[PATCH 0/3] Fix master to pass smbtorture smb2.acls and raw.acls tests - v2 - with Simo fixes.

Stefan (metze) Metzmacher metze at samba.org
Tue Nov 20 00:21:12 MST 2012


On 20.11.2012 00:44, Jeremy Allison wrote:
> On Tue, Nov 20, 2012 at 12:15:15AM +0100, Michael Adam wrote:
>> For a start, I pushed the first two patches to autobuild.
> 
> Thanks !
> 
>> The change to the smb2.acls test, I have not yet quite
>> understood, especially since that code path is not
>> run at all in any tests I see. We should re-discuss this one.
> 
> Ok, let me try and explain better. In the raw.acl SMB1
> test code that is the basis for the smb2.acl test code
> (file source4/torture/raw/acls.c) in the inheritance
> test we have a specific change in the default ACL
> creation to cope with the Samba4 file server.
> 
> In source4/torture/raw/acls.c it looks like this:
> 
>         if (torture_setting_bool(tctx, "samba4", false)) {
>                 /* the default ACL in Samba4 includes the group and
>                    other permissions */
>                 sd_def1 = security_descriptor_dacl_create(tctx,
>                                                          0, owner_sid, NULL,
>                                                          owner_sid,
>                                                          SEC_ACE_TYPE_ACCESS_ALLOWED,
>                                                          SEC_RIGHTS_FILE_ALL,
>                                                          0,
>                                                          group_sid,
>                                                          SEC_ACE_TYPE_ACCESS_ALLOWED,
>                                                          SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE,
>                                                          0,
>                                                          SID_WORLD,
>                                                          SEC_ACE_TYPE_ACCESS_ALLOWED,
>                                                          SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE,
>                                                          0,
>                                                          SID_NT_SYSTEM,
>                                                          SEC_ACE_TYPE_ACCESS_ALLOWED,
>                                                          SEC_RIGHTS_FILE_ALL,
>                                                          0,
>                                                          NULL);
>         } else {
>                 /*
>                  * The Windows Default ACL for a new file, when there is no ACL to be
>                  * inherited: FullControl for the owner and SYSTEM.
>                  */
>                 sd_def1 = security_descriptor_dacl_create(tctx,
>                                                          0, owner_sid, NULL,
>                                                          owner_sid,
>                                                          SEC_ACE_TYPE_ACCESS_ALLOWED,
>                                                          SEC_RIGHTS_FILE_ALL,
>                                                          0,
>                                                          SID_NT_SYSTEM,
>                                                          SEC_ACE_TYPE_ACCESS_ALLOWED,
>                                                          SEC_RIGHTS_FILE_ALL,
>                                                          0,
>                                                          NULL);
>         }
> 
> The reason for this is that the default Windows ACL on a new
> file that is created inside a directory with no inheritance
> from the parent directory, and no provided security descriptor
> is:
> 
> owner-sid: Full control
> SYSTEM: full control
> 
> When we're doing the same on a POSIX file system we don't
> emulate that - it makes no sense on a file system that needs
> to have underlying POSIX permissions underneath.
> 
> The patch we're discussing adds the same default ACL to
> the smb2 ACL tests as we're using in the smb1 ACL tests,
> as we'll get the same value back.
> 
> The question I'd like to discuss is that now we have
> a unified file server, we really should remove the
> distinctions saying:
> 
> if (torture_setting_bool(tctx, "samba4", false)) and
> if (torture_setting_bool(tctx, "samba3", false))
> 
> and make the tests pass by using:
> 
> if (torture_setting_bool(tctx, "samba_smbd", false))
> and
> if (torture_setting_bool(tctx, "samba_ntfs", false))
> 
> to differentiate the tests against the smbd and ntvfs
> fileserver code.

I'd prefer to remove this completely (and only expect Windows behavior)
and add failing tests to the knownfail file.

If this behavior test is part of a larger test, we should isolate it
as a separate test.

metze
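
Added example (not part of the original message and not Samba's test code): a C sketch that compares the default DACL from the quoted "samba4" branch with the Windows default and reports every ACE that grants rights beyond the Windows baseline. The struct, the function names and the trustee labels are hypothetical; the labels stand in for owner_sid, group_sid, SID_WORLD and SID_NT_SYSTEM.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard NT access-mask values for the rights named in the quoted code. */
#define SEC_RIGHTS_FILE_ALL  0x001f01ffu
#define SEC_RIGHTS_FILE_READ 0x00120089u
#define SEC_FILE_EXECUTE     0x00000020u
/* Simplified allow-ACE; trustee labels stand in for real SIDs (assumption). */
struct ace { const char *trustee; uint32_t mask; };
/* Windows default for a new file with nothing to inherit. */
static const struct ace windows_default[] = {
    { "OWNER",  SEC_RIGHTS_FILE_ALL },
    { "SYSTEM", SEC_RIGHTS_FILE_ALL },
};
/* Default from the quoted "samba4" branch: group and world ACEs added. */
static const struct ace samba_default[] = {
    { "OWNER",  SEC_RIGHTS_FILE_ALL },
    { "GROUP",  SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE },
    { "WORLD",  SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE },
    { "SYSTEM", SEC_RIGHTS_FILE_ALL },
};

/* Rights trustee t holds in dacl[0..n); 0 if it has no ACE. */
static uint32_t granted(const struct ace *dacl, size_t n, const char *t)
{
    uint32_t m = 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(dacl[i].trustee, t) == 0)
            m |= dacl[i].mask;
    return m;
}

/* Print and count ACEs in got that grant rights the baseline does not. */
static int excess_aces(const struct ace *got, size_t ngot,
                       const struct ace *base, size_t nbase)
{
    int count = 0;
    for (size_t i = 0; i < ngot; i++) {
        uint32_t extra = got[i].mask & ~granted(base, nbase, got[i].trustee);
        if (extra) {
            printf("%-6s extra rights 0x%08x\n", got[i].trustee, (unsigned)extra);
            count++;
        }
    }
    return count;
}

int main(void) { return excess_aces(samba_default, 4, windows_default, 2) == 2 ? 0 : 1; }
```

The two ACEs reported are the group and world entries, which is the difference a Windows-only expectation would turn into a test failure.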
