public void SamrQuerySecurityObject_Group_OWNER_SECURITY_INFORMATION_NonDC()
{
ConnectAndOpenDomain_NonDC(_samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberFqdn,
out _serverHandle, out _domainHandle, Utilities.MAXIMUM_ALLOWED);
string groupName = testGroupName;
uint relativeId = 0;
try
{
CreateGroup_NonDC(groupName, _serverHandle, _domainHandle, out _groupHandle, out relativeId);
HRESULT result = _samrProtocolAdapter.SamrOpenGroup(_domainHandle, (uint)Common_ACCESS_MASK.READ_CONTROL, relativeId, out _groupHandle);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrOpenGroup succeeded.");
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with OWNER_SECURITY_INFORMATION");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
result = _samrProtocolAdapter.SamrQuerySecurityObject(_groupHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, out securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result);
Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
Site.Assert.IsNotNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is set, the client requests that the Owner member be returned.");
Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.OwnerSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
}
finally
{
HRESULT result = _samrProtocolAdapter.SamrOpenGroup(_domainHandle, (uint)Group_ACCESS_MASK.GROUP_ALL_ACCESS, relativeId, out _groupHandle);
Site.Log.Add(LogEntryKind.TestStep, "SamrOpenGroup: delete the created group.");
result = _samrProtocolAdapter.SamrDeleteGroup(ref _groupHandle);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrDeleteGroup succeeded.");
}
}
protected void SetCap(string sharePath, _SID?capId)
{
_ACL sacl;
if (capId != null)
{
_SYSTEM_SCOPED_POLICY_ID_ACE ace = DtypUtility.CreateSystemScopedPolicyIdAce(capId.Value);
sacl = DtypUtility.CreateAcl(false, ace);
}
else
{
sacl = DtypUtility.CreateAcl(false);
}
_SECURITY_DESCRIPTOR sd = DtypUtility.CreateSecurityDescriptor(
SECURITY_DESCRIPTOR_Control.SACLAutoInherited | SECURITY_DESCRIPTOR_Control.SACLInheritanceRequired |
SECURITY_DESCRIPTOR_Control.SACLPresent | SECURITY_DESCRIPTOR_Control.SelfRelative,
null,
null,
sacl,
null);
if (sharePath != null)
{
SetSecurityDescriptor(sharePath, null, sd, SET_INFO_Request_AdditionalInformation_Values.SCOPE_SECURITY_INFORMATION);
}
}
protected void SetSecurityDescriptor(string sharePath, string fileName, _SECURITY_DESCRIPTOR sd, SET_INFO_Request_AdditionalInformation_Values securityAttributesToApply)
{
Smb2FunctionalClient clientAdmin;
clientAdmin = new Smb2FunctionalClient(TestConfig.Timeout, TestConfig, BaseTestSite);
clientAdmin.ConnectToServer(TestConfig.UnderlyingTransport, TestConfig.SutComputerName, TestConfig.SutIPAddress);
uint treeId;
ConnectToShare(clientAdmin, TestConfig.AccountCredential, sharePath, out treeId);
FILEID fileId;
Smb2CreateContextResponse[] createContextResponses;
clientAdmin.Create(treeId,
fileName,
fileName == null ? CreateOptions_Values.FILE_DIRECTORY_FILE : CreateOptions_Values.FILE_NON_DIRECTORY_FILE,
out fileId,
out createContextResponses,
accessMask: AccessMask.READ_CONTROL | AccessMask.WRITE_DAC | AccessMask.FILE_READ_ATTRIBUTES | AccessMask.WRITE_OWNER | AccessMask.ACCESS_SYSTEM_SECURITY,
shareAccess: ShareAccess_Values.FILE_SHARE_DELETE | ShareAccess_Values.FILE_SHARE_READ | ShareAccess_Values.FILE_SHARE_WRITE,
createDisposition: CreateDisposition_Values.FILE_OPEN);
clientAdmin.SetSecurityDescriptor(treeId, fileId, securityAttributesToApply, sd);
clientAdmin.Close(treeId, fileId);
clientAdmin.TreeDisconnect(treeId);
clientAdmin.Disconnect();
}
private void SetSecurityDescriptorOnShare(object ace)
{
_ACL acl = DtypUtility.CreateAcl(true, ace);
_SECURITY_DESCRIPTOR sd = originalSD;
_ACL oriAcl = originalSD.Dacl.Value;
DtypUtility.AddAceToAcl(ref oriAcl, true, ace);
