[SCM] Samba Shared Repository - branch master updated

Volker Lendecke vlendec at samba.org
Mon Feb 26 18:36:02 UTC 2024


The branch, master has been updated
       via  5a0fce58650 source4/torture: Add SEC_STD_DELETE to enable proper cleanup
      from  e4c3c61302b python:gp: Implement client site lookup in site_dn_for_machine()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5a0fce58650770bc7701d1be72492637c2ced63c
Author: Anoop C S <anoopcs at samba.org>
Date:   Thu Feb 22 19:26:08 2024 +0530

    source4/torture: Add SEC_STD_DELETE to enable proper cleanup
    
    basic.maximum_allowed and smb2.maximum_allowed attempt to unlink the
    files created by those tests. But the restrictive SD with which they
    were created prohibits the deletion inside shares where vfs_acl_xattr
    is configured including "ignore system acls". The very same file will
    otherwise cause problems while progressing with remaining sub tests.
    SEC_STD_DELETE could be the minimum required additional access mask
    to successfully delete the file under the said configuration using
    vfs_acl_xattr and "ignore system acls" option without loosing the
    integrity of the overall test.
    
    Signed-off-by: Anoop C S <anoopcs at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Mon Feb 26 18:35:43 UTC 2024 on atb-devel-224

-----------------------------------------------------------------------

Summary of changes:
 source4/torture/basic/denytest.c   | 30 ++++++++++++++++++++++++++-
 source4/torture/smb2/max_allowed.c | 42 +++++++++++++++++++++++++++++++++-----
 2 files changed, 66 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/torture/basic/denytest.c b/source4/torture/basic/denytest.c
index c9f4a97743e..ba636fe2a95 100644
--- a/source4/torture/basic/denytest.c
+++ b/source4/torture/basic/denytest.c
@@ -2680,10 +2680,11 @@ bool torture_maximum_allowed(struct torture_context *tctx,
 	struct security_descriptor *sd, *sd_orig;
 	union smb_open io;
 	static TALLOC_CTX *mem_ctx;
-	int fnum, i;
+	int fnum, fnum1 = -1, i;
 	bool ret = true;
 	NTSTATUS status;
 	union smb_fileinfo q;
+	union smb_setfileinfo set;
 	const char *owner_sid;
 	bool has_restore_privilege, has_backup_privilege, has_system_security_privilege;
 
@@ -2813,7 +2814,34 @@ bool torture_maximum_allowed(struct torture_context *tctx,
 		smbcli_close(cli->tree, fnum);
 	}
 
+	io.generic.level = RAW_OPEN_NTTRANS_CREATE;
+	io.ntcreatex.in.access_mask = SEC_STD_WRITE_DAC;
+	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
+	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
+	io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
+	io.ntcreatex.in.fname = MAXIMUM_ALLOWED_FILE;
+
+	status = smb_raw_open(cli->tree, mem_ctx, &io);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	fnum1 = io.ntcreatex.out.file.fnum;
+
+	sd = security_descriptor_dacl_create(tctx,
+					0, NULL, NULL,
+					SID_NT_AUTHENTICATED_USERS,
+					SEC_ACE_TYPE_ACCESS_ALLOWED,
+					SEC_STD_DELETE,
+					0,
+					NULL);
+	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+	set.set_secdesc.in.file.fnum = fnum1;
+	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+	set.set_secdesc.in.sd = sd;
+
+	status = smb_raw_setfileinfo(cli->tree, &set);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
  done:
+	smbcli_close(cli->tree, fnum1);
 	smbcli_unlink(cli->tree, MAXIMUM_ALLOWED_FILE);
 	return ret;
 }
diff --git a/source4/torture/smb2/max_allowed.c b/source4/torture/smb2/max_allowed.c
index af8b08ac9a9..6d69b84fbe6 100644
--- a/source4/torture/smb2/max_allowed.c
+++ b/source4/torture/smb2/max_allowed.c
@@ -33,11 +33,12 @@ static bool torture_smb2_maximum_allowed(struct torture_context *tctx,
 	struct security_descriptor *sd = NULL, *sd_orig = NULL;
 	struct smb2_create io = {0};
 	TALLOC_CTX *mem_ctx = NULL;
-	struct smb2_handle fnum = {{0}};
+	struct smb2_handle fnum = {{0}}, fnum1 = {{0}};
 	int i;
 	bool ret = true;
 	NTSTATUS status;
 	union smb_fileinfo q;
+	union smb_setfileinfo set;
 	const char *owner_sid = NULL;
 	bool has_restore_privilege, has_backup_privilege, has_system_security_privilege;
 
