search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
autorid: improve the precision of the DEBUG at the end of add_range
[Samba.git] / testsuite / smbd / se_access_check_printer.c
blobe2645c68549460286dcdf9f933e743d26ba84f2f
1 /*
2 Unix SMB/Netbios implementation.
3 Version 1.9.
4 Security context tests
5 Copyright (C) Tim Potter 2000
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "se_access_check_utils.h"
23
24 /* Globals */
25
26 BOOL failed;
27 SEC_DESC *sd;
28
29 struct ace_entry acl_printer[] = {
30
31 /* Everyone is allowed to print */
32
33 { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
34 PRINTER_ACE_PRINT, "S-1-1-0" },
35
36 /* Except for user0 who uses too much paper */
37
38 { SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT,
39 PRINTER_ACE_FULL_CONTROL, "user0" },
40
41 /* Users 1 and 2 can manage documents */
42
43 { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
44 PRINTER_ACE_MANAGE_DOCUMENTS, "user1" },
45
46 { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
47 PRINTER_ACE_MANAGE_DOCUMENTS, "user2" },
48
49 /* Domain Admins can also manage documents */
50
51 { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
52 PRINTER_ACE_MANAGE_DOCUMENTS, "Domain Admins" },
53
54 /* User 3 is da man */
55
56 { SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_ACE_FLAG_CONTAINER_INHERIT,
57 PRINTER_ACE_FULL_CONTROL, "user3" },
58
59 { 0, 0, 0, NULL}
60 };
61
62 BOOL test_user(char *username, uint32 acc_desired, uint32 *acc_granted)
63 {
64 struct passwd *pw;
65 uint32 status;
66
67 if (!(pw = getpwnam(username))) {
68 printf("FAIL: could not lookup user info for %s\n",
69 username);
70 exit(1);
71 }
72
73 return se_access_check(sd, pw->pw_uid, pw->pw_gid, 0, NULL,
74 acc_desired, acc_granted, &status);
75 }
76
77 static char *pace_str(uint32 ace_flags)
78 {
79 if ((ace_flags & PRINTER_ACE_FULL_CONTROL) ==
80 PRINTER_ACE_FULL_CONTROL) return "full control";
81
82 if ((ace_flags & PRINTER_ACE_MANAGE_DOCUMENTS) ==
83 PRINTER_ACE_MANAGE_DOCUMENTS) return "manage documents";
84
85 if ((ace_flags & PRINTER_ACE_PRINT) == PRINTER_ACE_PRINT)
86 return "print";
87
88 return "UNKNOWN";
89 }
90
91 uint32 perms[] = {
92 PRINTER_ACE_PRINT,
93 PRINTER_ACE_FULL_CONTROL,
94 PRINTER_ACE_MANAGE_DOCUMENTS,
95 0
96 };
97
98 void runtest(void)
99 {
100 uint32 acc_granted;
101 BOOL result;
102 int i, j;
103
104 for (i = 0; perms[i]; i++) {
105
106 /* Test 10 users */
107
108 for (j = 0; j < 10; j++) {
109 fstring name;
110
111 /* Test user against ACL */
112
113 snprintf(name, sizeof(fstring), "%s/user%d",
114 getenv("TEST_WORKGROUP"), j);
115
116 result = test_user(name, perms[i], &acc_granted);
117
118 printf("%s: %s %s 0x%08x\n", name,
119 pace_str(perms[i]),
120 result ? "TRUE " : "FALSE", acc_granted);
121
122 /* Check results */
123
124 switch (perms[i]) {
125
126 case PRINTER_ACE_PRINT: {
127 if (!result || acc_granted !=
128 PRINTER_ACE_PRINT) {
129 printf("FAIL: user %s can't print\n",
130 name);
131 failed = True;
132 }
133 break;
134 }
135
136 case PRINTER_ACE_FULL_CONTROL: {
137 if (j == 3) {
138 if (!result || acc_granted !=
139 PRINTER_ACE_FULL_CONTROL) {
140 printf("FAIL: user %s doesn't "
141 "have full control\n",
142 name);
143 failed = True;
144 }
145 } else {
146 if (result || acc_granted != 0) {
147 printf("FAIL: user %s has full "
148 "control\n", name);
149 failed = True;
150 }
151 }
152 break;
153 }
154 case PRINTER_ACE_MANAGE_DOCUMENTS: {
155 if (j == 1 || j == 2) {
156 if (!result || acc_granted !=
157 PRINTER_ACE_MANAGE_DOCUMENTS) {
158 printf("FAIL: user %s can't "
159 "manage documents\n",
160 name);
161 failed = True;
162 }
163 } else {
164 if (result || acc_granted != 0) {
165 printf("FAIL: user %s can "
166 "manage documents\n",
167 name);
168 failed = True;
169 }
170 }
171 break;
172 }
173
174 default:
175 printf("FAIL: internal error\n");
176 exit(1);
177 }
178 }
179 }
180 }
181
182 /* Main function */
183
184 int main(int argc, char **argv)
185 {
186 /* Initialisation */
187
188 generate_wellknown_sids();
189
190 /* Create security descriptor */
191
192 sd = build_sec_desc(acl_printer, NULL, NULL_SID, NULL_SID);
193
194 if (!sd) {
195 printf("FAIL: could not build security descriptor\n");
196 return 1;
197 }
198
199 /* Run test */
200
201 runtest();
202
203 /* Return */
204
205 if (!failed) {
206 printf("PASS\n");
207 return 0;
208 }
209
210 return 1;
211 }
Samba GIT mirror