sd.Dacl = oriAcl;
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Set Security Descriptor on the share ({0}): {1}.",
FolderPermissionTestShareUncPath, DtypUtility.ToSddlString(sd));
SetSecurityDescriptor(FolderPermissionTestShareUncPath, null, sd, SET_INFO_Request_AdditionalInformation_Values.DACL_SECURITY_INFORMATION);
}
public void SamrQuerySecurityObject_User_DACL_SECURITY_INFORMATION()
{
ConnectAndOpenUser(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName,
_samrProtocolAdapter.DomainAdministratorName, out _userHandle, (uint)Common_ACCESS_MASK.READ_CONTROL);
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with DACL_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
HRESULT result = _samrProtocolAdapter.SamrQuerySecurityObject(_userHandle, SecurityInformation.DACL_SECURITY_INFORMATION, out securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result);
Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
Site.Assert.IsNotNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned.");
Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
bool isAdminSidMatched = false;
bool isWorldSidMatched = false;
bool isSelfMatched = false;
foreach (var ace in sd.Dacl.Value.Aces)
{
if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(AdministratorSid, StringComparison.InvariantCultureIgnoreCase))
{
if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)User_ACCESS_MASK.USER_ALL_ACCESS)
{
isAdminSidMatched = true;
}
}
if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(WorldSid, StringComparison.InvariantCultureIgnoreCase))
{
if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(User_ACCESS_MASK.USER_EXECUTE | User_ACCESS_MASK.USER_READ))
{
isWorldSidMatched = true;
}
}
if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(_samrProtocolAdapter.DomainAdministratorSid.Value, StringComparison.InvariantCultureIgnoreCase))
{
if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(User_ACCESS_MASK.USER_WRITE))
{
isSelfMatched = true;
}
}
}
Site.Assert.IsTrue(isAdminSidMatched, "3.1.5.12.2.1 if ObjectHandle.Object refers to a user object that is a member of Domain Admins or Administrators, the DACL MUST contain AdministratorSid:USER_ALL_ACCESS.");
Site.Assert.IsTrue(isWorldSidMatched, "3.1.5.12.2.1 if ObjectHandle.Object refers to a user object that is a member of Domain Admins or Administrators, the DACL MUST contain WorldSid:USER_EXECUTE|USER_READ.");
Site.Assert.IsTrue(isSelfMatched, "3.1.5.12.2.1 if ObjectHandle.Object refers to a user object that is a member of Domain Admins or Administrators, the DACL MUST contain Self:USER_WRITE.");
}
public void SamrQuerySecurityObject_Server_Group_NonDC()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword,
false,
false);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect5, Server:{0}, Desired Access: READ_CONTROL.", _samrProtocolAdapter.domainMemberFqdn));
hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
_samrProtocolAdapter.domainMemberFqdn,
(uint)COMMON_ACCESS_MASK.READ_CONTROL,
out _serverHandle);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");
Site.Log.Add(LogEntryKind.TestStep,
"SamrQuerySecurityObject, SecurityInformation: GROUP_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrQuerySecurityObject(
_serverHandle,
SamrQuerySecurityObject_SecurityInformation_Values.GROUP_SECURITY_INFORMATION,
out securityDescriptor);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
PtfAssert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
PtfAssert.IsNotNull(sd.GroupSid,
"[MS-SAMR] 3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is set, the client requests that the Group member be returned.");
PtfAssert.IsNull(sd.OwnerSid,
"[MS-SAMR] 3.1.5.12.2 The field(OwnerSid) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.Sacl,
