Now SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP don't include any generic...
authorJeremy Allison <jra@samba.org>
Fri, 31 Aug 2012 21:42:21 +0000 (14:42 -0700)
committerJeremy Allison <jra@samba.org>
Sat, 1 Sep 2012 03:32:37 +0000 (20:32 -0700)
Mark samba4.base.maximum_allowed knownfail until we implement NTCREATEX_OPTIONS_BACKUP_INTENT.

selftest/knownfail
source4/torture/basic/denytest.c

index 93f1dfc732e43cbdf6ad462a39ff4c13e1aabf5b..4e6eb43add7640d8da97de129bb3e371f649125c 100644 (file)
@@ -93,6 +93,7 @@
 ^samba4.rpc.samr.passwords.badpwdcount # Not provided by Samba 4 yet
 ^samba4.rpc.samr.passwords.lockout
 ^samba4.base.charset.*.Testing partial surrogate
+^samba4.*.base.maximum_allowed         # broken until we implement NTCREATEX_OPTIONS_BACKUP_INTENT
 .*net.api.delshare.*                           # DelShare isn't implemented yet
 ^samba4.rap.*netservergetinfo
 ^samba4.rap.*netsessionenum
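Review bot: The added pattern `^samba4.*.base.maximum_allowed` is wider than the `samba4.base.maximum_allowed` test named in the commit message: the `.*` admits any text between `samba4` and `.base`, and there is no end anchor. This test checks MAXIMUM_ALLOWED access-mask results, so while it is listed here a regression in that access check is an expected failure, and the ok_mask logic changed in denytest.c by this same commit is not enforced either. Consider narrowing the pattern to the environments that actually fail and adding a tracking reference to the trailing comment, e.g. `# broken until NTCREATEX_OPTIONS_BACKUP_INTENT is implemented (bug <BUG-ID>)`.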
index 2e21c83fadbf179cfe50b561eb2f02365292801d..69717be3ba8eb1a3e184416b639e109a72a5182b 100644 (file)
@@ -2687,7 +2687,7 @@ bool torture_maximum_allowed(struct torture_context *tctx,
        NTSTATUS status;
        union smb_fileinfo q;
        const char *owner_sid;
-       bool has_restore_privilege, has_backup_privilege;
+       bool has_restore_privilege, has_backup_privilege, has_system_security_privilege;
 
        mem_ctx = talloc_init("torture_maximum_allowed");
 
@@ -2747,18 +2747,41 @@ bool torture_maximum_allowed(struct torture_context *tctx,
                        owner_sid,
                        has_backup_privilege?"Yes":"No");
 
+       status = torture_check_privilege(cli,
+                                        owner_sid,
+                                        sec_privilege_name(SEC_PRIV_SECURITY));
+       has_system_security_privilege = NT_STATUS_IS_OK(status);
+       torture_comment(tctx, "Checked SEC_PRIV_SECURITY for %s - %s\n",
+                       owner_sid,
+                       has_system_security_privilege?"Yes":"No");
+
        smbcli_close(cli->tree, fnum);
 
        for (i = 0; i < 32; i++) {
                uint32_t mask = SEC_FLAG_MAXIMUM_ALLOWED | (1u << i);
-               uint32_t ok_mask = SEC_RIGHTS_FILE_READ | SEC_GENERIC_READ | 
+               /*
+                * SEC_GENERIC_EXECUTE is a complete subset of
+                * SEC_GENERIC_READ when mapped to specific bits,
+                * so we need to include it in the basic OK mask.
+                */
+               uint32_t ok_mask = SEC_RIGHTS_FILE_READ | SEC_GENERIC_READ | SEC_GENERIC_EXECUTE |
                        SEC_STD_DELETE | SEC_STD_WRITE_DAC;
 
+               /*
+                * Now SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP
+                * don't include any generic bits (they're used directly
+                * in the fileserver where the generic bits have already
+                * been mapped into file specific bits) we need to add the
+                * generic bits to the ok_mask when we have these privileges.
+                */
                if (has_restore_privilege) {
-                       ok_mask |= SEC_RIGHTS_PRIV_RESTORE;
+                       ok_mask |= SEC_RIGHTS_PRIV_RESTORE|SEC_GENERIC_WRITE;
                }
                if (has_backup_privilege) {
-                       ok_mask |= SEC_RIGHTS_PRIV_BACKUP;
+                       ok_mask |= SEC_RIGHTS_PRIV_BACKUP|SEC_GENERIC_READ;
+               }
+               if (has_system_security_privilege) {
+                       ok_mask |= SEC_FLAG_SYSTEM_SECURITY;
                }
 
                /* Skip all SACL related tests. */
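Review bot: In the added SEC_PRIV_SECURITY check, `has_system_security_privilege = NT_STATUS_IS_OK(status);` treats every non-OK status from torture_check_privilege() as "privilege not held", so a lookup or transport failure would silently narrow ok_mask and surface later as a misleading access-mask mismatch. The torture_comment() call should at least record the status, e.g. `has_system_security_privilege?"Yes":nt_errstr(status)` as its last argument; the existing backup-privilege check in the context lines appears to follow the same pattern. Separately, `ok_mask |= SEC_RIGHTS_PRIV_BACKUP|SEC_GENERIC_READ;` adds a bit that ok_mask already carries unconditionally from its initializer, so `|SEC_GENERIC_READ` is redundant there and could be dropped or explained in the new comment. torture_maximum_allowed() starts before and continues after this hunk, so how ok_mask is finally compared is not visible here.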