summaryrefslogtreecommitdiffstats
path: root/testsuite/smbd
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
commit4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree8ce7b00f7a76baa386372422adebbe64510812d4 /testsuite/smbd
parentInitial commit. (diff)
downloadsamba-upstream.tar.xz
samba-upstream.zip
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testsuite/smbd')
-rw-r--r--testsuite/smbd/Makefile.se_access_check24
-rw-r--r--testsuite/smbd/Makefile.sec_ctx57
-rw-r--r--testsuite/smbd/se_access_check.exp53
-rw-r--r--testsuite/smbd/se_access_check_allowall.c86
-rw-r--r--testsuite/smbd/se_access_check_allowsome.c103
-rw-r--r--testsuite/smbd/se_access_check_denyall.c85
-rw-r--r--testsuite/smbd/se_access_check_denysome.c105
-rw-r--r--testsuite/smbd/se_access_check_empty.c108
-rw-r--r--testsuite/smbd/se_access_check_nullsd.c73
-rw-r--r--testsuite/smbd/se_access_check_printer.c211
-rw-r--r--testsuite/smbd/se_access_check_utils.c158
-rw-r--r--testsuite/smbd/se_access_check_utils.h45
-rw-r--r--testsuite/smbd/sec_ctx.exp66
-rw-r--r--testsuite/smbd/sec_ctx1.c39
-rw-r--r--testsuite/smbd/sec_ctx_current_user.c113
-rw-r--r--testsuite/smbd/sec_ctx_flow.c72
-rw-r--r--testsuite/smbd/sec_ctx_groups.c130
-rw-r--r--testsuite/smbd/sec_ctx_nonroot.c41
-rw-r--r--testsuite/smbd/sec_ctx_root.c60
-rw-r--r--testsuite/smbd/sec_ctx_stack.c85
-rw-r--r--testsuite/smbd/sec_ctx_torture.c102
-rw-r--r--testsuite/smbd/sec_ctx_utils.c64
-rw-r--r--testsuite/smbd/sec_ctx_utils.h29
-rw-r--r--testsuite/smbd/sighup.exp107
24 files changed, 2016 insertions, 0 deletions
diff --git a/testsuite/smbd/Makefile.se_access_check b/testsuite/smbd/Makefile.se_access_check
new file mode 100644
index 0000000..5637fa2
--- /dev/null
+++ b/testsuite/smbd/Makefile.se_access_check
@@ -0,0 +1,24 @@
+#
+# Makefile for se_access_check tests
+#
+
+include ../../source/Makefile
+
+# Objects common to all tests
+
+SE_ACCESS_CHECK_OBJ1 = $(LIB_OBJ) $(UBIQX_OBJ) $(PARAM_OBJ) $(RPC_PARSE_OBJ) \
+ $(LIBSMB_OBJ) lib/util_seaccess.o nsswitch/common.o
+
+SE_ACCESS_CHECK_OBJS = $(SE_ACCESS_CHECK_OBJ1:%=$(srcdir)/%) \
+ se_access_check_utils.o
+
+# Targets for individual tests
+
+se_access_check_nullsd: $(SE_ACCESS_CHECK_OBJS) se_access_check_nullsd.o
+se_access_check_everyone: $(SE_ACCESS_CHECK_OBJS) se_access_check_everyone.o
+se_access_check_allowall: $(SE_ACCESS_CHECK_OBJS) se_access_check_allowall.o
+se_access_check_denyall: $(SE_ACCESS_CHECK_OBJS) se_access_check_denyall.o
+se_access_check_allowsome: $(SE_ACCESS_CHECK_OBJS) se_access_check_allowsome.o
+se_access_check_denysome: $(SE_ACCESS_CHECK_OBJS) se_access_check_denysome.o
+se_access_check_empty: $(SE_ACCESS_CHECK_OBJS) se_access_check_empty.o
+se_access_check_printer: $(SE_ACCESS_CHECK_OBJS) se_access_check_printer.o
diff --git a/testsuite/smbd/Makefile.sec_ctx b/testsuite/smbd/Makefile.sec_ctx
new file mode 100644
index 0000000..c45ab5b
--- /dev/null
+++ b/testsuite/smbd/Makefile.sec_ctx
@@ -0,0 +1,57 @@
+#
+# Makefile for sec_ctx tests
+#
+
+include ../../source/Makefile
+
+# Objects common to all tests
+
+SEC_CTX_OBJ1 = $(RPC_CLIENT_OBJ) $(LIB_OBJ) $(RPC_PARSE_OBJ) $(PARAM_OBJ) \
+ $(LIBSMB_OBJ) $(PASSDB_OBJ) $(UBIQX_OBJ) smbd/password.o smbd/uid.o \
+ smbd/chgpasswd.o smbd/sec_ctx.o
+
+SEC_CTX_OBJS = $(SEC_CTX_OBJ1:%=$(srcdir)/%) sec_ctx_utils.o
+
+# Targets for tests
+
+SEC_CTX_NONROOT_OBJS = $(SEC_CTX_OBJS) sec_ctx_nonroot.o
+
+sec_ctx_nonroot: $(SEC_CTX_NONROOT_OBJS)
+ @echo Linking $@
+ @$(CC) $(FLAGS) -o $@ $(SEC_CTX_NONROOT_OBJS) $(LIBS)
+
+SEC_CTX_STACK_OBJS = $(SEC_CTX_OBJS) sec_ctx_stack.o
+
+sec_ctx_stack: $(SEC_CTX_STACK_OBJS)
+ @echo Linking $@
+ @$(CC) $(FLAGS) -o $@ $(SEC_CTX_STACK_OBJS) $(LIBS)
+
+SEC_CTX_FLOW_OBJS = $(SEC_CTX_OBJS) sec_ctx_flow.o
+
+sec_ctx_flow: $(SEC_CTX_FLOW_OBJS)
+ @echo Linking $@
+ @$(CC) $(FLAGS) -o $@ $(SEC_CTX_FLOW_OBJS) $(LIBS)
+
+SEC_CTX_TORTURE_OBJS = $(SEC_CTX_OBJS) sec_ctx_torture.o
+
+sec_ctx_torture: $(SEC_CTX_TORTURE_OBJS)
+ @echo Linking $@
+ @$(CC) $(FLAGS) -o $@ $(SEC_CTX_TORTURE_OBJS) $(LIBS)
+
+SEC_CTX_CURRENT_USER_OBJS = $(SEC_CTX_OBJS) sec_ctx_current_user.o
+
+sec_ctx_current_user: $(SEC_CTX_CURRENT_USER_OBJS)
+ @echo Linking $@
+ @$(CC) $(FLAGS) -o $@ $(SEC_CTX_CURRENT_USER_OBJS) $(LIBS)
+
+SEC_CTX_GROUPS_OBJS = $(SEC_CTX_OBJS) sec_ctx_groups.o
+
+sec_ctx_groups: $(SEC_CTX_GROUPS_OBJS)
+ @echo Linking $@
+ @$(CC) $(FLAGS) -o $@ $(SEC_CTX_GROUPS_OBJS) $(LIBS)
+
+SEC_CTX_ROOT_OBJS = $(SEC_CTX_OBJS) sec_ctx_root.o
+
+sec_ctx_root: $(SEC_CTX_ROOT_OBJS)
+ @echo Linking $@
+ @$(CC) $(FLAGS) -o $@ $(SEC_CTX_ROOT_OBJS) $(LIBS)
diff --git a/testsuite/smbd/se_access_check.exp b/testsuite/smbd/se_access_check.exp
new file mode 100644
index 0000000..a8d92cf
--- /dev/null
+++ b/testsuite/smbd/se_access_check.exp
@@ -0,0 +1,53 @@
+#
+# @(#) Test se_access_check() function
+#
+
+#
+# Unix SMB/Netbios implementation.
