denytest and privileges

tridge at tridge at
Thu Oct 15 17:14:40 MDT 2009

Hi Aravind,

The denytest extensions you recently added are interesting, but I
think you may have neglected to take into account the impact of
privileges on ACLs.

For example, the 'correct' answers you have encoded in
BASE-MAXIMUM_ALLOWED need to depend on whether the user has the
'backup' and/or 'restore' privilege. 

I've added the correct set of bits to security.idl so we have them in
a central location.

Could you please check over your other recently committed tests and
fix them too? 

I suspect you did a lot of your testing with an administrator account,
which has a lot of privileges. The danger in this is that Samba
developers may then look at the test results and make Samba start to
match them for non-administrators. This means that Samba will end up
starting to grant administrator-like privileges to everyone. That is a
very bad idea.

Cheers, Tridge

More information about the samba-technical mailing list