning when we call SMB_VFS_FGET_NT_ACL()
    on the fsp we have no open fd to work on.
    
    Pair-Programmed-With: Jeremy Allison <[email protected]>
    Signed-off-by: Ralph Boehme <[email protected]>

commit fff86ad49a1b50c8d74ede4a66a90add1d338d76
Author: Ralph Boehme <[email protected]>
Date:   Wed Mar 4 10:54:18 2020 +0100

    smbd: use helper variables in open_file()
    
    Simplify an if expression by using helper variables, no change in behaviour.
    
    Signed-off-by: Ralph Boehme <[email protected]>

commit 81b26559cdc4aac974c2f98571f9a6d24a0d795d
Author: Jeremy Allison <[email protected]>
Date:   Fri Apr 17 14:14:38 2020 -0700

    s3: smbd: When writing a security descriptor SACL, ensure both SEC_FLAG_SYSTEM_SECURITY|SEC_STD_WRITE_DAC are set.
    
    smbtorture3 SMB2-SACL tests this against Windows10 (and Samba).
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>

commit b338636a1e8a5d426728c5fea1515642ef7ca881
Author: Jeremy Allison <[email protected]>
Date:   Fri Apr 17 17:39:22 2020 -0700

    s3: torture: Call the smbtorture3 SMB2-SACL test.
    
    Calls the test in the previous commit by adding
    SeSecurityPrivilege first, running the SMB2-SACL test
    then removing SeSecurityPrivilege.
    
    Demonstrates the difference between server behavior
    with SEC_FLAG_SYSTEM_SECURITY against SMB1 and SMB2 servers.
    
    Mark as knownfail for now.
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>

commit ad5f6b82c39bd0905aa26514ef239f6161612b11
Author: Jeremy Allison <[email protected]>
Date:   Fri Apr 17 11:46:49 2020 -0700

    s3: torture: Add a basic SMB2 SACL test.
    
    Shows bits needed to set/get a SACL.  We need a script within Samba to run
    this as it depends on a user with SeSecurityPrivilege to work.
    
    Test does the following:
    
    1). Create a test file.
    2). Open with SEC_FLAG_SYSTEM_SECURITY *only*. ACCESS_DENIED.
        NB. SMB2-only behavior. SMB1 allows this as tested in SMB1-SYSTEM-SECURITY.
    3). Open with SEC_FLAG_SYSTEM_SECURITY|FILE_WRITE_ATTRIBUTES.
    4). Write SACL. Should fail with ACCESS_DENIED (seems to need WRITE_DAC).
    5). Close (3).
    6). Open with SEC_FLAG_SYSTEM_SECURITY|SEC_STD_WRITE_DAC.
    7). Write SACL. Success.
    8). Close (4).
    9). Open with SEC_FLAG_SYSTEM_SECURITY|READ_ATTRIBUTES.
    10). Read SACL. Success.
    11). Read DACL. Should fail with ACCESS_DENIED (no READ_CONTROL).
    12). Close (9).
    13 - and on error). Delete test file.
    
    Passes against Windows 10.
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>

commit 3f7821c98da962db053f075df6619ba0e6a54e90
Author: Jeremy Allison <[email protected]>
Date:   Fri Apr 17 17:36:10 2020 -0700

    s3: torture: Run the SMB1-SYSTEM-SECURITY test.
    
    Calls the test in the previous commit by adding
    SeSecurityPrivilege first, running the SMB1-SYSTEM-SECURITY
    test then removing SeSecurityPrivilege.
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>

commit f3f81e8f28afa524fddb8308382cce590c049de2
Author: Jeremy Allison <[email protected]>
Date:   Fri Apr 17 15:48:09 2020 -0700

    s3: torture: Add an SMB1-specific test SMB1-SYSTEM-SECURITY.
    
    NB. This is also tested in samba3.base.createx_access
    but this makes it very explicit what we're looking for.
    
    Shows SMB1 allows explicit open of a file with only
    the SEC_FLAG_SYSTEM_SECURITY access mask requested.
    SMB2 doesn't.
    
    Requires a Windows 10 system with a user with
    SeSecurityPrivilege set. Passes against Windows 10
    with SMB1 enabled.
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 source3/script/tests/test_sacl_set_get.sh         |  44 +++
 source3/script/tests/test_smb1_system_security.sh |  43 +++
 source3/selftest/tests.py                         |   6 +
 source3/smbd/nttrans.c                            |   7 +
 source3/smbd/open.c                               |  54 +++-
 source3/torture/proto.h                           |   1 +
 source3/torture/test_smb2.c                       | 336 ++++++++++++++++++++++
 source3/torture/torture.c                         | 102 +++++++
 8 files changed, 579 insertions(+), 14 deletions(-)
 create mode 100755 source3/script/tests/test_sacl_set_get.sh
 create mode 100755 source3/script/tests/test_smb1_system_security.sh


Changeset truncated at 500 lines:

diff --git a/source3/script/tests/test_sacl_set_get.sh 
b/source3/script/tests/test_sacl_set_get.sh
new file mode 100755
index 00000000000..68a9057d4ce
--- /dev/null
+++ b/source3/script/tests/test_sacl_set_get.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+#
+# Runs the smbtorture3 SMB2-SACL test
+# that requres SeSecurityPrivilege
+# against Samba.
+#
+
+if [ $# -lt 7 ]; then
+    echo "Usage: $0 SERVER SERVER_IP USERNAME PASSWORD SMBTORTURE3 NET SHARE"
+    exit 1
+fi
+
+SERVER="$1"
+SERVER_IP="$2"
+USERNAME="$3"
+PASSWORD="$4"
+SMBTORTURE3="$5"
+NET="$6"
+SHARE="$7"
+
+failed=0
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+sacl_set_get() {
+    out=$($SMBTORTURE3 //$SERVER_IP/$SHARE -U $USERNAME%$PASSWORD SMB2-SACL)
+    if [ $? -ne 0 ] ; then
+       echo "SMB2-SACL failed"
+       echo "$out"
+       return 1
+    fi
+}
+
+# Grant SeSecurityPrivilege to the user
+testit "grant SeSecurityPrivilege" $NET rpc rights grant $USERNAME 
SeSecurityPrivilege -U $USERNAME%$PASSWORD -I $SERVER_IP || failed=`expr 
$failed + 1`
+
+# Run the tests.
+testit "SACL set_get" sacl_set_get || failed=`expr $failed + 1`
+
+# Revoke SeSecurityPrivilege
+testit "revoke SeSecurityPrivilege" $NET rpc rights revoke $USERNAME 
SeSecurityPrivilege -U $USERNAME%$PASSWORD -I $SERVER_IP || failed=`expr 
$failed + 1`
+
+exit $failed
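Review bot: in sacl_set_get() and in both "rpc rights" calls, $USERNAME%$PASSWORD, $SERVER_IP and $SHARE are expanded unquoted, so a password containing whitespace or glob characters is split or expanded before smbtorture3 and net receive it; quote them, e.g. "$USERNAME%$PASSWORD" and "//$SERVER_IP/$SHARE". SERVER is assigned from $1 but never used, and the header comment has "requres" for "requires".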
diff --git a/source3/script/tests/test_smb1_system_security.sh 
b/source3/script/tests/test_smb1_system_security.sh
new file mode 100755
index 00000000000..4c678b364f4
--- /dev/null
+++ b/source3/script/tests/test_smb1_system_security.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+#
+# Runs the smbtorture3 SMB1-SYSTEM-SECURITY test
+# that requres SeSecurityPrivilege against Samba.
+#
+
+if [ $# -lt 7 ]; then
+    echo "Usage: $0 SERVER SERVER_IP USERNAME PASSWORD SMBTORTURE3 NET SHARE"
+    exit 1
+fi
+
+SERVER="$1"
+SERVER_IP="$2"
+USERNAME="$3"
+PASSWORD="$4"
+SMBTORTURE3="$5"
+NET="$6"
+SHARE="$7"
+
+failed=0
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+smb1_system_security() {
+    out=$($SMBTORTURE3 //$SERVER_IP/$SHARE -U $USERNAME%$PASSWORD -mNT1 
SMB1-SYSTEM-SECURITY)
+    if [ $? -ne 0 ] ; then
+       echo "SMB1-SYSTEM-SECURITY failed"
+       echo "$out"
+       return 1
+    fi
+}
+
+# Grant SeSecurityPrivilege to the user
+testit "grant SeSecurityPrivilege" $NET rpc rights grant $USERNAME 
SeSecurityPrivilege -U $USERNAME%$PASSWORD -I $SERVER_IP || failed=`expr 
$failed + 1`
+
+# Run the test.
+testit "smb1-system-secuirity" smb1_system_security || failed=`expr $failed + 
1`
+
+# Revoke SeSecurityPrivilege
+testit "revoke SeSecurityPrivilege" $NET rpc rights revoke $USERNAME 
SeSecurityPrivilege -U $USERNAME%$PASSWORD -I $SERVER_IP || failed=`expr 
$failed + 1`
+
+exit $failed
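Review bot: the label passed to testit is misspelled as "smb1-system-secuirity"; it should read "smb1-system-security" so the reported name matches the SMB1-SYSTEM-SECURITY test it runs. Apart from that label, the -mNT1 option and the torture test name, this file is a copy of test_sacl_set_get.sh (including the unused SERVER and the "requres" typo), so a single script taking the test name and extra options as arguments would avoid keeping two copies in step.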
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 568434a208c..a536a473cb5 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -412,6 +412,12 @@ for env in ["fileserver"]:
     plantestsuite("samba3.blackbox.timestamps", env,
                   [os.path.join(samba3srcdir, 
"script/tests/test_timestamps.sh"),
                    '$SERVER_IP', '$USERNAME', '$PASSWORD', '$LOCAL_PATH', 
smbclient3])
+    plantestsuite("samba3.blackbox.smb1_system_security", env + "_smb1_done",
+                  [os.path.join(samba3srcdir, 
"script/tests/test_smb1_system_security.sh"),
+                   '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', 
smbtorture3, net, 'tmp'])
+    plantestsuite("samba3.blackbox.sacl_get_set", env,
+                  [os.path.join(samba3srcdir, 
"script/tests/test_sacl_set_get.sh"),
+                   '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', 
smbtorture3, net, 'tmp'])
 
     #
     # tar command tests
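Review bot: the second suite is registered as samba3.blackbox.sacl_get_set while the script it runs is test_sacl_set_get.sh and its testit label is "SACL set_get"; pick one word order so that a knownfail or filter entry can be derived from the script name. A one-line comment on why the SMB1 suite uses env + "_smb1_done" and the SMB2 suite uses plain env would also help the next reader.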
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index f7e313d6edf..66bcebf1313 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -950,6 +950,13 @@ NTSTATUS set_sd(files_struct *fsp, struct 
security_descriptor *psd,
                if (!(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
                        return NT_STATUS_ACCESS_DENIED;
                }
+               /*
+                * Setting a SACL also requires WRITE_DAC.
+                * See the smbtorture3 SMB2-SACL test.
+                */
+               if (!(fsp->access_mask & SEC_STD_WRITE_DAC)) {
+                       return NT_STATUS_ACCESS_DENIED;
+               }
                /* Convert all the generic bits. */
                if (psd->sacl) {
                        security_acl_map_generic(psd->sacl, 
&file_generic_mapping);
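Review bot: the new SEC_STD_WRITE_DAC test in set_sd() is unconditional, whereas the matching change in create_file_unixpath() is limited to conn->sconn->using_smb2, and the comment cites only the SMB2-SACL test. Say in the comment whether SMB1 clients were also observed to need WRITE_DAC for a SACL write, or make the check protocol-specific. The two consecutive access_mask tests could also be folded into one comparison against SEC_FLAG_SYSTEM_SECURITY|SEC_STD_WRITE_DAC.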
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index b2d0455ba43..ecb46d75215 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1150,6 +1150,17 @@ static NTSTATUS open_file(files_struct *fsp,
        int accmode = (flags & O_ACCMODE);
        int local_flags = flags;
        bool file_existed = VALID_STAT(fsp->fsp_name->st);
+       uint32_t need_fd_mask =
+               FILE_READ_DATA |
+               FILE_WRITE_DATA |
+               FILE_APPEND_DATA |
+               FILE_EXECUTE |
+               WRITE_DAC_ACCESS |
+               WRITE_OWNER_ACCESS |
+               SEC_FLAG_SYSTEM_SECURITY |
+               READ_CONTROL_ACCESS;
+       bool creating = !file_existed && (flags & O_CREAT);
+       bool truncating = (flags & O_TRUNC);
 
        fsp->fh->fd = -1;
        errno = EPERM;
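Review bot: need_fd_mask now includes SEC_FLAG_SYSTEM_SECURITY, which turns a SACL-only open from a stat open into a real open of the file, but the reason is recorded only in the commit message. Add a short comment above the mask saying that the SACL is kept in the same data store as the DACL and that SMB_VFS_FGET_NT_ACL() needs an open fd on the fsp.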
@@ -1201,12 +1212,7 @@ static NTSTATUS open_file(files_struct *fsp,
                local_flags = (flags & ~O_ACCMODE)|O_RDWR;
        }
 
-       if ((open_access_mask & (FILE_READ_DATA|FILE_WRITE_DATA|
-                                FILE_APPEND_DATA|FILE_EXECUTE|
-                                WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|
-                                READ_CONTROL_ACCESS))||
-           (!file_existed && (local_flags & O_CREAT)) ||
-           ((local_flags & O_TRUNC) == O_TRUNC) ) {
+       if ((open_access_mask & need_fd_mask) || creating || truncating) {
                const char *wild;
                int ret;
 
@@ -1220,6 +1226,7 @@ static NTSTATUS open_file(files_struct *fsp,
                if (file_existed && S_ISFIFO(smb_fname->st.st_ex_mode)) {
                        local_flags &= ~O_TRUNC; /* Can't truncate a FIFO. */
                        local_flags |= O_NONBLOCK;
+                       truncating = false;
                }
 #endif
 
@@ -5413,14 +5420,33 @@ static NTSTATUS create_file_unixpath(connection_struct 
*conn,
                }
        }
 
-       if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&
-                       !security_token_has_privilege(get_current_nttok(conn),
-                                       SEC_PRIV_SECURITY)) {
-               DEBUG(10, ("create_file_unixpath: open on %s "
-                       "failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
-                       smb_fname_str_dbg(smb_fname)));
-               status = NT_STATUS_PRIVILEGE_NOT_HELD;
-               goto fail;
+       if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
+               bool ok;
+
+               ok = security_token_has_privilege(get_current_nttok(conn),
+                                                 SEC_PRIV_SECURITY);
+               if (!ok) {
+                       DBG_DEBUG("open on %s failed - "
+                               "SEC_FLAG_SYSTEM_SECURITY denied.\n",
+                               smb_fname_str_dbg(smb_fname));
+                       status = NT_STATUS_PRIVILEGE_NOT_HELD;
+                       goto fail;
+               }
+
+               if (conn->sconn->using_smb2 &&
+                   (access_mask == SEC_FLAG_SYSTEM_SECURITY))
+               {
+                       /*
+                        * No other bits set. Windows SMB2 refuses this.
+                        * See smbtorture3 SMB2-SACL test.
+                        *
+                        * Note this is an SMB2-only behavior,
+                        * smbtorture3 SMB1-SYSTEM-SECURITY already tests
+                        * that SMB1 allows this.
+                        */
+                       status = NT_STATUS_ACCESS_DENIED;
+                       goto fail;
+               }
        }
 
        /*
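Review bot: the new SMB2 refusal path returns NT_STATUS_ACCESS_DENIED without any debug output, while the privilege failure just above it logs through DBG_DEBUG; add a matching DBG_DEBUG with smb_fname_str_dbg(smb_fname) so the two denials can be told apart in the log. The test is an exact equality on access_mask, so any additional bit in the request skips it; the comment should state that this is intended and that it relies on access_mask still being the client's requested mask at this point.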
diff --git a/source3/torture/proto.h b/source3/torture/proto.h
index 73a28991735..bae58ef9659 100644
--- a/source3/torture/proto.h
+++ b/source3/torture/proto.h
@@ -103,6 +103,7 @@ bool run_smb2_session_reauth(int dummy);
 bool run_smb2_ftruncate(int dummy);
 bool run_smb2_dir_fsync(int dummy);
 bool run_smb2_path_slash(int dummy);
+bool run_smb2_sacl(int dummy);
 bool run_chain3(int dummy);
 bool run_local_conv_auth_info(int dummy);
 bool run_local_sprintf_append(int dummy);
diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c
index 4e6d103b339..52f1c397623 100644
--- a/source3/torture/test_smb2.c
+++ b/source3/torture/test_smb2.c
@@ -29,6 +29,7 @@
 #include "auth_generic.h"
 #include "../librpc/ndr/libndr.h"
 #include "libsmb/clirap.h"
+#include "libsmb/cli_smb2_fnum.h"
 
 extern fstring host, workgroup, share, password, username, myname;
 extern struct cli_credentials *torture_creds;
@@ -2540,3 +2541,338 @@ bool run_smb2_path_slash(int dummy)
        (void)cli_unlink(cli, fname_noslash, 0);
        return true;
 }
+
+/*
+ * NB. This can only work against a server where
+ * the connecting user has been granted SeSecurityPrivilege.
+ *
+ *  1). Create a test file.
+ *  2). Open with SEC_FLAG_SYSTEM_SECURITY *only*. ACCESS_DENIED -
+ *             NB. SMB2-only behavior.
+ *  3). Open with SEC_FLAG_SYSTEM_SECURITY|FILE_WRITE_ATTRIBUTES.
+ *  4). Write SACL. Should fail with ACCESS_DENIED (seems to need WRITE_DAC).
+ *  5). Close (3).
+ *  6). Open with SEC_FLAG_SYSTEM_SECURITY|SEC_STD_WRITE_DAC.
+ *  7). Write SACL. Success.
+ *  8). Close (4).
+ *  9). Open with SEC_FLAG_SYSTEM_SECURITY|READ_ATTRIBUTES.
+ *  10). Read SACL. Success.
+ *  11). Read DACL. Should fail with ACCESS_DENIED (no READ_CONTROL).
+ *  12). Close (9).
+ */
+
+bool run_smb2_sacl(int dummy)
+{
+       struct cli_state *cli = NULL;
+       NTSTATUS status;
+       struct security_descriptor *sd_dacl = NULL;
+       struct security_descriptor *sd_sacl = NULL;
+       const char *fname = "sacl_test_file";
+       uint16_t fnum = (uint16_t)-1;
+
+       printf("Starting SMB2-SACL\n");
+
+       if (!torture_init_connection(&cli)) {
+               return false;
+       }
+
+       status = smbXcli_negprot(cli->conn,
+                               cli->timeout,
+                               PROTOCOL_SMB2_02,
+                               PROTOCOL_SMB3_11);
+       if (!NT_STATUS_IS_OK(status)) {
+               printf("smbXcli_negprot returned %s\n", nt_errstr(status));
+               return false;
+       }
+
+       status = cli_session_setup_creds(cli, torture_creds);
+       if (!NT_STATUS_IS_OK(status)) {
+               printf("cli_session_setup returned %s\n", nt_errstr(status));
+               return false;
+       }
+
+       status = cli_tree_connect(cli, share, "?????", NULL);
+       if (!NT_STATUS_IS_OK(status)) {
+               printf("cli_tree_connect returned %s\n", nt_errstr(status));
+               return false;
+       }
+
+       (void)cli_unlink(cli, fname, 0);
+
+       /* First create a file. */
+       status = cli_ntcreate(cli,
+                               fname,
+                               0,
+                               GENERIC_ALL_ACCESS,
+                               FILE_ATTRIBUTE_NORMAL,
+                               FILE_SHARE_NONE,
+                               FILE_CREATE,
+                               0,
+                               0,
+                               &fnum,
+                               NULL);
+
+        if (!NT_STATUS_IS_OK(status)) {
+               printf("Create of %s failed (%s)\n",
+                       fname,
+                       nt_errstr(status));
+                goto fail;
+        }
+
+       cli_close(cli, fnum);
+       fnum = (uint16_t)-1;
+
+       /*
+        * Now try to open with *only* SEC_FLAG_SYSTEM_SECURITY.
+        * This should fail with NT_STATUS_ACCESS_DENIED - but
+        * only against an SMB2 server. SMB1 allows this as tested
+        * in SMB1-SYSTEM-SECURITY.
+        */
+
+       status = cli_smb2_create_fnum(cli,
+                       fname,
+                       SMB2_OPLOCK_LEVEL_NONE,
+                       SMB2_IMPERSONATION_IMPERSONATION,
+                       SEC_FLAG_SYSTEM_SECURITY, /* desired access */
+                       0, /* file_attributes, */
+                       FILE_SHARE_READ|
+                               FILE_SHARE_WRITE|
+                               FILE_SHARE_DELETE, /* share_access, */
+                       FILE_OPEN, /* create_disposition, */
+                       FILE_NON_DIRECTORY_FILE, /* create_options, */
+                       NULL, /* in_cblobs. */
+                       &fnum, /* fnum */
+                       NULL, /* smb_create_returns  */
+                       talloc_tos(), /* mem_ctx */
+                       NULL); /* out_cblobs */
+
+       if (NT_STATUS_EQUAL(status, NT_STATUS_PRIVILEGE_NOT_HELD)) {
+               printf("SMB2-SACL-TEST can only work with a user "
+                       "who has been granted SeSecurityPrivilege.\n"
+                       "This is the "
+                       "\"Manage auditing and security log\""
+                       "privilege setting on Windows\n");
+               goto fail;
+       }
+
+       if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+               printf("open file %s with SEC_FLAG_SYSTEM_SECURITY only: "
+                       "got %s - should fail with ACCESS_DENIED\n",
+                       fname,
+                       nt_errstr(status));
+               goto fail;
+       }
+
+       /*
+        * Open with SEC_FLAG_SYSTEM_SECURITY|FILE_WRITE_ATTRIBUTES.
+        */
+
+       status = cli_smb2_create_fnum(cli,
+                       fname,
+                       SMB2_OPLOCK_LEVEL_NONE,
+                       SMB2_IMPERSONATION_IMPERSONATION,
+                       SEC_FLAG_SYSTEM_SECURITY|
+                               FILE_WRITE_ATTRIBUTES, /* desired access */
+                       0, /* file_attributes, */
+                       FILE_SHARE_READ|
+                               FILE_SHARE_WRITE|
+                               FILE_SHARE_DELETE, /* share_access, */
+                       FILE_OPEN, /* create_disposition, */
+                       FILE_NON_DIRECTORY_FILE, /* create_options, */
+                       NULL, /* in_cblobs. */
+                       &fnum, /* fnum */
+                       NULL, /* smb_create_returns  */
+                       talloc_tos(), /* mem_ctx */
+                       NULL); /* out_cblobs */
+
+        if (!NT_STATUS_IS_OK(status)) {
+               printf("Open of %s with (SEC_FLAG_SYSTEM_SECURITY|"
+                       "FILE_WRITE_ATTRIBUTES) failed (%s)\n",
+                       fname,
+                       nt_errstr(status));
+               goto fail;
+        }
+
+       /* Create an SD with a SACL. */
+       sd_sacl = security_descriptor_sacl_create(talloc_tos(),
+                               0,
+                               NULL, /* owner. */
+                               NULL, /* group. */
+                               /* first ACE. */
+                               SID_WORLD,
+                               SEC_ACE_TYPE_SYSTEM_AUDIT,
+                               SEC_GENERIC_ALL,
+                               SEC_ACE_FLAG_FAILED_ACCESS,
+                               NULL);
+
+       if (sd_sacl == NULL) {
+               printf("Out of memory creating SACL\n");
+               goto fail;
+       }
+
+       /*
+        * Write the SACL SD. This should fail
+        * even though we have SEC_FLAG_SYSTEM_SECURITY,
+        * as it seems to also need WRITE_DAC access.
+        */
+       status = cli_smb2_set_security_descriptor(cli,
+                               fnum,
+                               SECINFO_DACL|SECINFO_SACL,
+                               sd_sacl);
+
+       if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+               printf("Writing SACL on file %s got (%s) "
+                       "should have failed with ACCESS_DENIED.\n",
+                       fname,
+                       nt_errstr(status));
+               goto fail;
+        }
+
+       /* And close. */
+       cli_smb2_close_fnum(cli, fnum);
+       fnum = (uint16_t)-1;
+
+       /*
+        * Open with SEC_FLAG_SYSTEM_SECURITY|SEC_STD_WRITE_DAC.
+        */
+
+       status = cli_smb2_create_fnum(cli,
+                       fname,
+                       SMB2_OPLOCK_LEVEL_NONE,
+                       SMB2_IMPERSONATION_IMPERSONATION,
+                       SEC_FLAG_SYSTEM_SECURITY|
+                               SEC_STD_WRITE_DAC, /* desired access */
+                       0, /* file_attributes, */
+                       FILE_SHARE_READ|
+                               FILE_SHARE_WRITE|
+                               FILE_SHARE_DELETE, /* share_access, */
+                       FILE_OPEN, /* create_disposition, */
+                       FILE_NON_DIRECTORY_FILE, /* create_options, */
+                       NULL, /* in_cblobs. */
+                       &fnum, /* fnum */
+                       NULL, /* smb_create_returns  */
+                       talloc_tos(), /* mem_ctx */
+                       NULL); /* out_cblobs */
+
+        if (!NT_STATUS_IS_OK(status)) {
+               printf("Open of %s with (SEC_FLAG_SYSTEM_SECURITY|"
+                       "FILE_WRITE_ATTRIBUTES) failed (%s)\n",
+                       fname,
+                       nt_errstr(status));
+               goto fail;
+        }
+
+       /*
+        * Write the SACL SD. This should now succeed
+        * as we have both SEC_FLAG_SYSTEM_SECURITY
+        * and WRITE_DAC access.
+        */
+       status = cli_smb2_set_security_descriptor(cli,
+                               fnum,
+                               SECINFO_DACL|SECINFO_SACL,
+                               sd_sacl);
+
+        if (!NT_STATUS_IS_OK(status)) {
+               printf("cli_smb2_set_security_descriptor SACL "
+                       "on file %s failed (%s)\n",
+                       fname,
+                       nt_errstr(status));
+               goto fail;
+        }
+
+       /* And close. */
+       cli_smb2_close_fnum(cli, fnum);
+       fnum = (uint16_t)-1;
+
+       /* We're done with the sacl we made. */
+       TALLOC_FREE(sd_sacl);
+
+       /*
+        * Now try to open with SEC_FLAG_SYSTEM_SECURITY|READ_ATTRIBUTES.
+        * This gives us access to the SACL.
+        */
+
+       status = cli_smb2_create_fnum(cli,
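Review bot: both cli_smb2_set_security_descriptor() calls pass SECINFO_DACL|SECINFO_SACL, so the ACCESS_DENIED expected in step 4 may come from the DACL part of the request, which needs WRITE_DAC on its own account, and does not by itself show that a SACL write needs it. Passing SECINFO_SACL alone in steps 4 and 7 would isolate the behaviour that the new check in set_sd() depends on. Smaller points: the failure message after the SEC_FLAG_SYSTEM_SECURITY|SEC_STD_WRITE_DAC open still names FILE_WRITE_ATTRIBUTES, step 8 in the header comment should read "Close (6)", and the PRIVILEGE_NOT_HELD message is missing a space between the quoted privilege name and "privilege setting".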


-- 
Samba Shared Repository
