From: Jeremy Allison <jra@samba.org>
Date: Sat, 18 Apr 2020 00:39:22 +0000 (-0700)
Subject: s3: torture: Call the smbtorture3 SMB2-SACL test.
X-Git-Tag: ldb-2.2.0~903
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b338636a1e8a5d426728c5fea1515642ef7ca881;p=thirdparty%2Fsamba.git

s3: torture: Call the smbtorture3 SMB2-SACL test.

Calls the test in the previous commit by adding
SeSecurityPrivilege first, running the SMB2-SACL test
then removing SeSecurityPrivilege.

Demonstrates the difference between server behavior
with SEC_FLAG_SYSTEM_SECURITY against SMB1 and SMB2 servers.

Mark as knownfail for now.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---

diff --git a/selftest/knownfail.d/sacl_set_get b/selftest/knownfail.d/sacl_set_get
new file mode 100644
index 00000000000..6aee383ba02
--- /dev/null
+++ b/selftest/knownfail.d/sacl_set_get
@@ -0,0 +1,2 @@
+^samba3.blackbox.sacl_get_set.SACL set_get\(fileserver\)
+
diff --git a/source3/script/tests/test_sacl_set_get.sh b/source3/script/tests/test_sacl_set_get.sh
new file mode 100755
index 00000000000..68a9057d4ce
--- /dev/null
+++ b/source3/script/tests/test_sacl_set_get.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+#
+# Runs the smbtorture3 SMB2-SACL test
+# that requres SeSecurityPrivilege
+# against Samba.
+#
+
+if [ $# -lt 7 ]; then
+    echo "Usage: $0 SERVER SERVER_IP USERNAME PASSWORD SMBTORTURE3 NET SHARE"
+    exit 1
+fi
+
+SERVER="$1"
+SERVER_IP="$2"
+USERNAME="$3"
+PASSWORD="$4"
+SMBTORTURE3="$5"
+NET="$6"
+SHARE="$7"
+
+failed=0
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+sacl_set_get() {
+    out=$($SMBTORTURE3 //$SERVER_IP/$SHARE -U $USERNAME%$PASSWORD SMB2-SACL)
+    if [ $? -ne 0 ] ; then
+	echo "SMB2-SACL failed"
+	echo "$out"
+	return 1
+    fi
+}
+
+# Grant SeSecurityPrivilege to the user
+testit "grant SeSecurityPrivilege" $NET rpc rights grant $USERNAME SeSecurityPrivilege -U $USERNAME%$PASSWORD -I $SERVER_IP || failed=`expr $failed + 1`
+
+# Run the tests.
+testit "SACL set_get" sacl_set_get || failed=`expr $failed + 1`
+
+# Revoke SeSecurityPrivilege
+testit "revoke SeSecurityPrivilege" $NET rpc rights revoke $USERNAME SeSecurityPrivilege -U $USERNAME%$PASSWORD -I $SERVER_IP || failed=`expr $failed + 1`
+
+exit $failed
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index e693f50dc30..a536a473cb5 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -415,6 +415,9 @@ for env in ["fileserver"]:
     plantestsuite("samba3.blackbox.smb1_system_security", env + "_smb1_done",
                   [os.path.join(samba3srcdir, "script/tests/test_smb1_system_security.sh"),
                    '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', smbtorture3, net, 'tmp'])
+    plantestsuite("samba3.blackbox.sacl_get_set", env,
+                  [os.path.join(samba3srcdir, "script/tests/test_sacl_set_get.sh"),
+                   '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', smbtorture3, net, 'tmp'])
 
     #
     # tar command tests