source4/torture/raw/acls.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    test security descriptor operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "libcli/raw/libcliraw.h"
  25 #include "librpc/gen_ndr/ndr_security.h"
  26
  27 #define BASEDIR "\\testsd"
  28
  29 #define CHECK_STATUS(status, correct) do { \
  30         if (!NT_STATUS_EQUAL(status, correct)) { \
  31                 printf("(%s) Incorrect status %s - should be %s\n", \
  32                        __location__, nt_errstr(status), nt_errstr(correct)); \
  33                 ret = False; \
  34                 goto done; \
  35         }} while (0)
  36
  37
  38 static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
  39 {
  40         NTSTATUS status;
  41         union smb_open io;
  42         const char *fname = BASEDIR "\\sd.txt";
  43         BOOL ret = True;
  44         int fnum = -1;
  45         union smb_fileinfo q;
  46         union smb_setfileinfo set;
  47         struct security_ace ace;
  48         struct security_descriptor *sd;
  49         struct dom_sid *test_sid;
  50
  51         printf("TESTING SETFILEINFO EA_SET\n");
  52
  53         io.generic.level = RAW_OPEN_NTCREATEX;
  54         io.ntcreatex.in.root_fid = 0;
  55         io.ntcreatex.in.flags = 0;
  56         io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
  57         io.ntcreatex.in.create_options = 0;
  58         io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
  59         io.ntcreatex.in.share_access =
  60                 NTCREATEX_SHARE_ACCESS_READ |
  61                 NTCREATEX_SHARE_ACCESS_WRITE;
  62         io.ntcreatex.in.alloc_size = 0;
  63         io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
  64         io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
  65         io.ntcreatex.in.security_flags = 0;
  66         io.ntcreatex.in.fname = fname;
  67         status = smb_raw_open(cli->tree, mem_ctx, &io);
  68         CHECK_STATUS(status, NT_STATUS_OK);
  69         fnum = io.ntcreatex.out.fnum;
  70
  71         q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
  72         q.query_secdesc.in.fnum = fnum;
  73         q.query_secdesc.in.secinfo_flags =
  74                 SECINFO_OWNER |
  75                 SECINFO_GROUP |
  76                 SECINFO_DACL;
  77         status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
  78         CHECK_STATUS(status, NT_STATUS_OK);
  79         sd = q.query_secdesc.out.sd;
  80
  81         printf("add a new ACE to the DACL\n");
  82
  83         test_sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-1234-5432");
  84
  85         ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
  86         ace.flags = 0;
  87         ace.access_mask = SEC_STD_ALL;
  88         ace.trustee = *test_sid;
  89
  90         status = security_descriptor_dacl_add(sd, &ace);
  91         CHECK_STATUS(status, NT_STATUS_OK);
  92
  93         set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
  94         set.set_secdesc.file.fnum = fnum;
  95         set.set_secdesc.in.secinfo_flags = q.query_secdesc.in.secinfo_flags;
  96         set.set_secdesc.in.sd = sd;
  97
  98         status = smb_raw_setfileinfo(cli->tree, &set);
  99         CHECK_STATUS(status, NT_STATUS_OK);
 100
 101         status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
 102         CHECK_STATUS(status, NT_STATUS_OK);
 103
 104         if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
 105                 printf("security descriptors don't match!\n");
 106                 printf("got:\n");
 107                 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
 108                 printf("expected:\n");
 109                 NDR_PRINT_DEBUG(security_descriptor, sd);
 110         }
 111
 112         printf("remove it again\n");
 113
 114         status = security_descriptor_dacl_del(sd, test_sid);
 115         CHECK_STATUS(status, NT_STATUS_OK);
 116
 117         status = smb_raw_setfileinfo(cli->tree, &set);
 118         CHECK_STATUS(status, NT_STATUS_OK);
 119
 120         status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
 121         CHECK_STATUS(status, NT_STATUS_OK);
 122
 123         if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
 124                 printf("security descriptors don't match!\n");
 125                 printf("got:\n");
 126                 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
 127                 printf("expected:\n");
 128                 NDR_PRINT_DEBUG(security_descriptor, sd);
 129         }
 130
 131 done:
 132         smbcli_close(cli->tree, fnum);
 133         return ret;
 134 }
 135
 136
 137 /*
 138   test using NTTRANS CREATE to create a file with an initial ACL set
 139 */
 140 static BOOL test_nttrans_create(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
 141 {
 142         NTSTATUS status;
