#!/bin/sh
#
# this verifies that SEC_STD_WRITE_OWNER effectively grants only take-ownership
# permission but NOT give-ownership.
#

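if [ $# -lt 9 ]; then
	echo "Usage: $0 SERVER SERVER_IP USERNAME PASSWORD PREFIX SMBCLIENT SMBCACLS NET SHARE"
	exit 1
fi

SERVER="$1"
SERVER_IP="$2"
USERNAME="$3"
PASSWORD="$4"
PREFIX="$5"
SMBCLIENT="$6"
SMBCACLS="$7"
NET="$8"
SHARE="$9"

# Optionally run the client tools under valgrind. VALGRIND comes from the
# environment and may be empty; the resulting values are deliberately
# expanded unquoted later so the wrapper and its arguments word-split into
# a command line.
SMBCLIENT="$VALGRIND ${SMBCLIENT}"
SMBCACLS="$VALGRIND ${SMBCACLS}"
NET="$VALGRIND ${NET}"
# Number of failed checks; becomes the exit status of the script.
failed=0

# Quote the script path so a location containing spaces still resolves;
# subunit.sh supplies the testit helper used below.
incdir=$(dirname "$0")/../../../testprogs/blackbox
. "$incdir/subunit.sh"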

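setup_testfile()
{
	local share=$1
	local fname=$2
	# Create an empty local file to upload, remove any stale server-side copy,
	# confirm it is gone, then upload the fresh copy.
	touch "$PREFIX/$fname"
	# A failure here is expected when the file does not exist yet.
	$SMBCLIENT "//$SERVER/$share" -U "$USERNAME%$PASSWORD" -c "rm $fname"
	# The file name is matched as a fixed string, not a regex.
	$SMBCLIENT "//$SERVER/$share" -U "$USERNAME%$PASSWORD" -c "ls" | grep -F -- "$fname" && return 1
	$SMBCLIENT "//$SERVER/$share" -U "$USERNAME%$PASSWORD" -c "lcd $PREFIX; put $fname" || return 1
}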

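remove_testfile()
{
	local share=$1
	local fname=$2
	# Delete the server-side test file; the exit status is smbclient's.
	$SMBCLIENT "//$SERVER/$share" -U "$USERNAME%$PASSWORD" -c "rm $fname"
}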

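set_win_owner()
{
	local share=$1
	local fname=$2
	local owner=$3
	# Log the command with the password masked: this line ends up in the
	# test log, so the credential must not be echoed verbatim.
	echo "$SMBCACLS //$SERVER/$share $fname -U $USERNAME%XXXXXX -C '$owner'"
	$SMBCACLS "//$SERVER/$share" "$fname" -U "$USERNAME%$PASSWORD" -C "$owner" || return 1
}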

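win_owner_is()
{
	local share=$1
	local fname=$2
	local expected_owner=$3
	local acl
	local actual_owner

	# Log the command with the password masked so the credential does not
	# land in the test output.
	echo "$SMBCACLS //$SERVER/$share $fname -U $USERNAME%XXXXXX"
	# Fetch the security descriptor once and reuse it for display and parsing
	# instead of querying the server twice.
	acl=$($SMBCACLS "//$SERVER/$share" "$fname" -U "$USERNAME%$PASSWORD") || return 1
	echo "$acl"
	# Basic regular expression keeps this portable across sed implementations.
	actual_owner=$(printf '%s\n' "$acl" | sed -n 's/^OWNER:\(.*\)/\1/p')
	echo "actual_owner = $actual_owner"
	if ! test "x$actual_owner" = "x$expected_owner"; then
		echo "Actual owner of $share/$fname is [$actual_owner] expected [$expected_owner]"
		return 1
	fi
	return 0
}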

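add_ace()
{
	local share=$1
	local fname=$2
	local ace=$3
	local local_ace
	local out

	# smbcacls prints the ACE with '/' where the argument used '\'; convert
	# the first backslash so the printed ACL can be matched.
	local_ace=$(printf '%s' "$ace" | sed 's|\\|/|')

	# avoid duplicate
	if ! out=$($SMBCACLS "//$SERVER/$share" "$fname" -U "$USERNAME%$PASSWORD"); then
		echo "get acl failed"
		echo "$out"
		return 1
	fi
	echo "Original ACL"
	echo "$out"
	# fixed-string match: the ACE contains '/' and ':' and must not be a regex
	echo "$out" | grep -F -- "$local_ace" && return 0

	# add it
	if ! $SMBCACLS "//$SERVER/$share" "$fname" -U "$USERNAME%$PASSWORD" -a "$ace"; then
		echo "add acl failed"
		return 1
	fi

	# check it's there
	if ! out=$($SMBCACLS "//$SERVER/$share" "$fname" -U "$USERNAME%$PASSWORD"); then
		echo "get new acl failed"
		echo "$out"
		return 1
	fi
	echo "New ACL"
	echo "$out"
	echo "Checking if new ACL has \"$local_ace\""
	echo "$out" | grep -F -- "$local_ace" || return 1
	echo "ok"
}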

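chown_give_fails()
{
	local share=$1
	local fname=$2
	local user=$3
	local expected_error=$4
	local out

	# Giving the file to another user must be rejected by the server.
	if out=$($SMBCACLS "//$SERVER/$share" "$fname" -U "$USERNAME%$PASSWORD" -C "$user"); then
		echo "changing owner to [$user] unexpectedly succeeded"
		return 1
	fi
	# it failed, now check it returned the expected error code
	echo "$out" | grep -F -- "$expected_error" || return 1
}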

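# Create a testfile
testit "create testfile" setup_testfile "$SHARE" afile || failed=$((failed + 1))
testit "verify owner" win_owner_is "$SHARE" afile "$SERVER/$USERNAME" || failed=$((failed + 1))

# Grant SeRestorePrivilege to the user and full rights on the file.
# $NET is left unquoted on purpose: it may carry a valgrind wrapper that has
# to word-split into the command and its arguments.
testit "grant SeRestorePrivilege" $NET rpc rights grant "$USERNAME" SeRestorePrivilege -U "$USERNAME%$PASSWORD" -I "$SERVER_IP" || failed=$((failed + 1))
testit "grant full rights" add_ace "$SHARE" afile "ACL:$SERVER\\$USERNAME:ALLOWED/0x0/FULL" || failed=$((failed + 1))

# We have SeRestorePrivilege, so both give and take ownership must succeed
testit "give owner with SeRestorePrivilege" set_win_owner "$SHARE" afile "$SERVER\user1" || failed=$((failed + 1))
testit "verify owner" win_owner_is "$SHARE" afile "$SERVER/user1" || failed=$((failed + 1))
testit "take owner" set_win_owner "$SHARE" afile "$SERVER\\$USERNAME" || failed=$((failed + 1))
testit "verify owner" win_owner_is "$SHARE" afile "$SERVER/$USERNAME" || failed=$((failed + 1))

# Revoke SeRestorePrivilege, give ownership must fail now with NT_STATUS_INVALID_OWNER.
# This is the actual check that full rights on the file alone do not allow
# handing it to another user.
testit "revoke SeRestorePrivilege" $NET rpc rights revoke "$USERNAME" SeRestorePrivilege -U "$USERNAME%$PASSWORD" -I "$SERVER_IP" || failed=$((failed + 1))
testit "give owner without SeRestorePrivilege" chown_give_fails "$SHARE" afile "$SERVER\user1" NT_STATUS_INVALID_OWNER || failed=$((failed + 1))

testit "delete testfile" remove_testfile "$SHARE" afile || failed=$((failed + 1))

# Non-zero exit status when any check failed.
exit $failed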