[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Tue Apr 21 20:18:03 UTC 2020


The branch, master has been updated
       via  1ebec7056bd s3: smbd: Refuse open in create_file_unixpath() with only SEC_FLAG_SYSTEM_SECURITY set.
       via  d53c3f2b837 s3: smbd: Reformat code in SEC_FLAG_SYSTEM_SECURITY check in create_file_unixpath().
       via  21b8857919d smbd: Ensure SEC_FLAG_SYSTEM_SECURITY also opens the underlying fd.
       via  fff86ad49a1 smbd: use helper variables in open_file()
       via  81b26559cdc s3: smbd: When writing a security descriptor SACL, ensure both SEC_FLAG_SYSTEM_SECURITY|SEC_STD_WRITE_DAC are set.
       via  b338636a1e8 s3: torture: Call the smbtorture3 SMB2-SACL test.
       via  ad5f6b82c39 s3: torture: Add a basic SMB2 SACL test.
       via  3f7821c98da s3: torture: Run the SMB1-SYSTEM-SECURITY test.
       via  f3f81e8f28a s3: torture: Add an SMB1-specific test SMB1-SYSTEM-SECURITY.
      from  5651fafe985 dbwrap_watch: Set rec->value_valid while returning nested share_mode_do_locked()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1ebec7056bdf4b268b0a070d70b5a94093147f19
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Apr 17 14:23:07 2020 -0700

    s3: smbd: Refuse open in create_file_unixpath() with only SEC_FLAG_SYSTEM_SECURITY set.
    
    We now pass smbtorture3 SMB2-SACL like Windows 10 does.
    Note this is an SMB2-only behavior. SMB1 allows an open
    with only SEC_FLAG_SYSTEM_SECURITY set as tested in
    smbtorture3 SMB1-SYSTEM-SECURITY.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Tue Apr 21 20:17:10 UTC 2020 on sn-devel-184

commit d53c3f2b8376ffc743455e3300f38c15d9b87335
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Apr 17 14:20:13 2020 -0700

    s3: smbd: Reformat code in SEC_FLAG_SYSTEM_SECURITY check in create_file_unixpath().
    
    No logic change but uses modern formatting and will
    make it easier to add another clause in the next commit.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 21b8857919d7a023d31c2e75221517727178f69f
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Apr 17 14:16:36 2020 -0700

    smbd: Ensure SEC_FLAG_SYSTEM_SECURITY also opens the underlying fd.
    
    smbtorture3 SMB2-SACL test shows this is needed as we store the SACL in the same
    data store as the DACL.
    
    Without this, opening a file with SEC_FLAG_SYSTEM_SECURITY | READ_ATTRIBUTES
    would do a stat open, meaning when we call SMB_VFS_FGET_NT_ACL()
    on the fsp we have no open fd to work on.
    
    Pair-Programmed-With: Jeremy Allison <jra at samba.org>
    Signed-off-by: Ralph Boehme <slow at samba.org>

commit fff86ad49a1b50c8d74ede4a66a90add1d338d76
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Mar 4 10:54:18 2020 +0100

    smbd: use helper variables in open_file()
    
    Simplify an if expression by using helper variables, no change in behaviour.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>

commit 81b26559cdc4aac974c2f98571f9a6d24a0d795d
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Apr 17 14:14:38 2020 -0700

    s3: smbd: When writing a security descriptor SACL, ensure both SEC_FLAG_SYSTEM_SECURITY|SEC_STD_WRITE_DAC are set.
    
    smbtorture3 SMB2-SACL tests this against Windows 10 (and Samba).
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit b338636a1e8a5d426728c5fea1515642ef7ca881
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Apr 17 17:39:22 2020 -0700

    s3: torture: Call the smbtorture3 SMB2-SACL test.
    
    Calls the test in the previous commit by adding
    SeSecurityPrivilege first, running the SMB2-SACL test
    then removing SeSecurityPrivilege.
    
    Demonstrates the difference between server behavior
    with SEC_FLAG_SYSTEM_SECURITY against SMB1 and SMB2 servers.
    
    Mark as knownfail for now.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit ad5f6b82c39bd0905aa26514ef239f6161612b11
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Apr 17 11:46:49 2020 -0700

    s3: torture: Add a basic SMB2 SACL test.
    
    Shows bits needed to set/get a SACL.  We need a script within Samba to run this
    as it depends on a user with SeSecurityPrivilege to work.
    
    Test does the following:
    
    1). Create a test file.
    2). Open with SEC_FLAG_SYSTEM_SECURITY *only*. ACCESS_DENIED.
        NB. SMB2-only behavior. SMB1 allows this as tested in SMB1-SYSTEM-SECURITY.
    3). Open with SEC_FLAG_SYSTEM_SECURITY|FILE_WRITE_ATTRIBUTES.
    4). Write SACL. Should fail with ACCESS_DENIED (seems to need WRITE_DAC).
    5). Close (3).
    6). Open with SEC_FLAG_SYSTEM_SECURITY|SEC_STD_WRITE_DAC.
    7). Write SACL. Success.
    8). Close (4).
    9). Open with SEC_FLAG_SYSTEM_SECURITY|READ_ATTRIBUTES.
    10). Read SACL. Success.
    11). Read DACL. Should fail with ACCESS_DENIED (no READ_CONTROL).
    12). Close (9).
    13 - and on error). Delete test file.
    
    Passes against Windows 10.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 3f7821c98da962db053f075df6619ba0e6a54e90
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Apr 17 17:36:10 2020 -0700

    s3: torture: Run the SMB1-SYSTEM-SECURITY test.
    
    Calls the test in the previous commit by adding
    SeSecurityPrivilege first, running the SMB1-SYSTEM-SECURITY
    test then removing SeSecurityPrivilege.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit f3f81e8f28afa524fddb8308382cce590c049de2
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Apr 17 15:48:09 2020 -0700

    s3: torture: Add an SMB1-specific test SMB1-SYSTEM-SECURITY.
    
    NB. This is also tested in samba3.base.createx_access
    but this makes it very explicit what we're looking for.
    
    Shows SMB1 allows explicit open of a file with only
    the SEC_FLAG_SYSTEM_SECURITY access mask requested.
    SMB2 doesn't.
    
    Requires a Windows 10 system with a user with
    SeSecurityPrivilege set. Passes against Windows 10
    with SMB1 enabled.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/script/tests/test_sacl_set_get.sh         |  44 +++
 source3/script/tests/test_smb1_system_security.sh |  43 +++
 source3/selftest/tests.py                         |   6 +
 source3/smbd/nttrans.c                            |   7 +
 source3/smbd/open.c                               |  54 +++-
 source3/torture/proto.h                           |   1 +
 source3/torture/test_smb2.c                       | 336 ++++++++++++++++++++++
 source3/torture/torture.c                         | 102 +++++++
 8 files changed, 579 insertions(+), 14 deletions(-)
 create mode 100755 source3/script/tests/test_sacl_set_get.sh
 create mode 100755 source3/script/tests/test_smb1_system_security.sh


Changeset truncated at 500 lines:

diff --git a/source3/script/tests/test_sacl_set_get.sh b/source3/script/tests/test_sacl_set_get.sh
new file mode 100755
index 00000000000..68a9057d4ce
--- /dev/null
+++ b/source3/script/tests/test_sacl_set_get.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+#
+# Runs the smbtorture3 SMB2-SACL test
+# that requres SeSecurityPrivilege
+# against Samba.
+#
+
+if [ $# -lt 7 ]; then
+    echo "Usage: $0 SERVER SERVER_IP USERNAME PASSWORD SMBTORTURE3 NET SHARE"
+    exit 1
+fi
+
+SERVER="$1"
+SERVER_IP="$2"
+USERNAME="$3"
+PASSWORD="$4"
+SMBTORTURE3="$5"
+NET="$6"
+SHARE="$7"
+
+failed=0
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+sacl_set_get() {
+    out=$($SMBTORTURE3 //$SERVER_IP/$SHARE -U $USERNAME%$PASSWORD SMB2-SACL)
+    if [ $? -ne 0 ] ; then
+	echo "SMB2-SACL failed"
+	echo "$out"
+	return 1
+    fi
+}
+
+# Grant SeSecurityPrivilege to the user
+testit "grant SeSecurityPrivilege" $NET rpc rights grant $USERNAME SeSecurityPrivilege -U $USERNAME%$PASSWORD -I $SERVER_IP || failed=`expr $failed + 1`
+
+# Run the tests.
+testit "SACL set_get" sacl_set_get || failed=`expr $failed + 1`
+
+# Revoke SeSecurityPrivilege
+testit "revoke SeSecurityPrivilege" $NET rpc rights revoke $USERNAME SeSecurityPrivilege -U $USERNAME%$PASSWORD -I $SERVER_IP || failed=`expr $failed + 1`
+
+exit $failed
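Review bot: The revoke at the end of this script only runs if the shell reaches that line, so an interrupted run leaves SeSecurityPrivilege granted to $USERNAME on the test server; consider installing a trap right after the grant that performs the `rpc rights revoke`. Relatedly, when the grant `testit` fails the script still runs `sacl_set_get`, which then reports a second, misleading failure; skip the test in that case. Smaller points: `SERVER` is assigned from `$1` but never used, `$USERNAME%$PASSWORD` is expanded unquoted so a password containing whitespace or glob characters would be word-split, and the header comment has "requres" for "requires".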
diff --git a/source3/script/tests/test_smb1_system_security.sh b/source3/script/tests/test_smb1_system_security.sh
new file mode 100755
index 00000000000..4c678b364f4
--- /dev/null
+++ b/source3/script/tests/test_smb1_system_security.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+#
+# Runs the smbtorture3 SMB1-SYSTEM-SECURITY test
+# that requres SeSecurityPrivilege against Samba.
+#
+
+if [ $# -lt 7 ]; then
+    echo "Usage: $0 SERVER SERVER_IP USERNAME PASSWORD SMBTORTURE3 NET SHARE"
+    exit 1
+fi
+
+SERVER="$1"
+SERVER_IP="$2"
+USERNAME="$3"
+PASSWORD="$4"
+SMBTORTURE3="$5"
+NET="$6"
+SHARE="$7"
+
+failed=0
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+smb1_system_security() {
+    out=$($SMBTORTURE3 //$SERVER_IP/$SHARE -U $USERNAME%$PASSWORD -mNT1 SMB1-SYSTEM-SECURITY)
+    if [ $? -ne 0 ] ; then
+	echo "SMB1-SYSTEM-SECURITY failed"
+	echo "$out"
+	return 1
+    fi
+}
+
+# Grant SeSecurityPrivilege to the user
+testit "grant SeSecurityPrivilege" $NET rpc rights grant $USERNAME SeSecurityPrivilege -U $USERNAME%$PASSWORD -I $SERVER_IP || failed=`expr $failed + 1`
+
+# Run the test.
+testit "smb1-system-secuirity" smb1_system_security || failed=`expr $failed + 1`
+
+# Revoke SeSecurityPrivilege
+testit "revoke SeSecurityPrivilege" $NET rpc rights revoke $USERNAME SeSecurityPrivilege -U $USERNAME%$PASSWORD -I $SERVER_IP || failed=`expr $failed + 1`
+
+exit $failed
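Review bot: The label in `testit "smb1-system-secuirity" smb1_system_security` is misspelled, and since that string is the name the test is reported under, any knownfail or filter entry would have to repeat the misspelling; rename it to `smb1-system-security`. Apart from the `-mNT1` option and the test name, this file is a copy of test_sacl_set_get.sh (including the unused `SERVER` and the "requres" typo), so a single script taking the protocol option and test name as extra arguments would avoid maintaining the grant/revoke logic twice.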
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 568434a208c..a536a473cb5 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -412,6 +412,12 @@ for env in ["fileserver"]:
     plantestsuite("samba3.blackbox.timestamps", env,
                   [os.path.join(samba3srcdir, "script/tests/test_timestamps.sh"),
                    '$SERVER_IP', '$USERNAME', '$PASSWORD', '$LOCAL_PATH', smbclient3])
+    plantestsuite("samba3.blackbox.smb1_system_security", env + "_smb1_done",
+                  [os.path.join(samba3srcdir, "script/tests/test_smb1_system_security.sh"),
+                   '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', smbtorture3, net, 'tmp'])
+    plantestsuite("samba3.blackbox.sacl_get_set", env,
+                  [os.path.join(samba3srcdir, "script/tests/test_sacl_set_get.sh"),
+                   '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', smbtorture3, net, 'tmp'])
 
     #
     # tar command tests
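Review bot: The second suite is registered as `samba3.blackbox.sacl_get_set` while the script it runs is `test_sacl_set_get.sh` and its inner test is labelled "SACL set_get"; pick one word order so the suite can be found by grepping for the script name. A short comment on why the SMB1 suite uses `env + "_smb1_done"` while the SACL suite uses plain `env` would also help, since both scripts grant and revoke the same privilege for the same `$USERNAME`.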
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index f7e313d6edf..66bcebf1313 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -950,6 +950,13 @@ NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
 		if (!(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
 			return NT_STATUS_ACCESS_DENIED;
 		}
+		/*
+		 * Setting a SACL also requires WRITE_DAC.
+		 * See the smbtorture3 SMB2-SACL test.
+		 */
+		if (!(fsp->access_mask & SEC_STD_WRITE_DAC)) {
+			return NT_STATUS_ACCESS_DENIED;
+		}
 		/* Convert all the generic bits. */
 		if (psd->sacl) {
 			security_acl_map_generic(psd->sacl, &file_generic_mapping);
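Review bot: The new `SEC_STD_WRITE_DAC` check in set_sd() has no protocol condition around it, but the only evidence cited in the comment is the smbtorture3 SMB2-SACL test, and the rest of this series shows SMB1 and SMB2 differing in how SEC_FLAG_SYSTEM_SECURITY is handled. Please confirm (ideally with an SMB1 test) that Windows also refuses an SMB1 SACL set on a handle without WRITE_DAC, or make the check conditional. The comment could also say this is observed Windows 10 behaviour, since the test itself words it as "seems to need WRITE_DAC".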
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index b2d0455ba43..ecb46d75215 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1150,6 +1150,17 @@ static NTSTATUS open_file(files_struct *fsp,
 	int accmode = (flags & O_ACCMODE);
 	int local_flags = flags;
 	bool file_existed = VALID_STAT(fsp->fsp_name->st);
+	uint32_t need_fd_mask =
+		FILE_READ_DATA |
+		FILE_WRITE_DATA |
+		FILE_APPEND_DATA |
+		FILE_EXECUTE |
+		WRITE_DAC_ACCESS |
+		WRITE_OWNER_ACCESS |
+		SEC_FLAG_SYSTEM_SECURITY |
+		READ_CONTROL_ACCESS;
+	bool creating = !file_existed && (flags & O_CREAT);
+	bool truncating = (flags & O_TRUNC);
 
 	fsp->fh->fd = -1;
 	errno = EPERM;
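Review bot: `creating` and `truncating` are computed once from `flags` at declaration, whereas the expression they replace further down tested `local_flags & O_CREAT` and `local_flags & O_TRUNC` at the point of the `if`. The commit message claims no change in behaviour, so please confirm that nothing between the declarations and the `if` clears O_CREAT or O_TRUNC from `local_flags`, or compute the helpers from `local_flags` immediately before the condition. `need_fd_mask` never changes and could be `const`, and the addition of `SEC_FLAG_SYSTEM_SECURITY` to it deserves a one-line comment saying the SACL is fetched through the open fd.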
@@ -1201,12 +1212,7 @@ static NTSTATUS open_file(files_struct *fsp,
 		local_flags = (flags & ~O_ACCMODE)|O_RDWR;
 	}
 
-	if ((open_access_mask & (FILE_READ_DATA|FILE_WRITE_DATA|
-				 FILE_APPEND_DATA|FILE_EXECUTE|
-				 WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|
-				 READ_CONTROL_ACCESS))||
-	    (!file_existed && (local_flags & O_CREAT)) ||
-	    ((local_flags & O_TRUNC) == O_TRUNC) ) {
+	if ((open_access_mask & need_fd_mask) || creating || truncating) {
 		const char *wild;
 		int ret;
 
@@ -1220,6 +1226,7 @@ static NTSTATUS open_file(files_struct *fsp,
 		if (file_existed && S_ISFIFO(smb_fname->st.st_ex_mode)) {
 			local_flags &= ~O_TRUNC; /* Can't truncate a FIFO. */
 			local_flags |= O_NONBLOCK;
+			truncating = false;
 		}
 #endif
 
@@ -5413,14 +5420,33 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
 		}
 	}
 
-	if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&
-			!security_token_has_privilege(get_current_nttok(conn),
-					SEC_PRIV_SECURITY)) {
-		DEBUG(10, ("create_file_unixpath: open on %s "
-			"failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
-			smb_fname_str_dbg(smb_fname)));
-		status = NT_STATUS_PRIVILEGE_NOT_HELD;
-		goto fail;
+	if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
+		bool ok;
+
+		ok = security_token_has_privilege(get_current_nttok(conn),
+						  SEC_PRIV_SECURITY);
+		if (!ok) {
+			DBG_DEBUG("open on %s failed - "
+				"SEC_FLAG_SYSTEM_SECURITY denied.\n",
+				smb_fname_str_dbg(smb_fname));
+			status = NT_STATUS_PRIVILEGE_NOT_HELD;
+			goto fail;
+		}
+
+		if (conn->sconn->using_smb2 &&
+		    (access_mask == SEC_FLAG_SYSTEM_SECURITY))
+		{
+			/*
+			 * No other bits set. Windows SMB2 refuses this.
+			 * See smbtorture3 SMB2-SACL test.
+			 *
+			 * Note this is an SMB2-only behavior,
+			 * smbtorture3 SMB1-SYSTEM-SECURITY already tests
+			 * that SMB1 allows this.
+			 */
+			status = NT_STATUS_ACCESS_DENIED;
+			goto fail;
+		}
 	}
 
 	/*
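Review bot: The new SMB2-only branch returns NT_STATUS_ACCESS_DENIED without logging anything, while the privilege failure just above it emits a DBG_DEBUG; add an equivalent message naming the file so the two refusals can be told apart in a debug log. The comparison `access_mask == SEC_FLAG_SYSTEM_SECURITY` is an exact match, so the comment should also say whether a request that combines SEC_FLAG_SYSTEM_SECURITY with only generic or MAXIMUM_ALLOWED bits is meant to pass this check.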
diff --git a/source3/torture/proto.h b/source3/torture/proto.h
index 73a28991735..bae58ef9659 100644
--- a/source3/torture/proto.h
+++ b/source3/torture/proto.h
@@ -103,6 +103,7 @@ bool run_smb2_session_reauth(int dummy);
 bool run_smb2_ftruncate(int dummy);
 bool run_smb2_dir_fsync(int dummy);
 bool run_smb2_path_slash(int dummy);
+bool run_smb2_sacl(int dummy);
 bool run_chain3(int dummy);
 bool run_local_conv_auth_info(int dummy);
 bool run_local_sprintf_append(int dummy);
diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c
index 4e6d103b339..52f1c397623 100644
--- a/source3/torture/test_smb2.c
+++ b/source3/torture/test_smb2.c
@@ -29,6 +29,7 @@
 #include "auth_generic.h"
 #include "../librpc/ndr/libndr.h"
 #include "libsmb/clirap.h"
+#include "libsmb/cli_smb2_fnum.h"
 
 extern fstring host, workgroup, share, password, username, myname;
 extern struct cli_credentials *torture_creds;
@@ -2540,3 +2541,338 @@ bool run_smb2_path_slash(int dummy)
 	(void)cli_unlink(cli, fname_noslash, 0);
 	return true;
 }
+
+/*
+ * NB. This can only work against a server where
+ * the connecting user has been granted SeSecurityPrivilege.
+ *
+ *  1). Create a test file.
+ *  2). Open with SEC_FLAG_SYSTEM_SECURITY *only*. ACCESS_DENIED -
+ *             NB. SMB2-only behavior.
+ *  3). Open with SEC_FLAG_SYSTEM_SECURITY|FILE_WRITE_ATTRIBUTES.
+ *  4). Write SACL. Should fail with ACCESS_DENIED (seems to need WRITE_DAC).
+ *  5). Close (3).
+ *  6). Open with SEC_FLAG_SYSTEM_SECURITY|SEC_STD_WRITE_DAC.
+ *  7). Write SACL. Success.
+ *  8). Close (4).
+ *  9). Open with SEC_FLAG_SYSTEM_SECURITY|READ_ATTRIBUTES.
+ *  10). Read SACL. Success.
+ *  11). Read DACL. Should fail with ACCESS_DENIED (no READ_CONTROL).
+ *  12). Close (9).
+ */
+
+bool run_smb2_sacl(int dummy)
+{
+	struct cli_state *cli = NULL;
+	NTSTATUS status;
+	struct security_descriptor *sd_dacl = NULL;
+	struct security_descriptor *sd_sacl = NULL;
+	const char *fname = "sacl_test_file";
+	uint16_t fnum = (uint16_t)-1;
+
+	printf("Starting SMB2-SACL\n");
+
+	if (!torture_init_connection(&cli)) {
+		return false;
+	}
+
+	status = smbXcli_negprot(cli->conn,
+				cli->timeout,
+				PROTOCOL_SMB2_02,
+				PROTOCOL_SMB3_11);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("smbXcli_negprot returned %s\n", nt_errstr(status));
+		return false;
+	}
+
+	status = cli_session_setup_creds(cli, torture_creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("cli_session_setup returned %s\n", nt_errstr(status));
+		return false;
+	}
+
+	status = cli_tree_connect(cli, share, "?????", NULL);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("cli_tree_connect returned %s\n", nt_errstr(status));
+		return false;
+	}
+
+	(void)cli_unlink(cli, fname, 0);
+
+	/* First create a file. */
+	status = cli_ntcreate(cli,
+				fname,
+				0,
+				GENERIC_ALL_ACCESS,
+				FILE_ATTRIBUTE_NORMAL,
+				FILE_SHARE_NONE,
+				FILE_CREATE,
+				0,
+				0,
+				&fnum,
+				NULL);
+
+        if (!NT_STATUS_IS_OK(status)) {
+		printf("Create of %s failed (%s)\n",
+			fname,
+			nt_errstr(status));
+                goto fail;
+        }
+
+	cli_close(cli, fnum);
+	fnum = (uint16_t)-1;
+
+	/*
+	 * Now try to open with *only* SEC_FLAG_SYSTEM_SECURITY.
+	 * This should fail with NT_STATUS_ACCESS_DENIED - but
+	 * only against an SMB2 server. SMB1 allows this as tested
+	 * in SMB1-SYSTEM-SECURITY.
+	 */
+
+	status = cli_smb2_create_fnum(cli,
+			fname,
+			SMB2_OPLOCK_LEVEL_NONE,
+			SMB2_IMPERSONATION_IMPERSONATION,
+			SEC_FLAG_SYSTEM_SECURITY, /* desired access */
+			0, /* file_attributes, */
+			FILE_SHARE_READ|
+				FILE_SHARE_WRITE|
+				FILE_SHARE_DELETE, /* share_access, */
+			FILE_OPEN, /* create_disposition, */
+			FILE_NON_DIRECTORY_FILE, /* create_options, */
+			NULL, /* in_cblobs. */
+			&fnum, /* fnum */
+			NULL, /* smb_create_returns  */
+			talloc_tos(), /* mem_ctx */
+			NULL); /* out_cblobs */
+
+	if (NT_STATUS_EQUAL(status, NT_STATUS_PRIVILEGE_NOT_HELD)) {
+		printf("SMB2-SACL-TEST can only work with a user "
+			"who has been granted SeSecurityPrivilege.\n"
+			"This is the "
+			"\"Manage auditing and security log\""
+			"privilege setting on Windows\n");
+		goto fail;
+	}
+
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+		printf("open file %s with SEC_FLAG_SYSTEM_SECURITY only: "
+			"got %s - should fail with ACCESS_DENIED\n",
+			fname,
+			nt_errstr(status));
+		goto fail;
+	}
+
+	/*
+	 * Open with SEC_FLAG_SYSTEM_SECURITY|FILE_WRITE_ATTRIBUTES.
+	 */
+
+	status = cli_smb2_create_fnum(cli,
+			fname,
+			SMB2_OPLOCK_LEVEL_NONE,
+			SMB2_IMPERSONATION_IMPERSONATION,
+			SEC_FLAG_SYSTEM_SECURITY|
+				FILE_WRITE_ATTRIBUTES, /* desired access */
+			0, /* file_attributes, */
+			FILE_SHARE_READ|
+				FILE_SHARE_WRITE|
+				FILE_SHARE_DELETE, /* share_access, */
+			FILE_OPEN, /* create_disposition, */
+			FILE_NON_DIRECTORY_FILE, /* create_options, */
+			NULL, /* in_cblobs. */
+			&fnum, /* fnum */
+			NULL, /* smb_create_returns  */
+			talloc_tos(), /* mem_ctx */
+			NULL); /* out_cblobs */
+
+        if (!NT_STATUS_IS_OK(status)) {
+		printf("Open of %s with (SEC_FLAG_SYSTEM_SECURITY|"
+			"FILE_WRITE_ATTRIBUTES) failed (%s)\n",
+			fname,
+			nt_errstr(status));
+		goto fail;
+        }
+
+	/* Create an SD with a SACL. */
+	sd_sacl = security_descriptor_sacl_create(talloc_tos(),
+				0,
+				NULL, /* owner. */
+				NULL, /* group. */
+				/* first ACE. */
+				SID_WORLD,
+				SEC_ACE_TYPE_SYSTEM_AUDIT,
+				SEC_GENERIC_ALL,
+				SEC_ACE_FLAG_FAILED_ACCESS,
+				NULL);
+
+	if (sd_sacl == NULL) {
+		printf("Out of memory creating SACL\n");
+		goto fail;
+	}
+
+	/*
+	 * Write the SACL SD. This should fail
+	 * even though we have SEC_FLAG_SYSTEM_SECURITY,
+	 * as it seems to also need WRITE_DAC access.
+	 */
+	status = cli_smb2_set_security_descriptor(cli,
+				fnum,
+				SECINFO_DACL|SECINFO_SACL,
+				sd_sacl);
+
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+		printf("Writing SACL on file %s got (%s) "
+			"should have failed with ACCESS_DENIED.\n",
+			fname,
+			nt_errstr(status));
+		goto fail;
+        }
+
+	/* And close. */
+	cli_smb2_close_fnum(cli, fnum);
+	fnum = (uint16_t)-1;
+
+	/*
+	 * Open with SEC_FLAG_SYSTEM_SECURITY|SEC_STD_WRITE_DAC.
+	 */
+
+	status = cli_smb2_create_fnum(cli,
+			fname,
+			SMB2_OPLOCK_LEVEL_NONE,
+			SMB2_IMPERSONATION_IMPERSONATION,
+			SEC_FLAG_SYSTEM_SECURITY|
+				SEC_STD_WRITE_DAC, /* desired access */
+			0, /* file_attributes, */
+			FILE_SHARE_READ|
+				FILE_SHARE_WRITE|
+				FILE_SHARE_DELETE, /* share_access, */
+			FILE_OPEN, /* create_disposition, */
+			FILE_NON_DIRECTORY_FILE, /* create_options, */
+			NULL, /* in_cblobs. */
+			&fnum, /* fnum */
+			NULL, /* smb_create_returns  */
+			talloc_tos(), /* mem_ctx */
+			NULL); /* out_cblobs */
+
+        if (!NT_STATUS_IS_OK(status)) {
+		printf("Open of %s with (SEC_FLAG_SYSTEM_SECURITY|"
+			"FILE_WRITE_ATTRIBUTES) failed (%s)\n",
+			fname,
+			nt_errstr(status));
+		goto fail;
+        }
+
+	/*
+	 * Write the SACL SD. This should now succeed
+	 * as we have both SEC_FLAG_SYSTEM_SECURITY
+	 * and WRITE_DAC access.
+	 */
+	status = cli_smb2_set_security_descriptor(cli,
+				fnum,
+				SECINFO_DACL|SECINFO_SACL,
+				sd_sacl);
+
+        if (!NT_STATUS_IS_OK(status)) {
+		printf("cli_smb2_set_security_descriptor SACL "
+			"on file %s failed (%s)\n",
+			fname,
+			nt_errstr(status));
+		goto fail;
+        }
+
+	/* And close. */
+	cli_smb2_close_fnum(cli, fnum);
+	fnum = (uint16_t)-1;
+
+	/* We're done with the sacl we made. */
+	TALLOC_FREE(sd_sacl);
+
+	/*
+	 * Now try to open with SEC_FLAG_SYSTEM_SECURITY|READ_ATTRIBUTES.
+	 * This gives us access to the SACL.
+	 */
+
+	status = cli_smb2_create_fnum(cli,
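Review bot: Both `cli_smb2_set_security_descriptor()` calls pass `SECINFO_DACL|SECINFO_SACL` with a descriptor built by `security_descriptor_sacl_create()`, so the ACCESS_DENIED on the FILE_WRITE_ATTRIBUTES handle may come from the DACL half of the request rather than from the SACL; sending `SECINFO_SACL` alone would show whether a SACL write really needs WRITE_DAC, which is what the nttrans.c change assumes. Other points: the failure message after the SEC_FLAG_SYSTEM_SECURITY|SEC_STD_WRITE_DAC open still says "FILE_WRITE_ATTRIBUTES", step 8 in the header comment should read "Close (6)", the privilege hint prints `log"privilege` because a space is missing between the adjacent string literals, and several `if (!NT_STATUS_IS_OK(status))` blocks are indented with spaces instead of tabs.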


-- 
Samba Shared Repository


