static bool test_hive_security(struct torture_context *tctx, const void *_data)
{
struct hive_key *subkey = NULL;
const struct hive_key *root = _data;
WERROR error;
struct security_descriptor *osd, *nsd;
osd = security_descriptor_dacl_create(tctx,
0,
NULL, NULL,
SID_NT_AUTHENTICATED_USERS,
SEC_ACE_TYPE_ACCESS_ALLOWED,
SEC_GENERIC_ALL,
SEC_ACE_FLAG_OBJECT_INHERIT,
NULL);
error = hive_key_add_name(tctx, root, "SecurityKey", NULL,
osd, &subkey);
torture_assert_werr_ok(tctx, error, "hive_key_add_name");
error = hive_get_sec_desc(tctx, subkey, &nsd);
torture_assert_werr_ok (tctx, error, "getting security descriptor");
torture_assert(tctx, security_descriptor_equal(osd, nsd),
"security descriptor changed!");
/* Create a fresh security descriptor */
talloc_free(osd);
osd = security_descriptor_dacl_create(tctx,
0,
NULL, NULL,
SID_NT_AUTHENTICATED_USERS,
SEC_ACE_TYPE_ACCESS_ALLOWED,
SEC_GENERIC_ALL,
SEC_ACE_FLAG_OBJECT_INHERIT,
NULL);
error = hive_set_sec_desc(subkey, osd);
torture_assert_werr_ok(tctx, error, "setting security descriptor");
error = hive_get_sec_desc(tctx, subkey, &nsd);
torture_assert_werr_ok (tctx, error, "getting security descriptor");
torture_assert(tctx, security_descriptor_equal(osd, nsd),
"security descriptor changed!");
return true;
}
static bool test_default_acl_posix(struct torture_context *tctx,
struct smb2_tree *tree_unused)
{
struct smb2_tree *tree = NULL;
NTSTATUS status;
bool ok;
bool ret = true;
const char *dname = BASEDIR "\\testdir";
const char *fname = BASEDIR "\\testdir\\testfile";
struct smb2_handle fhandle = {{0}};
struct smb2_handle dhandle = {{0}};
union smb_fileinfo q;
union smb_setfileinfo set;
struct security_descriptor *sd = NULL;
struct security_descriptor *exp_sd = NULL;
char *owner_sid = NULL;
char *group_sid = NULL;
ok = torture_smb2_con_share(tctx, "acl_xattr_ign_sysacl_posix", &tree);
torture_assert_goto(tctx, ok == true, ret, done,
"Unable to connect to 'acl_xattr_ign_sysacl_posix'\n");
ok = smb2_util_setup_dir(tctx, tree, BASEDIR);
torture_assert_goto(tctx, ok == true, ret, done, "Unable to setup testdir\n");
ZERO_STRUCT(dhandle);
status = torture_smb2_testdir(tree, dname, &dhandle);
torture_assert_ntstatus_ok_goto(tctx, status, ret, done, "torture_smb2_testdir\n");
torture_comment(tctx, "Get the original sd\n");
ZERO_STRUCT(q);
q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
q.query_secdesc.in.file.handle = dhandle;
q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER | SECINFO_GROUP;
status = smb2_getinfo_file(tree, tctx, &q);
torture_assert_ntstatus_ok_goto(tctx, status, ret, done, "smb2_getinfo_file\n");
sd = q.query_secdesc.out.sd;
owner_sid = dom_sid_string(tctx, sd->owner_sid);
group_sid = dom_sid_string(tctx, sd->group_sid);
torture_comment(tctx, "owner [%s] group [%s]\n", owner_sid, group_sid);
torture_comment(tctx, "Set ACL with no inheritable ACE\n");
sd = security_descriptor_dacl_create(tctx,
0, NULL, NULL,
owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED,
SEC_RIGHTS_DIR_ALL,
0,
NULL);
ZERO_STRUCT(set);
set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
set.set_secdesc.in.file.handle = dhandle;
set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
set.set_secdesc.in.sd = sd;
status = smb2_setinfo_file(tree, &set);
torture_assert_ntstatus_ok_goto(tctx, status, ret, done, "smb2_setinfo_file\n");
TALLOC_FREE(sd);
smb2_util_close(tree, dhandle);
torture_comment(tctx, "Create file\n");
ZERO_STRUCT(fhandle);
status = torture_smb2_testfile(tree, fname, &fhandle);
torture_assert_ntstatus_ok_goto(tctx, status, ret, done, "smb2_create_complex_file\n");
torture_comment(tctx, "Query file SD\n");
ZERO_STRUCT(q);
q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
q.query_secdesc.in.file.handle = fhandle;
q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER | SECINFO_GROUP;
status = smb2_getinfo_file(tree, tctx, &q);
torture_assert_ntstatus_ok_goto(tctx, status, ret, done, "smb2_getinfo_file\n");
sd = q.query_secdesc.out.sd;
smb2_util_close(tree, fhandle);
ZERO_STRUCT(fhandle);
torture_comment(tctx, "Checking actual file SD against expected SD\n");
exp_sd = security_descriptor_dacl_create(
tctx, 0, owner_sid, group_sid,
owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0,
group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0,
SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0,
SID_NT_SYSTEM, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0,
NULL);
CHECK_SECURITY_DESCRIPTOR(sd, exp_sd);
done:
if (!smb2_util_handle_empty(fhandle)) {
smb2_util_close(tree, fhandle);
}
if (!smb2_util_handle_empty(dhandle)) {
smb2_util_close(tree, dhandle);
}
if (tree != NULL) {
smb2_deltree(tree, BASEDIR);
smb2_tdis(tree);
}
return ret;
}
/*
try creating with acls
*/
static bool test_create_acl_ext(struct torture_context *tctx, struct smb2_tree *tree, bool test_dir)
{
bool ret = true;
struct smb2_create io;
NTSTATUS status;
struct security_ace ace;
struct security_descriptor *sd;
struct dom_sid *test_sid;
union smb_fileinfo q = {};
uint32_t attrib =
FILE_ATTRIBUTE_HIDDEN |
FILE_ATTRIBUTE_SYSTEM |
(test_dir ? FILE_ATTRIBUTE_DIRECTORY : 0);
NTSTATUS (*delete_func)(struct smb2_tree *, const char *) =
test_dir ? smb2_util_rmdir : smb2_util_unlink;
smb2_deltree(tree, FNAME);
ZERO_STRUCT(io);
io.in.desired_access = SEC_FLAG_MAXIMUM_ALLOWED;
io.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
io.in.create_disposition = NTCREATEX_DISP_CREATE;
io.in.share_access =
NTCREATEX_SHARE_ACCESS_DELETE |
NTCREATEX_SHARE_ACCESS_READ |
NTCREATEX_SHARE_ACCESS_WRITE;
io.in.create_options = NTCREATEX_OPTIONS_ASYNC_ALERT | 0x00200000 |
(test_dir ? NTCREATEX_OPTIONS_DIRECTORY :
(NTCREATEX_OPTIONS_NON_DIRECTORY_FILE));
io.in.fname = FNAME;
torture_comment(tctx, "basic create\n");
status = smb2_create(tree, tctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
q.query_secdesc.in.file.handle = io.out.file.handle;
q.query_secdesc.in.secinfo_flags =
SECINFO_OWNER |
SECINFO_GROUP |
SECINFO_DACL;
status = smb2_getinfo_file(tree, tctx, &q);
CHECK_STATUS(status, NT_STATUS_OK);
sd = q.query_secdesc.out.sd;
status = smb2_util_close(tree, io.out.file.handle);
CHECK_STATUS(status, NT_STATUS_OK);
status = delete_func(tree, FNAME);
CHECK_STATUS(status, NT_STATUS_OK);
torture_comment(tctx, "adding a new ACE\n");
test_sid = dom_sid_parse_talloc(tctx, SID_NT_AUTHENTICATED_USERS);
ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
ace.flags = 0;
ace.access_mask = SEC_STD_ALL;
ace.trustee = *test_sid;
status = security_descriptor_dacl_add(sd, &ace);
CHECK_STATUS(status, NT_STATUS_OK);
torture_comment(tctx, "creating a file with an initial ACL\n");
io.in.sec_desc = sd;
status = smb2_create(tree, tctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
FAIL_UNLESS(smb2_util_verify_sd(tctx, tree, io.out.file.handle, sd));
status = smb2_util_close(tree, io.out.file.handle);
CHECK_STATUS(status, NT_STATUS_OK);
status = delete_func(tree, FNAME);
CHECK_STATUS(status, NT_STATUS_OK);
torture_comment(tctx, "creating with attributes\n");
io.in.sec_desc = NULL;
io.in.file_attributes = attrib;
status = smb2_create(tree, tctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
FAIL_UNLESS(smb2_util_verify_attrib(tctx, tree, io.out.file.handle, attrib));
status = smb2_util_close(tree, io.out.file.handle);
CHECK_STATUS(status, NT_STATUS_OK);
status = delete_func(tree, FNAME);
CHECK_STATUS(status, NT_STATUS_OK);
torture_comment(tctx, "creating with attributes and ACL\n");
io.in.sec_desc = sd;
io.in.file_attributes = attrib;
status = smb2_create(tree, tctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
FAIL_UNLESS(smb2_util_verify_sd(tctx, tree, io.out.file.handle, sd));
FAIL_UNLESS(smb2_util_verify_attrib(tctx, tree, io.out.file.handle, attrib));
status = smb2_util_close(tree, io.out.file.handle);
CHECK_STATUS(status, NT_STATUS_OK);
status = delete_func(tree, FNAME);
CHECK_STATUS(status, NT_STATUS_OK);
torture_comment(tctx, "creating with attributes, ACL and owner\n");
sd = security_descriptor_dacl_create(tctx,
0, SID_WORLD, SID_BUILTIN_USERS,
SID_WORLD,
SEC_ACE_TYPE_ACCESS_ALLOWED,
SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
0,
NULL);
io.in.sec_desc = sd;
io.in.file_attributes = attrib;
status = smb2_create(tree, tctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
FAIL_UNLESS(smb2_util_verify_sd(tctx, tree, io.out.file.handle, sd));
FAIL_UNLESS(smb2_util_verify_attrib(tctx, tree, io.out.file.handle, attrib));
done:
status = smb2_util_close(tree, io.out.file.handle);
CHECK_STATUS(status, NT_STATUS_OK);
status = delete_func(tree, FNAME);
CHECK_STATUS(status, NT_STATUS_OK);
return ret;
}
