svn commit: samba r3885 - in branches/SAMBA_4_0/source: libcli/security librpc/idl rpc_server/samr torture/rpc

abartlet at samba.org abartlet at samba.org
Sat Nov 20 00:29:04 GMT 2004


Author: abartlet
Date: 2004-11-20 00:29:04 +0000 (Sat, 20 Nov 2004)
New Revision: 3885

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=3885

Log:
Add security descriptor comparison to our RPC-SAMSYNC test.  We now
verify that the security descriptor found in the SamSync is the same
as what is available over SAMR.

Unfortunately, the administrator seems unable to retrieve the SACL on
the security descriptor, so I've added a new function to compare with
a mask.

Andrew Bartlett


Modified:
   branches/SAMBA_4_0/source/libcli/security/security_descriptor.c
   branches/SAMBA_4_0/source/librpc/idl/lsa.idl
   branches/SAMBA_4_0/source/librpc/idl/samr.idl
   branches/SAMBA_4_0/source/librpc/idl/security.idl
   branches/SAMBA_4_0/source/rpc_server/samr/dcesrv_samr.c
   branches/SAMBA_4_0/source/torture/rpc/samsync.c


Changeset:
Modified: branches/SAMBA_4_0/source/libcli/security/security_descriptor.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/security/security_descriptor.c	2004-11-19 21:02:15 UTC (rev 3884)
+++ branches/SAMBA_4_0/source/libcli/security/security_descriptor.c	2004-11-20 00:29:04 UTC (rev 3885)
@@ -224,3 +224,24 @@
 
 	return True;	
 }
+
+/*
+  compare two security descriptors, but allow certain (missing) parts
+  to be masked out of the comparison
+*/
+BOOL security_descriptor_mask_equal(const struct security_descriptor *sd1, 
+				    const struct security_descriptor *sd2, 
+				    uint32 mask)
+{
+	if (sd1 == sd2) return True;
+	if (!sd1 || !sd2) return False;
+	if (sd1->revision != sd2->revision) return False;
+	if ((sd1->type & mask) != (sd2->type & mask)) return False;
+
+	if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return False;
+	if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return False;
+	if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl))      return False;
+	if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl))      return False;
+
+	return True;	
+}
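Review bot: The header comment above `security_descriptor_mask_equal` does not say how `mask` is interpreted, yet a caller needs two facts only the body reveals: the mask is ANDed with `type` before comparison, and the DACL/SACL comparisons run only when the corresponding `SEC_DESC_DACL_PRESENT`/`SEC_DESC_SACL_PRESENT` bit is set in the mask, while owner and group SIDs are always compared. Suggest extending the comment with `mask is applied to sd->type; the DACL (SACL) is compared only if SEC_DESC_DACL_PRESENT (SEC_DESC_SACL_PRESENT) is set in mask; owner and group SIDs are always compared.` The result for descriptors that omit a component depends on whether `dom_sid_equal` and `security_acl_equal` treat a pair of NULL pointers as equal; both are outside this hunk, so that is worth confirming. The final `return True;` also carries trailing whitespace.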

Modified: branches/SAMBA_4_0/source/librpc/idl/lsa.idl
===================================================================
--- branches/SAMBA_4_0/source/librpc/idl/lsa.idl	2004-11-19 21:02:15 UTC (rev 3884)
+++ branches/SAMBA_4_0/source/librpc/idl/lsa.idl	2004-11-20 00:29:04 UTC (rev 3885)
@@ -56,11 +56,6 @@
 	/******************/
 	/* Function: 0x03 */
 
-	typedef [public] struct {
-		uint32 size;
-		[subcontext(4)] security_descriptor *sd;
-	} sec_desc_buf;
-
 	NTSTATUS lsa_QuerySecObj (
 		[in,ref]     policy_handle *handle,
 		[in]         uint32 sec_info,

Modified: branches/SAMBA_4_0/source/librpc/idl/samr.idl
===================================================================
--- branches/SAMBA_4_0/source/librpc/idl/samr.idl	2004-11-19 21:02:15 UTC (rev 3884)
+++ branches/SAMBA_4_0/source/librpc/idl/samr.idl	2004-11-20 00:29:04 UTC (rev 3885)
@@ -48,15 +48,10 @@
 	/******************/
 	/* Function: 0x02 */
 
-	typedef struct {
-		[range(0,0x40000),value(ndr_size_security_descriptor(r->sd))] uint32 sd_size;
-		[subcontext(4)] security_descriptor *sd;
-	} samr_SdBuf;
-
 	NTSTATUS samr_SetSecurity (
 		[in,ref]          policy_handle *handle,
 		[in]              uint32 sec_info,
-		[in,ref]          samr_SdBuf *sdbuf
+		[in,ref]          sec_desc_buf *sdbuf
 		);
 
 	/******************/
@@ -65,7 +60,7 @@
 	NTSTATUS samr_QuerySecurity (
 		[in,ref]          policy_handle *handle,
 		[in]              uint32 sec_info,
-		[out]             samr_SdBuf *sdbuf
+		[out]             sec_desc_buf *sdbuf
 		);
 
 	/******************/

Modified: branches/SAMBA_4_0/source/librpc/idl/security.idl
===================================================================
--- branches/SAMBA_4_0/source/librpc/idl/security.idl	2004-11-19 21:02:15 UTC (rev 3884)
+++ branches/SAMBA_4_0/source/librpc/idl/security.idl	2004-11-20 00:29:04 UTC (rev 3885)
@@ -120,6 +120,11 @@
 		[relative] security_acl *dacl; /* user (discretionary) ACL */
 	} security_descriptor;
 
+	typedef [public] struct {
+		[range(0,0x40000),value(ndr_size_security_descriptor(r->sd))] uint32 sd_size;
+		[subcontext(4)] security_descriptor *sd;
+	} sec_desc_buf;
+
 	typedef [public,printonly] struct {
 		/* TODO */
 		uint32 flags;
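Review bot: The unified `sec_desc_buf` keeps samr's field name `sd_size` and its `[range(0,0x40000)]` bound, whereas the `sec_desc_buf` removed from lsa.idl in this same commit had a plain `uint32 size` with no range. Any lsa code that referenced `->size` would need to change to `->sd_size`; no lsa client or server .c file is in the Modified list, so presumably none does, but a full build should confirm it. The range attribute is also a behavioural change for `lsa_QuerySecObj`: a wire size above 0x40000 now fails the NDR pull instead of being accepted, which is the safer direction for untrusted input but deserves a mention in the log message.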

Modified: branches/SAMBA_4_0/source/rpc_server/samr/dcesrv_samr.c
===================================================================
--- branches/SAMBA_4_0/source/rpc_server/samr/dcesrv_samr.c	2004-11-19 21:02:15 UTC (rev 3884)
+++ branches/SAMBA_4_0/source/rpc_server/samr/dcesrv_samr.c	2004-11-20 00:29:04 UTC (rev 3885)
@@ -118,13 +118,13 @@
 				   struct samr_QuerySecurity *r)
 {
 	struct dcesrv_handle *h;
-	struct samr_SdBuf *sd;
+	struct sec_desc_buf *sd;
 
 	r->out.sdbuf = NULL;
 
 	DCESRV_PULL_HANDLE(h, r->in.handle, DCESRV_HANDLE_ANY);
 
-	sd = talloc_p(mem_ctx, struct samr_SdBuf);
+	sd = talloc_p(mem_ctx, struct sec_desc_buf);
 	if (sd == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}

Modified: branches/SAMBA_4_0/source/torture/rpc/samsync.c
===================================================================
--- branches/SAMBA_4_0/source/torture/rpc/samsync.c	2004-11-19 21:02:15 UTC (rev 3884)
+++ branches/SAMBA_4_0/source/torture/rpc/samsync.c	2004-11-20 00:29:04 UTC (rev 3885)
@@ -164,7 +164,25 @@
 	return domain_handle;
 }
 
+static struct sec_desc_buf *samsync_query_sec_desc(TALLOC_CTX *mem_ctx, 
+						   struct samsync_state *samsync_state, 
+						   struct policy_handle *handle) 
+{
+	struct samr_QuerySecurity r;
+	NTSTATUS status;
 
+	r.in.handle = handle;
+	r.in.sec_info = 0x7;
+
+	status = dcerpc_samr_QuerySecurity(samsync_state->p_samr, mem_ctx, &r);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("QuerySecurity failed - %s\n", nt_errstr(status));
+		return NULL;
+	}
+
+	return r.out.sdbuf;
+}
+
 #define TEST_UINT64_EQUAL(i1, i2) do {\
 	if (i1 != i2) {\
               printf("uint64 mismatch: " #i1 ": 0x%08x%08x (%lld) != " #i2 ": 0x%08x%08x (%lld)\n", \
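Review bot: `r.in.sec_info = 0x7;` in `samsync_query_sec_desc` is a bare magic number; if this field follows the Win32 SECURITY_INFORMATION bit layout (owner 0x1, group 0x2, DACL 0x4, SACL 0x8), then 0x7 asks for owner, group and DACL and omits the SACL, which would by itself explain why the SACL never comes back over SAMR, independently of the administrator's privileges mentioned in the log. Suggest a comment spelling out the intent, e.g. `r.in.sec_info = 0x7; /* owner | group | DACL; SACL (0x8) is not requested */`, or composing the value from whatever named constants the IDL provides. A one-line comment above the function stating that the returned buffer is owned by `mem_ctx` would also help callers.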
@@ -187,6 +205,7 @@
 	      ret = False;\
 	} \
 } while (0)
+
 #define TEST_STRING_EQUAL(s1, s2) do {\
 	if (!((!s1.string || s1.string[0]=='\0') && (!s2.string || s2.string[0]=='\0')) \
 	    && strcmp_safe(s1.string, s2.string) != 0) {\
@@ -196,6 +215,25 @@
 	} \
 } while (0)
 
+/* The ~SEC_DESC_SACL_PRESENT is because we don't, as administrator,
+ * get back the SACL part of the SD when we ask over SAMR */
+
+#define TEST_SEC_DESC_EQUAL(sd1, handle) do {\
+        struct sec_desc_buf *sdbuf = samsync_query_sec_desc(mem_ctx, samsync_state, \
+						            handle); \
+	if (!sdbuf || !sdbuf->sd) { \
+	        ret = False; \
+        } else {\
+		if (!security_descriptor_mask_equal(sd1.sd, sdbuf->sd, \
+ 			    ~SEC_DESC_SACL_PRESENT)) {\
+			printf("Security Descriptor Mismatch for %s:\n", #sd1);\
+		        ndr_print_debug((ndr_print_fn_t)ndr_print_security_descriptor, "SamSync", sd1.sd);\
+		        ndr_print_debug((ndr_print_fn_t)ndr_print_security_descriptor, "SamR", sdbuf->sd);\
+			ret = False;\
+		}\
+	}\
+} while (0)
+
 static BOOL samsync_handle_domain(TALLOC_CTX *mem_ctx, struct samsync_state *samsync_state,
 			   int database_id, struct netr_DELTA_ENUM *delta) 
 {
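Review bot: In `TEST_SEC_DESC_EQUAL`, the `!sdbuf || !sdbuf->sd` branch sets `ret = False` without any output, so a successful QuerySecurity reply that carries no descriptor fails the test silently (the RPC-failure case is reported inside `samsync_query_sec_desc`, but the NULL `sd` case is not). Suggest `printf("No security descriptor returned over SAMR for %s\n", #sd1);` before `ret = False;` in that branch. The macro also depends on the caller's `mem_ctx`, `samsync_state` and `ret` locals without saying so; a one-line comment above the `#define` naming that requirement would help, and `handle` should be written as `(handle)` for macro hygiene. The macro body mixes tabs and spaces for indentation.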
@@ -279,6 +317,8 @@
 	TEST_TIME_EQUAL(q[13].out.info->info13.domain_create_time, 
 			domain->domain_create_time);
 
+	TEST_SEC_DESC_EQUAL(domain->sdbuf, samsync_state->domain_handle[database_id]);
+
 	return ret;
 }
 
@@ -351,6 +391,8 @@
 	q.in.user_handle = &user_handle;
 	q.in.level = 21;
 
+	TEST_SEC_DESC_EQUAL(user->sdbuf, &user_handle);
+
 	nt_status = dcerpc_samr_QueryUserInfo(samsync_state->p_samr, mem_ctx, &q);
 	if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &user_handle)) {
 		return False;
@@ -546,6 +588,8 @@
 	q.in.alias_handle = &alias_handle;
 	q.in.level = 1;
 
+	TEST_SEC_DESC_EQUAL(alias->sdbuf, &alias_handle);
+
 	nt_status = dcerpc_samr_QueryAliasInfo(samsync_state->p_samr, mem_ctx, &q);
 	if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &alias_handle)) {
 		return False;
@@ -593,6 +637,8 @@
 	q.in.group_handle = &group_handle;
 	q.in.level = 1;
 
+	TEST_SEC_DESC_EQUAL(group->sdbuf, &group_handle);
+
 	nt_status = dcerpc_samr_QueryGroupInfo(samsync_state->p_samr, mem_ctx, &q);
 	if (!test_samr_handle_Close(samsync_state->p_samr, mem_ctx, &group_handle)) {
 		return False;