+# Copyright (C) Tim Potter 2000
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+
+load_lib "compile.exp"
+load_lib "util-defs.exp"
+
+# Run tests from C source files
+
+set se_access_check_tests [list \
+ { "null security descriptor" "se_access_check_nullsd" } \
+ { "security descriptor allow everyone" "se_access_check_allowall" } \
+ { "security descriptor allow everyone" "se_access_check_allowall" } \
+ { "security descriptor deny everyone" "se_access_check_denyall" } \
+ { "empty security descriptor" "se_access_check_empty" } \
+ { "allow some users access" "se_access_check_allowsome" } \
+ { "deny some users access" "se_access_check_denysome" } \
+ { "printer access permissions" "se_access_check_printer" } \
+ ]
+
+foreach { test } $se_access_check_tests {
+ set test_desc [lindex $test 0]
+ set test_file [lindex $test 1]
+
+ simple_make "se_access_check" $test_file
+ set output [util_start "$srcdir/$subdir/$test_file" ]
+
+ if { [regexp "PASS" $output] } {
+ pass $test_desc
+ file delete "$srcdir/$subdir/$test_file" "$srcdir/$subdir/$test_file.o"
+ } else {
+ fail $test_desc
+ puts $output
+ }
+}
diff --git a/testsuite/smbd/se_access_check_allowall.c b/testsuite/smbd/se_access_check_allowall.c
new file mode 100644
index 0000000..74b9a37
--- /dev/null
+++ b/testsuite/smbd/se_access_check_allowall.c
@@ -0,0 +1,86 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "se_access_check_utils.h"
+
+/* Globals */
+
+BOOL failed;
+SEC_DESC *sd;
+
+struct ace_entry acl_allowall[] = {
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ GENERIC_ALL_ACCESS, "S-1-1-0" },
+ { 0, 0, 0, NULL}
+};
+
+/* Check that access is always allowed for a NULL security descriptor */
+
+BOOL allowall_check(struct passwd *pw, int ngroups, gid_t *groups)
+{
+ uint32 acc_granted, status;
+ BOOL result;
+
+ result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
+ ngroups, groups,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &acc_granted, &status);
+
+ if (!result || status != NT_STATUS_NO_PROBLEMO ||
+ acc_granted != GENERIC_ALL_ACCESS) {
+ printf("FAIL: allowall se_access_check %d/%d\n",
+ pw->pw_uid, pw->pw_gid);
+ failed = True;
+ }
+
+ return True;
+}
+
+/* Main function */
+
+int main(int argc, char **argv)
+{
+ /* Initialisation */
+
+ generate_wellknown_sids();
+
+ /* Create security descriptor */
+
+ sd = build_sec_desc(acl_allowall, NULL, NULL_SID, NULL_SID);
+
+ if (!sd) {
+ printf("FAIL: could not build security descriptor\n");
+ return 1;
+ }
+
+ /* Run test */
+
+ visit_pwdb(allowall_check);
+
+ /* Return */
+
+ if (!failed) {
+ printf("PASS\n");
+ return 0;
+ }
+
+ return 1;
+}
diff --git a/testsuite/smbd/se_access_check_allowsome.c b/testsuite/smbd/se_access_check_allowsome.c
new file mode 100644
index 0000000..1394d5f
--- /dev/null
+++ b/testsuite/smbd/se_access_check_allowsome.c
@@ -0,0 +1,103 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "se_access_check_utils.h"
+
+/* Globals */
+
+BOOL failed;
+SEC_DESC *sd;
+
+struct ace_entry acl_allowsome[] = {
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ GENERIC_ALL_ACCESS, "user0" },
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ GENERIC_ALL_ACCESS, "user2" },
+ { 0, 0, 0, NULL}
+};
+
+BOOL allowsome_check(struct passwd *pw, int ngroups, gid_t *groups)
+{
+ uint32 acc_granted, status;
+ fstring name;
+ BOOL result;
+ int len1, len2;
+
+ /* Check only user0 and user2 allowed access */
+
+ result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
+ ngroups, groups,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &acc_granted, &status);
+
+ len1 = (int)strlen(pw->pw_name) - strlen("user0");
+ len2 = (int)strlen(pw->pw_name) - strlen("user2");
+
+ if ((strncmp("user0", &pw->pw_name[MAX(len1, 0)],
+ strlen("user0")) == 0) ||
+ (strncmp("user2", &pw->pw_name[MAX(len2, 0)],
+ strlen("user2")) == 0)) {
+ if (!result || acc_granted != GENERIC_ALL_ACCESS) {
+ printf("FAIL: access not granted for %s\n",
+ pw->pw_name);
+ }
+ } else {
+ if (result || acc_granted != 0) {
+ printf("FAIL: access granted for %s\n", pw->pw_name);
+ }
+ }
+
+ printf("result %s for user %s\n", result ? "allowed" : "denied",
+ pw->pw_name);
+
+ return True;
+}
+
+/* Main function */
+
+int main(int argc, char **argv)
+{
+ /* Initialisation */
+
+ generate_wellknown_sids();
+
+ /* Create security descriptor */
+
+ sd = build_sec_desc(acl_allowsome, NULL, NULL_SID, NULL_SID);
+
+ if (!sd) {
+ printf("FAIL: could not build security descriptor\n");
+ return 1;
+ }
+
+ /* Run test */
+
+ visit_pwdb(allowsome_check);
+
+ /* Return */
+
+ if (!failed) {
+ printf("PASS\n");
+ return 0;
+ }
+
+ return 1;
+}
diff --git a/testsuite/smbd/se_access_check_denyall.c b/testsuite/smbd/se_access_check_denyall.c
new file mode 100644
index 0000000..efec172
--- /dev/null
+++ b/testsuite/smbd/se_access_check_denyall.c
@@ -0,0 +1,85 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "se_access_check_utils.h"