 143         union smb_open io;
 144         const char *fname = BASEDIR "\\acl2.txt";
 145         BOOL ret = True;
 146         int fnum = -1;
 147         union smb_fileinfo q;
 148         struct security_ace ace;
 149         struct security_descriptor *sd;
 150         struct dom_sid *test_sid;
 151
 152         printf("TESTING NTTRANS CREATE WITH SEC_DESC\n");
 153
 154         io.generic.level = RAW_OPEN_NTTRANS_CREATE;
 155         io.ntcreatex.in.root_fid = 0;
 156         io.ntcreatex.in.flags = 0;
 157         io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 158         io.ntcreatex.in.create_options = 0;
 159         io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
 160         io.ntcreatex.in.share_access =
 161                 NTCREATEX_SHARE_ACCESS_READ |
 162                 NTCREATEX_SHARE_ACCESS_WRITE;
 163         io.ntcreatex.in.alloc_size = 0;
 164         io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
 165         io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
 166         io.ntcreatex.in.security_flags = 0;
 167         io.ntcreatex.in.fname = fname;
 168         io.ntcreatex.in.sec_desc = NULL;
 169         io.ntcreatex.in.ea_list = NULL;
 170
 171         printf("creating normal file\n");
 172
 173         status = smb_raw_open(cli->tree, mem_ctx, &io);
 174         CHECK_STATUS(status, NT_STATUS_OK);
 175         fnum = io.ntcreatex.out.fnum;
 176
 177         printf("querying ACL\n");
 178
 179         q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
 180         q.query_secdesc.in.fnum = fnum;
 181         q.query_secdesc.in.secinfo_flags =
 182                 SECINFO_OWNER |
 183                 SECINFO_GROUP |
 184                 SECINFO_DACL;
 185         status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
 186         CHECK_STATUS(status, NT_STATUS_OK);
 187         sd = q.query_secdesc.out.sd;
 188
 189         smbcli_close(cli->tree, fnum);
 190         smbcli_unlink(cli->tree, fname);
 191
 192         printf("adding a new ACE\n");
 193         test_sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-1234-54321");
 194
 195         ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
 196         ace.flags = 0;
 197         ace.access_mask = SEC_STD_ALL;
 198         ace.trustee = *test_sid;
 199
 200         status = security_descriptor_dacl_add(sd, &ace);
 201         CHECK_STATUS(status, NT_STATUS_OK);
 202
 203         printf("creating a file with an initial ACL\n");
 204
 205         io.ntcreatex.in.sec_desc = sd;
 206         status = smb_raw_open(cli->tree, mem_ctx, &io);
 207         CHECK_STATUS(status, NT_STATUS_OK);
 208         fnum = io.ntcreatex.out.fnum;
 209
 210         q.query_secdesc.in.fnum = fnum;
 211         status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
 212         CHECK_STATUS(status, NT_STATUS_OK);
 213
 214         if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
 215                 printf("security descriptors don't match!\n");
 216                 printf("got:\n");
 217                 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
 218                 printf("expected:\n");
 219                 NDR_PRINT_DEBUG(security_descriptor, sd);
 220         }
 221
 222 done:
 223         smbcli_close(cli->tree, fnum);
 224         return ret;
 225 }
 226
 227 #define CHECK_ACCESS_FLAGS(_fnum, flags) do { \
 228         union smb_fileinfo _q; \
 229         _q.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION; \
 230         _q.access_information.in.fnum = (_fnum); \
 231         status = smb_raw_fileinfo(cli->tree, mem_ctx, &_q); \
 232         CHECK_STATUS(status, NT_STATUS_OK); \
 233         if (_q.access_information.out.access_flags != (flags)) { \
 234                 printf("(%s) Incorrect access_flags 0x%08x - should be 0x%08x\n", \
 235                        __location__, _q.access_information.out.access_flags, (flags)); \
 236                 ret = False; \
 237                 goto done; \
 238         } \
 239 } while (0)
 240
 241
 242 /*
 243   test the behaviour of the well known SID_CREATOR_OWNER sid, and some generic
 244   mapping bits
 245 */
 246 static BOOL test_creator_sid(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
 247 {
 248         NTSTATUS status;
 249         union smb_open io;
 250         const char *fname = BASEDIR "\\creator.txt";
 251         BOOL ret = True;
 252         int fnum = -1;
 253         union smb_fileinfo q;
 254         union smb_setfileinfo set;
 255         struct security_descriptor *sd, *sd_orig, *sd2;
 256         const char *owner_sid;
 257
 258         printf("TESTING SID_CREATOR_OWNER\n");
 259
 260         io.generic.level = RAW_OPEN_NTCREATEX;
 261         io.ntcreatex.in.root_fid = 0;
 262         io.ntcreatex.in.flags = 0;
 263         io.ntcreatex.in.access_mask = SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER;
