The branch, master has been updated
via 5a0fce58650 source4/torture: Add SEC_STD_DELETE to enable proper
cleanup
from e4c3c61302b python:gp: Implement client site lookup in
site_dn_for_machine()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 5a0fce58650770bc7701d1be72492637c2ced63c
Author: Anoop C S <anoo...@samba.org>
Date: Thu Feb 22 19:26:08 2024 +0530
source4/torture: Add SEC_STD_DELETE to enable proper cleanup
basic.maximum_allowed and smb2.maximum_allowed attempt to unlink the
files created by those tests. But the restrictive SD with which they
were created prohibits the deletion inside shares where vfs_acl_xattr
is configured including "ignore system acls". The very same file will
otherwise cause problems while progressing with remaining sub tests.
SEC_STD_DELETE could be the minimum required additional access mask
to successfully delete the file under the said configuration using
vfs_acl_xattr and "ignore system acls" option without loosing the
integrity of the overall test.
Signed-off-by: Anoop C S <anoo...@samba.org>
Reviewed-by: Volker Lendecke <v...@samba.org>
Autobuild-User(master): Volker Lendecke <v...@samba.org>
Autobuild-Date(master): Mon Feb 26 18:35:43 UTC 2024 on atb-devel-224
-----------------------------------------------------------------------
Summary of changes:
source4/torture/basic/denytest.c | 30 ++++++++++++++++++++++++++-
source4/torture/smb2/max_allowed.c | 42 +++++++++++++++++++++++++++++++++-----
2 files changed, 66 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/torture/basic/denytest.c b/source4/torture/basic/denytest.c
index c9f4a97743e..ba636fe2a95 100644
--- a/source4/torture/basic/denytest.c
+++ b/source4/torture/basic/denytest.c
@@ -2680,10 +2680,11 @@ bool torture_maximum_allowed(struct torture_context
*tctx,
struct security_descriptor *sd, *sd_orig;
union smb_open io;
static TALLOC_CTX *mem_ctx;
- int fnum, i;
+ int fnum, fnum1 = -1, i;
bool ret = true;
NTSTATUS status;
union smb_fileinfo q;
+ union smb_setfileinfo set;
const char *owner_sid;
bool has_restore_privilege, has_backup_privilege,
has_system_security_privilege;
@@ -2813,7 +2814,34 @@ bool torture_maximum_allowed(struct torture_context
*tctx,
smbcli_close(cli->tree, fnum);
}
+ io.generic.level = RAW_OPEN_NTTRANS_CREATE;
+ io.ntcreatex.in.access_mask = SEC_STD_WRITE_DAC;
+ io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
+ io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
+ io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
+ io.ntcreatex.in.fname = MAXIMUM_ALLOWED_FILE;
+
+ status = smb_raw_open(cli->tree, mem_ctx, &io);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ fnum1 = io.ntcreatex.out.file.fnum;
+
+ sd = security_descriptor_dacl_create(tctx,
+ 0, NULL, NULL,
+ SID_NT_AUTHENTICATED_USERS,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ SEC_STD_DELETE,
+ 0,
+ NULL);
+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+ set.set_secdesc.in.file.fnum = fnum1;
+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+ set.set_secdesc.in.sd = sd;
+
+ status = smb_raw_setfileinfo(cli->tree, &set);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
done:
+ smbcli_close(cli->tree, fnum1);
smbcli_unlink(cli->tree, MAXIMUM_ALLOWED_FILE);
return ret;
}
diff --git a/source4/torture/smb2/max_allowed.c
b/source4/torture/smb2/max_allowed.c
index af8b08ac9a9..6d69b84fbe6 100644
--- a/source4/torture/smb2/max_allowed.c
+++ b/source4/torture/smb2/max_allowed.c
@@ -33,11 +33,12 @@ static bool torture_smb2_maximum_allowed(struct
torture_context *tctx,
struct security_descriptor *sd = NULL, *sd_orig = NULL;
struct smb2_create io = {0};
TALLOC_CTX *mem_ctx = NULL;
- struct smb2_handle fnum = {{0}};
+ struct smb2_handle fnum = {{0}}, fnum1 = {{0}};
int i;
bool ret = true;
NTSTATUS status;
union smb_fileinfo q;
+ union smb_setfileinfo set;
const char *owner_sid = NULL;
bool has_restore_privilege, has_backup_privilege,
has_system_security_privilege;
@@ -82,7 +83,7 @@ static bool torture_smb2_maximum_allowed(struct
torture_context *tctx,
q.query_secdesc.in.file.handle = fnum;
q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
status = smb2_getinfo_file(tree, tctx, &q);
- torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, set_sd,
talloc_asprintf(tctx, "Incorrect status %s - should be %s\n",
nt_errstr(status), nt_errstr(NT_STATUS_OK)));
sd_orig = q.query_secdesc.out.sd;
@@ -159,21 +160,21 @@ static bool torture_smb2_maximum_allowed(struct
torture_context *tctx,
if (mask & ok_mask ||
mask == SEC_FLAG_MAXIMUM_ALLOWED) {
torture_assert_ntstatus_ok_goto(tctx, status, ret,
- done, talloc_asprintf(tctx,
+ set_sd, talloc_asprintf(tctx,
"Incorrect status %s - should be %s\n",
nt_errstr(status), nt_errstr(NT_STATUS_OK)));
} else {
if (mask & SEC_FLAG_SYSTEM_SECURITY) {
torture_assert_ntstatus_equal_goto(tctx,
status, NT_STATUS_PRIVILEGE_NOT_HELD,
- ret, done, talloc_asprintf(tctx,
+ ret, set_sd, talloc_asprintf(tctx,
"Incorrect status %s - should be %s\n",
nt_errstr(status),
nt_errstr(NT_STATUS_PRIVILEGE_NOT_HELD)));
} else {
torture_assert_ntstatus_equal_goto(tctx,
status, NT_STATUS_ACCESS_DENIED,
- ret, done, talloc_asprintf(tctx,
+ ret, set_sd, talloc_asprintf(tctx,
"Incorrect status %s - should be %s\n",
nt_errstr(status),
nt_errstr(NT_STATUS_ACCESS_DENIED)));
@@ -185,7 +186,38 @@ static bool torture_smb2_maximum_allowed(struct
torture_context *tctx,
smb2_util_close(tree, fnum);
}
+set_sd:
+ io.in.desired_access = SEC_STD_WRITE_DAC;
+ io.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
+ io.in.create_disposition = NTCREATEX_DISP_OPEN;
+ io.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS;
+ io.in.fname = MAXIMUM_ALLOWED_FILE;
+
+ status = smb2_create(tree, mem_ctx, &io);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ talloc_asprintf(tctx, "Incorrect status %s - should be %s\n",
+ nt_errstr(status), nt_errstr(NT_STATUS_OK)));
+ fnum1 = io.out.file.handle;
+
+ sd = security_descriptor_dacl_create(tctx,
+ 0, NULL, NULL,
+ SID_NT_AUTHENTICATED_USERS,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ SEC_STD_DELETE,
+ 0,
+ NULL);
+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+ set.set_secdesc.in.file.handle = fnum1;
+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+ set.set_secdesc.in.sd = sd;
+
+ status = smb2_setinfo_file(tree, &set);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ talloc_asprintf(tctx, "Incorrect status %s - should be %s\n",
+ nt_errstr(status), nt_errstr(NT_STATUS_OK)));
+
done:
+ smb2_util_close(tree, fnum1);
smb2_util_unlink(tree, MAXIMUM_ALLOWED_FILE);
talloc_free(mem_ctx);
return ret;
--
Samba Shared Repository
