[SCM] Samba Shared Repository - branch v4-5-test updated
Karolin Seeger
kseeger at samba.org
Wed Dec 14 15:38:12 UTC 2016
The branch, v4-5-test has been updated
via 80185ce s3: ntlm_auth: Don't corrupt the output stream with debug messages.
via 234de87 s3: torture: Adds regression test case for se_access_check() owner rights issue.
via 0b4e710 lib: security: se_access_check() incorrectly processes owner rights (S-1-3-4) DENY ace entries
via 692f7d0 s3: torture: Regression test case for permissions check on rename.
via 55fb639 s3: smbd: Add missing permissions check on destination folder.
via b6d53b6 s3: smbd: Make check_parent_access() available to rename code.
via f66b4b0 s3: smbd: rename - missing early error exit if source and destination prefixes are different.
from bcc2c63 manpages/vfs_fruit: add warning to fruit:resoure=stream
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test
- Log -----------------------------------------------------------------
commit 80185ce75bf1e12dd810fccada63f8eef331c709
Author: Jeremy Allison <jra at samba.org>
Date: Sat Dec 10 13:56:18 2016 -0800
s3: ntlm_auth: Don't corrupt the output stream with debug messages.
Calling programs expect to cleanly read from STDOUT.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12467
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 9fbd544b90c2b27985637a9bb3fa520f891f8696)
Autobuild-User(v4-5-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-5-test): Wed Dec 14 16:37:10 CET 2016 on sn-devel-144
commit 234de8727ee36197c2a73e7fae38fe4da17cf160
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 8 10:40:27 2016 -0800
s3: torture: Adds regression test case for se_access_check() owner rights issue.
This test passes against Win2K12 but fails against smbd
without the previous commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466
Signed-off-by: Jeremy Allison <jra at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Dec 10 10:11:10 CET 2016 on sn-devel-144
(cherry picked from commit b5c0745b0c99d6cef21b5e7eb695e15aae5d4e38)
commit 0b4e710f9baa35def3e1e9457ea16b900ce9ffca
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 8 10:40:18 2016 -0800
lib: security: se_access_check() incorrectly processes owner rights (S-1-3-4) DENY ace entries
Reported and proposed fix by Shilpa K <shilpa.krishnareddy at gmail.com>.
When processing DENY ACE entries for owner rights SIDs (S-1-3-4) the
code OR's in the deny access mask bits without taking into account if
they were being requested in the requested access mask.
E.g. The current logic has:
An ACL containining:
[0] SID: S-1-3-4
TYPE: DENY
MASK: WRITE_DATA
[1] SID: S-1-3-4
TYPE: ALLOW
MASK: ALLOW_ALL
prohibits an open request by the owner for READ_DATA - even though this
is explicitly allowed.
Furthermore a non-canonical ACL containing:
[0] SID: User SID 1-5-21-something
TYPE: ALLOW
MASK: READ_DATA
[1] SID: S-1-3-4
TYPE: DENY
MASK: READ_DATA
[2] SID: User SID 1-5-21-something
TYPE: ALLOW
MASK: WRITE_DATA
prohibits an open request by the owner for READ_DATA|WRITE_DATA - even
though READ_DATA is explicitly allowed in ACE no 0 and is thus already
filtered out of the "access-still-needed" mask when the deny ACE no 1 is
evaluated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466
Signed-off-by: Jeremy Allison <jra at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 29b02cf22f3c0f2d556408e9e768d68c1efc3b96)
commit 692f7d080d5ae8dd85e1201d886a0e89bdacfde2
Author: Jeremy Allison <jra at samba.org>
Date: Mon Dec 5 14:34:18 2016 -0800
s3: torture: Regression test case for permissions check on rename.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Dec 7 11:52:03 CET 2016 on sn-devel-144
(cherry picked from commit 52fad16f1c20109f352c25832d841ff778b2518a)
commit 55fb639a617f81e74771c69cfbae0c4398206bbe
Author: Jeremy Allison <jra at samba.org>
Date: Mon Dec 5 14:32:55 2016 -0800
s3: smbd: Add missing permissions check on destination folder.
Based on code from Michael Zeis <mzeis.quantum at gmail.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 91b591224ab7f8ea7b4594da9f61efef14353f7f)
commit b6d53b69b390ffeb6f2aafd917c21601301969e4
Author: Jeremy Allison <jra at samba.org>
Date: Mon Dec 5 14:32:03 2016 -0800
s3: smbd: Make check_parent_access() available to rename code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit beb8a73e95e768565760f79c2a16586bafb4e58c)
commit f66b4b06fac16ae3ec6880da529aa63c75388408
Author: Jeremy Allison <jra at samba.org>
Date: Mon Dec 5 14:13:14 2016 -0800
s3: smbd: rename - missing early error exit if source and destination prefixes are different.