 264         io.ntcreatex.in.create_options = 0;
 265         io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
 266         io.ntcreatex.in.share_access =
 267                 NTCREATEX_SHARE_ACCESS_READ |
 268                 NTCREATEX_SHARE_ACCESS_WRITE;
 269         io.ntcreatex.in.alloc_size = 0;
 270         io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
 271         io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
 272         io.ntcreatex.in.security_flags = 0;
 273         io.ntcreatex.in.fname = fname;
 274         status = smb_raw_open(cli->tree, mem_ctx, &io);
 275         CHECK_STATUS(status, NT_STATUS_OK);
 276         fnum = io.ntcreatex.out.fnum;
 277
 278         printf("get the original sd\n");
 279         q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
 280         q.query_secdesc.in.fnum = fnum;
 281         q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
 282         status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
 283         CHECK_STATUS(status, NT_STATUS_OK);
 284         sd_orig = q.query_secdesc.out.sd;
 285
 286         owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
 287
 288         printf("set a sec desc allowing no write by CREATOR_OWNER\n");
 289         sd = security_descriptor_create(mem_ctx,
 290                                         NULL, NULL,
 291                                         SID_CREATOR_OWNER,
 292                                         SEC_ACE_TYPE_ACCESS_ALLOWED,
 293                                         SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
 294                                         NULL);
 295
 296         set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
 297         set.set_secdesc.file.fnum = fnum;
 298         set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
 299         set.set_secdesc.in.sd = sd;
 300
 301         status = smb_raw_setfileinfo(cli->tree, &set);
 302         CHECK_STATUS(status, NT_STATUS_OK);
 303
 304         printf("try open for write\n");
 305         io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
 306         status = smb_raw_open(cli->tree, mem_ctx, &io);
 307         CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
 308
 309         printf("try open for read\n");
 310         io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
 311         status = smb_raw_open(cli->tree, mem_ctx, &io);
 312         CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
 313
 314         printf("try open for generic write\n");
 315         io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
 316         status = smb_raw_open(cli->tree, mem_ctx, &io);
 317         CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
 318
 319         printf("try open for generic read\n");
 320         io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
 321         status = smb_raw_open(cli->tree, mem_ctx, &io);
 322         CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
 323
 324         printf("set a sec desc allowing no write by owner\n");
 325         sd = security_descriptor_create(mem_ctx,
 326                                         owner_sid, NULL,
 327                                         owner_sid,
 328                                         SEC_ACE_TYPE_ACCESS_ALLOWED,
 329                                         SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
 330                                         NULL);
 331
 332         set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
 333         set.set_secdesc.file.fnum = fnum;
 334         set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
 335         set.set_secdesc.in.sd = sd;
 336         status = smb_raw_setfileinfo(cli->tree, &set);
 337         CHECK_STATUS(status, NT_STATUS_OK);
 338
 339         printf("check that sd has been mapped correctly\n");
 340         status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
 341         CHECK_STATUS(status, NT_STATUS_OK);
 342         if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
 343                 printf("security descriptors don't match!\n");
 344                 printf("got:\n");
 345                 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
 346                 printf("expected:\n");
 347                 NDR_PRINT_DEBUG(security_descriptor, sd);
 348         }
 349
 350         printf("try open for write\n");
 351         io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
 352         status = smb_raw_open(cli->tree, mem_ctx, &io);
 353         CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
 354
 355         printf("try open for read\n");
 356         io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
 357         status = smb_raw_open(cli->tree, mem_ctx, &io);
 358         CHECK_STATUS(status, NT_STATUS_OK);
 359         CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
