[Samba] RAW_ACLS smbtorture test

Nagaraj Shyam Nagaraj_Shyam at symantec.com
Wed Jul 14 15:01:23 MDT 2010


Test results inline as the mailserver pulled out the attachment.  Please
read the first post about the thread to get context.

 

=========================================== samba test results =================================================================

test: ACLS

TESTING SETFILEINFO EA_SET

add a new ACE to the DACL

torture/raw/acls.c:111: security descriptors don't match!

got:

expected:

remove it again

testing nttrans create with sec_desc

creating normal file

querying ACL

adding a new ACE

creating a file with an initial ACL

torture/raw/acls.c:224: security descriptors don't match!

got:

expected:

TESTING SEC_DESC WITH A NULL DACL

creating a file with a empty sd

get the original sd

set NULL DACL

(torture/raw/acls.c:325) Incorrect status NT_STATUS_NO_MEMORY - should be NT_STATUS_OK

TESTING SID_CREATOR_OWNER

get the original sd

set a sec desc allowing no write by CREATOR_OWNER

try open for write

(torture/raw/acls.c:562) Incorrect status NT_STATUS_OK - should be NT_STATUS_ACCESS_DENIED

TESTING FILE GENERIC BITS

get the original sd

smblsa_sid_check_privilege - NT_STATUS_OBJECT_NAME_NOT_FOUND

SEC_PRIV_RESTORE - No

smblsa_sid_check_privilege - NT_STATUS_OBJECT_NAME_NOT_FOUND

SEC_PRIV_TAKE_OWNERSHIP - No

testing generic bits 0x00000000

torture/raw/acls.c:840: security descriptors don't match!

got:

expected:

(torture/raw/acls.c:852) Incorrect access_flags 0x00170089 - should be 0x00070080

TESTING FILE OWNER BITS

get the original sd

smblsa_sid_check_privilege - NT_STATUS_OBJECT_NAME_NOT_FOUND

SEC_PRIV_RESTORE - No

smblsa_sid_check_privilege - NT_STATUS_OBJECT_NAME_NOT_FOUND

SEC_PRIV_TAKE_OWNERSHIP - No

open succeeded with access mask 0x00000001 of expected 0x00000082 - should fail

(torture/raw/acls.c:1189) Incorrect status NT_STATUS_OK - should be NT_STATUS_ACCESS_DENIED

TESTING ACL INHERITANCE

get the original sd

owner_sid is S-1-5-21-385505261-2069261775-1913586636-500

Expected default sd:

at 0 - got:

Expected default sd for dir at 0:

got:

Bad sd in child file at 1

(0) Bad sd in child dir at 1 (parent 0x1)

Expected default sd:

at 2 - got:

(CI) Bad sd in child dir at 2 (parent 0x2)

Bad sd in child file at 3

(CI) Bad sd in child dir at 3 (parent 0x3)

Expected default sd:

at 4 - got:

Expected default sd for dir at 4:

got:

Bad sd in child file at 5

Expected default sd for dir at 5:

got:

Expected default sd:

at 6 - got:

(CI & NP) Bad sd in child dir at 6 (parent 0x6)

Bad sd in child file at 7

(CI & NP) Bad sd in child dir at 7 (parent 0x7)

Expected default sd:

at 8 - got:

Expected default sd for dir at 8:

got:

Bad sd in child file at 9

(0) Bad sd in child dir at 9 (parent 0x9)

Expected default sd:

at 10 - got:

(CI) Bad sd in child dir at 10 (parent 0xa)

Bad sd in child file at 11

(CI) Bad sd in child dir at 11 (parent 0xb)

Expected default sd:

at 12 - got:

Expected default sd for dir at 12:

got:

Bad sd in child file at 13

Expected default sd for dir at 13:

got:

Expected default sd:

at 14 - got:

(CI & NP) Bad sd in child dir at 14 (parent 0xe)

Bad sd in child file at 15

(CI & NP) Bad sd in child dir at 15 (parent 0xf)

testing access checks on inherited create with \testsd\inheritance\testfile

torture/raw/acls.c:1558: security descriptors don't match!

got:

expected:

failed: w2k3 ACL bug (allowed open when ACL should deny)

trying without execute

(torture/raw/acls.c:1583) Incorrect status NT_STATUS_OK - should be NT_STATUS_ACCESS_DENIED