Noticed by Michael Zeis <mzeis.quantum at gmail.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 2bfad1c9d3237ad8d174b7dc2d1e6e3c53fdb8dc)
-----------------------------------------------------------------------
Summary of changes:
libcli/security/access_check.c | 2 +-
selftest/skip | 2 +
source3/selftest/tests.py | 7 +-
source3/smbd/open.c | 2 +-
source3/smbd/proto.h | 3 +
source3/smbd/reply.c | 18 ++
source3/torture/torture.c | 578 +++++++++++++++++++++++++++++++++++++++++
source3/utils/ntlm_auth.c | 6 +-
8 files changed, 612 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 2be5928..b4c850b 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -220,7 +220,7 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
owner_rights_allowed |= ace->access_mask;
owner_rights_default = false;
} else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
- owner_rights_denied |= ace->access_mask;
+ owner_rights_denied |= (bits_remaining & ace->access_mask);
owner_rights_default = false;
}
continue;
diff --git a/selftest/skip b/selftest/skip
index ba6718a..a61e970 100644
--- a/selftest/skip
+++ b/selftest/skip
@@ -48,6 +48,8 @@
^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).POSIX-SYMLINK-EA # Fails against the s4 ntvfs server
^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).POSIX-OFD-LOCK # Fails against the s4 ntvfs server
^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).POSIX-STREAM-DELETE # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).RENAME-ACCESS # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).OWNER-RIGHTS # Don't test against the s4 ntvfs server anymore
^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).PIDHIGH # Fails against the s4 ntvfs server
^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).NTTRANS-FSCTL # Fails against the s4 ntvfs server
^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).SMB2-NEGPROT # Fails against the s4 ntvfs server
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 7cfebd6..9a2d586 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -49,7 +49,7 @@ tests = ["FDPASS", "LOCK1", "LOCK2", "LOCK3", "LOCK4", "LOCK5", "LOCK6", "LOCK7"
"OPLOCK1", "OPLOCK2", "OPLOCK4", "STREAMERROR",
"DIR", "DIR1", "DIR-CREATETIME", "TCON", "TCONDEV", "RW1", "RW2", "RW3", "LARGE_READX", "RW-SIGNING",
"OPEN", "XCOPY", "RENAME", "DELETE", "DELETE-LN", "WILDDELETE", "PROPERTIES", "W2K",
- "TCON2", "IOCTL", "CHKPATH", "FDSESS", "CHAIN1", "CHAIN2",
+ "TCON2", "IOCTL", "CHKPATH", "FDSESS", "CHAIN1", "CHAIN2", "OWNER-RIGHTS",
"CHAIN3", "PIDHIGH",
"GETADDRINFO", "UID-REGRESSION-TEST", "SHORTNAME-TEST",
"CASE-INSENSITIVE-CREATE", "SMB2-BASIC", "NTTRANS-FSCTL", "SMB2-NEGPROT",
@@ -68,6 +68,11 @@ for t in tests:
plantestsuite("samba3.smbtorture_s3.crypt_server(nt4_dc).%s" % t, "nt4_dc", [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//$SERVER_IP/tmpenc', '$USERNAME', '$PASSWORD', smbtorture3, "", "-l $LOCAL_PATH"])
plantestsuite("samba3.smbtorture_s3.plain(ad_dc_ntvfs).%s" % t, "ad_dc_ntvfs", [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//$SERVER_IP/tmp', '$USERNAME', '$PASSWORD', smbtorture3, "", "-l $LOCAL_PATH"])
+#
+# RENAME-ACCESS needs to run against a special share - acl_xattr_ign_sysacl_windows
+#
+plantestsuite("samba3.smbtorture_s3.plain(nt4_dc).%s" % "RENAME-ACCESS","nt4_dc", [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), "RENAME-ACCESS", '//$SERVER_IP/acl_xattr_ign_sysacl_windows', '$USERNAME', '$PASSWORD', smbtorture3, "", "-l $LOCAL_PATH"])
+plantestsuite("samba3.smbtorture_s3.crypt_client(nt4_dc).%s" % "RENAME-ACCESS", "nt4_dc", [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), "RENAME-ACCESS", '//$SERVER_IP/acl_xattr_ign_sysacl_windows', '$USERNAME', '$PASSWORD', smbtorture3, "-e", "-l $LOCAL_PATH"])