 360                            SEC_FILE_READ_DATA|
 361                            SEC_FILE_READ_ATTRIBUTE);
 362         smbcli_close(cli->tree, io.ntcreatex.out.fnum);
 363
 364         printf("try open for generic write\n");
 365         io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
 366         status = smb_raw_open(cli->tree, mem_ctx, &io);
 367         CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
 368
 369         printf("try open for generic read\n");
 370         io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
 371         status = smb_raw_open(cli->tree, mem_ctx, &io);
 372         CHECK_STATUS(status, NT_STATUS_OK);
 373         CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
 374                            SEC_RIGHTS_FILE_READ);
 375         smbcli_close(cli->tree, io.ntcreatex.out.fnum);
 376
 377         printf("set a sec desc allowing generic read by owner\n");
 378         sd = security_descriptor_create(mem_ctx,
 379                                         NULL, NULL,
 380                                         owner_sid,
 381                                         SEC_ACE_TYPE_ACCESS_ALLOWED,
 382                                         SEC_GENERIC_READ | SEC_STD_ALL,
 383                                         NULL);
 384
 385         set.set_secdesc.in.sd = sd;
 386         status = smb_raw_setfileinfo(cli->tree, &set);
 387         CHECK_STATUS(status, NT_STATUS_OK);
 388
 389         printf("check that generic read has been mapped correctly\n");
 390         sd2 = security_descriptor_create(mem_ctx,
 391                                          owner_sid, NULL,
 392                                          owner_sid,
 393                                          SEC_ACE_TYPE_ACCESS_ALLOWED,
 394                                          SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
 395                                          NULL);
 396
 397         status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
 398         CHECK_STATUS(status, NT_STATUS_OK);
 399         if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
 400                 printf("security descriptors don't match!\n");
 401                 printf("got:\n");
 402                 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
 403                 printf("expected:\n");
 404                 NDR_PRINT_DEBUG(security_descriptor, sd2);
 405         }
 406
 407
 408         printf("try open for write\n");
 409         io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
 410         status = smb_raw_open(cli->tree, mem_ctx, &io);
 411         CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
 412
 413         printf("try open for read\n");
 414         io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
 415         status = smb_raw_open(cli->tree, mem_ctx, &io);
 416         CHECK_STATUS(status, NT_STATUS_OK);
 417         CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
 418                            SEC_FILE_READ_DATA |
 419                            SEC_FILE_READ_ATTRIBUTE);
 420         smbcli_close(cli->tree, io.ntcreatex.out.fnum);
 421
 422         printf("try open for generic write\n");
 423         io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
 424         status = smb_raw_open(cli->tree, mem_ctx, &io);
 425         CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
 426
 427         printf("try open for generic read\n");
 428         io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
 429         status = smb_raw_open(cli->tree, mem_ctx, &io);
 430         CHECK_STATUS(status, NT_STATUS_OK);
 431         CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum, SEC_RIGHTS_FILE_READ);
 432         smbcli_close(cli->tree, io.ntcreatex.out.fnum);
 433
 434
 435         printf("put back original sd\n");
 436         set.set_secdesc.in.sd = sd_orig;
 437         status = smb_raw_setfileinfo(cli->tree, &set);
 438         CHECK_STATUS(status, NT_STATUS_OK);
 439
 440
 441 done:
 442         smbcli_close(cli->tree, fnum);
 443         return ret;
 444 }
 445
 446
 447 /*
 448   test the mapping of the SEC_GENERIC_xx bits to SEC_STD_xx and
 449   SEC_FILE_xx bits
 450 */
 451 static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
 452 {
 453         NTSTATUS status;
 454         union smb_open io;
 455         const char *fname = BASEDIR "\\generic.txt";
 456         BOOL ret = True;
 457         int fnum = -1, i;
 458         union smb_fileinfo q;
 459         union smb_setfileinfo set;
 460         struct security_descriptor *sd, *sd_orig, *sd2;
 461         const char *owner_sid;
 462         const struct {
 463                 uint32_t gen_bits;
 464                 uint32_t specific_bits;
 465         } file_mappings[] = {
 466                 { 0,                       0 },
 467                 { SEC_GENERIC_READ,        SEC_RIGHTS_FILE_READ },
