2 Unix SMB/CIFS implementation.
4 test security descriptor operations
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "libcli/raw/libcliraw.h"
25 #include "librpc/gen_ndr/ndr_security.h"
27 #define BASEDIR "\\testsd"
29 #define CHECK_STATUS(status, correct) do { \
30 if (!NT_STATUS_EQUAL(status, correct)) { \
31 printf("(%s) Incorrect status %s - should be %s\n", \
32 __location__, nt_errstr(status), nt_errstr(correct)); \
38 static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
42 const char *fname = BASEDIR "\\sd.txt";
46 union smb_setfileinfo set;
47 struct security_ace ace;
48 struct security_descriptor *sd;
49 struct dom_sid *test_sid;
51 printf("TESTING SETFILEINFO EA_SET\n");
53 io.generic.level = RAW_OPEN_NTCREATEX;
54 io.ntcreatex.in.root_fid = 0;
55 io.ntcreatex.in.flags = 0;
56 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
57 io.ntcreatex.in.create_options = 0;
58 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
59 io.ntcreatex.in.share_access =
60 NTCREATEX_SHARE_ACCESS_READ |
61 NTCREATEX_SHARE_ACCESS_WRITE;
62 io.ntcreatex.in.alloc_size = 0;
63 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
64 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
65 io.ntcreatex.in.security_flags = 0;
66 io.ntcreatex.in.fname = fname;
67 status = smb_raw_open(cli->tree, mem_ctx, &io);
68 CHECK_STATUS(status, NT_STATUS_OK);
69 fnum = io.ntcreatex.out.fnum;
71 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
72 q.query_secdesc.in.fnum = fnum;
73 q.query_secdesc.in.secinfo_flags =
77 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
78 CHECK_STATUS(status, NT_STATUS_OK);
79 sd = q.query_secdesc.out.sd;
81 printf("add a new ACE to the DACL\n");
83 test_sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-1234-5432");
85 ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
87 ace.access_mask = SEC_STD_ALL;
88 ace.trustee = *test_sid;
90 status = security_descriptor_dacl_add(sd, &ace);
91 CHECK_STATUS(status, NT_STATUS_OK);
93 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
94 set.set_secdesc.file.fnum = fnum;
95 set.set_secdesc.in.secinfo_flags = q.query_secdesc.in.secinfo_flags;
96 set.set_secdesc.in.sd = sd;
98 status = smb_raw_setfileinfo(cli->tree, &set);
99 CHECK_STATUS(status, NT_STATUS_OK);
101 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
102 CHECK_STATUS(status, NT_STATUS_OK);
104 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
105 printf("security descriptors don't match!\n");
107 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
108 printf("expected:\n");
109 NDR_PRINT_DEBUG(security_descriptor, sd);
112 printf("remove it again\n");
114 status = security_descriptor_dacl_del(sd, test_sid);
115 CHECK_STATUS(status, NT_STATUS_OK);
117 status = smb_raw_setfileinfo(cli->tree, &set);
118 CHECK_STATUS(status, NT_STATUS_OK);
120 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
121 CHECK_STATUS(status, NT_STATUS_OK);
123 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
124 printf("security descriptors don't match!\n");
126 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
127 printf("expected:\n");
128 NDR_PRINT_DEBUG(security_descriptor, sd);
132 smbcli_close(cli->tree, fnum);
138 test using NTTRANS CREATE to create a file with an initial ACL set
140 static BOOL test_nttrans_create(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
144 const char *fname = BASEDIR "\\acl2.txt";
147 union smb_fileinfo q;
148 struct security_ace ace;
149 struct security_descriptor *sd;
150 struct dom_sid *test_sid;
152 printf("TESTING NTTRANS CREATE WITH SEC_DESC\n");
154 io.generic.level = RAW_OPEN_NTTRANS_CREATE;
155 io.ntcreatex.in.root_fid = 0;
156 io.ntcreatex.in.flags = 0;
157 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
