[PATCH 0/3] Fix master to pass smbtorture smb2.acls and raw.acls tests - v2 - with Simo fixes.

Jeremy Allison jra at samba.org
Mon Nov 19 16:44:11 MST 2012

On Tue, Nov 20, 2012 at 12:15:15AM +0100, Michael Adam wrote:
> For a start, I pushed the first two patches to autobuild.

Thanks !

> The change to the smb2.acls test, I have not yet quite
> understood, especially since that code path is not
> run at all in any tests I see. We should re-discuss this one.

Ok, let me try and explain better. In the raw.acl SMB1
test code that is the basis for the smb2.acl test code
(file source4/torture/raw/acls.c) in the inheritance
test we have a specific change in the default ACL
creation to code with the Samba4 file server.

In source4/torture/raw/acls.c it looks like this:

1509         if (torture_setting_bool(tctx, "samba4", false)) {
1510                 /* the default ACL in Samba4 includes the group and
1511                    other permissions */
1512                 sd_def1 = security_descriptor_dacl_create(tctx,
1513                                                          0, owner_sid, NULL,
1514                                                          owner_sid,
1515                                                          SEC_ACE_TYPE_ACCESS_ALLOWED,
1516                                                          SEC_RIGHTS_FILE_ALL,
1517                                                          0,
1518                                                          group_sid,
1519                                                          SEC_ACE_TYPE_ACCESS_ALLOWED,
1520                                                          SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE,
1521                                                          0,
1522                                                          SID_WORLD,
1523                                                          SEC_ACE_TYPE_ACCESS_ALLOWED,
1524                                                          SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE,
1525                                                          0,
1526                                                          SID_NT_SYSTEM,
1527                                                          SEC_ACE_TYPE_ACCESS_ALLOWED,
1528                                                          SEC_RIGHTS_FILE_ALL,
1529                                                          0,
1530                                                          NULL);
1531         } else {
1532                 /*
1533                  * The Windows Default ACL for a new file, when there is no ACL to be
1534                  * inherited: FullControl for the owner and SYSTEM.
1535                  */
1536                 sd_def1 = security_descriptor_dacl_create(tctx,
1537                                                          0, owner_sid, NULL,
1538                                                          owner_sid,
1539                                                          SEC_ACE_TYPE_ACCESS_ALLOWED,
1540                                                          SEC_RIGHTS_FILE_ALL,
1541                                                          0,
1542                                                          SID_NT_SYSTEM,
1543                                                          SEC_ACE_TYPE_ACCESS_ALLOWED,
1544                                                          SEC_RIGHTS_FILE_ALL,
1545                                                          0,
1546                                                          NULL);
1547         }

The reason for this is that the default Windows ACL on a new
file that is created inside a directory with no inheritance
from the parent directory, and no provided security descriptor

owner-sid: Full control
SYSTEM: full control

When we're doing the same on a POSIX file system we don't
emulate that - it makes no sense on a file system that needs
to have underlying POSIX permissions underneath.

The patch we're discussing adds the same default ACL to
the smb2 ACL tests as we're using in the smb1 ACL tests,
as we'll get the same value back.

The question I'd like to discuss is that now we have
a unified file server, we really should remove the
distinctions saying :

if (torture_setting_bool(tctx, "samba4", false)) and
if (torture_setting_bool(tctx, "samba3", false))

and make the tests pass by using:

if (torture_setting_bool(tctx, "samba_smbd", false))
if (torture_setting_bool(tctx, "samba_ntfs", false))

to differentiate the tests against the smbd and ntvfs
fileserver code.


More information about the samba-technical mailing list