 468                 { SEC_GENERIC_WRITE,       SEC_RIGHTS_FILE_WRITE },
 469                 { SEC_GENERIC_EXECUTE,     SEC_RIGHTS_FILE_EXECUTE },
 470                 { SEC_GENERIC_ALL,         SEC_RIGHTS_FILE_ALL },
 471                 { SEC_FILE_READ_DATA,      SEC_FILE_READ_DATA },
 472                 { SEC_FILE_READ_ATTRIBUTE, SEC_FILE_READ_ATTRIBUTE }
 473         };
 474         const struct {
 475                 uint32_t gen_bits;
 476                 uint32_t specific_bits;
 477         } dir_mappings[] = {
 478                 { 0,                   0 },
 479                 { SEC_GENERIC_READ,    SEC_RIGHTS_DIR_READ },
 480                 { SEC_GENERIC_WRITE,   SEC_RIGHTS_DIR_WRITE },
 481                 { SEC_GENERIC_EXECUTE, SEC_RIGHTS_DIR_EXECUTE },
 482                 { SEC_GENERIC_ALL,     SEC_RIGHTS_DIR_ALL }
 483         };
 484         BOOL has_restore_privilege;
 485         BOOL has_take_ownership_privilege;
 486
 487         printf("TESTING FILE GENERIC BITS\n");
 488
 489         io.generic.level = RAW_OPEN_NTCREATEX;
 490         io.ntcreatex.in.root_fid = 0;
 491         io.ntcreatex.in.flags = 0;
 492         io.ntcreatex.in.access_mask =
 493                 SEC_STD_READ_CONTROL |
 494                 SEC_STD_WRITE_DAC |
 495                 SEC_STD_WRITE_OWNER;
 496         io.ntcreatex.in.create_options = 0;
 497         io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
 498         io.ntcreatex.in.share_access =
 499                 NTCREATEX_SHARE_ACCESS_READ |
 500                 NTCREATEX_SHARE_ACCESS_WRITE;
 501         io.ntcreatex.in.alloc_size = 0;
 502         io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
 503         io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
 504         io.ntcreatex.in.security_flags = 0;
 505         io.ntcreatex.in.fname = fname;
 506         status = smb_raw_open(cli->tree, mem_ctx, &io);
 507         CHECK_STATUS(status, NT_STATUS_OK);
 508         fnum = io.ntcreatex.out.fnum;
 509
 510         printf("get the original sd\n");
 511         q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
 512         q.query_secdesc.in.fnum = fnum;
 513         q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
 514         status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
 515         CHECK_STATUS(status, NT_STATUS_OK);
 516         sd_orig = q.query_secdesc.out.sd;
 517
 518         owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
 519
 520         status = smblsa_sid_check_privilege(cli,
 521                                             owner_sid,
 522                                             sec_privilege_name(SEC_PRIV_RESTORE));
 523         has_restore_privilege = NT_STATUS_IS_OK(status);
 524         if (!NT_STATUS_IS_OK(status)) {
 525                 printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
 526         }
 527         printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
 528
 529         status = smblsa_sid_check_privilege(cli,
 530                                             owner_sid,
 531                                             sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
 532         has_take_ownership_privilege = NT_STATUS_IS_OK(status);
 533         if (!NT_STATUS_IS_OK(status)) {
 534                 printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
 535         }
 536         printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_restore_privilege?"Yes":"No");
 537
 538         for (i=0;i<ARRAY_SIZE(file_mappings);i++) {
 539                 uint32_t expected_mask =
 540                         SEC_STD_WRITE_DAC |
 541                         SEC_STD_READ_CONTROL |
 542                         SEC_FILE_READ_ATTRIBUTE |
 543                         SEC_STD_DELETE;
 544                 uint32_t expected_mask_anon = SEC_FILE_READ_ATTRIBUTE;
 545
 546                 if (has_restore_privilege) {
 547                         expected_mask_anon |= SEC_STD_DELETE;
 548                 }
 549
 550                 printf("testing generic bits 0x%08x\n",
 551                        file_mappings[i].gen_bits);
 552                 sd = security_descriptor_create(mem_ctx,
 553                                                 owner_sid, NULL,
 554                                                 owner_sid,
 555                                                 SEC_ACE_TYPE_ACCESS_ALLOWED,
 556                                                 file_mappings[i].gen_bits,
 557                                                 NULL);
 558
 559                 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
 560                 set.set_secdesc.file.fnum = fnum;
 561                 set.set_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
 562                 set.set_secdesc.in.sd = sd;
 563
 564                 status = smb_raw_setfileinfo(cli->tree, &set);
