svn commit: samba r25264 - in branches/SAMBA_4_0/source/torture/rpc: .

sahlberg at samba.org sahlberg at samba.org
Thu Sep 20 23:27:28 GMT 2007


Author: sahlberg
Date: 2007-09-20 23:27:28 +0000 (Thu, 20 Sep 2007)
New Revision: 25264

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=25264

Log:
add a test to verify that the ACLs are checked when a normal user connects to SAMR


Modified:
   branches/SAMBA_4_0/source/torture/rpc/samr_accessmask.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/rpc/samr_accessmask.c
===================================================================
--- branches/SAMBA_4_0/source/torture/rpc/samr_accessmask.c	2007-09-20 22:57:57 UTC (rev 25263)
+++ branches/SAMBA_4_0/source/torture/rpc/samr_accessmask.c	2007-09-20 23:27:28 UTC (rev 25264)
@@ -332,6 +332,47 @@
 	return ret;
 }
 
+/*
+ * test if the ACLs are enforced for users.
+ * a normal testuser only gets the rights provided in hte ACL for
+ * Everyone   which does not include the SAMR_ACCESS_SHUTDOWN_SERVER
+ * right.  If the ACLs are checked when a user connects   
+ * a testuser that requests the accessmask with only this bit set
+ * the connect should fail.
+ */
+static bool test_samr_connect_user_acl_enforced(struct torture_context *tctx, 
+				   struct dcerpc_pipe *p,
+				   struct cli_credentials *test_credentials,
+				   const struct dom_sid *test_sid)
+
+{
+	NTSTATUS status;
+	struct policy_handle uch;
+	bool ret = True;
+	struct dcerpc_pipe *test_p;
+	const char *binding = torture_setting_string(tctx, "binding", NULL);
+
+	printf("testing if ACLs are enforced for non domain admin users when connecting to SAMR");
+
+
+	status = dcerpc_pipe_connect(tctx, 
+			     &test_p, binding, &ndr_table_samr,
+			     test_credentials, NULL);
+
+	/* connect to SAMR as the user */
+	status = torture_samr_Connect5(tctx, test_p, SAMR_ACCESS_SHUTDOWN_SERVER, &uch);
+	if (NT_STATUS_IS_OK(status)) {
+		printf("Connect5 failed - %s\n", nt_errstr(status));
+		return False;
+	}
+	printf(" OK\n");
+
+	/* disconnec the user */
+	talloc_free(test_p);
+
+	return ret;
+}
+
 /* check which bits in accessmask allows us to LookupDomain()
    by default we must specify at least one of :
    in the access mask to Connect5() in order to be allowed to perform
@@ -579,6 +620,22 @@
 		ret = False;
 	}
 
+	/* test if the ACLs that are reported from the Connect5 
+	 * policy handle is enforced.
+	 * i.e. an ordinary user only has the same rights as Everybody
+	 *   ReadControl
+	 *   Samr/OpenDomain
+	 *   Samr/EnumDomains
+	 *   Samr/ConnectToServer
+	 * is granted and should therefore not be able to connect when
+	 * requesting SAMR_ACCESS_SHUTDOWN_SERVER
+	 */
+	if (!test_samr_connect_user_acl_enforced(tctx, p, test_credentials, test_sid)) {
+		ret = False;
+	}
+
+
+
 	/* remove the test user */
 	torture_leave_domain(testuser);
 



More information about the samba-cvs mailing list