158 io.ntcreatex.in.create_options = 0;
159 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
160 io.ntcreatex.in.share_access =
161 NTCREATEX_SHARE_ACCESS_READ |
162 NTCREATEX_SHARE_ACCESS_WRITE;
163 io.ntcreatex.in.alloc_size = 0;
164 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE;
165 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
166 io.ntcreatex.in.security_flags = 0;
167 io.ntcreatex.in.fname = fname;
168 io.ntcreatex.in.sec_desc = NULL;
169 io.ntcreatex.in.ea_list = NULL;
171 printf("creating normal file\n");
173 status = smb_raw_open(cli->tree, mem_ctx, &io);
174 CHECK_STATUS(status, NT_STATUS_OK);
175 fnum = io.ntcreatex.out.fnum;
177 printf("querying ACL\n");
179 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
180 q.query_secdesc.in.fnum = fnum;
181 q.query_secdesc.in.secinfo_flags =
185 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
186 CHECK_STATUS(status, NT_STATUS_OK);
187 sd = q.query_secdesc.out.sd;
189 smbcli_close(cli->tree, fnum);
190 smbcli_unlink(cli->tree, fname);
192 printf("adding a new ACE\n");
193 test_sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-1234-54321");
195 ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
197 ace.access_mask = SEC_STD_ALL;
198 ace.trustee = *test_sid;
200 status = security_descriptor_dacl_add(sd, &ace);
201 CHECK_STATUS(status, NT_STATUS_OK);
203 printf("creating a file with an initial ACL\n");
205 io.ntcreatex.in.sec_desc = sd;
206 status = smb_raw_open(cli->tree, mem_ctx, &io);
207 CHECK_STATUS(status, NT_STATUS_OK);
208 fnum = io.ntcreatex.out.fnum;
210 q.query_secdesc.in.fnum = fnum;
211 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
212 CHECK_STATUS(status, NT_STATUS_OK);
214 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
215 printf("security descriptors don't match!\n");
217 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
218 printf("expected:\n");
219 NDR_PRINT_DEBUG(security_descriptor, sd);
223 smbcli_close(cli->tree, fnum);
227 #define CHECK_ACCESS_FLAGS(_fnum, flags) do { \
228 union smb_fileinfo _q; \
229 _q.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION; \
230 _q.access_information.in.fnum = (_fnum); \
231 status = smb_raw_fileinfo(cli->tree, mem_ctx, &_q); \
232 CHECK_STATUS(status, NT_STATUS_OK); \
233 if (_q.access_information.out.access_flags != (flags)) { \
234 printf("(%s) Incorrect access_flags 0x%08x - should be 0x%08x\n", \
235 __location__, _q.access_information.out.access_flags, (flags)); \
243 test the behaviour of the well known SID_CREATOR_OWNER sid, and some generic
246 static BOOL test_creator_sid(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
250 const char *fname = BASEDIR "\\creator.txt";
253 union smb_fileinfo q;
254 union smb_setfileinfo set;
255 struct security_descriptor *sd, *sd_orig, *sd2;
256 const char *owner_sid;
258 printf("TESTING SID_CREATOR_OWNER\n");
260 io.generic.level = RAW_OPEN_NTCREATEX;
261 io.ntcreatex.in.root_fid = 0;
262 io.ntcreatex.in.flags = 0;
263 io.ntcreatex.in.access_mask = SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC | SEC_STD_WRITE_OWNER;
264 io.ntcreatex.in.create_options = 0;
265 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
266 io.ntcreatex.in.share_access =
267 NTCREATEX_SHARE_ACCESS_READ |
268 NTCREATEX_SHARE_ACCESS_WRITE;
269 io.ntcreatex.in.alloc_size = 0;
270 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
271 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
272 io.ntcreatex.in.security_flags = 0;
273 io.ntcreatex.in.fname = fname;
274 status = smb_raw_open(cli->tree, mem_ctx, &io);
275 CHECK_STATUS(status, NT_STATUS_OK);
276 fnum = io.ntcreatex.out.fnum;
278 printf("get the original sd\n");
279 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