 565                 CHECK_STATUS(status, NT_STATUS_OK);
 566
 567                 sd2 = security_descriptor_create(mem_ctx,
 568                                                  owner_sid, NULL,
 569                                                  owner_sid,
 570                                                  SEC_ACE_TYPE_ACCESS_ALLOWED,
 571                                                  file_mappings[i].specific_bits,
 572                                                  NULL);
 573
 574                 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
 575                 CHECK_STATUS(status, NT_STATUS_OK);
 576                 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
 577                         printf("security descriptors don't match!\n");
 578                         printf("got:\n");
 579                         NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
 580                         printf("expected:\n");
 581                         NDR_PRINT_DEBUG(security_descriptor, sd2);
 582                 }
 583
 584                 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 585                 status = smb_raw_open(cli->tree, mem_ctx, &io);
 586                 CHECK_STATUS(status, NT_STATUS_OK);
 587                 CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
 588                                    expected_mask | file_mappings[i].specific_bits);
 589                 smbcli_close(cli->tree, io.ntcreatex.out.fnum);
 590
 591                 if (!has_take_ownership_privilege) {
 592                         continue;
 593                 }
 594
 595                 printf("testing generic bits 0x%08x (anonymous)\n",
 596                        file_mappings[i].gen_bits);
 597                 sd = security_descriptor_create(mem_ctx,
 598                                                 SID_NT_ANONYMOUS, NULL,
 599                                                 owner_sid,
 600                                                 SEC_ACE_TYPE_ACCESS_ALLOWED,
 601                                                 file_mappings[i].gen_bits,
 602                                                 NULL);
 603
 604                 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
 605                 set.set_secdesc.file.fnum = fnum;
 606                 set.set_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
 607                 set.set_secdesc.in.sd = sd;
 608
 609                 status = smb_raw_setfileinfo(cli->tree, &set);
 610                 CHECK_STATUS(status, NT_STATUS_OK);
 611
 612                 sd2 = security_descriptor_create(mem_ctx,
 613                                                  SID_NT_ANONYMOUS, NULL,
 614                                                  owner_sid,
 615                                                  SEC_ACE_TYPE_ACCESS_ALLOWED,
 616                                                  file_mappings[i].specific_bits,
 617                                                  NULL);
 618
 619                 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
 620                 CHECK_STATUS(status, NT_STATUS_OK);
 621                 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
 622                         printf("security descriptors don't match!\n");
 623                         printf("got:\n");
 624                         NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
 625                         printf("expected:\n");
 626                         NDR_PRINT_DEBUG(security_descriptor, sd2);
 627                 }
 628
 629                 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 630                 status = smb_raw_open(cli->tree, mem_ctx, &io);
 631                 CHECK_STATUS(status, NT_STATUS_OK);
 632                 CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
 633                                    expected_mask_anon | file_mappings[i].specific_bits);
 634                 smbcli_close(cli->tree, io.ntcreatex.out.fnum);
 635         }
 636
 637         printf("put back original sd\n");
 638         set.set_secdesc.in.sd = sd_orig;
 639         status = smb_raw_setfileinfo(cli->tree, &set);
 640         CHECK_STATUS(status, NT_STATUS_OK);
 641
 642         smbcli_close(cli->tree, fnum);
 643         smbcli_unlink(cli->tree, fname);
 644
 645
 646         printf("TESTING DIR GENERIC BITS\n");
 647
 648         io.generic.level = RAW_OPEN_NTCREATEX;
 649         io.ntcreatex.in.root_fid = 0;
 650         io.ntcreatex.in.flags = 0;
 651         io.ntcreatex.in.access_mask = SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC;
 652         io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
 653         io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_DIRECTORY;
 654         io.ntcreatex.in.share_access =
 655                 NTCREATEX_SHARE_ACCESS_READ |
 656                 NTCREATEX_SHARE_ACCESS_WRITE;