"[MS-SAMR] 3.1.5.12.2 The field(SACL) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.Dacl,
"[MS-SAMR] 3.1.5.12.2 The field(DACL) of the security descriptor is not returned and is set to zero.");
PtfAssert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.GroupSid),
"[MS-SAMR] 3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
}
public void SamrQuerySecurityObject_Server_SACL()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.pdcNetBIOSName,
_samrProtocolAdapter.primaryDomainFqdn,
_samrProtocolAdapter.DomainAdministratorName,
_samrProtocolAdapter.DomainUserPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.pdcNetBIOSName,
_samrProtocolAdapter.primaryDomainFqdn,
_samrProtocolAdapter.DomainAdministratorName,
_samrProtocolAdapter.DomainUserPassword,
false,
true);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect5, Server:{0}, Desired Access: ACCESS_SYSTEM_SECURITY.", _samrProtocolAdapter.PDCNetbiosName));
hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
_samrProtocolAdapter.PDCNetbiosName,
(uint)COMMON_ACCESS_MASK.ACCESS_SYSTEM_SECURITY,
out _serverHandle);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");
Site.Log.Add(LogEntryKind.TestStep,
"SamrQuerySecurityObject, SecurityInformation: SACL_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrQuerySecurityObject(
_serverHandle,
SamrQuerySecurityObject_SecurityInformation_Values.SACL_SECURITY_INFORMATION,
out securityDescriptor);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
PtfAssert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
PtfAssert.IsNotNull(sd.Sacl,
"[MS-SAMR] 3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is set, the client requests that the Sacl be returned.");
PtfAssert.IsNull(sd.OwnerSid,
"[MS-SAMR] 3.1.5.12.2 The field(OwnerSid) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.GroupSid,
"[MS-SAMR] 3.1.5.12.2 The field(GroupSid) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.Dacl,
"[MS-SAMR] 3.1.5.12.2 The field(DACL) of the security descriptor is not returned and is set to zero.");
}
public void SamrQuerySecurityObject_Alias_SACL_SECURITY_INFORMATION_NonDC()
{
ConnectAndOpenDomain_NonDC(_samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberFqdn,
out _serverHandle, out _domainHandle, Utilities.MAXIMUM_ALLOWED);
string aliasName = testAliasName;
uint relativeId = 0;
try
{
Site.Log.Add(LogEntryKind.TestStep, "SamrCreateAliasInDomain: create an alias with Name:{0}, and DesiredAccess:{1}",
testAliasName, ALIAS_ACCESS_MASK.ALIAS_ALL_ACCESS);
HRESULT result = _samrProtocolAdapter.SamrCreateAliasInDomain(
_domainHandle,
aliasName,
(uint)ALIAS_ACCESS_MASK.ALIAS_ALL_ACCESS,
out _aliasHandle,
out relativeId);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrCreateAliasInDomain returns:{0}.", result);
Site.Assert.IsNotNull(_aliasHandle, "The returned alias handle is: {0}.", _aliasHandle);
result = _samrProtocolAdapter.SamrOpenAlias(_domainHandle, (uint)Common_ACCESS_MASK.ACCESS_SYSTEM_SECURITY, relativeId, out _aliasHandle);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrOpenAlias succeeded.");
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with SACL_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
result = _samrProtocolAdapter.SamrQuerySecurityObject(_aliasHandle, SecurityInformation.SACL_SECURITY_INFORMATION, out securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result);
Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
Site.Assert.IsNotNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is set, the client requests that the SACL be returned.");
}
finally
{
HRESULT result = _samrProtocolAdapter.SamrOpenAlias(_domainHandle, (uint)ALIAS_ACCESS_MASK.ALIAS_ALL_ACCESS, relativeId, out _aliasHandle);
Site.Log.Add(LogEntryKind.TestStep, "SamrOpenAlias: delete the created alias.");