+
+/* Globals */
+
+BOOL failed;
+SEC_DESC *sd;
+
+struct ace_entry acl_denyall[] = {
+ { SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ GENERIC_ALL_ACCESS, "S-1-1-0" },
+ { 0, 0, 0, NULL}
+};
+
+/* Check that access is always allowed for a NULL security descriptor */
+
+BOOL denyall_check(struct passwd *pw, int ngroups, gid_t *groups)
+{
+ uint32 acc_granted, status;
+ BOOL result;
+
+ result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
+ ngroups, groups,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &acc_granted, &status);
+
+ if (result || acc_granted != 0) {
+ printf("FAIL: denyall se_access_check %d/%d\n",
+ pw->pw_uid, pw->pw_gid);
+ failed = True;
+ }
+
+ return True;
+}
+
+/* Main function */
+
+int main(int argc, char **argv)
+{
+ /* Initialisation */
+
+ generate_wellknown_sids();
+
+ /* Create security descriptor */
+
+ sd = build_sec_desc(acl_denyall, NULL, NULL_SID, NULL_SID);
+
+ if (!sd) {
+ printf("FAIL: could not build security descriptor\n");
+ return 1;
+ }
+
+ /* Run test */
+
+ visit_pwdb(denyall_check);
+
+ /* Return */
+
+ if (!failed) {
+ printf("PASS\n");
+ return 0;
+ }
+
+ return 1;
+}
diff --git a/testsuite/smbd/se_access_check_denysome.c b/testsuite/smbd/se_access_check_denysome.c
new file mode 100644
index 0000000..e690e1a
--- /dev/null
+++ b/testsuite/smbd/se_access_check_denysome.c
@@ -0,0 +1,105 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "se_access_check_utils.h"
+
+/* Globals */
+
+BOOL failed;
+SEC_DESC *sd;
+
+struct ace_entry acl_denysome[] = {
+ { SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ GENERIC_ALL_ACCESS, "user1" },
+ { SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ GENERIC_ALL_ACCESS, "user3" },
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ GENERIC_ALL_ACCESS, "S-1-1-0" },
+ { 0, 0, 0, NULL}
+};
+
+BOOL denysome_check(struct passwd *pw, int ngroups, gid_t *groups)
+{
+ uint32 acc_granted, status;
+ fstring name;
+ BOOL result;
+ int len1, len2;
+
+ /* Check only user1 and user3 denied access */
+
+ result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
+ ngroups, groups,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &acc_granted, &status);
+
+ len1 = (int)strlen(pw->pw_name) - strlen("user1");
+ len2 = (int)strlen(pw->pw_name) - strlen("user3");
+
+ if ((strncmp("user1", &pw->pw_name[MAX(len1, 0)],
+ strlen("user1")) == 0) ||
+ (strncmp("user3", &pw->pw_name[MAX(len2, 0)],
+ strlen("user3")) == 0)) {
+ if (result || acc_granted != 0) {
+ printf("FAIL: access not denied for %s\n",
+ pw->pw_name);
+ }
+ } else {
+ if (!result || acc_granted != GENERIC_ALL_ACCESS) {
+ printf("FAIL: access denied for %s\n", pw->pw_name);
+ }
+ }
+
+ printf("result %s for user %s\n", result ? "allowed" : "denied",
+ pw->pw_name);
+
+ return True;
+}
+
+/* Main function */
+
+int main(int argc, char **argv)
+{
+ /* Initialisation */
+
+ generate_wellknown_sids();
+
+ /* Create security descriptor */
+
+ sd = build_sec_desc(acl_denysome, NULL, NULL_SID, NULL_SID);
+
+ if (!sd) {
+ printf("FAIL: could not build security descriptor\n");
+ return 1;
+ }
+
+ /* Run test */
+
+ visit_pwdb(denysome_check);
+
+ /* Return */
+
+ if (!failed) {
+ printf("PASS\n");
+ return 0;
+ }
+
+ return 1;
+}
diff --git a/testsuite/smbd/se_access_check_empty.c b/testsuite/smbd/se_access_check_empty.c
new file mode 100644
index 0000000..44f5949
--- /dev/null
+++ b/testsuite/smbd/se_access_check_empty.c
@@ -0,0 +1,108 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "se_access_check_utils.h"
+
+/* Globals */
+
+BOOL failed;
+SEC_DESC *sd;
+
+struct ace_entry acl_empty[] = {
+ { 0, 0, 0, NULL}
+};
+
+/* Check that access is always allowed for a NULL security descriptor */
+
+BOOL emptysd_check(struct passwd *pw, int ngroups, gid_t *groups)
+{
+ uint32 acc_granted, status;
+ BOOL result;
+
+ /* For no DACL, access is allowed and the desired access mask is
+ returned */
+
+ result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
+ ngroups, groups,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &acc_granted, &status);
+
+ if (!result || !(acc_granted == SEC_RIGHTS_MAXIMUM_ALLOWED)) {
+ printf("FAIL: no dacl for %s (%d/%d)\n", pw->pw_name,
+ pw->pw_uid, pw->pw_gid);
+ failed = True;
+ }
+
+ result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
+ ngroups, groups, 0x1234,
+ &acc_granted, &status);
+
+ if (!result || !(acc_granted == 0x1234)) {
+ printf("FAIL: no dacl2 for %s (%d/%d)\n", pw->pw_name,
+ pw->pw_uid, pw->pw_gid);
+ failed = True;
+ }
+
+ /* If desired access mask is empty then no access is allowed */
+
+ result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
+ ngroups, groups, 0,
+ &acc_granted, &status);
+
+ if (result) {
+ printf("FAIL: zero desired access for %s (%d/%d)\n",
+ pw->pw_name, pw->pw_uid, pw->pw_gid);
+ failed = True;
+ }
+
