From 1e5e0481e78dfa179e37889bdef63e6d108c328e Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Tue, 9 Jun 2015 09:50:18 -0700 Subject: [PATCH 1/3] sharesec: Use non-numerical output for sharesec This is an easy change to get the sharesec output back to the format used before. It is also easier to understand than the output of the flags. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11324 Signed-off-by: Christof Schmitt Reviewed-by: Volker Lendecke (cherry picked from commit 0b9fa2849dc8b7c61467a6517c40e6e15c104d4a) --- source3/utils/sharesec.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/source3/utils/sharesec.c b/source3/utils/sharesec.c index 71a55b5..98ac224 100644 --- a/source3/utils/sharesec.c +++ b/source3/utils/sharesec.c @@ -182,7 +182,7 @@ static int change_share_sec(TALLOC_CTX *mem_ctx, const char *sharename, char *th /* should not happen */ return 0; case SMB_ACL_VIEW: - sec_desc_print(NULL, stdout, old, true); + sec_desc_print(NULL, stdout, old, false); return 0; case SMB_ACL_DELETE: for (i=0;sd->dacl && idacl->num_aces;i++) { @@ -203,7 +203,7 @@ static int change_share_sec(TALLOC_CTX *mem_ctx, const char *sharename, char *th if (!found) { printf("ACL for ACE:"); - print_ace(NULL, stdout, &sd->dacl->aces[i], true); + print_ace(NULL, stdout, &sd->dacl->aces[i], false); printf(" not found\n"); } } -- 1.7.1 From 273655ef39ec0ca736c280f335cd3ffb942bdfda Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Tue, 9 Jun 2015 10:28:17 -0700 Subject: [PATCH 2/3] selftest: Add test for sharesec command Add a test for the sharesec command to ensure that it works, and to also verify that the output does not change. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11324 
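Review bot: The bare `false` now passed as the last argument to `sec_desc_print()` in the `SMB_ACL_VIEW` case, and to `print_ace()` in the not-found message of the second hunk (@@ -203), gives a reader no hint of what it selects. Going by the commit message and the man-page example later in this series, it switches the output from numeric to symbolic form, so a short comment at both call sites would help, e.g. `/* false: print control flags and access masks by name, not as numbers */`. The first argument stays `NULL` in both calls; presumably the helpers then skip any name lookup and print SIDs as S-1-… strings, but their bodies are not visible here, so that is worth confirming. `change_share_sec()` starts and ends outside both hunks.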
Signed-off-by: Christof Schmitt Reviewed-by: Volker Lendecke (cherry picked from commit a6650d74d1b7cc051637c1a19daff5a8009f405b) --- source3/script/tests/test_sharesec.sh | 111 +++++++++++++++++++++++++++++++++ source3/selftest/tests.py | 3 + 2 files changed, 114 insertions(+), 0 deletions(-) create mode 100755 source3/script/tests/test_sharesec.sh diff --git a/source3/script/tests/test_sharesec.sh b/source3/script/tests/test_sharesec.sh new file mode 100755 index 0000000..ef207ff --- /dev/null +++ b/source3/script/tests/test_sharesec.sh 
@@ -0,0 +1,111 @@
+#!/bin/sh
+#
+# Test sharesec command.
+#
+# Verify that changing and querying the security descriptor works. Also
+# ensure that the output format for ACL entries does not change.
+#
+# The test uses well-known SIDs to not require looking up names and SIDs
+#
+# Copyright (C) 2015 Christof Schmitt
+
+if [ $# -lt 3 ]; then
+Usage: test_sharesec.sh SERVERCONFFILE SHARESEC SHARE
+exit 1
+fi
+
+CONF=$1
+SHARESEC=$2
+SHARE=$3
+
+CMD="$SHARESEC $CONF $SHARE"
+
+incdir=$(dirname $0)/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+failed=0
+
+testit "Set new ACL" $CMD --replace S-1-1-0:ALLOWED/0x0/READ || \
+    failed=$(expr $failed + 1)
+testit "Query new ACL" $CMD --view || failed=$(expr $failed + 1)
+COUNT=$($CMD --view | grep ACL: | sed -e 's/^ACL://' | wc -l)
+testit "Verify new ACL count" test $COUNT -eq 1 || failed=$(expr $failed + 1)
+ACL=$($CMD --view | grep ACL: | sed -e 's/^ACL://')
+testit "Verify new ACL" test $ACL = S-1-1-0:ALLOWED/0x0/READ
+
+OWNER=$($CMD --view | grep OWNER:)
+testit "Verify empty OWNER" test "$OWNER" = "OWNER:" || \
+    failed=$(expr $failed + 1)
+GROUP=$($CMD --view | grep GROUP:)
+testit "Verify empty GROUP" test "$GROUP" = "GROUP:" || \
+    failed=$(expr $failed + 1)
+CONTROL=$($CMD --view | grep CONTROL: | sed -e 's/^CONTROL://')
+testit "Verify control flags" test "$CONTROL" = "SR|DP" || \
+    failed=$(expr $failed + 1)
+
+testit "Add second ACL entry" $CMD --add S-1-5-32-544:ALLOWED/0x0/FULL || \
+    failed=$(expr $failed + 1)
+testit "Query ACL with two entries" $CMD --view || \
+    failed=$(expr $failed + 1)
+COUNT=$($CMD --view | grep ACL: | sed -e 's/^ACL://' | wc -l)
+testit "Verify ACL count with two entries" test $COUNT -eq 2 || \
+    failed=$(expr $failed + 1)
+ACL=$($CMD --view | grep S-1-5-32-544 | sed -e 's/^ACL://')
+testit "Verify second ACL entry" test $ACL = S-1-5-32-544:ALLOWED/0x0/FULL || \
+    failed=$(expr $failed + 1)
+
+testit "Modify ACL entry" $CMD --modify S-1-5-32-544:ALLOWED/0x0/CHANGE || \
+    failed=$(expr $failed + 1)
+testit "Verify ACL with two entries after modify" $CMD --view || \
+    failed=$(expr $failed + 1)
+COUNT=$($CMD --view | grep ACL: | sed -e 's/^ACL://' | wc -l)
+testit "Verify ACL count with two entries after modify" test $COUNT -eq 2 || \
+    failed=$(expr $failed + 1)
+ACL=$($CMD --view | grep S-1-5-32-544 | sed -e 's/^ACL://')
+testit "Verify modified entry" test $ACL = S-1-5-32-544:ALLOWED/0x0/CHANGE || \
+    failed=$(expr $failed + 1)
+
+testit "Add deny ACL entry" $CMD --add S-1-5-32-545:DENIED/0x0/CHANGE || \
+    failed=$(expr $failed + 1)
+testit "Query ACL with three entries" $CMD --view || \
+    failed=$(expr $failed + 1)
+COUNT=$($CMD --view | grep ACL: | sed -e 's/^ACL://' | wc -l)
+testit "Verify ACL count with three entries" test $COUNT -eq 3 || \
+    failed=$(expr $failed + 1)
+ACL=$($CMD --view | grep S-1-5-32-545 | sed -e 's/^ACL://')
+testit "Verify DENIED ACL entry" test $ACL = S-1-5-32-545:DENIED/0x0/CHANGE || \
+    failed=$(expr $failed + 1)
+
+testit "Add special ACL entry" $CMD --add S-1-5-32-546:ALLOWED/0x0/RWXDP || \
+    failed=$(expr $failed + 1)
+testit "Query ACL with four entries" $CMD --view || \
+    failed=$(expr $failed + 1)
+COUNT=$($CMD --view | grep ACL: | sed -e 's/^ACL://' | wc -l)
+testit "Verify ACL count with four entries" test $COUNT -eq 4 || \
+    failed=$(expr $failed + 1)
+ACL=$($CMD --view | grep S-1-5-32-546 | sed -e 's/^ACL://')
+testit "Verify special entry" test $ACL = S-1-5-32-546:ALLOWED/0x0/RWXDP || \
+    failed=$(expr $failed + 1)
+
+testit "Remove ACL entry" $CMD --remove S-1-5-32-546:ALLOWED/0x0/RWXDP || \
+    failed=$(expr $failed + 1)
+testit "Query ACL with three entries after removal" $CMD --view || \
+    failed=$(expr $failed + 1)
+COUNT=$($CMD --view | grep ACL: | sed -e 's/^ACL://' | wc -l)
+testit "Verify ACL count after removal" test $COUNT -eq 3 || \
+    failed=$(expr $failed + 1)
+ACL="$($CMD --view | grep S-1-5-32-546')"
+testit "Verify removal" test -e "$ACL" || failed=$(expr $failed + 1)
+
+testit "Set back to default ACL " $CMD --replace S-1-1-0:ALLOWED/0x0/FULL || \ + failed=$(expr $failed + 1) +testit "Query standard ACL" $CMD --view || \ + failed=$(expr $failed + 1) +COUNT=$($CMD --view | grep ACL: | sed -e 's/^ACL://' | wc -l) +testit "Verify standard ACL count" test $COUNT -eq 1 || \ + failed=$(expr $failed + 1) +ACL=$($CMD --view | grep ACL: | sed -e 's/^ACL://') +testit "Verify standard ACL" test $ACL = S-1-1-0:ALLOWED/0x0/FULL || \ + failed=$(expr $failed + 1) + +testok $0 $failed diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 3902a2c..555a211 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -413,6 +413,9 @@ for s in signseal_options: plantestsuite("samba3.blackbox.rpcclient_samlogon", "s3member:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient_samlogon.sh"), "$DC_USERNAME", "$DC_PASSWORD", "ncacn_np:$DC_SERVER", configuration]) +plantestsuite("samba3.blackbox.sharesec", "simpleserver:local", + [os.path.join(samba3srcdir, "script/tests/test_sharesec.sh"), + configuration, os.path.join(bindir(), "sharesec"), "tmp"]) options_list = ["", "-e"] for options in options_list: -- 1.7.1 From bb30e01a7820d97f872418e90a073f4485d26a81 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Tue, 9 Jun 2015 10:29:21 -0700 Subject: [PATCH 3/3] docs-xml: Update sharesec manpage to reflect current output Update the sharesec man page to reflect the output currently used, and also add a note that the OWNER and GROUP fields are not used for share ACLs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11324 Signed-off-by: Christof Schmitt Reviewed-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Wed Jun 17 13:36:23 CEST 2015 on sn-devel-104 (cherry picked from commit 8406d4dd1593b4a4d7bcbdc7b7c7893339f8e814) --- docs-xml/manpages/sharesec.1.xml | 16 ++++++++-------- 1 files changed, 8 insertions(+), 8 deletions(-) 
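Review bot: The "Verify removal" step near the end of test_sharesec.sh cannot detect a failed `--remove`: the `grep S-1-5-32-546'` pattern carries a stray single quote, and `test -e "$ACL"` checks for a file of that name rather than for empty output, so an access-control entry that stays on the share would not be reported reliably. The two lines should read `ACL="$($CMD --view | grep S-1-5-32-546)"` and `testit "Verify removal" test -z "$ACL" || failed=$(expr $failed + 1)`. Two smaller gaps in the same script: the `Usage:` line in the argument check lacks a leading `echo`, so the shell tries to run it as a command, and `testit "Verify new ACL" …` is the only check without `|| failed=$(expr $failed + 1)`, so its failure is not added to the count passed to `testok`. Quoting `"$ACL"` in the other `test $ACL = …` comparisons would also keep an empty or multi-line result from turning into a `test` syntax error instead of a clean mismatch.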
diff --git a/docs-xml/manpages/sharesec.1.xml b/docs-xml/manpages/sharesec.1.xml index 6a201cc..7e13d49 100644 --- a/docs-xml/manpages/sharesec.1.xml +++ b/docs-xml/manpages/sharesec.1.xml @@ -154,10 +154,9 @@ If not specified it defaults to 1. Using values other than 1 may cause strange behaviour. - The owner and group specify the owner and group SIDs for the - object. If a SID in the format S-1-x-y-z is specified this is used, - otherwise the name specified is resolved using the server on which - the file or directory resides. + The owner and group specify the owner and group SIDs for + the object. Share ACLs do not specify an owner or a group, so + these fields are empty. ACLs specify permissions granted to the SID. This SID can be specified in S-1-x-y-z format or as a name in which case @@ -227,10 +226,11 @@ host:~ # sharesec share -v REVISION:1 - OWNER:(NULL SID) - GROUP:(NULL SID) - ACL:S-1-1-0:ALLOWED/0/0x101f01ff - ACL:S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0/FULL + CONTROL:SR|DP + OWNER: + GROUP: + ACL:S-1-1-0:ALLOWED/0x0/FULL + ACL:S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0x0/FULL -- 1.7.1