280 q.query_secdesc.in.fnum = fnum;
281 q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
282 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
283 CHECK_STATUS(status, NT_STATUS_OK);
284 sd_orig = q.query_secdesc.out.sd;
286 owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
288 printf("set a sec desc allowing no write by CREATOR_OWNER\n");
289 sd = security_descriptor_create(mem_ctx,
292 SEC_ACE_TYPE_ACCESS_ALLOWED,
293 SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
296 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
297 set.set_secdesc.file.fnum = fnum;
298 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
299 set.set_secdesc.in.sd = sd;
301 status = smb_raw_setfileinfo(cli->tree, &set);
302 CHECK_STATUS(status, NT_STATUS_OK);
304 printf("try open for write\n");
305 io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
306 status = smb_raw_open(cli->tree, mem_ctx, &io);
307 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
309 printf("try open for read\n");
310 io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
311 status = smb_raw_open(cli->tree, mem_ctx, &io);
312 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
314 printf("try open for generic write\n");
315 io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
316 status = smb_raw_open(cli->tree, mem_ctx, &io);
317 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
319 printf("try open for generic read\n");
320 io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
321 status = smb_raw_open(cli->tree, mem_ctx, &io);
322 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
324 printf("set a sec desc allowing no write by owner\n");
325 sd = security_descriptor_create(mem_ctx,
328 SEC_ACE_TYPE_ACCESS_ALLOWED,
329 SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
332 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
333 set.set_secdesc.file.fnum = fnum;
334 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
335 set.set_secdesc.in.sd = sd;
336 status = smb_raw_setfileinfo(cli->tree, &set);
337 CHECK_STATUS(status, NT_STATUS_OK);
339 printf("check that sd has been mapped correctly\n");
340 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
341 CHECK_STATUS(status, NT_STATUS_OK);
342 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
343 printf("security descriptors don't match!\n");
345 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
346 printf("expected:\n");
347 NDR_PRINT_DEBUG(security_descriptor, sd);
350 printf("try open for write\n");
351 io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
352 status = smb_raw_open(cli->tree, mem_ctx, &io);
353 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
355 printf("try open for read\n");
356 io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
357 status = smb_raw_open(cli->tree, mem_ctx, &io);
358 CHECK_STATUS(status, NT_STATUS_OK);
359 CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
361 SEC_FILE_READ_ATTRIBUTE);
362 smbcli_close(cli->tree, io.ntcreatex.out.fnum);
364 printf("try open for generic write\n");
365 io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
366 status = smb_raw_open(cli->tree, mem_ctx, &io);
367 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
369 printf("try open for generic read\n");
370 io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
371 status = smb_raw_open(cli->tree, mem_ctx, &io);
372 CHECK_STATUS(status, NT_STATUS_OK);
373 CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
374 SEC_RIGHTS_FILE_READ);
375 smbcli_close(cli->tree, io.ntcreatex.out.fnum);
377 printf("set a sec desc allowing generic read by owner\n");
378 sd = security_descriptor_create(mem_ctx,
381 SEC_ACE_TYPE_ACCESS_ALLOWED,
