source4/torture: Add SEC_STD_DELETE to enable proper cleanup

basic.maximum_allowed and smb2.maximum_allowed attempt to unlink the
files created by those tests. But the restrictive SD with which they
were created prohibits the deletion inside shares where vfs_acl_xattr
is configured including "ignore system acls". The very same file will
otherwise cause problems while progressing with remaining sub tests.
SEC_STD_DELETE could be the minimum required additional access mask
to successfully delete the file under the said configuration using
vfs_acl_xattr and "ignore system acls" option without loosing the
integrity of the overall test.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Feb 26 18:35:43 UTC 2024 on atb-devel-224

diff --git a/source4/torture/basic/denytest.c b/source4/torture/basic/denytest.c
index c9f4a97743e25263bf14eb2dbd7d3a116fd9a32b..ba636fe2a9548c7c42a1f87c144424e11c12d79a 100644 (file)
--- a/source4/torture/basic/denytest.c
+++ b/source4/torture/basic/denytest.c
@@ -2680,10 +2680,11 @@ bool torture_maximum_allowed(struct torture_context *tctx,
        struct security_descriptor *sd, *sd_orig;
        union smb_open io;
        static TALLOC_CTX *mem_ctx;
-       int fnum, i;
+       int fnum, fnum1 = -1, i;
        bool ret = true;
        NTSTATUS status;
        union smb_fileinfo q;
+       union smb_setfileinfo set;
        const char *owner_sid;
        bool has_restore_privilege, has_backup_privilege, has_system_security_privilege;
 
@@ -2813,7 +2814,34 @@ bool torture_maximum_allowed(struct torture_context *tctx,
                smbcli_close(cli->tree, fnum);
        }
 
+       io.generic.level = RAW_OPEN_NTTRANS_CREATE;
+       io.ntcreatex.in.access_mask = SEC_STD_WRITE_DAC;
+       io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
+       io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
+       io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
+       io.ntcreatex.in.fname = MAXIMUM_ALLOWED_FILE;
+
+       status = smb_raw_open(cli->tree, mem_ctx, &io);
+       CHECK_STATUS(status, NT_STATUS_OK);
+       fnum1 = io.ntcreatex.out.file.fnum;
+
+       sd = security_descriptor_dacl_create(tctx,
+                                       0, NULL, NULL,
+                                       SID_NT_AUTHENTICATED_USERS,
+                                       SEC_ACE_TYPE_ACCESS_ALLOWED,
+                                       SEC_STD_DELETE,
+                                       0,
+                                       NULL);
+       set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+       set.set_secdesc.in.file.fnum = fnum1;
+       set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+       set.set_secdesc.in.sd = sd;
+
+       status = smb_raw_setfileinfo(cli->tree, &set);
+       CHECK_STATUS(status, NT_STATUS_OK);
+
  done:
+       smbcli_close(cli->tree, fnum1);
        smbcli_unlink(cli->tree, MAXIMUM_ALLOWED_FILE);
        return ret;
 }

diff --git a/source4/torture/smb2/max_allowed.c b/source4/torture/smb2/max_allowed.c
index af8b08ac9a92170439a6624d08f8df9b8a4ab57d..6d69b84fbe67f9ec201af9b724808db1c1976c33 100644 (file)
--- a/source4/torture/smb2/max_allowed.c
+++ b/source4/torture/smb2/max_allowed.c
@@ -33,11 +33,12 @@ static bool torture_smb2_maximum_allowed(struct torture_context *tctx,
        struct security_descriptor *sd = NULL, *sd_orig = NULL;
        struct smb2_create io = {0};
        TALLOC_CTX *mem_ctx = NULL;
-       struct smb2_handle fnum = {{0}};
+       struct smb2_handle fnum = {{0}}, fnum1 = {{0}};
        int i;
        bool ret = true;
        NTSTATUS status;
        union smb_fileinfo q;
+       union smb_setfileinfo set;
        const char *owner_sid = NULL;
        bool has_restore_privilege, has_backup_privilege, has_system_security_privilege;
 
@@ -82,7 +83,7 @@ static bool torture_smb2_maximum_allowed(struct torture_context *tctx,
        q.query_secdesc.in.file.handle = fnum;
        q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
        status = smb2_getinfo_file(tree, tctx, &q);
-       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, set_sd,
                talloc_asprintf(tctx, "Incorrect status %s - should be %s\n",
                                nt_errstr(status), nt_errstr(NT_STATUS_OK)));
        sd_orig = q.query_secdesc.out.sd;
@@ -159,21 +160,21 @@ static bool torture_smb2_maximum_allowed(struct torture_context *tctx,
                if (mask & ok_mask ||
                    mask == SEC_FLAG_MAXIMUM_ALLOWED) {
                        torture_assert_ntstatus_ok_goto(tctx, status, ret,
-                               done, talloc_asprintf(tctx,
+                               set_sd, talloc_asprintf(tctx,
                                "Incorrect status %s - should be %s\n",
                                nt_errstr(status), nt_errstr(NT_STATUS_OK)));
                } else {
                        if (mask & SEC_FLAG_SYSTEM_SECURITY) {
                                torture_assert_ntstatus_equal_goto(tctx,
                                        status, NT_STATUS_PRIVILEGE_NOT_HELD,
-                                       ret, done, talloc_asprintf(tctx,
+                                       ret, set_sd, talloc_asprintf(tctx,
                                        "Incorrect status %s - should be %s\n",
                                        nt_errstr(status),
                                        nt_errstr(NT_STATUS_PRIVILEGE_NOT_HELD)));
                        } else {
                                torture_assert_ntstatus_equal_goto(tctx,
                                        status, NT_STATUS_ACCESS_DENIED,
-                                       ret, done, talloc_asprintf(tctx,
+                                       ret, set_sd, talloc_asprintf(tctx,
                                        "Incorrect status %s - should be %s\n",
                                        nt_errstr(status),
                                        nt_errstr(NT_STATUS_ACCESS_DENIED)));
@@ -185,7 +186,38 @@ static bool torture_smb2_maximum_allowed(struct torture_context *tctx,
                smb2_util_close(tree, fnum);
        }
 
+set_sd:
+       io.in.desired_access = SEC_STD_WRITE_DAC;
+       io.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
+       io.in.create_disposition = NTCREATEX_DISP_OPEN;
+       io.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS;
+       io.in.fname = MAXIMUM_ALLOWED_FILE;
+
+       status = smb2_create(tree, mem_ctx, &io);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+               talloc_asprintf(tctx, "Incorrect status %s - should be %s\n",
+                               nt_errstr(status), nt_errstr(NT_STATUS_OK)));
+       fnum1 = io.out.file.handle;
+
+       sd = security_descriptor_dacl_create(tctx,
+                                       0, NULL, NULL,
+                                       SID_NT_AUTHENTICATED_USERS,
+                                       SEC_ACE_TYPE_ACCESS_ALLOWED,
+                                       SEC_STD_DELETE,
+                                       0,
+                                       NULL);
+       set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+       set.set_secdesc.in.file.handle = fnum1;
+       set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+       set.set_secdesc.in.sd = sd;
+
+       status = smb2_setinfo_file(tree, &set);
+       torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+               talloc_asprintf(tctx, "Incorrect status %s - should be %s\n",
+                               nt_errstr(status), nt_errstr(NT_STATUS_OK)));
+
  done:
+       smb2_util_close(tree, fnum1);
        smb2_util_unlink(tree, MAXIMUM_ALLOWED_FILE);
        talloc_free(mem_ctx);
        return ret;