svn commit: samba r25264 - in
branches/SAMBA_4_0/source/torture/rpc: .
sahlberg at samba.org
sahlberg at samba.org
Thu Sep 20 23:27:28 GMT 2007
Author: sahlberg
Date: 2007-09-20 23:27:28 +0000 (Thu, 20 Sep 2007)
New Revision: 25264
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=25264
Log:
add a test to verify that the ACLs are checked when a normal user connects to SAMR
Modified:
branches/SAMBA_4_0/source/torture/rpc/samr_accessmask.c
Changeset:
Modified: branches/SAMBA_4_0/source/torture/rpc/samr_accessmask.c
===================================================================
--- branches/SAMBA_4_0/source/torture/rpc/samr_accessmask.c 2007-09-20 22:57:57 UTC (rev 25263)
+++ branches/SAMBA_4_0/source/torture/rpc/samr_accessmask.c 2007-09-20 23:27:28 UTC (rev 25264)
@@ -332,6 +332,47 @@
return ret;
}
+/*
+ * test if the ACLs are enforced for users.
+ * a normal testuser only gets the rights provided in hte ACL for
+ * Everyone which does not include the SAMR_ACCESS_SHUTDOWN_SERVER
+ * right. If the ACLs are checked when a user connects
+ * a testuser that requests the accessmask with only this bit set
+ * the connect should fail.
+ */
+static bool test_samr_connect_user_acl_enforced(struct torture_context *tctx,
+ struct dcerpc_pipe *p,
+ struct cli_credentials *test_credentials,
+ const struct dom_sid *test_sid)
+
+{
+ NTSTATUS status;
+ struct policy_handle uch;
+ bool ret = True;
+ struct dcerpc_pipe *test_p;
+ const char *binding = torture_setting_string(tctx, "binding", NULL);
+
+ printf("testing if ACLs are enforced for non domain admin users when connecting to SAMR");
+
+
+ status = dcerpc_pipe_connect(tctx,
+ &test_p, binding, &ndr_table_samr,
+ test_credentials, NULL);
+
+ /* connect to SAMR as the user */
+ status = torture_samr_Connect5(tctx, test_p, SAMR_ACCESS_SHUTDOWN_SERVER, &uch);
+ if (NT_STATUS_IS_OK(status)) {
+ printf("Connect5 failed - %s\n", nt_errstr(status));
+ return False;
+ }
+ printf(" OK\n");
+
+ /* disconnec the user */
+ talloc_free(test_p);
+
+ return ret;
+}
+
/* check which bits in accessmask allows us to LookupDomain()
by default we must specify at least one of :
in the access mask to Connect5() in order to be allowed to perform
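Review bot: The status returned by dcerpc_pipe_connect at the top of test_samr_connect_user_acl_enforced is stored but never examined, so when the pipe for the test user cannot be set up `test_p` is left unset and passed straight to torture_samr_Connect5. The Connect5 check that follows reports a successful connect as `Connect5 failed - %s`, which is the wrong way round for a test that expects the call to be refused, and it treats any error as a pass, so a transport fault or a bad password would be counted as the ACL being enforced. Checking the pipe status, naming the real failure, and requiring NT_STATUS_ACCESS_DENIED makes the result say what it means; the unused `p` and `test_sid` parameters and the typos `hte`/`disconnec` in the header comment are minor by comparison. The rewritten middle of the function follows.
```c
	status = dcerpc_pipe_connect(tctx,
				     &test_p, binding, &ndr_table_samr,
				     test_credentials, NULL);
	if (!NT_STATUS_IS_OK(status)) {
		printf("dcerpc_pipe_connect as test user failed - %s\n", nt_errstr(status));
		return False;
	}

	/* connect to SAMR as the user; the ACL must refuse this */
	status = torture_samr_Connect5(tctx, test_p, SAMR_ACCESS_SHUTDOWN_SERVER, &uch);
	if (NT_STATUS_IS_OK(status)) {
		printf("Connect5 succeeded - ACLs are not enforced for the test user\n");
		talloc_free(test_p);
		return False;
	}
	if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
		printf("Connect5 failed with %s, expected NT_STATUS_ACCESS_DENIED\n",
		       nt_errstr(status));
		talloc_free(test_p);
		return False;
	}
	printf(" OK\n");
	/* … unchanged: disconnect the user and return ret … */
```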
@@ -579,6 +620,22 @@
ret = False;
}
+ /* test if the ACLs that are reported from the Connect5
+ * policy handle is enforced.
+ * i.e. an ordinary user only has the same rights as Everybody
+ * ReadControl
+ * Samr/OpenDomain
+ * Samr/EnumDomains
+ * Samr/ConnectToServer
+ * is granted and should therefore not be able to connect when
+ * requesting SAMR_ACCESS_SHUTDOWN_SERVER
+ */
+ if (!test_samr_connect_user_acl_enforced(tctx, p, test_credentials, test_sid)) {
+ ret = False;
+ }
+
+
+
/* remove the test user */
torture_leave_domain(testuser);
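Review bot: The `p` and `test_sid` arguments passed to test_samr_connect_user_acl_enforced here are never read by that function, which opens its own pipe from `test_credentials` and the `binding` setting, so the call could be narrowed to `test_samr_connect_user_acl_enforced(tctx, test_credentials)` or the extra parameters documented as intentionally reserved. The three blank lines after the call are also more than the surrounding steps use between them. The enclosing function starts and ends outside the hunk.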