From: Ralph Boehme Date: Fri, 6 Oct 2017 13:31:20 +0000 (+0200) Subject: selftest: tests for change ownership on a file X-Git-Tag: tevent-0.9.34~247 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4b2e171e6b90f9c3594ebb705a28c66b981c2bf5;p=thirdparty%2Fsamba.git selftest: tests for change ownership on a file This test verifies that SEC_STD_WRITE_OWNER only effectively grants take-ownership permissions but NOT give-ownership. The latter requires SeRestorePrivilege privilege. Bug: https://bugzilla.samba.org/show_bug.cgi?id=7933 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison --- diff --git a/selftest/knownfail.d/samba3.blackbox.give_owner b/selftest/knownfail.d/samba3.blackbox.give_owner new file mode 100644 index 00000000000..28fc0c03236 --- /dev/null +++ b/selftest/knownfail.d/samba3.blackbox.give_owner @@ -0,0 +1 @@ +samba3.blackbox.give_owner.give owner without SeRestorePrivilege\(fileserver\) diff --git a/source3/script/tests/test_give_owner.sh b/source3/script/tests/test_give_owner.sh new file mode 100755 index 00000000000..64e09f3c2b4 --- /dev/null +++ b/source3/script/tests/test_give_owner.sh @@ -0,0 +1,121 @@ +#!/bin/sh +# +# this verifies that SEC_STD_WRITE_OWNER only effectively grants take-ownership +# permissions but NOT give-ownership. +# + +if [ $# -lt 9 ]; then + echo "Usage: $0 SERVER SERVER_IP USERNAME PASSWORD PREFIX SMBCLIENT SMBCACLS NET SHARE" + exit 1 +fi + +SERVER="$1" +SERVER_IP="$2" +USERNAME="$3" +PASSWORD="$4" +PREFIX="$5" +SMBCLIENT="$6" +SMBCACLS="$7" +NET="$8" +SHARE="$9" + +SMBCLIENT="$VALGRIND ${SMBCLIENT}" +SMBCACLS="$VALGRIND ${SMBCACLS}" +NET="$VALGRIND ${NET}" +failed=0 + +incdir=`dirname $0`/../../../testprogs/blackbox +. $incdir/subunit.sh + +setup_testfile() { + local share=$1 + local fname=$2 + touch $PREFIX/$fname + $SMBCLIENT //$SERVER/$share -U $USERNAME%$PASSWORD -c "rm $fname" + $SMBCLIENT //$SERVER/$share -U $USERNAME%$PASSWORD -c "ls" | grep "$fname" && return 1 + $SMBCLIENT //$SERVER/$share -U $USERNAME%$PASSWORD -c "lcd $PREFIX; put $fname" || return 1 +} + +remove_testfile() { + local share=$1 + local fname=$2 + $SMBCLIENT //$SERVER/$share -U $USERNAME%$PASSWORD -c "rm $fname" +} + +set_win_owner() { + local share=$1 + local fname=$2 + local owner=$3 + echo "$SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD -C '$owner'" + $SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD -C "$owner" || return 1 +} + +win_owner_is() { + local share=$1 + local fname=$2 + local expected_owner=$3 + local actual_owner + + echo "$SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD" + $SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD + actual_owner=$($SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD | sed -rn 's/^OWNER:(.*)/\1/p') + echo "actual_owner = $actual_owner" + if ! test "x$actual_owner" = "x$expected_owner" ; then + echo "Actual owner of $share/$fname is [$actual_owner] expected [$expected_owner]" + return 1 + fi + return 0 +} + +add_ace() { + local share=$1 + local fname=$2 + local ace=$3 + + local_ace=$(echo $ace | sed 's|\\|/|') + + # avoid duplicate + out=$($SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD) + echo "$out" | grep "$local_ace" && return 0 + + # add it + $SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD -a "$ace" || return 1 + + # check it's there + out=$($SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD) || return 1 + echo "$out" | grep "$local_ace" || return 1 +} + +chown_give_fails() { + local share=$1 + local fname=$2 + local user=$3 + local expected_error=$4 + + # this must fail + out=$($SMBCACLS //$SERVER/$share $fname -U $USERNAME%$PASSWORD -C "$user") && return 1 + # it failed, now check it returned the expected error code + echo "$out" | grep $expected_error || return 1 +} + +# Create a testfile +testit "create testfile" setup_testfile $SHARE afile || failed=`expr $failed + 1` +testit "verify owner" win_owner_is $SHARE afile "$SERVER/$USERNAME" || failed=`expr $failed + 1` + +# Grant SeRestorePrivilege to the user and full rights on the file +testit "grant SeRestorePrivilege" $NET rpc rights grant $USERNAME SeRestorePrivilege -U $USERNAME%$PASSWORD -I $SERVER_IP || failed=`expr $failed + 1` +testit "grant full rights" add_ace $SHARE afile "ACL:$SERVER\\$USERNAME:ALLOWED/0x0/FULL" || failed=`expr $failed + 1` + +# We have SeRestorePrivilege, so both give and take ownership must succeed +testit "give owner with SeRestorePrivilege" set_win_owner $SHARE afile "$SERVER\user1" || failed=`expr $failed + 1` +testit "verify owner" win_owner_is $SHARE afile "$SERVER/user1" || failed=`expr $failed + 1` +testit "take owner" set_win_owner $SHARE afile "$SERVER\\$USERNAME" || failed=`expr $failed + 1` +testit "verify owner" win_owner_is $SHARE afile "$SERVER/$USERNAME" || failed=`expr $failed + 1` + +# Revoke SeRestorePrivilege, give ownership must fail now with NT_STATUS_INVALID_OWNER +testit "revoke SeRestorePrivilege" $NET rpc rights revoke $USERNAME SeRestorePrivilege -U $USERNAME%$PASSWORD -I $SERVER_IP || failed=`expr $failed + 1` +testit "give owner without SeRestorePrivilege" chown_give_fails $SHARE afile "$SERVER\user1" NT_STATUS_INVALID_OWNER || failed=`expr $failed + 1` + +testit "delete testfile" remove_testfile $SHARE afile || failed=`expr $failed + 1` + +exit $failed diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 4137e2cb46b..8efc42c58d0 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -260,6 +260,7 @@ for env in ["fileserver"]: plantestsuite("samba3.blackbox.inherit_owner.unix.SMB3", env, [os.path.join(samba3srcdir, "script/tests/test_inherit_owner.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$PREFIX', smbclient3, smbcacls, net, 'inherit_owner_u', '0', '1', '-m', 'SMB3']) plantestsuite("samba3.blackbox.large_acl.NT1", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'NT1']) plantestsuite("samba3.blackbox.large_acl.SMB3", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'SMB3']) + plantestsuite("samba3.blackbox.give_owner", env, [os.path.join(samba3srcdir, "script/tests/test_give_owner.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$PREFIX', smbclient3, smbcacls, net, 'tmp']) # # tar command tests