From 5e0365dfe891f556eed180bc44ac7120c37141fb Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 31 Aug 2012 14:42:21 -0700
Subject: [PATCH] Now SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP don't
 include any generic bits (they're used directly in the fileserver where the
 generic bits have already been mapped into file specific bits) we need to add
 the generic bits to the test when we have these privileges.

Mark samba4.base.maximum_allowed knownfail until we implement NTCREATEX_OPTIONS_BACKUP_INTENT.
---
 selftest/knownfail               |  1 +
 source4/torture/basic/denytest.c | 31 +++++++++++++++++++++++++++----
 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index 93f1dfc732e..4e6eb43add7 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -93,6 +93,7 @@
 ^samba4.rpc.samr.passwords.badpwdcount # Not provided by Samba 4 yet
 ^samba4.rpc.samr.passwords.lockout
 ^samba4.base.charset.*.Testing partial surrogate
+^samba4.*.base.maximum_allowed		# broken until we implement NTCREATEX_OPTIONS_BACKUP_INTENT
 .*net.api.delshare.*				# DelShare isn't implemented yet
 ^samba4.rap.*netservergetinfo
 ^samba4.rap.*netsessionenum
diff --git a/source4/torture/basic/denytest.c b/source4/torture/basic/denytest.c
index 2e21c83fadb..69717be3ba8 100644
--- a/source4/torture/basic/denytest.c
+++ b/source4/torture/basic/denytest.c
@@ -2687,7 +2687,7 @@ bool torture_maximum_allowed(struct torture_context *tctx,
 	NTSTATUS status;
 	union smb_fileinfo q;
 	const char *owner_sid;
-	bool has_restore_privilege, has_backup_privilege;
+	bool has_restore_privilege, has_backup_privilege, has_system_security_privilege;
 
 	mem_ctx = talloc_init("torture_maximum_allowed");
 
@@ -2747,18 +2747,41 @@ bool torture_maximum_allowed(struct torture_context *tctx,
 			owner_sid,
 			has_backup_privilege?"Yes":"No");
 
+	status = torture_check_privilege(cli,
+					 owner_sid,
+					 sec_privilege_name(SEC_PRIV_SECURITY));
+	has_system_security_privilege = NT_STATUS_IS_OK(status);
+	torture_comment(tctx, "Checked SEC_PRIV_SECURITY for %s - %s\n",
+			owner_sid,
+			has_system_security_privilege?"Yes":"No");
+
 	smbcli_close(cli->tree, fnum);
 
 	for (i = 0; i < 32; i++) {
 		uint32_t mask = SEC_FLAG_MAXIMUM_ALLOWED | (1u << i);
-		uint32_t ok_mask = SEC_RIGHTS_FILE_READ | SEC_GENERIC_READ | 
+		/*
+		 * SEC_GENERIC_EXECUTE is a complete subset of
+		 * SEC_GENERIC_READ when mapped to specific bits,
+		 * so we need to include it in the basic OK mask.
+		 */
+		uint32_t ok_mask = SEC_RIGHTS_FILE_READ | SEC_GENERIC_READ | SEC_GENERIC_EXECUTE |
 			SEC_STD_DELETE | SEC_STD_WRITE_DAC;
 
+		/*
+		 * Now SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP
+		 * don't include any generic bits (they're used directly
+		 * in the fileserver where the generic bits have already
+		 * been mapped into file specific bits) we need to add the
+		 * generic bits to the ok_mask when we have these privileges.
+		 */
 		if (has_restore_privilege) {
-			ok_mask |= SEC_RIGHTS_PRIV_RESTORE;
+			ok_mask |= SEC_RIGHTS_PRIV_RESTORE|SEC_GENERIC_WRITE;
 		}
 		if (has_backup_privilege) {
-			ok_mask |= SEC_RIGHTS_PRIV_BACKUP;
+			ok_mask |= SEC_RIGHTS_PRIV_BACKUP|SEC_GENERIC_READ;
+		}
+		if (has_system_security_privilege) {
+			ok_mask |= SEC_FLAG_SYSTEM_SECURITY;
 		}
 
 		/* Skip all SACL related tests. */
-- 
2.11.4.GIT