[PATCH 0/3] Fix master to pass smbtorture smb2.acls and raw.acls tests - v2 - with Simo fixes.
Stefan (metze) Metzmacher
metze at samba.org
Tue Nov 20 00:21:12 MST 2012
On 20.11.2012 00:44, Jeremy Allison wrote:
> On Tue, Nov 20, 2012 at 12:15:15AM +0100, Michael Adam wrote:
>> For a start, I pushed the first two patches to autobuild.
>
> Thanks !
>
>> The change to the smb2.acls test, I have not yet quite
>> understood, especially since that code path is not
>> run at all in any tests I see. We should re-discuss this one.
>
> Ok, let me try and explain better. In the raw.acl SMB1
> test code that is the basis for the smb2.acl test code
> (file source4/torture/raw/acls.c) in the inheritance
> test we have a specific change in the default ACL
> creation to cope with the Samba4 file server.
>
> In source4/torture/raw/acls.c it looks like this:
>
> 	if (torture_setting_bool(tctx, "samba4", false)) {
> 		/* the default ACL in Samba4 includes the group and
> 		   other permissions */
> 		sd_def1 = security_descriptor_dacl_create(tctx,
> 						0, owner_sid, NULL,
> 						owner_sid,
> 						SEC_ACE_TYPE_ACCESS_ALLOWED,
> 						SEC_RIGHTS_FILE_ALL,
> 						0,
> 						group_sid,
> 						SEC_ACE_TYPE_ACCESS_ALLOWED,
> 						SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE,
> 						0,
> 						SID_WORLD,
> 						SEC_ACE_TYPE_ACCESS_ALLOWED,
> 						SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE,
> 						0,
> 						SID_NT_SYSTEM,
> 						SEC_ACE_TYPE_ACCESS_ALLOWED,
> 						SEC_RIGHTS_FILE_ALL,
> 						0,
> 						NULL);
> 	} else {
> 		/*
> 		 * The Windows Default ACL for a new file, when there is no ACL to be
> 		 * inherited: FullControl for the owner and SYSTEM.
> 		 */
> 		sd_def1 = security_descriptor_dacl_create(tctx,
> 						0, owner_sid, NULL,
> 						owner_sid,
> 						SEC_ACE_TYPE_ACCESS_ALLOWED,
> 						SEC_RIGHTS_FILE_ALL,
> 						0,
> 						SID_NT_SYSTEM,
> 						SEC_ACE_TYPE_ACCESS_ALLOWED,
> 						SEC_RIGHTS_FILE_ALL,
> 						0,
> 						NULL);
> 	}
>
> The reason for this is that the default Windows ACL on a new
> file that is created inside a directory with no inheritance
> from the parent directory, and no provided security descriptor
> is:
>
> owner-sid: Full control
> SYSTEM: full control
>
> When we're doing the same on a POSIX file system we don't
> emulate that - it makes no sense on a file system that needs
> to have underlying POSIX permissions underneath.
>
> The patch we're discussing adds the same default ACL to
> the smb2 ACL tests as we're using in the smb1 ACL tests,
> as we'll get the same value back.
>
> The question I'd like to discuss is that now we have
> a unified file server, we really should remove the
> distinctions saying:
>
> if (torture_setting_bool(tctx, "samba4", false)) and
> if (torture_setting_bool(tctx, "samba3", false))
>
> and make the tests pass by using:
>
> if (torture_setting_bool(tctx, "samba_smbd", false))
> and
> if (torture_setting_bool(tctx, "samba_ntfs", false))
>
> to differentiate the tests against the smbd and ntvfs
> fileserver code.
I'd prefer to remove this completely (and only expect Windows behavior)
and add failing tests to the knownfail file.
If this behavior test is part of a larger test, we should isolate it
as a separate test.
metze