From: Jeremy Allison Date: Tue, 18 May 2021 19:11:46 +0000 (-0700) Subject: s3: torture: Add test for bug 14708 - POSIX default ACL not mapped into returned... X-Git-Tag: tevent-0.11.0~801 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=544289b54bbf85098f4cc354f655290600c7f5ba;p=thirdparty%2Fsamba.git s3: torture: Add test for bug 14708 - POSIX default ACL not mapped into returned Windows ACL for directory handles. Knownfail for now. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14708 Signed-off-by: Jeremy Allison Reviewed-by: Noel Power --- diff --git a/selftest/knownfail.d/posix_dir_default_acl b/selftest/knownfail.d/posix_dir_default_acl new file mode 100644 index 00000000000..5c8a5d9af4e --- /dev/null +++ b/selftest/knownfail.d/posix_dir_default_acl @@ -0,0 +1,2 @@ +^samba3.smbtorture_s3.plain.POSIX-DIR-DEFAULT-ACL.smbtorture\(nt4_dc_smb1\) +^samba3.smbtorture_s3.crypt.POSIX-DIR-DEFAULT-ACL.smbtorture\(nt4_dc_smb1\) diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 11d0a41bda9..20a0e63bed7 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -264,6 +264,7 @@ posix_tests = ["POSIX", "POSIX-APPEND", "POSIX-SYMLINK-ACL", "POSIX-SYMLINK-EA", "POSIX-STAT", "POSIX-SYMLINK-PARENT", "POSIX-SYMLINK-CHMOD", + "POSIX-DIR-DEFAULT-ACL", ] for t in posix_tests: diff --git a/source3/torture/proto.h b/source3/torture/proto.h index 57b1b5fea13..bc2d8c7b3f2 100644 --- a/source3/torture/proto.h +++ b/source3/torture/proto.h @@ -91,6 +91,7 @@ bool run_posix_readlink_test(int dummy); bool run_posix_stat_test(int dummy); bool run_posix_symlink_parent_test(int dummy); bool run_posix_symlink_chmod_test(int dummy); +bool run_posix_dir_default_acl_test(int dummy); bool run_case_insensitive_create(int dummy); bool run_nbench2(int dummy); diff --git a/source3/torture/test_posix.c b/source3/torture/test_posix.c index 33a28866f9f..8c1306c5066 100644 --- a/source3/torture/test_posix.c +++ b/source3/torture/test_posix.c @@ -23,6 +23,7 @@ #include "libsmb/clirap.h" #include "libsmb/proto.h" #include "../libcli/smb/smbXcli_base.h" +#include "util_sd.h" extern struct cli_credentials *torture_creds; extern fstring host, workgroup, share, password, username, myname; @@ -1049,3 +1050,262 @@ out: TALLOC_FREE(frame); return correct; } + +/* + Ensure we get an ACL containing OI|IO ACE entries + after we add a default POSIX ACL to a directory. + This will only ever be an SMB1 test as it depends + on POSIX ACL semantics. + */ +bool run_posix_dir_default_acl_test(int dummy) +{ + TALLOC_CTX *frame = NULL; + struct cli_state *cli_unix = NULL; + NTSTATUS status; + uint16_t fnum = (uint16_t)-1; + const char *dname = "dir_with_default_acl"; + bool correct = false; + SMB_STRUCT_STAT sbuf; + size_t acl_size = 0; + char *aclbuf = NULL; + size_t num_file_acls = 0; + size_t num_dir_acls = 0; + size_t expected_buflen; + uint8_t def_acl[SMB_POSIX_ACL_HEADER_SIZE + + 5*SMB_POSIX_ACL_ENTRY_SIZE] = {0}; + uint8_t *p = NULL; + uint32_t i = 0; + struct security_descriptor *sd = NULL; + bool got_inherit = false; + + frame = talloc_stackframe(); + + printf("Starting POSIX-DIR-DEFAULT-ACL test\n"); + + if (!torture_open_connection(&cli_unix, 0)) { + TALLOC_FREE(frame); + return