Regression tests for ACLs and Privileges in Samba: Feedback requested

Richard Sharpe realrichardsharpe at
Tue Mar 6 17:48:25 MST 2012

Hi folks,

Here is what I think is needed to ensure that we do not cause
regressions to the correct functioning of these areas:

1. Tests must be performed via SMB (or SMB 2.x) against a Samba server.

2. They must test ALLOW ACEs and DENY ACEs in an ACL and that they
correctly allow access or deny access to the correct principals.

3. They must test that IO, CI, and OI entries work correctly when new
objects are created in a container.

4. They must test that Creator Owner and Creator Group SIDs do the
correct thing (that is, that they are inherited correctly as long as
marked as inheritable ACEs and that the correct SID ends up in the ACL
on the new object.)

5. They must test that Privileges correctly allow access when an ACL
does not explicitly allow access, and that they even allow access when
there is an explicit deny entry for a permission that a privilege
would allow, and that Owner Rights works correctly.

I would be interested in feedback on these requirements ...

Richard Sharpe

More information about the samba-technical mailing list