result = _samrProtocolAdapter.SamrDeleteAlias(ref _aliasHandle);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrDeleteAlias succeeded.");
}
}
protected override void TestInitialize()
{
base.TestInitialize();
if (FolderPermissionTestShareUncPath == null)
{
FolderPermissionTestShareUncPath = Smb2Utility.GetUncPath(testConfig.SutComputerName, TestConfig.FolderPermissionTestShare);
FolderPermissionTestShareExist = ShareExists(TestConfig.AccountCredential, FolderPermissionTestShareUncPath);
}
if (!FolderPermissionTestShareExist)
{
BaseTestSite.Assert.Inconclusive("Required share does not exist: {0}", FolderPermissionTestShareUncPath);
}
originalSD = QuerySecurityDescriptor(FolderPermissionTestShareUncPath, null,
AdditionalInformation_Values.DACL_SECURITY_INFORMATION |
AdditionalInformation_Values.GROUP_SECURITY_INFORMATION |
AdditionalInformation_Values.OWNER_SECURITY_INFORMATION);
}
public void SamrSetSecurityObject_Owner_SECURITY_INFORMATION_Domain()
{
HRESULT hResult;
ConnectAndOpenDomain(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName,
out _serverHandle, out _domainHandle, (uint)(Common_ACCESS_MASK.WRITE_OWNER | Common_ACCESS_MASK.READ_CONTROL));
CommonSecurityDescriptor commonsd = new CommonSecurityDescriptor(false, true, "O:BGG:BA");
byte[] buffer = new byte[commonsd.BinaryLength];
commonsd.GetBinaryForm(buffer, 0);
_SAMPR_SR_SECURITY_DESCRIPTOR securityDescriptor = new _SAMPR_SR_SECURITY_DESCRIPTOR()
{
SecurityDescriptor = buffer,
Length = (uint)buffer.Length
};
Site.Log.Add(LogEntryKind.TestStep,
"SamrSetSecurityObject, SecurityInformation: OWNER_SECURITY_INFORMATION as Built-in Guests.");
hResult = _samrProtocolAdapter.SamrSetSecurityObject(_domainHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "If the database object referenced by ObjectHandle.Object is not a user object and the DACL_SECURITY_INFORMATION is not set in SecurityInformation, the server MUST silently ignore the request by aborting processing and returning 0.");
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject to check again, SecurityInformation: OWNER_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?sd;
hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, out sd);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
Site.Assert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
// Initializing SecurityDescriptor object using the obtained bytes of security descriptor.
CommonSecurityDescriptor ObtainedSecurityDescriptor =
new CommonSecurityDescriptor(false, true, sd.Value.SecurityDescriptor, 0);
Site.Assert.AreEqual("O:BA", ObtainedSecurityDescriptor.GetSddlForm(AccessControlSections.Owner), "Owner should still be the Administrator.");
_SECURITY_DESCRIPTOR secdes = DtypUtility.DecodeSecurityDescriptor(sd.Value.SecurityDescriptor);
Site.Assert.IsNotNull(secdes.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is set, the client requests that the Owner member be returned.");
Site.Assert.IsNull(secdes.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
Site.Assert.IsNull(secdes.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
Site.Assert.IsNull(secdes.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)secdes.OwnerSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
}
private void SetSecurityDescriptorOnDynamicallyConfigurableShare(object ace)
{
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(originalShareInfo.Value.shi502_security_descriptor);
_ACL dacl = sd.Dacl.Value;
DtypUtility.AddAceToAcl(ref dacl, true, ace);
sd.Dacl = dacl;
DtypUtility.UpdateSecurityDescriptor(ref sd);
SHARE_INFO_502_I newShareInfo = originalShareInfo.Value;
newShareInfo.shi502_security_descriptor = DtypUtility.EncodeSecurityDescriptor(sd);
newShareInfo.shi502_reserved = (uint)newShareInfo.shi502_security_descriptor.Length;