# non-crypt only
tests = ["OPLOCK-CANCEL"]
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 9d10d19..e9bfdec 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -235,7 +235,7 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
return NT_STATUS_OK;
}
-static NTSTATUS check_parent_access(struct connection_struct *conn,
+NTSTATUS check_parent_access(struct connection_struct *conn,
struct smb_filename *smb_fname,
uint32_t access_mask)
{
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 352d28c..50ede9d 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -642,6 +642,9 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
const struct smb_filename *smb_fname,
bool use_privs,
uint32_t access_mask);
+NTSTATUS check_parent_access(struct connection_struct *conn,
+ struct smb_filename *smb_fname,
+ uint32_t access_mask);
NTSTATUS fd_open(struct connection_struct *conn, files_struct *fsp,
int flags, mode_t mode);
NTSTATUS fd_close(files_struct *fsp);
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 0aec433..6acbaca 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -6615,6 +6615,7 @@ NTSTATUS rename_internals_fsp(connection_struct *conn,
struct smb_filename *smb_fname_dst = NULL;
NTSTATUS status = NT_STATUS_OK;
struct share_mode_lock *lck = NULL;
+ uint32_t access_mask = SEC_DIR_ADD_FILE;
bool dst_exists, old_is_stream, new_is_stream;
status = check_name(conn, smb_fname_dst_in->base_name);
@@ -6812,6 +6813,23 @@ NTSTATUS rename_internals_fsp(connection_struct *conn,
if (rename_path_prefix_equal(fsp->fsp_name, smb_fname_dst)) {
status = NT_STATUS_ACCESS_DENIED;
+ goto out;
+ }
+
+ /* Do we have rights to move into the destination ? */
+ if (S_ISDIR(fsp->fsp_name->st.st_ex_mode)) {
+ /* We're moving a directory. */
+ access_mask = SEC_DIR_ADD_SUBDIR;
+ }
+ status = check_parent_access(conn,
+ smb_fname_dst,
+ access_mask);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_INFO("check_parent_access on "
+ "dst %s returned %s\n",
+ smb_fname_str_dbg(smb_fname_dst),
+ nt_errstr(status));
+ goto out;
}
lck = get_existing_share_mode_lock(talloc_tos(), fsp->file_id);
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index ecacd1a..c978741 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -4898,6 +4898,582 @@ static bool run_rename(int dummy)
return correct;
}
+/*
+ Test rename into a directory with an ACL denying it.
+ */
+static bool run_rename_access(int dummy)
+{
+ static struct cli_state *cli = NULL;
+ static struct cli_state *posix_cli = NULL;
+ const char *src = "test.txt";
+ const char *dname = "dir";
+ const char *dst = "dir\\test.txt";
+ const char *dsrc = "test.dir";
+ const char *ddst = "dir\\test.dir";
+ uint16_t fnum = (uint16_t)-1;
+ struct security_descriptor *sd = NULL;
+ struct security_descriptor *newsd = NULL;
+ NTSTATUS status;
+ TALLOC_CTX *frame = NULL;
+
+ frame = talloc_stackframe();
+ printf("starting rename access test\n");
+
+ /* Windows connection. */
+ if (!torture_open_connection(&cli, 0)) {
+ goto fail;
+ }
+
+ smbXcli_conn_set_sockopt(cli->conn, sockops);
+
+ /* Posix connection. */
+ if (!torture_open_connection(&posix_cli, 0)) {
+ goto fail;
+ }
+
+ smbXcli_conn_set_sockopt(posix_cli->conn, sockops);
+
+ status = torture_setup_unix_extensions(posix_cli);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ /* Start with a clean slate. */
+ cli_unlink(cli, src, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN);
+ cli_unlink(cli, dst, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN);
+ cli_rmdir(cli, dsrc);
+ cli_rmdir(cli, ddst);
+ cli_rmdir(cli, dname);
+
+ /*
+ * Setup the destination directory with a DENY ACE to
+ * prevent new files within it.
