[PATCHES] BUG 11324: sharesec output

Christof Schmitt cs at samba.org
Tue Jun 16 13:18:01 MDT 2015


This is hopefully the last change required to get the output of sharesec
back to match the output in 4.1 and earlier releases. To prevent another
regression, I also added a new test.

Christof
-------------- next part --------------
From cb9c6f9c85fe01cf2fbf2c18578371092b0f1a5f Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Tue, 9 Jun 2015 09:50:18 -0700
Subject: [PATCH 1/3] sharesec: Use non-numerical output for sharesec

This is an easy change to get the sharesec output back to the format
used before. It is also easier to understand than the output of the
flags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11324

Signed-off-by: Christof Schmitt <cs at samba.org>
---
 source3/utils/sharesec.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/utils/sharesec.c b/source3/utils/sharesec.c
index 941b3a4..d9f8158 100644
--- a/source3/utils/sharesec.c
+++ b/source3/utils/sharesec.c
@@ -182,7 +182,7 @@ static int change_share_sec(TALLOC_CTX *mem_ctx, const char *sharename, char *th
 		/* should not happen */
 		return 0;
 	case SMB_ACL_VIEW:
-		sec_desc_print(NULL, stdout, old, true);
+		sec_desc_print(NULL, stdout, old, false);
 		return 0;
 	case SMB_ACL_DELETE:
 	    for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
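Review bot: The bare `false` passed as the last argument of sec_desc_print() in the SMB_ACL_VIEW case gives no hint at the call site of which output format it selects, which makes it easy for a later change to flip it back and reintroduce the regression. A short comment at the call, for example noting that this selects the textual form such as FULL or READ instead of the hex mask, would record the intent next to the code.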
@@ -203,7 +203,7 @@ static int change_share_sec(TALLOC_CTX *mem_ctx, const char *sharename, char *th
 
 		if (!found) {
 			printf("ACL for ACE:");
-			print_ace(NULL, stdout, &sd->dacl->aces[i], true);
+			print_ace(NULL, stdout, &sd->dacl->aces[i], false);
 			printf(" not found\n");
 		}
 	    }
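Review bot: The format change to the "ACL for ACE: ... not found" message in the `if (!found)` branch is not exercised by the new test_sharesec.sh in patch 2/3, where every modify and remove step targets an entry that was added earlier. Since the stated goal is to keep the output from regressing again, consider adding a test step that removes a non-existent ACE and checks the printed entry, so this print_ace() call is covered too.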
-- 
1.7.1


From abffdc1de67e4fe69e6f322ef598f94159812f75 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Tue, 9 Jun 2015 10:28:17 -0700
Subject: [PATCH 2/3] selftest: Add test for sharesec command

Add a test for the sharesec command to ensure that it works, and to also
verify that the output does not change.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11324

Signed-off-by: Christof Schmitt <cs at samba.org>
---
 source3/script/tests/test_sharesec.sh |  111 +++++++++++++++++++++++++++++++++
 source3/selftest/tests.py             |    3 +
 2 files changed, 114 insertions(+), 0 deletions(-)
 create mode 100755 source3/script/tests/test_sharesec.sh

diff --git a/source3/script/tests/test_sharesec.sh b/source3/script/tests/test_sharesec.sh
new file mode 100755
index 0000000..ef207ff
--- /dev/null
+++ b/source3/script/tests/test_sharesec.sh
@@ -0,0 +1,111 @@
+#!/bin/sh
+#
+# Test sharesec command.
+#
+# Verify that changing and querying the security descriptor works. Also
+# ensure that the output format for ACL entries does not change.
+#
+# The test uses well-known SIDs to not require looking up names and SIDs
+#
+# Copyright (C) 2015 Christof Schmitt
+
+if [ $# -lt 3 ]; then
+Usage: test_sharesec.sh SERVERCONFFILE SHARESEC SHARE
+exit 1
+fi
+
+CONF=$1
+SHARESEC=$2
+SHARE=$3
+
+CMD="$SHARESEC $CONF $SHARE"
+
+incdir=$(dirname $0)/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+failed=0
+
+testit "Set new ACL" $CMD --replace  S-1-1-0:ALLOWED/0x0/READ || \
+	failed=$(expr $failed + 1)
+testit "Query new ACL" $CMD --view || failed=$(expr $failed + 1)
+COUNT=$($CMD --view | grep ACL: | sed -e 's/^ACL://' | wc -l)
+testit "Verify new ACL count" test $COUNT -eq 1 || failed=$(expr $failed + 1)
+ACL=$($CMD --view | grep ACL: | sed -e 's/^ACL://')
+testit "Verify new ACL" test $ACL = S-1-1-0:ALLOWED/0x0/READ
+
+OWNER=$($CMD --view | grep OWNER:)
+testit "Verify empty OWNER" test "$OWNER" = "OWNER:" || \
+	failed=$(expr $failed + 1)
+GROUP=$($CMD --view | grep GROUP:)
+testit "Verify empty GROUP" test "$GROUP" = "GROUP:" || \
+	failed=$(expr $failed + 1)
+CONTROL=$($CMD --view | grep CONTROL: | sed -e 's/^CONTROL://')
+testit "Verify control flags" test "$CONTROL" = "SR|DP" || \
+	failed=$(expr $failed + 1)
+
+testit "Add second ACL entry" $CMD --add S-1-5-32-544:ALLOWED/0x0/FULL || \
+	failed=$(expr $failed + 1)
+testit "Query ACL with two entries" $CMD --view || \
+	failed=$(expr $failed + 1)
+COUNT=$($CMD --view | grep ACL: | sed -e 's/^ACL://' | wc -l)
+testit "Verify ACL count with two entries" test $COUNT -eq 2 || \
+	failed=$(expr $failed + 1)
+ACL=$($CMD --view | grep S-1-5-32-544 | sed -e 's/^ACL://')
+testit "Verify second ACL entry" test $ACL = S-1-5-32-544:ALLOWED/0x0/FULL || \
+	failed=$(expr $failed + 1)
+
+testit "Modify ACL entry" $CMD --modify S-1-5-32-544:ALLOWED/0x0/CHANGE || \
+	failed=$(expr $failed + 1)
+testit "Verify ACL with two entries after modify" $CMD --view || \
+	failed=$(expr $failed + 1)
+COUNT=$($CMD --view | grep ACL: | sed -e 's/^ACL://' | wc -l)
+testit "Verify ACL count with two entries after modify" test $COUNT -eq 2 || \
+	failed=$(expr $failed + 1)
+ACL=$($CMD --view | grep S-1-5-32-544 | sed -e 's/^ACL://')
+testit "Verify modified entry" test $ACL = S-1-5-32-544:ALLOWED/0x0/CHANGE || \
+	failed=$(expr $failed + 1)
+
+testit "Add deny ACL entry" $CMD --add S-1-5-32-545:DENIED/0x0/CHANGE || \
+	failed=$(expr $failed + 1)
+testit "Query ACL with three entries" $CMD --view || \
+	failed=$(expr $failed + 1)
+COUNT=$($CMD --view | grep ACL: | sed -e 's/^ACL://' | wc -l)
+testit "Verify ACL count with three entries" test $COUNT -eq 3 || \
+	failed=$(expr $failed + 1)
+ACL=$($CMD --view | grep S-1-5-32-545 | sed -e 's/^ACL://')
+testit "Verify DENIED ACL entry" test $ACL = S-1-5-32-545:DENIED/0x0/CHANGE || \
+	failed=$(expr $failed + 1)
+
+testit "Add special ACL entry" $CMD --add S-1-5-32-546:ALLOWED/0x0/RWXDP || \
+	failed=$(expr $failed + 1)
+testit "Query ACL with four entries" $CMD --view || \
+	failed=$(expr $failed + 1)
+COUNT=$($CMD --view | grep ACL: | sed -e 's/^ACL://' | wc -l)
+testit "Verify ACL count with four entries" test $COUNT -eq 4 || \
+	failed=$(expr $failed + 1)
+ACL=$($CMD --view | grep S-1-5-32-546 | sed -e 's/^ACL://')
+testit "Verify special entry" test $ACL = S-1-5-32-546:ALLOWED/0x0/RWXDP || \
+	failed=$(expr $failed + 1)
+
+testit "Remove ACL entry" $CMD --remove S-1-5-32-546:ALLOWED/0x0/RWXDP || \
+	failed=$(expr $failed + 1)
+testit "Query ACL with three entries after removal" $CMD --view || \
+	failed=$(expr $failed + 1)
+COUNT=$($CMD --view | grep ACL: | sed -e 's/^ACL://' | wc -l)
+testit "Verify ACL count after removal" test $COUNT -eq 3 || \
+	failed=$(expr $failed + 1)
+ACL="$($CMD --view | grep S-1-5-32-546')"
+testit "Verify removal" test -e "$ACL" || failed=$(expr $failed + 1)
+
+testit "Set back to default ACL " $CMD --replace  S-1-1-0:ALLOWED/0x0/FULL || \
+	failed=$(expr $failed + 1)
+testit "Query standard ACL" $CMD --view || \
+	failed=$(expr $failed + 1)
+COUNT=$($CMD --view | grep ACL: | sed -e 's/^ACL://' | wc -l)
+testit "Verify standard ACL count" test $COUNT -eq 1 || \
+	failed=$(expr $failed + 1)
+ACL=$($CMD --view | grep ACL: | sed -e 's/^ACL://')
+testit "Verify standard ACL" test $ACL = S-1-1-0:ALLOWED/0x0/FULL || \
+	failed=$(expr $failed + 1)
+
+testok $0 $failed
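Review bot: The "Verify removal" step is broken in two ways: `grep S-1-5-32-546')"` carries a stray single quote, which leaves the shell with an unbalanced quote, and `test -e "$ACL"` checks whether a file of that name exists rather than whether the string is empty. Dropping the quote and using `test -z "$ACL"` would make the step pass exactly when the entry is gone. Three smaller points in the same file: the `Usage:` line in the argument check is missing an `echo`, so it would be run as a command; the "Verify new ACL" step has no `|| failed=$(expr $failed + 1)`, so a mismatch there is never counted; and `$ACL` and `$COUNT` are unquoted in the `test` calls, so an empty result gives a `test` syntax error instead of a clean comparison failure.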
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index d6e6869..0c49b02 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -424,6 +424,9 @@ for s in signseal_options:
 
 plantestsuite("samba3.blackbox.rpcclient_samlogon", "ad_member:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient_samlogon.sh"),
 								       "$DC_USERNAME", "$DC_PASSWORD", "ncacn_np:$DC_SERVER", configuration])
+plantestsuite("samba3.blackbox.sharesec", "simpleserver:local",
+              [os.path.join(samba3srcdir, "script/tests/test_sharesec.sh"),
+               configuration, os.path.join(bindir(), "sharesec"), "tmp"])
 
 plantestsuite("samba3.blackbox.net_dom_join_fail_dc", "nt4_dc",
               [os.path.join(samba3srcdir, "script/tests/test_net_dom_join_fail_dc.sh"),
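Review bot: Passing the general-purpose "tmp" share as the target in this plantestsuite() call means the script rewrites the share ACL that any other suite in simpleserver:local using "tmp" would also see. During the run Everyone is reduced to READ and a DENIED entry for S-1-5-32-545 is added, and the default ACL is only restored by the last steps of the script, so an aborted run leaves the share restricted. A share dedicated to this test would avoid that coupling; if "tmp" stays, a comment here noting that the script restores the ACL at the end would help.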
-- 
1.7.1


From 023b8023bd5ba974a02ef3399154f7cd761fccca Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Tue, 9 Jun 2015 10:29:21 -0700
Subject: [PATCH 3/3] docs-xml: Update sharesec manpage to reflect current output

Update the sharesec man page to reflect the output currently used, and
also add a note that the OWNER and GROUP fields are not used for share
ACLs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11324

Signed-off-by: Christof Schmitt <cs at samba.org>
---
 docs-xml/manpages/sharesec.1.xml |   16 ++++++++--------
 1 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/docs-xml/manpages/sharesec.1.xml b/docs-xml/manpages/sharesec.1.xml
index 6a201cc..7e13d49 100644
--- a/docs-xml/manpages/sharesec.1.xml
+++ b/docs-xml/manpages/sharesec.1.xml
@@ -154,10 +154,9 @@
 	If not specified it defaults to 1. Using values other than 1 may
 	cause strange behaviour.</para>
 
-	<para>The owner and group specify the owner and group SIDs for the
-	object. If a SID in the format S-1-x-y-z is specified this is used,
-	otherwise the name specified is resolved using the server on which
-	the file or directory resides.</para>
+	<para>The owner and group specify the owner and group SIDs for
+	the object. Share ACLs do not specify an owner or a group, so
+	these fields are empty.</para>
 
 	<para>ACLs specify permissions granted to the SID. This SID
 	can be specified in S-1-x-y-z format or as a name in which case
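Review bot: The two sentences of the rewritten paragraph pull against each other: the first still says the owner and group "specify the owner and group SIDs for the object", and the second says share ACLs have neither. Since this man page is only about share ACLs, consider replacing the first sentence with a statement that the OWNER and GROUP lines appear in the output but are always empty, so a reader does not expect to be able to set them.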
@@ -227,10 +226,11 @@
 	<programlisting>
 	host:~ # sharesec share -v
 	REVISION:1
-	OWNER:(NULL SID)
-	GROUP:(NULL SID)
-	ACL:S-1-1-0:ALLOWED/0/0x101f01ff
-	ACL:S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0/FULL
+	CONTROL:SR|DP
+	OWNER:
+	GROUP:
+	ACL:S-1-1-0:ALLOWED/0x0/FULL
+	ACL:S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0x0/FULL
 	</programlisting>
 </refsect1>
 
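Review bot: The example output now includes a `CONTROL:SR|DP` line, but nothing in this change explains what the CONTROL field is or what SR and DP stand for, whereas the paragraph touched in the previous hunk describes OWNER, GROUP and ACL. Adding a sentence on the CONTROL line next to those descriptions would keep the prose in step with the example.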
-- 
1.7.1