 657         io.ntcreatex.in.alloc_size = 0;
 658         io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
 659         io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
 660         io.ntcreatex.in.security_flags = 0;
 661         io.ntcreatex.in.fname = fname;
 662         status = smb_raw_open(cli->tree, mem_ctx, &io);
 663         CHECK_STATUS(status, NT_STATUS_OK);
 664         fnum = io.ntcreatex.out.fnum;
 665
 666         printf("get the original sd\n");
 667         q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
 668         q.query_secdesc.in.fnum = fnum;
 669         q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
 670         status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
 671         CHECK_STATUS(status, NT_STATUS_OK);
 672         sd_orig = q.query_secdesc.out.sd;
 673
 674         owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
 675
 676
 677         for (i=0;i<ARRAY_SIZE(dir_mappings);i++) {
 678                 uint32_t expected_mask =
 679                         SEC_STD_WRITE_DAC |
 680                         SEC_STD_READ_CONTROL |
 681                         SEC_FILE_READ_ATTRIBUTE |
 682                         SEC_STD_DELETE;
 683
 684                 printf("testing generic bits 0x%08x\n",
 685                        file_mappings[i].gen_bits);
 686                 sd = security_descriptor_create(mem_ctx,
 687                                                 NULL, NULL,
 688                                                 owner_sid,
 689                                                 SEC_ACE_TYPE_ACCESS_ALLOWED,
 690                                                 dir_mappings[i].gen_bits,
 691                                                 NULL);
 692
 693                 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
 694                 set.set_secdesc.file.fnum = fnum;
 695                 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
 696                 set.set_secdesc.in.sd = sd;
 697
 698                 status = smb_raw_setfileinfo(cli->tree, &set);
 699                 CHECK_STATUS(status, NT_STATUS_OK);
 700
 701                 sd2 = security_descriptor_create(mem_ctx,
 702                                                  owner_sid, NULL,
 703                                                  owner_sid,
 704                                                  SEC_ACE_TYPE_ACCESS_ALLOWED,
 705                                                  dir_mappings[i].specific_bits,
 706                                                  NULL);
 707
 708                 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
 709                 CHECK_STATUS(status, NT_STATUS_OK);
 710                 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
 711                         printf("security descriptors don't match!\n");
 712                         printf("got:\n");
 713                         NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
 714                         printf("expected:\n");
 715                         NDR_PRINT_DEBUG(security_descriptor, sd2);
 716                 }
 717
 718                 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 719                 status = smb_raw_open(cli->tree, mem_ctx, &io);
 720                 CHECK_STATUS(status, NT_STATUS_OK);
 721                 CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
 722                                    expected_mask | dir_mappings[i].specific_bits);
 723                 smbcli_close(cli->tree, io.ntcreatex.out.fnum);
 724         }
 725
 726         printf("put back original sd\n");
 727         set.set_secdesc.in.sd = sd_orig;
 728         status = smb_raw_setfileinfo(cli->tree, &set);
 729         CHECK_STATUS(status, NT_STATUS_OK);
 730
 731         smbcli_close(cli->tree, fnum);
 732         smbcli_unlink(cli->tree, fname);
 733
 734 done:
 735         smbcli_close(cli->tree, fnum);
 736         return ret;
 737 }
 738
 739
 740 /*
 741    basic testing of security descriptor calls
 742 */
 743 BOOL torture_raw_acls(void)
 744 {
 745         struct smbcli_state *cli;
 746         BOOL ret = True;
 747         TALLOC_CTX *mem_ctx;
 748
 749         if (!torture_open_connection(&cli)) {
 750                 return False;
 751         }
 752
 753         mem_ctx = talloc_init("torture_raw_acls");
 754
 755         if (!torture_setup_dir(cli, BASEDIR)) {
 756                 return False;
 757         }
 758
 759         ret &= test_sd(cli, mem_ctx);
 760         ret &= test_nttrans_create(cli, mem_ctx);
 761         ret &= test_creator_sid(cli, mem_ctx);
 762         ret &= test_generic_bits(cli, mem_ctx);
 763
 764         smb_raw_exit(cli->session);
 765         smbcli_deltree(cli->tree, BASEDIR);
 766
 767         torture_close_connection(cli);
 768         talloc_destroy(mem_ctx);
 769         return ret;
 770 }