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Set Security Descriptor on the share ({0}): {1}.",
Smb2Utility.GetUncPath(TestConfig.SutComputerName, dynamicallyConfigurableShareName), DtypUtility.ToSddlString(sd));
SetShareInfo(dynamicallyConfigurableShareName, newShareInfo);
}
public void SamrQuerySecurityObject_User_SACL_SECURITY_INFORMATION_NonDC()
{
ConnectAndOpenUser_NonDC(_samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.DMAdminName, out _userHandle, (uint)Common_ACCESS_MASK.ACCESS_SYSTEM_SECURITY);
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with SACL_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
HRESULT result = _samrProtocolAdapter.SamrQuerySecurityObject(_userHandle, SecurityInformation.SACL_SECURITY_INFORMATION, out securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result);
Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
Site.Assert.IsNotNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is set, the client requests that the SACL be returned.");
}
public void SamrQuerySecurityObject_Group_OWNER_SECURITY_INFORMATION()
{
ConnectAndOpenGroup(_samrProtocolAdapter.pdcFqdn, _samrProtocolAdapter.PrimaryDomainDnsName,
_samrProtocolAdapter.DomainAdminGroup, out _groupHandle, (uint)Common_ACCESS_MASK.READ_CONTROL);
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with OWNER_SECURITY_INFORMATION");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
HRESULT result = _samrProtocolAdapter.SamrQuerySecurityObject(_groupHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, out securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result);
Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
Site.Assert.IsNotNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is set, the client requests that the Owner member be returned.");
Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.OwnerSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
}
public void SamrQuerySecurityObjectForAlias_OWNER_SECURITY_INFORMATION()
{
aliasTestPrerequisite();
createAlias();
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with OWNER_SECURITY_INFORMATION");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
HRESULT result = _samrProtocolAdapter.SamrQuerySecurityObject(_aliasHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, out securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result);
Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
Site.Assert.IsNotNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is set, the client requests that the Owner member be returned.");
Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.OwnerSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
}
public void SamrQuerySecurityObject_INVALID_SECURITY_INFORMATION_Domain_NonDC()
{
HRESULT hResult;
ConnectAndOpenDomain_NonDC(_samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberFqdn,
out _serverHandle, out _domainHandle, (uint)Common_ACCESS_MASK.READ_CONTROL);
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject, SecurityInformation: INVALID_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.INVALID_SECURITY_INFORMATION, out securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "If there is not any valid bit in the SECURITY_INFORMATION, all other bits MUST be zero when sent and ignored on receipt.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
}
public void SamrQuerySecurityObject_INVALID_SECURITY_INFORMATION_Domain()
{
HRESULT hResult;
ConnectAndOpenDomain(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName,
out _serverHandle, out _domainHandle);
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject, SecurityInformation: INVALID_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.INVALID_SECURITY_INFORMATION, out securityDescriptor);
// TDI?