+ return True;
+}
+
+/* Main function */
+
+int main(int argc, char **argv)
+{
+ /* Initialisation */
+
+ generate_wellknown_sids();
+
+ /* Create security descriptor */
+
+ sd = build_sec_desc(acl_empty, NULL, NULL_SID, NULL_SID);
+
+ if (!sd) {
+ printf("FAIL: could not build security descriptor\n");
+ return 1;
+ }
+
+ /* Run test */
+
+ visit_pwdb(emptysd_check);
+
+ /* Return */
+
+ if (!failed) {
+ printf("PASS\n");
+ return 0;
+ }
+
+ return 1;
+}
diff --git a/testsuite/smbd/se_access_check_nullsd.c b/testsuite/smbd/se_access_check_nullsd.c
new file mode 100644
index 0000000..872b2f6
--- /dev/null
+++ b/testsuite/smbd/se_access_check_nullsd.c
@@ -0,0 +1,73 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "se_access_check_utils.h"
+
+/* Globals */
+
+BOOL failed;
+
+/* Check that access is always allowed for a NULL security descriptor */
+
+BOOL nullsd_check(struct passwd *pw, int ngroups, gid_t *groups)
+{
+ uint32 acc_granted, status;
+ BOOL result;
+
+ result = se_access_check(NULL, pw->pw_uid, pw->pw_gid,
+ ngroups, groups,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &acc_granted, &status);
+
+ if (!result || status != NT_STATUS_NO_PROBLEMO ||
+ acc_granted != SEC_RIGHTS_MAXIMUM_ALLOWED) {
+ printf("FAIL: null se_access_check %d/%d\n",
+ pw->pw_uid, pw->pw_gid);
+ failed = True;
+ }
+
+ printf("access check passed for user %s (%d/%d)\n",
+ pw->pw_name, pw->pw_uid, pw->pw_gid);
+
+ return True;
+}
+
+/* Main function */
+
+int main(int argc, char **argv)
+{
+ /* Initialisation */
+
+ generate_wellknown_sids();
+
+ /* Run test */
+
+ visit_pwdb(nullsd_check);
+
+ /* Return */
+
+ if (!failed) {
+ printf("PASS\n");
+ return 0;
+ }
+
+ return 1;
+}
diff --git a/testsuite/smbd/se_access_check_printer.c b/testsuite/smbd/se_access_check_printer.c
new file mode 100644
index 0000000..e2645c6
--- /dev/null
+++ b/testsuite/smbd/se_access_check_printer.c
@@ -0,0 +1,211 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "se_access_check_utils.h"
+
+/* Globals */
+
+BOOL failed;
+SEC_DESC *sd;
+
+struct ace_entry acl_printer[] = {
+
+ /* Everyone is allowed to print */
+
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ PRINTER_ACE_PRINT, "S-1-1-0" },
+
+ /* Except for user0 who uses too much paper */
+
+ { SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ PRINTER_ACE_FULL_CONTROL, "user0" },
+
+ /* Users 1 and 2 can manage documents */
+
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ PRINTER_ACE_MANAGE_DOCUMENTS, "user1" },
+
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ PRINTER_ACE_MANAGE_DOCUMENTS, "user2" },
+
+ /* Domain Admins can also manage documents */
+
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ PRINTER_ACE_MANAGE_DOCUMENTS, "Domain Admins" },
+
+ /* User 3 is da man */
+
+ { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
+ PRINTER_ACE_FULL_CONTROL, "user3" },
+
+ { 0, 0, 0, NULL}
+};
+
+BOOL test_user(char *username, uint32 acc_desired, uint32 *acc_granted)
+{
+ struct passwd *pw;
+ uint32 status;
+
+ if (!(pw = getpwnam(username))) {
+ printf("FAIL: could not lookup user info for %s\n",
+ username);
+ exit(1);
+ }
+
+ return se_access_check(sd, pw->pw_uid, pw->pw_gid, 0, NULL,
+ acc_desired, acc_granted, &status);
+}
+
+static char *pace_str(uint32 ace_flags)
+{
+ if ((ace_flags & PRINTER_ACE_FULL_CONTROL) ==
+ PRINTER_ACE_FULL_CONTROL) return "full control";
+
+ if ((ace_flags & PRINTER_ACE_MANAGE_DOCUMENTS) ==
+ PRINTER_ACE_MANAGE_DOCUMENTS) return "manage documents";
+
+ if ((ace_flags & PRINTER_ACE_PRINT) == PRINTER_ACE_PRINT)
+ return "print";
+
+ return "UNKNOWN";
+}
+
+uint32 perms[] = {
+ PRINTER_ACE_PRINT,
+ PRINTER_ACE_FULL_CONTROL,
+ PRINTER_ACE_MANAGE_DOCUMENTS,
+ 0
+};
+
+void runtest(void)
+{
+ uint32 acc_granted;
+ BOOL result;
+ int i, j;
+
+ for (i = 0; perms[i]; i++) {
+
+ /* Test 10 users */
+
+ for (j = 0; j < 10; j++) {
+ fstring name;
+
+ /* Test user against ACL */
+
+ snprintf(name, sizeof(fstring), "%s/user%d",
+ getenv("TEST_WORKGROUP"), j);
+
+ result = test_user(name, perms[i], &acc_granted);
+
+ printf("%s: %s %s 0x%08x\n", name,
+ pace_str(perms[i]),
+ result ? "TRUE " : "FALSE", acc_granted);
+
+ /* Check results */
+
+ switch (perms[i]) {
+
+ case PRINTER_ACE_PRINT: {
+ if (!result || acc_granted !=
+ PRINTER_ACE_PRINT) {
+ printf("FAIL: user %s can't print\n",
+ name);
+ failed = True;
+ }
+ break;
+ }
+
+ case PRINTER_ACE_FULL_CONTROL: {
+ if (j == 3) {
+ if (!result || acc_granted !=
+ PRINTER_ACE_FULL_CONTROL) {
+ printf("FAIL: user %s doesn't "
+ "have full control\n",
+ name);
+ failed = True;
+ }
+ } else {
+ if (result || acc_granted != 0) {
+ printf("FAIL: user %s has full "
+ "control\n", name);
+ failed = True;
+ }
+ }
+ break;
+ }
+ case PRINTER_ACE_MANAGE_DOCUMENTS: {
+ if (j == 1 || j == 2) {
+ if (!result || acc_granted !=
+ PRINTER_ACE_MANAGE_DOCUMENTS) {
+ printf("FAIL: user %s can't "
