[SCM] Samba Shared Repository - branch master updated

Andrew Tridgell tridge at samba.org
Thu Oct 15 17:13:21 MDT 2009


The branch, master has been updated
       via  70b020c... s4-pvfs: fixed mask handling for SEC_FLAG_MAXIMUM_ALLOWED
       via  29929a3... s4-torture: take privileges into account in BASE-MAXIMUM_ALLOWED
       via  068e098... idl: added bit definition for privilege masks
      from  c35f185... s4:dcerpc_server - Read the generic session key out from "dcerpc_generic_session_key"

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 70b020ca7698c30f3c0647f620d690aba7674022
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Oct 16 10:05:02 2009 +1100

    s4-pvfs: fixed mask handling for SEC_FLAG_MAXIMUM_ALLOWED
    
    This matches the sec_access_check() code

commit 29929a3c463f0e4a0ade9e351ce86ec3bbf59035
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Oct 16 10:04:26 2009 +1100

    s4-torture: take privileges into account in BASE-MAXIMUM_ALLOWED
    
    The correct answer depends on the user's privileges.

commit 068e09847ad3e494a8b5176980b3c0d46ddf4618
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Oct 16 10:01:28 2009 +1100

    idl: added bit definition for privilege masks
    
    When you have backup or restore privileges, you automatically get
    extra access bits in ACL interpretation. This adds definitions for the
    bits you get.

-----------------------------------------------------------------------

Summary of changes:
 librpc/gen_ndr/security.h        |    4 ++
 librpc/idl/security.idl          |   15 ++++++++++
 source4/ntvfs/posix/pvfs_acl.c   |    4 +-
 source4/torture/basic/denytest.c |   58 +++++++++++++++++++++++++++++++------
 4 files changed, 69 insertions(+), 12 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/gen_ndr/security.h b/librpc/gen_ndr/security.h
index 05df02a..297ba18 100644
--- a/librpc/gen_ndr/security.h
+++ b/librpc/gen_ndr/security.h
@@ -70,6 +70,10 @@
 #define SEC_RIGHTS_DIR_WRITE	( SEC_RIGHTS_FILE_WRITE )
 #define SEC_RIGHTS_DIR_EXECUTE	( SEC_RIGHTS_FILE_EXECUTE )
 #define SEC_RIGHTS_DIR_ALL	( SEC_RIGHTS_FILE_ALL )
+#define SEC_RIGHTS_PRIV_BACKUP	( SEC_STD_READ_CONTROL|SEC_FLAG_SYSTEM_SECURITY|SEC_GENERIC_READ )
+#define SEC_RIGHTS_DIR_PRIV_BACKUP	( SEC_RIGHTS_PRIV_BACKUP|SEC_DIR_TRAVERSE )
+#define SEC_RIGHTS_PRIV_RESTORE	( SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_FLAG_SYSTEM_SECURITY|SEC_STD_DELETE )
+#define SEC_RIGHTS_DIR_PRIV_RESTORE	( SEC_RIGHTS_PRIV_RESTORE|SEC_DIR_ADD_FILE|SEC_DIR_ADD_SUBDIR )
 #define STANDARD_RIGHTS_ALL_ACCESS	( SEC_STD_ALL )
 #define STANDARD_RIGHTS_MODIFY_ACCESS	( SEC_STD_READ_CONTROL )
 #define STANDARD_RIGHTS_EXECUTE_ACCESS	( SEC_STD_READ_CONTROL )
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 96d24b6..c24dc64 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -144,6 +144,21 @@ interface security
 	const int SEC_RIGHTS_DIR_EXECUTE  = SEC_RIGHTS_FILE_EXECUTE;
 	const int SEC_RIGHTS_DIR_ALL      = SEC_RIGHTS_FILE_ALL;
 
+	/* rights granted by some specific privileges */
+	const int SEC_RIGHTS_PRIV_BACKUP  = SEC_STD_READ_CONTROL | 
+					    SEC_FLAG_SYSTEM_SECURITY |
+					    SEC_GENERIC_READ;
+	const int SEC_RIGHTS_DIR_PRIV_BACKUP  = SEC_RIGHTS_PRIV_BACKUP 
+					      | SEC_DIR_TRAVERSE;
+
+	const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC | 
+					    SEC_STD_WRITE_OWNER |
+					    SEC_FLAG_SYSTEM_SECURITY |
+					    SEC_STD_DELETE;
+	const int SEC_RIGHTS_DIR_PRIV_RESTORE = SEC_RIGHTS_PRIV_RESTORE | 
+					    SEC_DIR_ADD_FILE |
+					    SEC_DIR_ADD_SUBDIR;
+
 	/* combinations of standard masks. */
 	const int STANDARD_RIGHTS_ALL_ACCESS		= SEC_STD_ALL; /* 0x001f0000 */
 	const int STANDARD_RIGHTS_MODIFY_ACCESS		= SEC_STD_READ_CONTROL; /* 0x00020000 */
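Review bot: SEC_RIGHTS_PRIV_BACKUP is built from SEC_GENERIC_READ, the unmapped generic bit, whereas the neighbouring SEC_RIGHTS_DIR_* constants alias the file-specific SEC_RIGHTS_FILE_* sets. If a caller ORs this constant into a mask that has already been through generic mapping, the file-specific read bits would not be covered; whether that matters depends on callers not shown in this hunk. The one-line comment also does not say which privilege yields which constant, so something like `/* access bits implied by the backup / restore privileges independent of the DACL; generic bits still need mapping */` (adjusted to the intended point of use) would make the contract explicit.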
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 7a204b4..4680b17 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -517,8 +517,8 @@ NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs,
 	}
 
 	if (*access_mask & SEC_FLAG_MAXIMUM_ALLOWED) {
-		*access_mask = max_bits;
-		return NT_STATUS_OK;
+		*access_mask |= max_bits;
+		*access_mask &= ~SEC_FLAG_MAXIMUM_ALLOWED;
 	}
 
 	if (uid != 0 && (*access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
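Review bot: With the early `return NT_STATUS_OK` gone, a SEC_FLAG_MAXIMUM_ALLOWED request now falls through to the checks that follow, which is the security-relevant part of this change, yet nothing in the block says so. A comment such as `/* MAXIMUM_ALLOWED only adds the grantable bits; any other requested bits must still pass the checks below */` would keep a later cleanup from restoring the shortcut. max_bits is computed above the hunk, so it is not visible here whether it can contain SEC_FLAG_SYSTEM_SECURITY; if it can, a non-root MAXIMUM_ALLOWED open would now reach the `uid != 0` test on the next line, and that case deserves an explicit torture check. pvfs_access_check_unix starts and ends outside the hunk.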
diff --git a/source4/torture/basic/denytest.c b/source4/torture/basic/denytest.c
index 8decf09..3414edf 100644
--- a/source4/torture/basic/denytest.c
+++ b/source4/torture/basic/denytest.c
@@ -25,6 +25,7 @@
 #include "libcli/security/security.h"
 #include "torture/util.h"
 #include "torture/smbtorture.h"
+#include "libcli/util/clilsa.h"
 #include "cxd_known.h"
 
 extern int torture_failures;
@@ -2663,12 +2664,15 @@ bool torture_createx_access_exhaustive(struct torture_context *tctx,
 bool torture_maximum_allowed(struct torture_context *tctx,
     struct smbcli_state *cli)
 {
-	struct security_descriptor *sd;
+	struct security_descriptor *sd, *sd_orig;
 	union smb_open io = {};
 	static TALLOC_CTX *mem_ctx;
 	int fnum, i;
 	bool ret = true;
 	NTSTATUS status;
+	union smb_fileinfo q;
+	const char *owner_sid;
+	bool has_restore_privilege, has_backup_privilege;
 
 	mem_ctx = talloc_init("torture_maximum_allowed");
 
@@ -2698,10 +2702,44 @@ bool torture_maximum_allowed(struct torture_context *tctx,
 	CHECK_STATUS(status, NT_STATUS_OK);
 	fnum = io.ntcreatex.out.file.fnum;
 
+	/* the correct answers for this test depends on whether the
+	   user has restore privileges. To find that out we first need
+	   to know our SID - get it from the owner_sid of the file we
+	   just created */
+	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
+	q.query_secdesc.in.file.fnum = fnum;
+	q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
+	status = smb_raw_fileinfo(cli->tree, tctx, &q);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	sd_orig = q.query_secdesc.out.sd;
+
+	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
+
+	status = smblsa_sid_check_privilege(cli, 
+					    owner_sid, 
+					    sec_privilege_name(SEC_PRIV_RESTORE));
+	has_restore_privilege = NT_STATUS_IS_OK(status);
+	torture_comment(tctx, "Checked SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
+
+	status = smblsa_sid_check_privilege(cli, 
+					    owner_sid, 
+					    sec_privilege_name(SEC_PRIV_BACKUP));
+	has_backup_privilege = NT_STATUS_IS_OK(status);
+	torture_comment(tctx, "Checked SEC_PRIV_BACKUP - %s\n", has_backup_privilege?"Yes":"No");
+
 	smbcli_close(cli->tree, fnum);
 
 	for (i = 0; i < 32; i++) {
 		uint32_t mask = SEC_FLAG_MAXIMUM_ALLOWED | (1u << i);
+		uint32_t ok_mask = SEC_RIGHTS_FILE_READ | SEC_GENERIC_READ | 
+			SEC_STD_DELETE | SEC_STD_WRITE_DAC;
+
+		if (has_restore_privilege) {
+			ok_mask |= SEC_RIGHTS_PRIV_RESTORE;
+		}
+		if (has_backup_privilege) {
+			ok_mask |= SEC_RIGHTS_PRIV_BACKUP;
+		}
 
 		/* Skip all SACL related tests. */
 		if ((!torture_setting_bool(tctx, "sacl_support", true)) &&
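Review bot: `NT_STATUS_IS_OK(status)` after each smblsa_sid_check_privilege() call treats every failure as "privilege not held", so an LSA connection or lookup error would silently select the unprivileged expectations and surface later as confusing open-status mismatches. Printing the status in the comment line, e.g. `torture_comment(tctx, "Checked SEC_PRIV_RESTORE - %s (%s)\n", has_restore_privilege?"Yes":"No", nt_errstr(status));` and the same for SEC_PRIV_BACKUP, would make the two cases distinguishable. The lookup also assumes the new file's owner SID is the connecting user's SID, which the comment states but the code does not verify. ok_mask does not depend on `i` and could be computed once before the loop. The function body continues outside the hunk.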
@@ -2718,16 +2756,16 @@ bool torture_maximum_allowed(struct torture_context *tctx,
 		io.ntcreatex.in.fname = MAXIMUM_ALLOWED_FILE;
 
 		status = smb_raw_open(cli->tree, mem_ctx, &io);
-		if (mask & SEC_RIGHTS_FILE_READ ||
-		    mask & SEC_GENERIC_READ ||
-		    mask & SEC_STD_DELETE || /* owner gets delete */
-		    mask & SEC_STD_WRITE_DAC || /* and write_dac */
-		    mask & SEC_STD_WRITE_OWNER ||
-		    mask & SEC_FLAG_SYSTEM_SECURITY ||
-		    mask == SEC_FLAG_MAXIMUM_ALLOWED)
+		if (mask & ok_mask ||
+		    mask == SEC_FLAG_MAXIMUM_ALLOWED) {
 			CHECK_STATUS(status, NT_STATUS_OK);
-		else
-			CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+		} else {
+			if (mask & SEC_FLAG_SYSTEM_SECURITY) {
+				CHECK_STATUS(status, NT_STATUS_PRIVILEGE_NOT_HELD);
+			} else {
+				CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+			}
+		}
 
 		fnum = io.ntcreatex.out.file.fnum;
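Review bot: The new else branch expects NT_STATUS_PRIVILEGE_NOT_HELD for SEC_FLAG_SYSTEM_SECURITY and NT_STATUS_ACCESS_DENIED for every other bit, but the reason for the split is not recorded. The removed `/* owner gets delete */` and `/* and write_dac */` remarks also have no counterpart next to ok_mask. A comment such as `/* SACL access is refused for lack of privilege, not by the DACL */` above the inner `if` would cover it, assuming that is the intended server behaviour. The nesting can also be flattened to `} else if (mask & SEC_FLAG_SYSTEM_SECURITY) {`. The loop and the function continue outside the hunk.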
 


-- 
Samba Shared Repository