@@ -82,7 +83,7 @@ static bool torture_smb2_maximum_allowed(struct torture_context *tctx,
 	q.query_secdesc.in.file.handle = fnum;
 	q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
 	status = smb2_getinfo_file(tree, tctx, &q);
-	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, set_sd,
 		talloc_asprintf(tctx, "Incorrect status %s - should be %s\n",
 				nt_errstr(status), nt_errstr(NT_STATUS_OK)));
 	sd_orig = q.query_secdesc.out.sd;
@@ -159,21 +160,21 @@ static bool torture_smb2_maximum_allowed(struct torture_context *tctx,
 		if (mask & ok_mask ||
 		    mask == SEC_FLAG_MAXIMUM_ALLOWED) {
 			torture_assert_ntstatus_ok_goto(tctx, status, ret,
-				done, talloc_asprintf(tctx,
+				set_sd, talloc_asprintf(tctx,
 				"Incorrect status %s - should be %s\n",
 				nt_errstr(status), nt_errstr(NT_STATUS_OK)));
 		} else {
 			if (mask & SEC_FLAG_SYSTEM_SECURITY) {
 				torture_assert_ntstatus_equal_goto(tctx,
 					status, NT_STATUS_PRIVILEGE_NOT_HELD,
-					ret, done, talloc_asprintf(tctx,
+					ret, set_sd, talloc_asprintf(tctx,
 					"Incorrect status %s - should be %s\n",
 					nt_errstr(status),
 					nt_errstr(NT_STATUS_PRIVILEGE_NOT_HELD)));
 			} else {
 				torture_assert_ntstatus_equal_goto(tctx,
 					status, NT_STATUS_ACCESS_DENIED,
-					ret, done, talloc_asprintf(tctx,
+					ret, set_sd, talloc_asprintf(tctx,
 					"Incorrect status %s - should be %s\n",
 					nt_errstr(status),
 					nt_errstr(NT_STATUS_ACCESS_DENIED)));
@@ -185,7 +186,38 @@ static bool torture_smb2_maximum_allowed(struct torture_context *tctx,
 		smb2_util_close(tree, fnum);
 	}
 
+set_sd:
+	io.in.desired_access = SEC_STD_WRITE_DAC;
+	io.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
+	io.in.create_disposition = NTCREATEX_DISP_OPEN;
+	io.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS;
+	io.in.fname = MAXIMUM_ALLOWED_FILE;
+
+	status = smb2_create(tree, mem_ctx, &io);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+		talloc_asprintf(tctx, "Incorrect status %s - should be %s\n",
+				nt_errstr(status), nt_errstr(NT_STATUS_OK)));
+	fnum1 = io.out.file.handle;
+
+	sd = security_descriptor_dacl_create(tctx,
+					0, NULL, NULL,
+					SID_NT_AUTHENTICATED_USERS,
+					SEC_ACE_TYPE_ACCESS_ALLOWED,
+					SEC_STD_DELETE,
+					0,
+					NULL);
+	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+	set.set_secdesc.in.file.handle = fnum1;
+	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+	set.set_secdesc.in.sd = sd;
+
+	status = smb2_setinfo_file(tree, &set);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+		talloc_asprintf(tctx, "Incorrect status %s - should be %s\n",
+				nt_errstr(status), nt_errstr(NT_STATUS_OK)));
+
  done:
+	smb2_util_close(tree, fnum1);
 	smb2_util_unlink(tree, MAXIMUM_ALLOWED_FILE);
 	talloc_free(mem_ctx);
 	return ret;


-- 
Samba Shared Repository



More information about the samba-cvs mailing list