diff options
Diffstat (limited to 'source4/torture/smb2/max_allowed.c')
-rw-r--r-- | source4/torture/smb2/max_allowed.c | 248 |
1 files changed, 248 insertions, 0 deletions
diff --git a/source4/torture/smb2/max_allowed.c b/source4/torture/smb2/max_allowed.c new file mode 100644 index 0000000..af8b08a --- /dev/null +++ b/source4/torture/smb2/max_allowed.c @@ -0,0 +1,248 @@ +/* + Unix SMB/CIFS implementation. + SMB torture tester - deny mode scanning functions + Copyright (C) Andrew Tridgell 2001 + Copyright (C) David Mulder 2019 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "system/filesys.h" +#include "libcli/smb2/smb2.h" +#include "libcli/smb2/smb2_calls.h" +#include "libcli/security/security.h" +#include "torture/util.h" +#include "torture/smb2/proto.h" + +#define MAXIMUM_ALLOWED_FILE "torture_maximum_allowed" +static bool torture_smb2_maximum_allowed(struct torture_context *tctx, + struct smb2_tree *tree) +{ + struct security_descriptor *sd = NULL, *sd_orig = NULL; + struct smb2_create io = {0}; + TALLOC_CTX *mem_ctx = NULL; + struct smb2_handle fnum = {{0}}; + int i; + bool ret = true; + NTSTATUS status; + union smb_fileinfo q; + const char *owner_sid = NULL; + bool has_restore_privilege, has_backup_privilege, has_system_security_privilege; + + mem_ctx = talloc_init("torture_maximum_allowed"); + torture_assert_goto(tctx, mem_ctx != NULL, ret, done, + "talloc allocation failed\n"); + + if (!torture_setting_bool(tctx, "sacl_support", true)) + torture_warning(tctx, "Skipping SACL related tests!\n"); + + sd = security_descriptor_dacl_create(mem_ctx, + 0, NULL, NULL, + SID_NT_AUTHENTICATED_USERS, + SEC_ACE_TYPE_ACCESS_ALLOWED, + SEC_RIGHTS_FILE_READ, + 0, NULL); + torture_assert_goto(tctx, sd != NULL, ret, done, + "security descriptor creation failed\n"); + + /* Blank slate */ + smb2_util_unlink(tree, MAXIMUM_ALLOWED_FILE); + + /* create initial file with restrictive SD */ + io.in.desired_access = SEC_RIGHTS_FILE_ALL; + io.in.file_attributes = FILE_ATTRIBUTE_NORMAL; + io.in.create_disposition = NTCREATEX_DISP_CREATE; + io.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS; + io.in.fname = MAXIMUM_ALLOWED_FILE; + io.in.sec_desc = sd; + + status = smb2_create(tree, mem_ctx, &io); + torture_assert_ntstatus_ok_goto(tctx, status, ret, done, + talloc_asprintf(tctx, "Incorrect status %s - should be %s\n", + nt_errstr(status), nt_errstr(NT_STATUS_OK))); + fnum = io.out.file.handle; + + /* the correct answers for this test depends on whether the + user has restore privileges. To find that out we first need + to know our SID - get it from the owner_sid of the file we + just created */ + q.query_secdesc.level = RAW_FILEINFO_SEC_DESC; + q.query_secdesc.in.file.handle = fnum; + q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; + status = smb2_getinfo_file(tree, tctx, &q); + torture_assert_ntstatus_ok_goto(tctx, status, ret, done, + talloc_asprintf(tctx, "Incorrect status %s - should be %s\n", + nt_errstr(status), nt_errstr(NT_STATUS_OK))); + sd_orig = q.query_secdesc.out.sd; + + owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); + + status = torture_smb2_check_privilege(tree, + owner_sid, + sec_privilege_name(SEC_PRIV_RESTORE)); + has_restore_privilege = NT_STATUS_IS_OK(status); + torture_comment(tctx, "Checked SEC_PRIV_RESTORE for %s - %s\n", + owner_sid, + has_restore_privilege?"Yes":"No"); + + status = torture_smb2_check_privilege(tree, + owner_sid, + sec_privilege_name(SEC_PRIV_BACKUP)); + has_backup_privilege = NT_STATUS_IS_OK(status); + torture_comment(tctx, "Checked SEC_PRIV_BACKUP for %s - %s\n", + owner_sid, + has_backup_privilege?"Yes":"No"); + + status = torture_smb2_check_privilege(tree, + owner_sid, + sec_privilege_name(SEC_PRIV_SECURITY)); + has_system_security_privilege = NT_STATUS_IS_OK(status); + torture_comment(tctx, "Checked SEC_PRIV_SECURITY for %s - %s\n", + owner_sid, + has_system_security_privilege?"Yes":"No"); + + smb2_util_close(tree, fnum); + + for (i = 0; i < 32; i++) { + uint32_t mask = SEC_FLAG_MAXIMUM_ALLOWED | (1u << i); + /* + * SEC_GENERIC_EXECUTE is a complete subset of + * SEC_GENERIC_READ when mapped to specific bits, + * so we need to include it in the basic OK mask. + */ + uint32_t ok_mask = SEC_RIGHTS_FILE_READ | SEC_GENERIC_READ | SEC_GENERIC_EXECUTE | + SEC_STD_DELETE | SEC_STD_WRITE_DAC; + + /* + * Now SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP + * don't include any generic bits (they're used directly + * in the fileserver where the generic bits have already + * been mapped into file specific bits) we need to add the + * generic bits to the ok_mask when we have these privileges. + */ + if (has_restore_privilege) { + ok_mask |= SEC_RIGHTS_PRIV_RESTORE|SEC_GENERIC_WRITE; + } + if (has_backup_privilege) { + ok_mask |= SEC_RIGHTS_PRIV_BACKUP|SEC_GENERIC_READ; + } + if (has_system_security_privilege) { + ok_mask |= SEC_FLAG_SYSTEM_SECURITY; + } + + /* Skip all SACL related tests. */ + if ((!torture_setting_bool(tctx, "sacl_support", true)) && + (mask & SEC_FLAG_SYSTEM_SECURITY)) + continue; + + io = (struct smb2_create){0}; + io.in.desired_access = mask; + io.in.file_attributes = FILE_ATTRIBUTE_NORMAL; + io.in.create_disposition = NTCREATEX_DISP_OPEN; + io.in.impersonation_level = + NTCREATEX_IMPERSONATION_ANONYMOUS; + io.in.fname = MAXIMUM_ALLOWED_FILE; + + status = smb2_create(tree, mem_ctx, &io); + if (mask & ok_mask || + mask == SEC_FLAG_MAXIMUM_ALLOWED) { + torture_assert_ntstatus_ok_goto(tctx, status, ret, + done, talloc_asprintf(tctx, + "Incorrect status %s - should be %s\n", + nt_errstr(status), nt_errstr(NT_STATUS_OK))); + } else { + if (mask & SEC_FLAG_SYSTEM_SECURITY) { + torture_assert_ntstatus_equal_goto(tctx, + status, NT_STATUS_PRIVILEGE_NOT_HELD, + ret, done, talloc_asprintf(tctx, + "Incorrect status %s - should be %s\n", + nt_errstr(status), + nt_errstr(NT_STATUS_PRIVILEGE_NOT_HELD))); + } else { + torture_assert_ntstatus_equal_goto(tctx, + status, NT_STATUS_ACCESS_DENIED, + ret, done, talloc_asprintf(tctx, + "Incorrect status %s - should be %s\n", + nt_errstr(status), + nt_errstr(NT_STATUS_ACCESS_DENIED))); + } + } + + fnum = io.out.file.handle; + + smb2_util_close(tree, fnum); + } + + done: + smb2_util_unlink(tree, MAXIMUM_ALLOWED_FILE); + talloc_free(mem_ctx); + return ret; +} + +static bool torture_smb2_read_only_file(struct torture_context *tctx, + struct smb2_tree *tree) +{ + struct smb2_create c; + struct smb2_handle h = {{0}}; + bool ret = true; + NTSTATUS status; + + smb2_deltree(tree, MAXIMUM_ALLOWED_FILE); + + c = (struct smb2_create) { + .in.desired_access = SEC_RIGHTS_FILE_ALL, + .in.file_attributes = FILE_ATTRIBUTE_READONLY, + .in.create_disposition = NTCREATEX_DISP_CREATE, + .in.fname = MAXIMUM_ALLOWED_FILE, + }; + + status = smb2_create(tree, tctx, &c); + torture_assert_ntstatus_ok_goto(tctx, status, ret, done, + "smb2_create failed\n"); + h = c.out.file.handle; + smb2_util_close(tree, h); + ZERO_STRUCT(h); + + c = (struct smb2_create) { + .in.desired_access = SEC_FLAG_MAXIMUM_ALLOWED, + .in.file_attributes = FILE_ATTRIBUTE_READONLY, + .in.create_disposition = NTCREATEX_DISP_OPEN, + .in.fname = MAXIMUM_ALLOWED_FILE, + }; + + status = smb2_create(tree, tctx, &c); + torture_assert_ntstatus_ok_goto( + tctx, status, ret, done, + "Failed to open READ-ONLY file with SEC_FLAG_MAXIMUM_ALLOWED\n"); + h = c.out.file.handle; + smb2_util_close(tree, h); + ZERO_STRUCT(h); + +done: + if (!smb2_util_handle_empty(h)) { + smb2_util_close(tree, h); + } + smb2_deltree(tree, MAXIMUM_ALLOWED_FILE); + return ret; +} + +struct torture_suite *torture_smb2_max_allowed(TALLOC_CTX *ctx) +{ + struct torture_suite *suite = torture_suite_create(ctx, "maximum_allowed"); + + torture_suite_add_1smb2_test(suite, "maximum_allowed", torture_smb2_maximum_allowed); + torture_suite_add_1smb2_test(suite, "read_only", torture_smb2_read_only_file); + return suite; +} |