+ "manage documents\n",
+ name);
+ failed = True;
+ }
+ } else {
+ if (result || acc_granted != 0) {
+ printf("FAIL: user %s can "
+ "manage documents\n",
+ name);
+ failed = True;
+ }
+ }
+ break;
+ }
+
+ default:
+ printf("FAIL: internal error\n");
+ exit(1);
+ }
+ }
+ }
+}
+
+/* Main function */
+
+int main(int argc, char **argv)
+{
+ /* Initialisation */
+
+ generate_wellknown_sids();
+
+ /* Create security descriptor */
+
+ sd = build_sec_desc(acl_printer, NULL, NULL_SID, NULL_SID);
+
+ if (!sd) {
+ printf("FAIL: could not build security descriptor\n");
+ return 1;
+ }
+
+ /* Run test */
+
+ runtest();
+
+ /* Return */
+
+ if (!failed) {
+ printf("PASS\n");
+ return 0;
+ }
+
+ return 1;
+}
diff --git a/testsuite/smbd/se_access_check_utils.c b/testsuite/smbd/se_access_check_utils.c
new file mode 100644
index 0000000..bd20a7b
--- /dev/null
+++ b/testsuite/smbd/se_access_check_utils.c
@@ -0,0 +1,158 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "se_access_check_utils.h"
+#include "lib/util/string_wrappers.h"
+
+void char_to_sid(struct dom_sid *sid, char *sid_str)
+{
+ /* If it looks like a SID, call string_to_sid() else look it up
+ using wbinfo. */
+
+ if (strncmp(sid_str, "S-", 2) == 0) {
+ string_to_sid(sid, sid_str);
+ } else {
+ struct winbindd_request request;
+ struct winbindd_response response;
+
+ /* Send off request */
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
+ fstrcpy(request.data.name, sid_str);
+ if (winbindd_request(WINBINDD_LOOKUPNAME, &request,
+ &response) != NSS_STATUS_SUCCESS) {
+ printf("FAIL: unable to look up sid for name %s\n",
+ sid_str);
+ exit(1);
+ }
+
+ string_to_sid(sid, response.data.sid.sid);
+ printf("converted char %s to sid %s\n", sid_str,
+ response.data.sid.sid);
+ }
+}
+
+/* Construct an ACL from a list of ace_entry structures */
+
+SEC_ACL *build_acl(struct ace_entry *ace_list)
+{
+ SEC_ACE *aces = NULL;
+ SEC_ACL *result;
+ int num_aces = 0;
+
+ if (ace_list == NULL) return NULL;
+
+ /* Create aces */
+
+ while(ace_list->sid) {
+ SEC_ACCESS sa;
+ struct dom_sid sid;
+
+ /* Create memory for new ACE */
+
+ if (!(aces = Realloc(aces,
+ sizeof(SEC_ACE) * (num_aces + 1)))) {
+ return NULL;
+ }
+
+ /* Create ace */
+
+ init_sec_access(&sa, ace_list->mask);
+
+ char_to_sid(&sid, ace_list->sid);
+ init_sec_ace(&aces[num_aces], &sid, ace_list->type,
+ sa, ace_list->flags);
+
+ num_aces++;
+ ace_list++;
+ }
+
+ /* Create ACL from list of ACEs */
+
+ result = make_sec_acl(ACL_REVISION, num_aces, aces);
+ free(aces);
+
+ return result;
+}
+
+/* Make a security descriptor */
+
+SEC_DESC *build_sec_desc(struct ace_entry *dacl, struct ace_entry *sacl,
+ char *owner_sid, char *group_sid)
+{
+ struct dom_sid the_owner_sid, the_group_sid;
+ SEC_ACL *the_dacl, *the_sacl;
+ SEC_DESC *result;
+ size_t size;
+
+ /* Build up bits of security descriptor */
+
+ char_to_sid(&the_owner_sid, owner_sid);
+ char_to_sid(&the_group_sid, group_sid);
+
+ the_dacl = build_acl(dacl);
+ the_sacl = build_acl(sacl);
+
+ result = make_sec_desc(SEC_DESC_REVISION,
+ SEC_DESC_SELF_RELATIVE | SEC_DESC_DACL_PRESENT,
+ &the_owner_sid, &the_group_sid,
+ the_sacl, the_dacl, &size);
+
+ free_sec_acl(&the_dacl);
+ free_sec_acl(&the_sacl);
+
+ return result;
+}
+
+/* Iterate over password database and call a user-specified function */
+
+void visit_pwdb(BOOL (*fn)(struct passwd *pw, int ngroups, gid_t *groups))
+{
+ struct passwd *pw;
+ int ngroups;
+ gid_t *groups;
+
+ setpwent();
+
+ while ((pw = getpwent())) {
+ BOOL result;
+
+ /* Get grouplist */
+
+ ngroups = getgroups(0, NULL);
+
+ groups = malloc(sizeof(gid_t) * ngroups);
+ getgroups(ngroups, groups);
+
+ /* Call function */
+
+ result = fn(pw, ngroups, groups);
+ if (!result) break;
+
+ /* Clean up */
+
+ free(groups);
+ }
+
+ endpwent();
+}
diff --git a/testsuite/smbd/se_access_check_utils.h b/testsuite/smbd/se_access_check_utils.h
new file mode 100644
index 0000000..706c223
--- /dev/null
+++ b/testsuite/smbd/se_access_check_utils.h
@@ -0,0 +1,45 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _SE_ACCESS_CHECK_UTILS_H
+#define _SE_ACCESS_CHECK_UTILS_H
+
+#include "includes.h"
+
+/* Structure to build ACE lists from */
+
+struct ace_entry {
+ uint8 type, flags;
+ uint32 mask;
+ char *sid;
+};
+
+#define NULL_SID "S-1-0-0"
+#define WORLD_SID "S-1-1-0"
+
+/* Function prototypes */
+
+SEC_ACL *build_acl(struct ace_entry *ace_list);
+SEC_DESC *build_sec_desc(struct ace_entry *dacl, struct ace_entry *sacl,
+ char *owner_sid, char *group_sid);
+
+void visit_pwdb(BOOL (*fn)(struct passwd *pw, int ngroups, gid_t *groups));
+
+#endif
diff --git a/testsuite/smbd/sec_ctx.exp b/testsuite/smbd/sec_ctx.exp
new file mode 100644
index 0000000..9ced9e5
--- /dev/null
+++ b/testsuite/smbd/sec_ctx.exp
@@ -0,0 +1,66 @@
+#
+# @(#) Test the push_sec_ctx() and pop_sec_ctx() functions
+#
+
+#
+# Unix SMB/Netbios implementation.
