| 1 | /*
|
|---|
| 2 | Unix SMB/Netbios implementation.
|
|---|
| 3 | Version 1.9.
|
|---|
| 4 | Security context tests
|
|---|
| 5 | Copyright (C) Tim Potter 2000
|
|---|
| 6 |
|
|---|
| 7 | This program is free software; you can redistribute it and/or modify
|
|---|
| 8 | it under the terms of the GNU General Public License as published by
|
|---|
| 9 | the Free Software Foundation; either version 2 of the License, or
|
|---|
| 10 | (at your option) any later version.
|
|---|
| 11 |
|
|---|
| 12 | This program is distributed in the hope that it will be useful,
|
|---|
| 13 | but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|---|
| 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|---|
| 15 | GNU General Public License for more details.
|
|---|
| 16 |
|
|---|
| 17 | You should have received a copy of the GNU General Public License
|
|---|
| 18 | along with this program; if not, write to the Free Software
|
|---|
| 19 | Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|---|
| 20 | */
|
|---|
| 21 |
|
|---|
| 22 | #include "includes.h"
|
|---|
| 23 | #include "se_access_check_utils.h"
|
|---|
| 24 |
|
|---|
| 25 | /* Globals */
|
|---|
| 26 |
|
|---|
| 27 | BOOL failed;
|
|---|
| 28 | SEC_DESC *sd;
|
|---|
| 29 |
|
|---|
| 30 | struct ace_entry acl_empty[] = {
|
|---|
| 31 | { 0, 0, 0, NULL}
|
|---|
| 32 | };
|
|---|
| 33 |
|
|---|
| 34 | /* Check that access is always allowed for a NULL security descriptor */
|
|---|
| 35 |
|
|---|
| 36 | BOOL emptysd_check(struct passwd *pw, int ngroups, gid_t *groups)
|
|---|
| 37 | {
|
|---|
| 38 | uint32 acc_granted, status;
|
|---|
| 39 | BOOL result;
|
|---|
| 40 |
|
|---|
| 41 | /* For no DACL, access is allowed and the desired access mask is
|
|---|
| 42 | returned */
|
|---|
| 43 |
|
|---|
| 44 | result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
|
|---|
| 45 | ngroups, groups,
|
|---|
| 46 | SEC_RIGHTS_MAXIMUM_ALLOWED,
|
|---|
| 47 | &acc_granted, &status);
|
|---|
| 48 |
|
|---|
| 49 | if (!result || !(acc_granted == SEC_RIGHTS_MAXIMUM_ALLOWED)) {
|
|---|
| 50 | printf("FAIL: no dacl for %s (%d/%d)\n", pw->pw_name,
|
|---|
| 51 | pw->pw_uid, pw->pw_gid);
|
|---|
| 52 | failed = True;
|
|---|
| 53 | }
|
|---|
| 54 |
|
|---|
| 55 | result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
|
|---|
| 56 | ngroups, groups, 0x1234,
|
|---|
| 57 | &acc_granted, &status);
|
|---|
| 58 |
|
|---|
| 59 | if (!result || !(acc_granted == 0x1234)) {
|
|---|
| 60 | printf("FAIL: no dacl2 for %s (%d/%d)\n", pw->pw_name,
|
|---|
| 61 | pw->pw_uid, pw->pw_gid);
|
|---|
| 62 | failed = True;
|
|---|
| 63 | }
|
|---|
| 64 |
|
|---|
| 65 | /* If desired access mask is empty then no access is allowed */
|
|---|
| 66 |
|
|---|
| 67 | result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
|
|---|
| 68 | ngroups, groups, 0,
|
|---|
| 69 | &acc_granted, &status);
|
|---|
| 70 |
|
|---|
| 71 | if (result) {
|
|---|
| 72 | printf("FAIL: zero desired access for %s (%d/%d)\n",
|
|---|
| 73 | pw->pw_name, pw->pw_uid, pw->pw_gid);
|
|---|
| 74 | failed = True;
|
|---|
| 75 | }
|
|---|
| 76 |
|
|---|
| 77 | return True;
|
|---|
| 78 | }
|
|---|
| 79 |
|
|---|
| 80 | /* Main function */
|
|---|
| 81 |
|
|---|
| 82 | int main(int argc, char **argv)
|
|---|
| 83 | {
|
|---|
| 84 | /* Initialisation */
|
|---|
| 85 |
|
|---|
| 86 | generate_wellknown_sids();
|
|---|
| 87 |
|
|---|
| 88 | /* Create security descriptor */
|
|---|
| 89 |
|
|---|
| 90 | sd = build_sec_desc(acl_empty, NULL, NULL_SID, NULL_SID);
|
|---|
| 91 |
|
|---|
| 92 | if (!sd) {
|
|---|
| 93 | printf("FAIL: could not build security descriptor\n");
|
|---|
| 94 | return 1;
|
|---|
| 95 | }
|
|---|
| 96 |
|
|---|
| 97 | /* Run test */
|
|---|
| 98 |
|
|---|
| 99 | visit_pwdb(emptysd_check);
|
|---|
| 100 |
|
|---|
| 101 | /* Return */
|
|---|
| 102 |
|
|---|
| 103 | if (!failed) {
|
|---|
| 104 | printf("PASS\n");
|
|---|
| 105 | return 0;
|
|---|
| 106 | }
|
|---|
| 107 |
|
|---|
| 108 | return 1;
|
|---|
| 109 | }
|
|---|