382 SEC_GENERIC_READ | SEC_STD_ALL,
385 set.set_secdesc.in.sd = sd;
386 status = smb_raw_setfileinfo(cli->tree, &set);
387 CHECK_STATUS(status, NT_STATUS_OK);
389 printf("check that generic read has been mapped correctly\n");
390 sd2 = security_descriptor_create(mem_ctx,
393 SEC_ACE_TYPE_ACCESS_ALLOWED,
394 SEC_RIGHTS_FILE_READ | SEC_STD_ALL,
397 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
398 CHECK_STATUS(status, NT_STATUS_OK);
399 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
400 printf("security descriptors don't match!\n");
402 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
403 printf("expected:\n");
404 NDR_PRINT_DEBUG(security_descriptor, sd2);
408 printf("try open for write\n");
409 io.ntcreatex.in.access_mask = SEC_FILE_WRITE_DATA;
410 status = smb_raw_open(cli->tree, mem_ctx, &io);
411 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
413 printf("try open for read\n");
414 io.ntcreatex.in.access_mask = SEC_FILE_READ_DATA;
415 status = smb_raw_open(cli->tree, mem_ctx, &io);
416 CHECK_STATUS(status, NT_STATUS_OK);
417 CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
419 SEC_FILE_READ_ATTRIBUTE);
420 smbcli_close(cli->tree, io.ntcreatex.out.fnum);
422 printf("try open for generic write\n");
423 io.ntcreatex.in.access_mask = SEC_GENERIC_WRITE;
424 status = smb_raw_open(cli->tree, mem_ctx, &io);
425 CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
427 printf("try open for generic read\n");
428 io.ntcreatex.in.access_mask = SEC_GENERIC_READ;
429 status = smb_raw_open(cli->tree, mem_ctx, &io);
430 CHECK_STATUS(status, NT_STATUS_OK);
431 CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum, SEC_RIGHTS_FILE_READ);
432 smbcli_close(cli->tree, io.ntcreatex.out.fnum);
435 printf("put back original sd\n");
436 set.set_secdesc.in.sd = sd_orig;
437 status = smb_raw_setfileinfo(cli->tree, &set);
438 CHECK_STATUS(status, NT_STATUS_OK);
442 smbcli_close(cli->tree, fnum);
448 test the mapping of the SEC_GENERIC_xx bits to SEC_STD_xx and
451 static BOOL test_generic_bits(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
455 const char *fname = BASEDIR "\\generic.txt";
458 union smb_fileinfo q;
459 union smb_setfileinfo set;
460 struct security_descriptor *sd, *sd_orig, *sd2;
461 const char *owner_sid;
464 uint32_t specific_bits;
465 } file_mappings[] = {
467 { SEC_GENERIC_READ, SEC_RIGHTS_FILE_READ },
468 { SEC_GENERIC_WRITE, SEC_RIGHTS_FILE_WRITE },
469 { SEC_GENERIC_EXECUTE, SEC_RIGHTS_FILE_EXECUTE },
470 { SEC_GENERIC_ALL, SEC_RIGHTS_FILE_ALL },
471 { SEC_FILE_READ_DATA, SEC_FILE_READ_DATA },
472 { SEC_FILE_READ_ATTRIBUTE, SEC_FILE_READ_ATTRIBUTE }
476 uint32_t specific_bits;
479 { SEC_GENERIC_READ, SEC_RIGHTS_DIR_READ },
480 { SEC_GENERIC_WRITE, SEC_RIGHTS_DIR_WRITE },
481 { SEC_GENERIC_EXECUTE, SEC_RIGHTS_DIR_EXECUTE },
482 { SEC_GENERIC_ALL, SEC_RIGHTS_DIR_ALL }
484 BOOL has_restore_privilege;
485 BOOL has_take_ownership_privilege;
487 printf("TESTING FILE GENERIC BITS\n");
489 io.generic.level = RAW_OPEN_NTCREATEX;
490 io.ntcreatex.in.root_fid = 0;
491 io.ntcreatex.in.flags = 0;
492 io.ntcreatex.in.access_mask =
493 SEC_STD_READ_CONTROL |
496 io.ntcreatex.in.create_options = 0;
497 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
498 io.ntcreatex.in.share_access =
499 NTCREATEX_SHARE_ACCESS_READ |
500 NTCREATEX_SHARE_ACCESS_WRITE;
501 io.ntcreatex.in.alloc_size = 0;
502 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
503 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
504 io.ntcreatex.in.security_flags = 0;
505 io.ntcreatex.in.fname = fname;
506 status = smb_raw_open(cli->tree, mem_ctx, &io);
507 CHECK_STATUS(status, NT_STATUS_OK);
508 fnum = io.ntcreatex.out.fnum;
510 printf("get the original sd\n");
