[PATCH 0/3] Fix master to pass smbtorture smb2.acls and raw.acls tests - v2 - with Simo fixes.
Jeremy Allison
jra at samba.org
Mon Nov 19 16:44:11 MST 2012
On Tue, Nov 20, 2012 at 12:15:15AM +0100, Michael Adam wrote:
> For a start, I pushed the first two patches to autobuild.
Thanks !
> The change to the smb2.acls test, I have not yet quite
> understood, especially since that code path is not
> run at all in any tests I see. We should re-discuss this one.
Ok, let me try and explain better. In the raw.acl SMB1
test code that is the basis for the smb2.acl test code
(file source4/torture/raw/acls.c) in the inheritance
test we have a specific change in the default ACL
creation to cope with the Samba4 file server.
In source4/torture/raw/acls.c it looks like this:

    if (torture_setting_bool(tctx, "samba4", false)) {
        /* the default ACL in Samba4 includes the group and
           other permissions */
        sd_def1 = security_descriptor_dacl_create(tctx,
                                                  0, owner_sid, NULL,
                                                  owner_sid,
                                                  SEC_ACE_TYPE_ACCESS_ALLOWED,
                                                  SEC_RIGHTS_FILE_ALL,
                                                  0,
                                                  group_sid,
                                                  SEC_ACE_TYPE_ACCESS_ALLOWED,
                                                  SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE,
                                                  0,
                                                  SID_WORLD,
                                                  SEC_ACE_TYPE_ACCESS_ALLOWED,
                                                  SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE,
                                                  0,
                                                  SID_NT_SYSTEM,
                                                  SEC_ACE_TYPE_ACCESS_ALLOWED,
                                                  SEC_RIGHTS_FILE_ALL,
                                                  0,
                                                  NULL);
    } else {
        /*
         * The Windows Default ACL for a new file, when there is no ACL to be
         * inherited: FullControl for the owner and SYSTEM.
         */
        sd_def1 = security_descriptor_dacl_create(tctx,
                                                  0, owner_sid, NULL,
                                                  owner_sid,
                                                  SEC_ACE_TYPE_ACCESS_ALLOWED,
                                                  SEC_RIGHTS_FILE_ALL,
                                                  0,
                                                  SID_NT_SYSTEM,
                                                  SEC_ACE_TYPE_ACCESS_ALLOWED,
                                                  SEC_RIGHTS_FILE_ALL,
                                                  0,
                                                  NULL);
    }

The reason for this is that the default Windows ACL on a new
file that is created inside a directory with no inheritance
from the parent directory, and no provided security descriptor
is:

    owner-sid: Full control
    SYSTEM: full control

When we're doing the same on a POSIX file system we don't
emulate that - it makes no sense on a file system that needs
to have underlying POSIX permissions underneath.
The patch we're discussing adds the same default ACL to
the smb2 ACL tests as we're using in the smb1 ACL tests,
as we'll get the same value back.
The question I'd like to discuss is that now we have
a unified file server, we really should remove the
distinctions saying:

    if (torture_setting_bool(tctx, "samba4", false)) and
    if (torture_setting_bool(tctx, "samba3", false))

and make the tests pass by using:

    if (torture_setting_bool(tctx, "samba_smbd", false))

and

    if (torture_setting_bool(tctx, "samba_ntfs", false))

to differentiate the tests against the smbd and ntvfs
fileserver code.
Jeremy.
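
The point above about POSIX-backed servers, as an added example that is not part of the original message and is not Samba code: a simplified model that derives a new file's default DACL from its mode bits, which is why group and world ACEs show up next to owner and SYSTEM. The mapping rule, the function names, the trustee labels and the sample modes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* NT file access masks (values of the constants named in the test code). */
#define SEC_RIGHTS_FILE_ALL  0x001F01FFu
#define SEC_RIGHTS_FILE_READ 0x00120089u
#define SEC_FILE_EXECUTE     0x00000020u

struct ace { const char *trustee; uint32_t mask; };

/* Assumed rule, for illustration only: read+write -> full control,
 * read only -> read and execute, anything else -> no rights. */
static uint32_t triplet_mask(unsigned rwx)
{
	if ((rwx & 6) == 6) return SEC_RIGHTS_FILE_ALL;
	if (rwx & 4) return SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
	return 0;
}

/* Build the default DACL a POSIX-backed server would report for a new
 * file: one ACE per mode triplet that grants something, then SYSTEM. */
static int posix_default_dacl(unsigned mode, struct ace out[4])
{
	const char *who[3] = { "owner", "group", "WORLD" };
	int n = 0;
	for (int i = 0; i < 3; i++) {
		uint32_t m = triplet_mask((mode >> (6 - 3 * i)) & 7);
		if (m) out[n++] = (struct ace){ who[i], m };
	}
	out[n++] = (struct ace){ "SYSTEM", SEC_RIGHTS_FILE_ALL };
	return n;
}

int main(void)
{
	unsigned modes[] = { 0644, 0600 };   /* constructed sample modes */
	for (int k = 0; k < 2; k++) {
		struct ace dacl[4];
		int n = posix_default_dacl(modes[k], dacl);
		printf("mode %04o:\n", modes[k]);
		for (int i = 0; i < n; i++)
			printf("  %-6s 0x%08x\n", dacl[i].trustee, (unsigned)dacl[i].mask);
	}
	return 0;
}
```

Under this model, mode 0644 gives the four-ACE shape of the "samba4" branch quoted above, while mode 0600 collapses to the owner-plus-SYSTEM shape of the Windows default.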