denytest and privileges

tridge at samba.org
Thu Oct 15 17:14:40 MDT 2009


Hi Aravind,

The denytest extensions you recently added are interesting, but I
think you may have neglected to take into account the impact of
privileges on ACLs.

For example, the 'correct' answers you have encoded in
BASE-MAXIMUM_ALLOWED need to depend on whether the user has the
'backup' and/or 'restore' privilege. 

I've added the correct set of bits to security.idl so we have them in
a central location.

Could you please check over your other recently committed tests and
fix them too? 

I suspect you did a lot of your testing with an administrator account,
which has a lot of privileges. The danger in this is that Samba
developers may then look at the test results and make Samba start to
match them for non-administrators. This means that Samba will end up
starting to grant administrator-like privileges to everyone. That is a
very bad idea.

Cheers, Tridge
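
The point of the message above, as an added example that is not part of the original post and is not Samba's code: the expected MAXIMUM_ALLOWED mask is computed from the ACL plus the caller's privileges, and answers recorded as an administrator over-grant when applied to an ordinary user. The function names, the `PRIV_*` flags, the sample ACL and the privilege-to-rights mapping are assumptions for illustration (the mapping follows Microsoft's documented description of the backup and restore privileges); the authoritative bit sets are the ones in security.idl.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard NT access-mask bits. */
#define ACC_DELETE          0x00010000u
#define ACC_READ_CONTROL    0x00020000u
#define ACC_WRITE_DAC       0x00040000u
#define ACC_WRITE_OWNER     0x00080000u
#define ACC_SYSTEM_SECURITY 0x01000000u
#define ACC_FILE_GEN_READ   0x00120089u  /* FILE_GENERIC_READ */

/* Hypothetical privilege flags and the rights each adds (assumed mapping). */
#define PRIV_BACKUP  0x1u
#define PRIV_RESTORE 0x2u
#define RIGHTS_BACKUP  (ACC_READ_CONTROL | ACC_SYSTEM_SECURITY | ACC_FILE_GEN_READ)
#define RIGHTS_RESTORE (ACC_WRITE_DAC | ACC_WRITE_OWNER | ACC_SYSTEM_SECURITY | ACC_DELETE)

/* Expected MAXIMUM_ALLOWED answer: ACL-granted bits plus privilege bits. */
uint32_t expected_max_allowed(uint32_t acl_granted, uint32_t privs)
{
    uint32_t mask = acl_granted;
    if (privs & PRIV_BACKUP)  mask |= RIGHTS_BACKUP;
    if (privs & PRIV_RESTORE) mask |= RIGHTS_RESTORE;
    return mask;
}

/* Test check: 1 if the server's answer is right for THIS user's privileges. */
int check_max_allowed(uint32_t server_granted, uint32_t acl_granted, uint32_t privs)
{
    return server_granted == expected_max_allowed(acl_granted, privs);
}

/* Bits a user would gain if the server were tuned to match answers that
 * were recorded under a different (more privileged) account. */
uint32_t over_grant(uint32_t acl_granted, uint32_t recorded_privs, uint32_t user_privs)
{
    return expected_max_allowed(acl_granted, recorded_privs) &
           ~expected_max_allowed(acl_granted, user_privs);
}

int main(void)
{
    uint32_t acl = ACC_FILE_GEN_READ;            /* constructed ACL: read-only */
    uint32_t admin = PRIV_BACKUP | PRIV_RESTORE; /* constructed admin account */
    printf("admin expects 0x%08x\n", (unsigned)expected_max_allowed(acl, admin));
    printf("user  expects 0x%08x\n", (unsigned)expected_max_allowed(acl, 0));
    printf("over-grant    0x%08x\n", (unsigned)over_grant(acl, admin, 0));
    return 0;
}
```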