+# Copyright (C) Tim Potter 2000
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+
+load_lib "compile.exp"
+load_lib "util-defs.exp"
+
+# Non-root test
+
+set test_desc "change sec_ctx as non-root"
+set test_prog "sec_ctx_nonroot"
+simple_make "sec_ctx" $test_prog
+set output [util_start "$srcdir/$subdir/$test_prog"]
+
+if { [regexp "child killed" $output] } {
+ pass $test_desc
+ file delete "$srcdir/$subdir/$test_prog" "$srcdir/$subdir/$test_prog.o"
+} else {
+ fail $test_desc
+}
+
+# Run tests from C files as root
+
+set sec_ctx_tests [list \
+ { "security contexts are stackable" "sec_ctx_stack" } \
+ { "over/underflow tests" "sec_ctx_flow" } \
+ { "torture test" "sec_ctx_torture" } \
+ { "current_user global" "sec_ctx_current_user" } \
+ { "group membership" "sec_ctx_groups" } \
+ { "become root" "sec_ctx_root" } \
+ ]
+
+foreach { test } $sec_ctx_tests {
+ set test_desc [lindex $test 0]
+ set test_file [lindex $test 1]
+
+ simple_make "sec_ctx" $test_file
+ set output [util_start "sudo $srcdir/$subdir/$test_file" ]
+
+ if { [regexp "PASS" $output] } {
+ pass $test_desc
+ file delete "$srcdir/$subdir/$test_file" "$srcdir/$subdir/$test_file.o"
+ } else {
+ fail $test_desc
+ puts $output
+ }
+
+}
diff --git a/testsuite/smbd/sec_ctx1.c b/testsuite/smbd/sec_ctx1.c
new file mode 100644
index 0000000..ab85ae1
--- /dev/null
+++ b/testsuite/smbd/sec_ctx1.c
@@ -0,0 +1,39 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+void exit_server(char *reason) {}
+
+int main (int argc, char **argv)
+{
+ /* Become a non-root user */
+
+ samba_setuid(1);
+ samba_setgid(1);
+
+ /* Try to push a security context. This should fail with a
+ smb_assert() error. */
+
+ push_sec_ctx(2, 2);
+ printf("FAIL\n");
+
+ return 0;
+}
diff --git a/testsuite/smbd/sec_ctx_current_user.c b/testsuite/smbd/sec_ctx_current_user.c
new file mode 100644
index 0000000..6361b16
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_current_user.c
@@ -0,0 +1,113 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "sec_ctx_utils.h"
+
+int main(int argc, char **argv)
+{
+ extern struct current_user current_user;
+ uid_t initial_uid = current_user.uid;
+ gid_t initial_gid = current_user.gid;
+ int ngroups;
+ gid_t *groups;
+
+ init_sec_ctx();
+
+ /* Check initial id */
+
+ if (initial_uid != 0 || initial_gid != 0) {
+ printf("FAIL: current_user not initialised to root\n");
+ return 1;
+ }
+
+ /* Push a context and check current user is updated */
+
+ if (!push_sec_ctx()) {
+ printf("FAIL: push_sec_ctx\n");
+ return 1;
+ }
+
+ set_sec_ctx(1, 2, 0, NULL);
+
+ if (current_user.uid != 1 || current_user.gid != 2) {
+ printf("FAIL: current_user id not updated after push\n");
+ return 1;
+ }
+
+ if (current_user.ngroups != 0 || current_user.groups) {
+ printf("FAIL: current_user groups not updated after push\n");
+ return 1;
+ }
+
+ /* Push another */
+
+ get_random_grouplist(&ngroups, &groups);
+
+ if (!push_sec_ctx()) {
+ printf("FAIL: push_sec_ctx\n");
+ return 1;
+ }
+
+ set_sec_ctx(2, 3, ngroups, groups);
+
+ if (current_user.uid != 2 || current_user.gid != 3) {
+ printf("FAIL: current_user id not updated after second "
+ "push\n");
+ return 1;
+ }
+
+ if (current_user.ngroups != ngroups ||
+ (memcmp(current_user.groups, groups,
+ sizeof(gid_t) * ngroups) != 0)) {
+ printf("FAIL: current_user groups not updated\n");
+ return 1;
+ }
+
+ /* Pop them both off */
+
+ if (!pop_sec_ctx()) {
+ printf("FAIL: pop_sec_ctx\n");
+ return 1;
+ }
+
+ if (current_user.uid != 1 || current_user.gid != 2) {
+ printf("FAIL: current_user not updaded pop\n");
+ return 1;
+ }
+
+ if (!pop_sec_ctx()) {
+ printf("FAIL: pop_sec_ctx\n");
+ return 1;
+ }
+
+ /* Check initial state was returned */
+
+ if (current_user.uid != initial_uid ||
+ current_user.gid != initial_gid) {
+ printf("FAIL: current_user not updaded pop\n");
+ return 1;
+ }
+
+ /* Everything's cool */
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/testsuite/smbd/sec_ctx_flow.c b/testsuite/smbd/sec_ctx_flow.c
new file mode 100644
index 0000000..f3c0564
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_flow.c
@@ -0,0 +1,72 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "sec_ctx_utils.h"
+
+int main (int argc, char **argv)
+{
+ int i;
+
+ init_sec_ctx();
+
+ /* Check for underflow */
+
+ if (!push_sec_ctx()) {
+ printf("FAIL: push_sec_ctx\n");
+ return 1;
+ }
+
+ set_sec_ctx(1, 1, 0, NULL);
+
+ if (!pop_sec_ctx()) {
+ printf("FAIL: pop_sec_ctx\n");
+ return 1;
+ }
+
+ if (pop_sec_ctx()) {
+ printf("FAIL: underflow push_sec_ctx\n");
+ return 1;
+ }
+
+ /* Check for overflow */
+
+ for (i = 0; i < MAX_SEC_CTX_DEPTH + 1; i++) {
+ BOOL result;
+
+ result = push_sec_ctx();
+ set_sec_ctx(i, i, 0, NULL);
+
+ if ((i < MAX_SEC_CTX_DEPTH) && !result) {
+ printf("FAIL: push_sec_ctx(%d)\n", i);
+ return 1;
+ }
+
+ if ((i == MAX_SEC_CTX_DEPTH + 1) && result) {
+ printf("FAIL: overflow push_sec_ctx(%d)\n", i);
+ return 1;
+ }
+ }
+
+ /* Everything's cool */
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/testsuite/smbd/sec_ctx_groups.c b/testsuite/smbd/sec_ctx_groups.c
new file mode 100644
index 0000000..6310963
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_groups.c
@@ -0,0 +1,130 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "sec_ctx_utils.h"
+
+int main (int argc, char **argv)
+{
+ int ngroups, initial_ngroups, check_ngroups, final_ngroups;