false; + } + + torture_conn_set_sockopt(cli_unix); + + status = torture_setup_unix_extensions(cli_unix); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return false; + } + + /* Start with a clean slate. */ + cli_posix_unlink(cli_unix, dname); + cli_posix_rmdir(cli_unix, dname); + + status = cli_posix_mkdir(cli_unix, dname, 0777); + if (!NT_STATUS_IS_OK(status)) { + printf("cli_posix_mkdir of %s failed error %s\n", + dname, + nt_errstr(status)); + goto out; + } + + /* Do a posix stat to get the owner. */ + status = cli_posix_stat(cli_unix, dname, &sbuf); + if (!NT_STATUS_IS_OK(status)) { + printf("cli_posix_stat of %s failed %s\n", + dname, + nt_errstr(status)); + goto out; + } + + /* Get the ACL on the directory. */ + status = cli_posix_getacl(cli_unix, dname, frame, &acl_size, &aclbuf); + if (!NT_STATUS_IS_OK(status)) { + printf("cli_posix_getacl on %s failed %s\n", + dname, + nt_errstr(status)); + goto out; + } + + if (acl_size < 6 || SVAL(aclbuf,0) != SMB_POSIX_ACL_VERSION) { + printf("%s, unknown POSIX acl version %u.\n", + dname, + (unsigned int)CVAL(aclbuf,0) ); + goto out; + } + + num_file_acls = SVAL(aclbuf,2); + num_dir_acls = SVAL(aclbuf,4); + + /* + * No overflow check, num_*_acls comes from a 16-bit value, + * and we expect expected_buflen (size_t) to be of at least 32 + * bit. + */ + expected_buflen = SMB_POSIX_ACL_HEADER_SIZE + + SMB_POSIX_ACL_ENTRY_SIZE*(num_file_acls+num_dir_acls); + + if (acl_size != expected_buflen) { + printf("%s, incorrect POSIX acl buffer size " + "(should be %zu, was %zu).\n", + dname, + expected_buflen, + acl_size); + goto out; + } + + if (num_dir_acls != 0) { + printf("%s, POSIX default acl already exists" + "(should be 0, was %zu).\n", + dname, + num_dir_acls); + goto out; + } + + /* + * Get the Windows ACL on the directory. + * Make sure there are no inheritable entries. + */ + status = cli_ntcreate(cli_unix, + dname, + 0, + SEC_STD_READ_CONTROL, + 0, + FILE_SHARE_READ| + FILE_SHARE_WRITE| + FILE_SHARE_DELETE, + FILE_OPEN, + FILE_DIRECTORY_FILE, + 0x0, + &fnum, + NULL); + if (!NT_STATUS_IS_OK(status)) { + printf("Failed to open directory %s: %s\n", + dname, + nt_errstr(status)); + goto out; + } + + status = cli_query_security_descriptor(cli_unix, + fnum, + SECINFO_DACL, + frame, + &sd); + if (!NT_STATUS_IS_OK(status)) { + printf("Failed to get security descriptor on directory %s: %s\n", + dname, + nt_errstr(status)); + goto out; + } + + for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) { + struct security_ace *ace = &sd->dacl->aces[i]; + if (ace->flags & (SEC_ACE_FLAG_OBJECT_INHERIT| + SEC_ACE_FLAG_CONTAINER_INHERIT)) { + printf("security descritor on directory %s already " + "contains inheritance flags\n", + dname); + sec_desc_print(NULL, stdout, sd, true); + goto out; + } + } + + TALLOC_FREE(sd); + + /* Construct a new default ACL. */ + SSVAL(def_acl,0,SMB_POSIX_ACL_VERSION); + SSVAL(def_acl,2,SMB_POSIX_IGNORE_ACE_ENTRIES); + SSVAL(def_acl,4,5); /* num_dir_acls. */ + + p = def_acl + SMB_POSIX_ACL_HEADER_SIZE; + + /* USER_OBJ. */ + SCVAL(p,0,SMB_POSIX_ACL_USER_OBJ); /* tagtype. */ + SCVAL(p,1,SMB_POSIX_ACL_READ|SMB_POSIX_ACL_WRITE|SMB_POSIX_ACL_EXECUTE); + p += SMB_POSIX_ACL_ENTRY_SIZE; + + /* GROUP_OBJ. */ + SCVAL(p,0,SMB_POSIX_ACL_GROUP_OBJ); /* tagtype. */ + SCVAL(p,1,SMB_POSIX_ACL_READ|SMB_POSIX_ACL_WRITE|SMB_POSIX_ACL_EXECUTE); + p += SMB_POSIX_ACL_ENTRY_SIZE; + + /* OTHER. */ + SCVAL(p,0,SMB_POSIX_ACL_OTHER); /* tagtype. */ + SCVAL(p,1,SMB_POSIX_ACL_READ|SMB_POSIX_ACL_WRITE|SMB_POSIX_ACL_EXECUTE); + p += SMB_POSIX_ACL_ENTRY_SIZE; + + /* Explicit user. */ + SCVAL(p,0,SMB_POSIX_ACL_USER); /* tagtype. */ + SCVAL(p,1,SMB_POSIX_ACL_READ|SMB_POSIX_ACL_WRITE|SMB_POSIX_ACL_EXECUTE); + SIVAL(p,2,sbuf.st_ex_uid); + p += SMB_POSIX_ACL_ENTRY_SIZE; + + /* MASK. */ + SCVAL(p,0,SMB_POSIX_ACL_MASK); /* tagtype. */ + SCVAL(p,1,SMB_POSIX_ACL_READ|SMB_POSIX_ACL_WRITE|SMB_POSIX_ACL_EXECUTE); + p += SMB_POSIX_ACL_ENTRY_SIZE; + + /* Set the POSIX default ACL. */ + status = cli_posix_setacl(cli_unix, dname, def_acl, sizeof(def_acl)); + if (!NT_STATUS_IS_OK(status)) { + printf("cli_posix_setacl on %s failed %s\n", + dname, + nt_errstr(status)); + goto out; + } + + /* + * Get the Windows ACL on the directory again. + * Now there should be inheritable entries. + */ + + status = cli_query_security_descriptor(cli_unix, + fnum, + SECINFO_DACL, + frame, + &sd); + if (!NT_STATUS_IS_OK(status)) { + printf("Failed (2) to get security descriptor " + "on directory %s: %s\n", + dname, + nt_errstr(status)); + goto out; + } + + for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) { + struct security_ace *ace = &sd->dacl->aces[i]; + if (ace->flags & (SEC_ACE_FLAG_OBJECT_INHERIT| + SEC_ACE_FLAG_CONTAINER_INHERIT)) { + got_inherit = true; + break; + } + } + + if (!got_inherit) { + printf("security descritor on directory %s does not " + "contain inheritance flags\n", + dname); + sec_desc_print(NULL, stdout, sd, true); + goto out; + } + + cli_close(cli_unix, fnum); + fnum = (uint16_t)-1; + printf("POSIX-DIR-DEFAULT-ACL test passed\n"); + correct = true; + +out: + + TALLOC_FREE(sd); + + if (fnum != (uint16_t)-1) { + cli_close(cli_unix, fnum); + } + cli_posix_unlink(cli_unix, dname); + cli_posix_rmdir(cli_unix, dname); + + if (!torture_close_connection(cli_unix)) { + correct = false; + } + + TALLOC_FREE(frame); + return correct; +} diff --git a/source3/torture/torture.c b/source3/torture/torture.c index 68e2cd2ba20..06bb44943e6 100644 --- a/source3/torture/torture.c +++ b/source3/torture/torture.c @@ -14955,6 +14955,10 @@ static struct { .name = "POSIX-SYMLINK-CHMOD", .fn = run_posix_symlink_chmod_test, }, + { + .name = "POSIX-DIR-DEFAULT-ACL", + .fn = run_posix_dir_default_acl_test, + }, { .name = "WINDOWS-BAD-SYMLINK", .fn = run_symlink_open_test, diff --git a/source3/wscript_build b/source3/wscript_build index 4703d5baff4..d0fda816f56 100644 --- a/source3/wscript_build +++ b/source3/wscript_build @@ -1225,6 +1225,7 @@ bld.SAMBA3_BINARY('smbtorture' + bld.env.suffix3, torture/test_idmap_cache.c torture/test_hidenewfiles.c torture/test_readdir_timestamp.c + lib/util_sd.c ''' + TORTURE3_ADDITIONAL_SOURCE, deps=''' talloc @@ -1238,6 +1239,7 @@ bld.SAMBA3_BINARY('smbtorture' + bld.env.suffix3, NDR_OPEN_FILES idmap IDMAP_TDB_COMMON + libcli_lsa3 samba-cluster-support ''', cflags='-DWINBINDD_SOCKET_DIR=\"%s\"' % bld.env.WINBINDD_SOCKET_DIR,