511 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
512 q.query_secdesc.in.fnum = fnum;
513 q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
514 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
515 CHECK_STATUS(status, NT_STATUS_OK);
516 sd_orig = q.query_secdesc.out.sd;
518 owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
520 status = smblsa_sid_check_privilege(cli,
522 sec_privilege_name(SEC_PRIV_RESTORE));
523 has_restore_privilege = NT_STATUS_IS_OK(status);
524 if (!NT_STATUS_IS_OK(status)) {
525 printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
527 printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
529 status = smblsa_sid_check_privilege(cli,
531 sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
532 has_take_ownership_privilege = NT_STATUS_IS_OK(status);
533 if (!NT_STATUS_IS_OK(status)) {
534 printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
536 printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_restore_privilege?"Yes":"No");
538 for (i=0;i<ARRAY_SIZE(file_mappings);i++) {
539 uint32_t expected_mask =
541 SEC_STD_READ_CONTROL |
542 SEC_FILE_READ_ATTRIBUTE |
544 uint32_t expected_mask_anon = SEC_FILE_READ_ATTRIBUTE;
546 if (has_restore_privilege) {
547 expected_mask_anon |= SEC_STD_DELETE;
550 printf("testing generic bits 0x%08x\n",
551 file_mappings[i].gen_bits);
552 sd = security_descriptor_create(mem_ctx,
555 SEC_ACE_TYPE_ACCESS_ALLOWED,
556 file_mappings[i].gen_bits,
559 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
560 set.set_secdesc.file.fnum = fnum;
561 set.set_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
562 set.set_secdesc.in.sd = sd;
564 status = smb_raw_setfileinfo(cli->tree, &set);
565 CHECK_STATUS(status, NT_STATUS_OK);
567 sd2 = security_descriptor_create(mem_ctx,
570 SEC_ACE_TYPE_ACCESS_ALLOWED,
571 file_mappings[i].specific_bits,
574 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
575 CHECK_STATUS(status, NT_STATUS_OK);
576 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
577 printf("security descriptors don't match!\n");
579 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
580 printf("expected:\n");
581 NDR_PRINT_DEBUG(security_descriptor, sd2);
584 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
585 status = smb_raw_open(cli->tree, mem_ctx, &io);
586 CHECK_STATUS(status, NT_STATUS_OK);
587 CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
588 expected_mask | file_mappings[i].specific_bits);
589 smbcli_close(cli->tree, io.ntcreatex.out.fnum);
591 if (!has_take_ownership_privilege) {
595 printf("testing generic bits 0x%08x (anonymous)\n",
596 file_mappings[i].gen_bits);
597 sd = security_descriptor_create(mem_ctx,
598 SID_NT_ANONYMOUS, NULL,
600 SEC_ACE_TYPE_ACCESS_ALLOWED,
601 file_mappings[i].gen_bits,
604 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
605 set.set_secdesc.file.fnum = fnum;
606 set.set_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
607 set.set_secdesc.in.sd = sd;
609 status = smb_raw_setfileinfo(cli->tree, &set);
610 CHECK_STATUS(status, NT_STATUS_OK);
612 sd2 = security_descriptor_create(mem_ctx,
613 SID_NT_ANONYMOUS, NULL,
615 SEC_ACE_TYPE_ACCESS_ALLOWED,
616 file_mappings[i].specific_bits,
619 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
620 CHECK_STATUS(status, NT_STATUS_OK);
621 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
622 printf("security descriptors don't match!\n");
624 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
625 printf("expected:\n");
626 NDR_PRINT_DEBUG(security_descriptor, sd2);
629 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
630 status = smb_raw_open(cli->tree, mem_ctx, &io);
631 CHECK_STATUS(status, NT_STATUS_OK);
632 CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