+ gid_t *groups, *initial_groups, *check_groups, *final_groups;
+ int i;
+
+ init_sec_ctx();
+
+ /* Save current groups */
+
+ initial_ngroups = sys_getgroups(0, NULL);
+ initial_groups = malloc(sizeof(gid_t) * initial_ngroups);
+ sys_getgroups(initial_ngroups, initial_groups);
+
+ printf("Initial groups are: ");
+ for (i = 0; i < initial_ngroups; i++) {
+ printf("%d, ", initial_groups[i]);
+ }
+ printf("\n");
+
+ /* Push a context plus groups */
+
+ get_random_grouplist(&ngroups, &groups);
+
+ printf("Random groups are: ");
+ for (i = 0; i < ngroups; i++) {
+ printf("%d, ", groups[i]);
+ }
+ printf("\n");
+
+ if (!push_sec_ctx()) {
+ printf("FAIL: push_sec_ctx\n");
+ return 1;
+ }
+
+ set_sec_ctx(1, 2, ngroups, groups);
+
+ /* Check grouplist stuck */
+
+ check_ngroups = sys_getgroups(0, NULL);
+ check_groups = malloc(sizeof(gid_t) * check_ngroups);
+ sys_getgroups(check_ngroups, check_groups);
+
+ printf("Actual groups are: ");
+ for (i = 0; i < check_ngroups; i++) {
+ printf("%d, ", check_groups[i]);
+ }
+ printf("\n");
+
+ if (ngroups != check_ngroups) {
+ printf("FAIL: number of groups differs\n");
+ return 1;
+ }
+
+ for (i = 0; i < ngroups; i++) {
+ if (groups[i] != check_groups[i]) {
+ printf("FAIL: group %d differs\n", i);
+ return 1;
+ }
+ }
+
+ safe_free(groups);
+ safe_free(check_groups);
+
+ /* Pop and check initial groups are back */
+
+ if (!pop_sec_ctx()) {
+ printf("FAIL: pop_sec_ctx\n");
+ return 1;
+ }
+
+ final_ngroups = sys_getgroups(0, NULL);
+ final_groups = malloc(sizeof(gid_t) * final_ngroups);
+ sys_getgroups(final_ngroups, final_groups);
+
+ printf("Final groups are: ");
+ for (i = 0; i < final_ngroups; i++) {
+ printf("%d, ", final_groups[i]);
+ }
+ printf("\n");
+
+ if (initial_ngroups != final_ngroups) {
+ printf("FAIL: final number of groups differ\n");
+ return 1;
+ }
+
+ for (i = 0; i < initial_ngroups; i++) {
+ if (initial_groups[i] != final_groups[i]) {
+ printf("FAIL: final group %d differs\n", i);
+ return 1;
+ }
+ }
+
+ printf("Final groups are: ");
+ for (i = 0; i < final_ngroups; i++) {
+ printf("%d, ", final_groups[i]);
+ }
+ printf("\n");
+
+ safe_free(initial_groups);
+ safe_free(final_groups);
+
+ /* Everything's cool */
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/testsuite/smbd/sec_ctx_nonroot.c b/testsuite/smbd/sec_ctx_nonroot.c
new file mode 100644
index 0000000..6d4dbf3
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_nonroot.c
@@ -0,0 +1,41 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "sec_ctx_utils.h"
+
+int main (int argc, char **argv)
+{
+ init_sec_ctx();
+
+ /* Become a non-root user */
+
+ samba_setuid(1);
+ samba_setgid(1);
+
+ /* Try to push a security context. This should fail with a
+ smb_assert() error. */
+
+ push_sec_ctx();
+ set_sec_ctx(2, 2, 0, NULL);
+ printf("FAIL\n");
+
+ return 0;
+}
diff --git a/testsuite/smbd/sec_ctx_root.c b/testsuite/smbd/sec_ctx_root.c
new file mode 100644
index 0000000..0969978
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_root.c
@@ -0,0 +1,60 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "sec_ctx_utils.h"
+
+int main (int argc, char **argv)
+{
+ int ngroups, actual_ngroups;
+ gid_t *groups, *actual_groups;
+ extern struct current_user current_user;
+
+ init_sec_ctx();
+
+ /* Initialise a security context */
+
+ get_random_grouplist(&ngroups, &groups);
+ set_sec_ctx(1, 1, ngroups, groups);
+
+ /* Become root and check */
+
+ set_root_sec_ctx();
+
+ actual_ngroups = getgroups(0, NULL);
+ actual_groups = (gid_t *)malloc(actual_ngroups * sizeof(gid_t));
+
+ getgroups(actual_ngroups, actual_groups);
+
+ if (geteuid() != 0 || getegid() != 0 || actual_ngroups != 0) {
+ printf("FAIL: root id not set\n");
+ return 1;
+ }
+
+ if (current_user.uid != 0 || current_user.gid != 0 ||
+ current_user.ngroups != 0 || current_user.groups) {
+ printf("FAIL: current_user not set correctly\n");
+ return 1;
+ }
+
+ printf("PASS\n");
+
+ return 0;
+}
diff --git a/testsuite/smbd/sec_ctx_stack.c b/testsuite/smbd/sec_ctx_stack.c
new file mode 100644
index 0000000..98dd0e1
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_stack.c
@@ -0,0 +1,85 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "sec_ctx_utils.h"
+
+int main (int argc, char **argv)
+{
+ BOOL result;
+ int i;
+
+ init_sec_ctx();
+
+ /* Push a whole bunch of security contexts */
+
+ for (i = 0; i < MAX_SEC_CTX_DEPTH; i++) {
+
+ result = push_sec_ctx();
+ set_sec_ctx(i + 1, i + 2, 0, NULL);
+
+ if (!result) {
+ printf("FAIL: push_sec_ctx(%d)\n", i);
+ return 1;
+ }
+
+ printf("pushed context (%d, %d) eff=(%d, %d)\n",
+ getuid(), getgid(), geteuid(), getegid());
+
+ if ((geteuid() != i + 1) || (getegid() != i + 2)) {
+ printf("FAIL: incorrect context pushed\n");
+ return 1;
+ }
+ }
+
+ /* Pop them all off */
+
+ for (i = MAX_SEC_CTX_DEPTH; i > 0; i--) {
+
+ result = pop_sec_ctx();
+
+ if (!result) {
+ printf("FAIL: pop_sec_ctx(%d)\n", i);
+ return 1;
+ }
+
+ printf("popped context (%d, %d) eff=(%d, %d)\n",
+ getuid(), getgid(), geteuid(), getegid());
+
+ printf("i = %d\n",i);
+
+ if (i > 1) {
+ if ((geteuid() != i - 1) || (getegid() != i)) {
+ printf("FAIL: incorrect context popped\n");
+ return 1;
+ }
+ } else {
+ if ((geteuid() != 0) || (getegid() != 0)) {
+ printf("FAIL: incorrect context popped\n");
+ return 1;
+ }
+ }
+ }
+
+ /* Everything's cool */
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/testsuite/smbd/sec_ctx_torture.c b/testsuite/smbd/sec_ctx_torture.c