+ */
+ status = cli_ntcreate(cli,
+ dname,
+ 0,
+ FILE_READ_ATTRIBUTES|READ_CONTROL_ACCESS|
+ WRITE_DAC_ACCESS|FILE_READ_DATA|
+ WRITE_OWNER_ACCESS,
+ FILE_ATTRIBUTE_DIRECTORY,
+ FILE_SHARE_READ|FILE_SHARE_WRITE,
+ FILE_CREATE,
+ FILE_DIRECTORY_FILE,
+ 0,
+ &fnum,
+ NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("Create of %s - %s\n", dname, nt_errstr(status));
+ goto fail;
+ }
+
+ status = cli_query_secdesc(cli,
+ fnum,
+ frame,
+ &sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("cli_query_secdesc failed for %s (%s)\n",
+ dname, nt_errstr(status));
+ goto fail;
+ }
+
+ newsd = security_descriptor_dacl_create(frame,
+ 0,
+ NULL,
+ NULL,
+ SID_WORLD,
+ SEC_ACE_TYPE_ACCESS_DENIED,
+ SEC_DIR_ADD_FILE|SEC_DIR_ADD_SUBDIR,
+ 0,
+ NULL);
+ if (newsd == NULL) {
+ goto fail;
+ }
+ sd->dacl = security_acl_concatenate(frame,
+ newsd->dacl,
+ sd->dacl);
+ if (sd->dacl == NULL) {
+ goto fail;
+ }
+ status = cli_set_secdesc(cli, fnum, sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("cli_set_secdesc failed for %s (%s)\n",
+ dname, nt_errstr(status));
+ goto fail;
+ }
+ status = cli_close(cli, fnum);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("close failed for %s (%s)\n",
+ dname, nt_errstr(status));
+ goto fail;
+ }
+ /* Now go around the back and chmod to 777 via POSIX. */
+ status = cli_posix_chmod(posix_cli, dname, 0777);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("cli_posix_chmod failed for %s (%s)\n",
+ dname, nt_errstr(status));
+ goto fail;
+ }
+
+ /* Check we can't create a file within dname via Windows. */
+ status = cli_openx(cli, dst, O_RDWR|O_CREAT|O_EXCL, DENY_NONE, &fnum);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ cli_close(posix_cli, fnum);
+ printf("Create of %s should be ACCESS denied, was %s\n",
+ dst, nt_errstr(status));
+ goto fail;
+ }
+
+ /* Make the sample file/directory. */
+ status = cli_openx(cli, src, O_RDWR|O_CREAT|O_EXCL, DENY_NONE, &fnum);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("open of %s failed (%s)\n", src, nt_errstr(status));
+ goto fail;
+ }
+ status = cli_close(cli, fnum);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("cli_close failed (%s)\n", nt_errstr(status));
+ goto fail;
+ }
+
+ status = cli_mkdir(cli, dsrc);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("cli_mkdir of %s failed (%s)\n",
+ dsrc, nt_errstr(status));
+ goto fail;
+ }
+
+ /*
+ * OK - renames of the new file and directory into the
+ * dst directory should fail.
+ */
+
+ status = cli_rename(cli, src, dst);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ printf("rename of %s -> %s should be ACCESS denied, was %s\n",
+ src, dst, nt_errstr(status));
+ goto fail;
+ }
+ status = cli_rename(cli, dsrc, ddst);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ printf("rename of %s -> %s should be ACCESS denied, was %s\n",
+ src, dst, nt_errstr(status));
+ goto fail;
+ }
+
+ TALLOC_FREE(frame);
+ return true;
+
+ fail:
+
+ if (posix_cli) {
+ torture_close_connection(posix_cli);
+ }
+
+ if (cli) {
+ if (fnum != -1) {
+ cli_close(cli, fnum);
+ }
+ cli_unlink(cli, src,
+ FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN);
+ cli_unlink(cli, dst,
+ FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN);
+ cli_rmdir(cli, dsrc);
+ cli_rmdir(cli, ddst);
+ cli_rmdir(cli, dname);
+
+ torture_close_connection(cli);
+ }
+
+ TALLOC_FREE(frame);
+ return false;
+}
+
+/*
+ Test owner rights ACE.
+ */
+static bool run_owner_rights(int dummy)
+{
+ static struct cli_state *cli = NULL;
+ const char *fname = "owner_rights.txt";
+ uint16_t fnum = (uint16_t)-1;
+ struct security_descriptor *sd = NULL;
+ struct security_descriptor *newsd = NULL;
+ NTSTATUS status;
+ TALLOC_CTX *frame = NULL;
+
+ frame = talloc_stackframe();
+ printf("starting owner rights test\n");
+
+ /* Windows connection. */
+ if (!torture_open_connection(&cli, 0)) {
+ goto fail;
+ }
+
+ smbXcli_conn_set_sockopt(cli->conn, sockops);
+
+ /* Start with a clean slate. */
+ cli_unlink(cli, fname, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN);
+
+ /* Create the test file. */
+ /* Now try and open for read and write-dac. */
+ status = cli_ntcreate(cli,
+ fname,
+ 0,
+ GENERIC_ALL_ACCESS,
+ FILE_ATTRIBUTE_NORMAL,
+ FILE_SHARE_READ|FILE_SHARE_WRITE|
+ FILE_SHARE_DELETE,
+ FILE_CREATE,
+ 0,
+ 0,
+ &fnum,
+ NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("Create of %s - %s\n", fname, nt_errstr(status));
+ goto fail;
+ }
+
+ /* Get the original SD. */
+ status = cli_query_secdesc(cli,
+ fnum,
+ frame,
+ &sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("cli_query_secdesc failed for %s (%s)\n",
+ fname, nt_errstr(status));
+ goto fail;
+ }
+
+ /*
+ * Add an "owner-rights" ACE denying WRITE_DATA,
+ * and an "owner-rights" ACE allowing READ_DATA.