TESTING DYNAMIC ACL INHERITANCE

get the original sd

owner_sid is S-1-5-21-385505261-2069261775-1913586636-500

create a file with an inherited acl

try and access file with base rights - should be OK

try and access file with extra rights - should be denied

(torture/raw/acls.c:1723) Incorrect status NT_STATUS_OK - should be NT_STATUS_ACCESS_DENIED

put back original sd

TESTING ACCESS MASKS FOR SD GET/SET

(torture/raw/acls.c:1865) Incorrect status NT_STATUS_INVALID_OWNER - should be NT_STATUS_OK

error: ACLS [

Unknown error/failure

]

 

====================================================== w2k3 test results ====================================================

test: ACLS

TESTING SETFILEINFO EA_SET

add a new ACE to the DACL

remove it again

testing nttrans create with sec_desc

creating normal file

querying ACL

adding a new ACE

creating a file with an initial ACL

TESTING SEC_DESC WITH A NULL DACL

creating a file with a empty sd

get the original sd

set NULL DACL

get the sd

try open for read control

try open for write

try open for read

try open for generic write

try open for generic read

set DACL with 0 aces

get the sd

try open for read control

try open for write => access_denied

try open for read => access_denied

try open for generic write => access_denied

try open for generic read => access_denied

set empty sd

get the sd

TESTING SID_CREATOR_OWNER

get the original sd

set a sec desc allowing no write by CREATOR_OWNER

try open for write

try open for read

try open for generic write

try open for generic read

set a sec desc allowing no write by owner

check that sd has been mapped correctly

try open for write

try open for read

try open for generic write

try open for generic read

set a sec desc allowing generic read by owner

check that generic read has been mapped correctly

try open for write

try open for read

try open for generic write

try open for generic read

put back original sd

TESTING FILE GENERIC BITS

get the original sd

SEC_PRIV_RESTORE - Yes

SEC_PRIV_TAKE_OWNERSHIP - Yes

testing generic bits 0x00000000

testing generic bits 0x00000000 (anonymous)

testing generic bits 0x80000000

testing generic bits 0x80000000 (anonymous)

testing generic bits 0x40000000

testing generic bits 0x40000000 (anonymous)

testing generic bits 0x20000000

testing generic bits 0x20000000 (anonymous)

testing generic bits 0x10000000

testing generic bits 0x10000000 (anonymous)

testing generic bits 0x00000001

testing generic bits 0x00000001 (anonymous)

testing generic bits 0x00000080

testing generic bits 0x00000080 (anonymous)

put back original sd

TESTING DIR GENERIC BITS

get the original sd

SEC_PRIV_RESTORE - Yes

SEC_PRIV_TAKE_OWNERSHIP - Yes

testing generic bits 0x00000000

testing generic bits 0x00000000 (anonymous)

testing generic bits 0x80000000

testing generic bits 0x80000000 (anonymous)

testing generic bits 0x40000000

testing generic bits 0x40000000 (anonymous)

testing generic bits 0x20000000

testing generic bits 0x20000000 (anonymous)

testing generic bits 0x10000000

testing generic bits 0x10000000 (anonymous)

put back original sd

TESTING FILE OWNER BITS

get the original sd

SEC_PRIV_RESTORE - Yes

SEC_PRIV_TAKE_OWNERSHIP - Yes

put back original sd

TESTING ACL INHERITANCE

get the original sd

owner_sid is S-1-5-32-544

testing access checks on inherited create with \testsd\inheritance\testfile

failed: w2k3 ACL bug (allowed open when ACL should deny)

trying without execute

and with full permissions again

put back original sd

TESTING DYNAMIC ACL INHERITANCE

get the original sd

owner_sid is S-1-5-32-544

create a file with an inherited acl

try and access file with base rights - should be OK

try and access file with extra rights - should be denied

update parent sd

try and access file with base rights - should be OK

try and access now - should be OK if dynamic inheritance works

Server does not have dynamic inheritance

put back original sd

TESTING ACCESS MASKS FOR SD GET/SET

error: ACLS [

Unknown error/failure

]

 

 

 

From: Nagaraj Shyam 
Sent: Wednesday, July 14, 2010 11:26 AM
To: 'samba at lists.samba.org'
Subject: RAW_ACLS smbtorture test

 

Hi All,

 

I wanted to check the state of the ACL evaluation engine in Samba.  I
have configured my Linux SLES 10, Samba version 3.5.1-3.3-2332 with "ea
support = yes", "store dos attributes=yes", "vfs objects = acl_xattr"
and get lots of error + some failure messages.

I attached the results of running the test against both Samba and a
native Windows 2003 CIFS server.

 

Finally the test itself seems to error out.

 

Are there known issues in the Samba ACL evaluation engine?  Is it being
worked on?

 

Thank you for any information/suggestions.

 

Regards.

-Shyam

 