633 expected_mask_anon | file_mappings[i].specific_bits);
634 smbcli_close(cli->tree, io.ntcreatex.out.fnum);
637 printf("put back original sd\n");
638 set.set_secdesc.in.sd = sd_orig;
639 status = smb_raw_setfileinfo(cli->tree, &set);
640 CHECK_STATUS(status, NT_STATUS_OK);
642 smbcli_close(cli->tree, fnum);
643 smbcli_unlink(cli->tree, fname);
646 printf("TESTING DIR GENERIC BITS\n");
648 io.generic.level = RAW_OPEN_NTCREATEX;
649 io.ntcreatex.in.root_fid = 0;
650 io.ntcreatex.in.flags = 0;
651 io.ntcreatex.in.access_mask = SEC_STD_READ_CONTROL | SEC_STD_WRITE_DAC;
652 io.ntcreatex.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
653 io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_DIRECTORY;
654 io.ntcreatex.in.share_access =
655 NTCREATEX_SHARE_ACCESS_READ |
656 NTCREATEX_SHARE_ACCESS_WRITE;
657 io.ntcreatex.in.alloc_size = 0;
658 io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF;
659 io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
660 io.ntcreatex.in.security_flags = 0;
661 io.ntcreatex.in.fname = fname;
662 status = smb_raw_open(cli->tree, mem_ctx, &io);
663 CHECK_STATUS(status, NT_STATUS_OK);
664 fnum = io.ntcreatex.out.fnum;
666 printf("get the original sd\n");
667 q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
668 q.query_secdesc.in.fnum = fnum;
669 q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
670 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
671 CHECK_STATUS(status, NT_STATUS_OK);
672 sd_orig = q.query_secdesc.out.sd;
674 owner_sid = dom_sid_string(mem_ctx, sd_orig->owner_sid);
677 for (i=0;i<ARRAY_SIZE(dir_mappings);i++) {
678 uint32_t expected_mask =
680 SEC_STD_READ_CONTROL |
681 SEC_FILE_READ_ATTRIBUTE |
684 printf("testing generic bits 0x%08x\n",
685 file_mappings[i].gen_bits);
686 sd = security_descriptor_create(mem_ctx,
689 SEC_ACE_TYPE_ACCESS_ALLOWED,
690 dir_mappings[i].gen_bits,
693 set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
694 set.set_secdesc.file.fnum = fnum;
695 set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
696 set.set_secdesc.in.sd = sd;
698 status = smb_raw_setfileinfo(cli->tree, &set);
699 CHECK_STATUS(status, NT_STATUS_OK);
701 sd2 = security_descriptor_create(mem_ctx,
704 SEC_ACE_TYPE_ACCESS_ALLOWED,
705 dir_mappings[i].specific_bits,
708 status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
709 CHECK_STATUS(status, NT_STATUS_OK);
710 if (!security_descriptor_equal(q.query_secdesc.out.sd, sd2)) {
711 printf("security descriptors don't match!\n");
713 NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
714 printf("expected:\n");
715 NDR_PRINT_DEBUG(security_descriptor, sd2);
718 io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
719 status = smb_raw_open(cli->tree, mem_ctx, &io);
720 CHECK_STATUS(status, NT_STATUS_OK);
721 CHECK_ACCESS_FLAGS(io.ntcreatex.out.fnum,
722 expected_mask | dir_mappings[i].specific_bits);
723 smbcli_close(cli->tree, io.ntcreatex.out.fnum);
726 printf("put back original sd\n");
727 set.set_secdesc.in.sd = sd_orig;
728 status = smb_raw_setfileinfo(cli->tree, &set);
729 CHECK_STATUS(status, NT_STATUS_OK);
731 smbcli_close(cli->tree, fnum);
732 smbcli_unlink(cli->tree, fname);
735 smbcli_close(cli->tree, fnum);
741 basic testing of security descriptor calls
743 BOOL torture_raw_acls(void)
745 struct smbcli_state *cli;
749 if (!torture_open_connection(&cli)) {
753 mem_ctx = talloc_init("torture_raw_acls");
755 if (!torture_setup_dir(cli, BASEDIR)) {
759 ret &= test_sd(cli, mem_ctx);
760 ret &= test_nttrans_create(cli, mem_ctx);
761 ret &= test_creator_sid(cli, mem_ctx);
762 ret &= test_generic_bits(cli, mem_ctx);
764 smb_raw_exit(cli->session);
765 smbcli_deltree(cli->tree, BASEDIR);
767 torture_close_connection(cli);
768 talloc_destroy(mem_ctx);