+ */
+
+ newsd = security_descriptor_dacl_create(frame,
+ 0,
+ NULL,
+ NULL,
+ SID_OWNER_RIGHTS,
+ SEC_ACE_TYPE_ACCESS_DENIED,
+ FILE_WRITE_DATA,
+ 0,
+ SID_OWNER_RIGHTS,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ FILE_READ_DATA,
+ 0,
+ NULL);
+ if (newsd == NULL) {
+ goto fail;
+ }
+ sd->dacl = security_acl_concatenate(frame,
+ newsd->dacl,
+ sd->dacl);
+ if (sd->dacl == NULL) {
+ goto fail;
+ }
+ status = cli_set_secdesc(cli, fnum, sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("cli_set_secdesc failed for %s (%s)\n",
+ fname, nt_errstr(status));
+ goto fail;
+ }
+ status = cli_close(cli, fnum);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("close failed for %s (%s)\n",
+ fname, nt_errstr(status));
+ goto fail;
+ }
+ fnum = (uint16_t)-1;
+
+ /* Try and open for FILE_WRITE_DATA */
+ status = cli_ntcreate(cli,
+ fname,
+ 0,
+ FILE_WRITE_DATA,
+ FILE_ATTRIBUTE_NORMAL,
+ FILE_SHARE_READ|FILE_SHARE_WRITE|
+ FILE_SHARE_DELETE,
+ FILE_OPEN,
+ 0,
+ 0,
+ &fnum,
+ NULL);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ printf("Open of %s - %s\n", fname, nt_errstr(status));
+ goto fail;
+ }
+
+ /* Now try and open for FILE_READ_DATA */
+ status = cli_ntcreate(cli,
+ fname,
+ 0,
+ FILE_READ_DATA,
+ FILE_ATTRIBUTE_NORMAL,
+ FILE_SHARE_READ|FILE_SHARE_WRITE|
+ FILE_SHARE_DELETE,
+ FILE_OPEN,
+ 0,
+ 0,
+ &fnum,
+ NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("Open of %s - %s\n", fname, nt_errstr(status));
+ goto fail;
+ }
+
+ status = cli_close(cli, fnum);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("close failed for %s (%s)\n",
+ fname, nt_errstr(status));
+ goto fail;
+ }
+
+ /* Restore clean slate. */
+ TALLOC_FREE(sd);
+ cli_unlink(cli, fname, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN);
+
+ /* Create the test file. */
+ status = cli_ntcreate(cli,
+ fname,
+ 0,
+ GENERIC_ALL_ACCESS,
+ FILE_ATTRIBUTE_NORMAL,
+ FILE_SHARE_READ|FILE_SHARE_WRITE|
+ FILE_SHARE_DELETE,
+ FILE_CREATE,
+ 0,
+ 0,
+ &fnum,
+ NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("Create of %s - %s\n", fname, nt_errstr(status));
+ goto fail;
+ }
+
+ /* Get the original SD. */
+ status = cli_query_secdesc(cli,
+ fnum,
+ frame,
+ &sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("cli_query_secdesc failed for %s (%s)\n",
+ fname, nt_errstr(status));
+ goto fail;
+ }
+
+ /*
+ * Add an "owner-rights ACE denying WRITE_DATA,
+ * and an "owner-rights ACE allowing READ_DATA|WRITE_DATA.
+ */
+
+ newsd = security_descriptor_dacl_create(frame,
+ 0,
+ NULL,
+ NULL,
+ SID_OWNER_RIGHTS,
+ SEC_ACE_TYPE_ACCESS_DENIED,
+ FILE_WRITE_DATA,
+ 0,
+ SID_OWNER_RIGHTS,
--
Samba Shared Repository
More information about the samba-cvs
mailing list