From 2827656c3417f82291d30f8f7b18a14983968da5 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Mon, 23 Jan 2017 17:35:51 +0100
Subject: [PATCH 1/2] selftest: also run test base.createx_access against ad_dc
Fails currently, will be made to work in the next commit.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12536
Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
(cherry picked from commit a3781d1cfe7d5e7df20fc65a9a7653937f03808c)
---
 selftest/knownfail | 1 +
 source3/selftest/tests.py | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/selftest/knownfail b/selftest/knownfail
index d96e238..aa27eea 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -39,6 +39,7 @@
 ^samba3.raw.acls nfs4acl_xattr-special.inherit_creator_group\(nt4_dc\)
 ^samba3.base.delete.deltest16a
 ^samba3.base.delete.deltest17a
+^samba3.base.createx_access.createx_access\(ad_dc\)
 ^samba3.unix.whoami anonymous connection.whoami\(ad_dc\) # We need to resolve if we should be including SID_NT_WORLD and SID_NT_NETWORK in this token
 ^samba3.unix.whoami anonymous connection.whoami\(ad_member\) # smbd maps anonymous logins to domain guest in the local domain, not SID_NT_ANONYMOUS
 # these show that we still have some differences between our system
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index b72da85..d482145 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -280,7 +280,7 @@ plantestsuite("samba3.async_req", "nt4_dc",
 #smbtorture4 tests
-base = ["base.attr", "base.charset", "base.chkpath", "base.defer_open", "base.delaywrite", "base.delete",
+base = ["base.attr", "base.charset", "base.chkpath", "base.createx_access", "base.defer_open", "base.delaywrite", "base.delete",
 "base.deny1", "base.deny2", "base.deny3", "base.denydos", "base.dir1", "base.dir2", "base.disconnect", "base.fdpass", "base.lock", "base.mangle", "base.negnowait", "base.ntdeny1",
@@ -336,6 +336,8 @@ tests= base + raw + smb2 + rpc + unix + local + rap + nbt + libsmbclient + idmap
 for t in tests:
 if t == "base.delaywrite":
 plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD -k yes --maximum-runtime=900')
+ if t == "base.createx_access":
+ plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD -k yes --maximum-runtime=900')
 elif t == "rap.sam":
 plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=doscharset=ISO-8859-1')
 plansmbtorture4testsuite(t, "ad_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=doscharset=ISO-8859-1')
--
2.9.3
From 4ef59f26b43dec61afedb46d1dad3ff8f82a0f04 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Mon, 23 Jan 2017 16:19:06 +0100
Subject: [PATCH 2/2] s3/smbd: check for invalid access_mask smbd_calculate_access_mask()
This makes us pass "base.createx_access".
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12536
Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
(cherry picked from commit 326765923f1d384e5cd8b7fda048b459c67a4bf5)
---
 selftest/knownfail | 1 -
 source3/smbd/open.c | 6 ++++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/selftest/knownfail b/selftest/knownfail
index aa27eea..d96e238 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -39,7 +39,6 @@
 ^samba3.raw.acls nfs4acl_xattr-special.inherit_creator_group\(nt4_dc\)
 ^samba3.base.delete.deltest16a
 ^samba3.base.delete.deltest17a
-^samba3.base.createx_access.createx_access\(ad_dc\)
 ^samba3.unix.whoami anonymous connection.whoami\(ad_dc\) # We need to resolve if we should be including SID_NT_WORLD and SID_NT_NETWORK in this token
 ^samba3.unix.whoami anonymous connection.whoami\(ad_member\) # smbd maps anonymous logins to domain guest in the local domain, not SID_NT_ANONYMOUS
 # these show that we still have some differences between our system
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 42db659..4be30a0 100644
--- a/source3/smbd/open.c
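Review bot: In the second hunk of source3/selftest/tests.py the new branch is written as `if t == "base.createx_access":` between the existing `if t == "base.delaywrite":` and `elif t == "rap.sam":`, which starts a new conditional chain instead of extending the old one. The `elif` branches that follow now belong to the new `if`, so `base.delaywrite` is tested against the rest of the chain after its own branch has already planned it; if the chain ends in a default `else` (outside this hunk), that test would be planned a second time with default options. Writing the line as `elif t == "base.createx_access":` keeps a single chain. Indentation is not preserved on this page, so this reading assumes the new branch sits at loop-body level, which it must for the test to be planned at all.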
+++ b/source3/smbd/open.c
@@ -2274,6 +2274,12 @@ NTSTATUS smbd_calculate_access_mask(connection_struct *conn,
 uint32_t orig_access_mask = access_mask;
 uint32_t rejected_share_access;
+ if (access_mask & SEC_MASK_INVALID) {
+ DBG_DEBUG("access_mask [%8x] contains invalid bits\n",
+ access_mask);
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
 /*
 * Convert GENERIC bits to specific bits.
 */
--
2.9.3
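Review bot: The new guard at the top of smbd_calculate_access_mask() carries no comment saying why a mask with SEC_MASK_INVALID bits is refused before the GENERIC-to-specific conversion, and the definition of SEC_MASK_INVALID is not visible in this hunk; a one-line comment such as `/* Refuse a requested mask with undefined bits before any mapping is applied. */` would record the intent for the next reader. The debug format `[%8x]` pads with spaces, so a fixed-width form is easier to search for when triaging rejected opens: `DBG_DEBUG("access_mask [0x%08x] contains invalid bits\n",`. The check runs ahead of every later use of access_mask in the visible lines; the rest of the function is outside the hunk, so whether any open path reaches the access check without passing through this function cannot be confirmed from here.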