new file mode 100644
index 0000000..2e4d140
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_torture.c
@@ -0,0 +1,102 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "sec_ctx_utils.h"
+
+#define NUM_TESTS 10000
+
+int main (int argc, char **argv)
+{
+ int seed, level = 0, num_tests = 0;
+
+ init_sec_ctx();
+
+ if (argc == 1) {
+ seed = time(NULL);
+ } else {
+ seed = atoi(argv[1]);
+ }
+
+ printf("seed = %d\n", seed);
+
+ while(num_tests < NUM_TESTS) {
+ switch (random() % 2) {
+
+ /* Push a random context */
+
+ case 0:
+ if (level < MAX_SEC_CTX_DEPTH) {
+ int ngroups;
+ gid_t *groups;
+
+ if (!push_sec_ctx()) {
+ printf("FAIL: push random ctx\n");
+ return 1;
+ }
+
+ get_random_grouplist(&ngroups, &groups);
+
+ set_sec_ctx(random() % 32767,
+ random() % 32767,
+ ngroups, groups);
+
+ if (!verify_current_groups(ngroups,
+ groups)) {
+ printf("FAIL: groups did not stick\n");
+ return 1;
+ }
+
+ printf("pushed (%d, %d) eff=(%d, %d)\n",
+ getuid(), getgid(), geteuid(),
+ getegid());
+
+ level++;
+ num_tests++;
+
+ free(groups);
+ }
+ break;
+
+ /* Pop a random context */
+
+ case 1:
+ if (level > 0) {
+ if (!pop_sec_ctx()) {
+ printf("FAIL: pop random ctx\n");
+ return 1;
+ }
+
+ printf("popped (%d, %d) eff=(%d, %d)\n",
+ getuid(), getgid(), geteuid(),
+ getegid());
+
+ level--;
+ num_tests++;
+ }
+ break;
+ }
+ }
+
+ /* Everything's cool */
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/testsuite/smbd/sec_ctx_utils.c b/testsuite/smbd/sec_ctx_utils.c
new file mode 100644
index 0000000..3834cfd
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_utils.c
@@ -0,0 +1,64 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/* Keep linker happy */
+
+void exit_server(char *reason) {}
+
+/* Generate random list of groups */
+
+void get_random_grouplist(int *ngroups, gid_t **groups)
+{
+ int i;
+
+ *ngroups = random() % setgroups_max();
+ *groups = malloc(*ngroups * sizeof(gid_t));
+
+ if (!groups) {
+ printf("FAIL: malloc random grouplist\n");
+ return;
+ }
+
+ for (i = 0; i < *ngroups; i++) {
+ (*groups)[i] = random() % 32767;
+ }
+}
+
+/* Check a list of groups with current groups */
+
+BOOL verify_current_groups(int ngroups, gid_t *groups)
+{
+ int actual_ngroups;
+ gid_t *actual_groups;
+
+ actual_ngroups = getgroups(0, NULL);
+ actual_groups = (gid_t *)malloc(actual_ngroups * sizeof(gid_t));
+
+ getgroups(actual_ngroups, actual_groups);
+
+ if (actual_ngroups != ngroups) {
+ return False;
+ }
+
+ return memcmp(actual_groups, groups, actual_ngroups *
+ sizeof(gid_t)) == 0;
+}
diff --git a/testsuite/smbd/sec_ctx_utils.h b/testsuite/smbd/sec_ctx_utils.h
new file mode 100644
index 0000000..03c90e7
--- /dev/null
+++ b/testsuite/smbd/sec_ctx_utils.h
@@ -0,0 +1,29 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Security context tests
+ Copyright (C) Tim Potter 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _SEC_CTX_UTILS_H
+#define _SEC_CTX_UTILS_H
+
+/* Function prototypes */
+
+void get_random_grouplist(int *ngroups, gid_t **groups);
+BOOL verify_current_groups(int ngroups, gid_t *groups);
+
+#endif /* _SEC_CTX_UTILS_H */
diff --git a/testsuite/smbd/sighup.exp b/testsuite/smbd/sighup.exp
new file mode 100644
index 0000000..a9e1bff
--- /dev/null
+++ b/testsuite/smbd/sighup.exp
@@ -0,0 +1,107 @@
+#
+# @(#) Check services file reloaded after SIGHUP
+#
+
+load_lib "util-defs.exp"
+
+# Create a smb.conf file from a list of sections. Each section consists of
+# a name and a list of lines which are the contents of that section.
+# Returns a temporary filename which must be deleted after use.
+
+proc write_smb_conf { args } {
+
+ # Set up temporary file
+
+ set name "/tmp/smb.conf-test-[pid]"
+ set f [open $name "w"]
+
+ # Parse sections
+
+ foreach section [lindex $args 0] {
+ set secname [lindex $section 0]
+ set contents [lindex $section 1]
+
+ puts $f "\[$secname]"
+
+ foreach { line } $contents {
+ puts $f "\t$line"
+ }
+
+ puts $f ""
+ }
+
+ close $f
+
+ # Return filename of smb.conf file
+
+ return $name
+}
+
+proc append_smb_conf { args } {
+
+ set name [lindex $args 0]
+ set f [open $name "a"]
+
+ foreach section [lindex $args 1] {
+ set secname [lindex $section 0]
+ set contents [lindex $section 1]
+
+ puts $f "\[$secname]"
+
+ foreach { line } $contents {
+ puts $f "\t$line"
+ }
+
+ puts $f ""
+ }
+
+ close $f
+}
+
+# Create a smb.conf file
+
+set smb_conf [list \
+ [list "global" \
+ [list "netbios name = testing" \
+ "guest ok = true"]]]
+
+set name [write_smb_conf $smb_conf]
+
+# Run smbd and smbclient output
+
+set smbd_output [util_start "bin/smbd" "-s $name"]
+set nmbd_output [util_start "bin/nmbd" "-s $name"]
+
+sleep 5
+
+set smbclient_output [util_start "bin/smbclient -L //testing -N"]
+verbose $smbclient_output
+
+if { ![regexp "Anonymous login successful" $smbclient_output] } {
+ untested "smbd could not be started"
+ util_start "killall" "smbd nmbd"
+ file delete $name
+ return
+}
+
+# Append another share and sighup
+
+append_smb_conf $name [list [list "tmp" [list "browseable = true"]]]
+set output [util_start "killall" "-HUP smbd"]
+verbose $output
+
+sleep 2
+
+set smbclient_output2 [util_start "bin/smbclient -L //testing -N"]
+verbose $smbclient_output2
+
+if { [regexp "tmp.*Disk" $smbclient_output2] } {
+ pass "sighup reload"
+} else {
+ fail "sighup reload"
+}
+
+# Clean up
+
+util_start "killall" "smbd nmbd"
+file delete $name