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "The following bits are valid; all other bits MUST be zero when sent and ignored on receipt.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
}
public void SamrQuerySecurityObject_SACL_SECURITY_INFORMATION_Domain()
{
HRESULT hResult;
ConnectAndOpenDomain(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName,
out _serverHandle, out _domainHandle, (uint)Common_ACCESS_MASK.ACCESS_SYSTEM_SECURITY);
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject, SecurityInformation: SACL_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.SACL_SECURITY_INFORMATION, out securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
Site.Assert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
Site.Assert.IsNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
Site.Assert.IsNotNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is set, the client requests that the SACL be returned.");
}
protected override void TestInitialize()
{
base.TestInitialize();
if (FilePermissionTestShareUncPath == null)
{
FilePermissionTestShareUncPath = Smb2Utility.GetUncPath(testConfig.SutComputerName, TestConfig.FilePermissionTestShare);
FilePermissionTestShareExist = ShareExists(TestConfig.AccountCredential, FilePermissionTestShareUncPath);
}
if (!FilePermissionTestShareExist)
{
BaseTestSite.Assert.Inconclusive("Required share does not exist: {0}", FilePermissionTestShareUncPath);
}
tempFileName = GetTestFileName(FilePermissionTestShareUncPath);
CreateNewFile(FilePermissionTestShareUncPath, tempFileName);
baseSD = QuerySecurityDescriptor(FilePermissionTestShareUncPath, tempFileName,
AdditionalInformation_Values.DACL_SECURITY_INFORMATION |
AdditionalInformation_Values.GROUP_SECURITY_INFORMATION |
AdditionalInformation_Values.OWNER_SECURITY_INFORMATION);
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Original Security Descriptor of the file ({0}): {1}",
Smb2Utility.GetUncPath(TestConfig.SutComputerName, TestConfig.FilePermissionTestShare, tempFileName), DtypUtility.ToSddlString(baseSD));
client = new Smb2FunctionalClient(TestConfig.Timeout, TestConfig, BaseTestSite);
client.ConnectToServer(TestConfig.UnderlyingTransport, TestConfig.SutComputerName, TestConfig.SutIPAddress);
}
public void SamrQuerySecurityObject_Group_DACL_SECURITY_INFORMATION_NonDomainAdminGroup()
{
ConnectAndOpenGroup(_samrProtocolAdapter.pdcFqdn, _samrProtocolAdapter.PrimaryDomainDnsName,
"Domain Users", out _groupHandle, (uint)Common_ACCESS_MASK.READ_CONTROL);
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject with DACL_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
HRESULT result = _samrProtocolAdapter.SamrQuerySecurityObject(_groupHandle, SecurityInformation.DACL_SECURITY_INFORMATION, out securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, result, "SamrQuerySecurityObject returns:{0}.", result);
Site.Assert.IsNotNull(securityDescriptor, "The returned securityDescriptor should not be null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
Site.Assert.IsNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
Site.Assert.IsNotNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned.");
Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
bool isAdminSidMatched = false;
bool isWorldSidMatched = false;
bool isAccountOperatorsSidMatched = false;
foreach (var ace in sd.Dacl.Value.Aces)
{
if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(AdministratorSid, StringComparison.InvariantCultureIgnoreCase))
{
if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)Group_ACCESS_MASK.GROUP_ALL_ACCESS)
{
isAdminSidMatched = true;
}
else
{
Site.Log.Add(LogEntryKind.Debug, "The AdministratorSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask);
}
}
if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(WorldSid, StringComparison.InvariantCultureIgnoreCase))
{
if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(Group_ACCESS_MASK.GROUP_EXECUTE | Group_ACCESS_MASK.GROUP_READ))
{
isWorldSidMatched = true;
}
else
{
Site.Log.Add(LogEntryKind.Debug, "The WorldSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask);
}
}
if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(AccountOperatorsSid, StringComparison.InvariantCultureIgnoreCase))
{
if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(Group_ACCESS_MASK.GROUP_ALL_ACCESS))
{
isAccountOperatorsSidMatched = true;
}
else
{
Site.Log.Add(LogEntryKind.Debug, "The AccountOperatorsSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask);
}
}
}
Site.Assert.IsTrue(isAdminSidMatched, "3.1.5.12.2.1 if ObjectHandle.Object refers to any group object that does not satisfy the previous condition, the DACL MUST contain AdministratorSid:GROUP_ALL_ACCESS.");
Site.Assert.IsTrue(isWorldSidMatched, "3.1.5.12.2.1 if ObjectHandle.Object refers to any group object that does not satisfy the previous condition, the DACL MUST contain WorldSid:GROUP_EXECUTE|GROUP_READ.");
Site.Assert.IsTrue(isAccountOperatorsSidMatched, "3.1.5.12.2.1 if ObjectHandle.Object refers to any group object that does not satisfy the previous condition, the DACL MUST contain AccountOperatorSid:GROUP_ALL_ACCESS.");
}
public void SamrQuerySecurityObject_Group_DACL_SECURITY_INFORMATION_Domain()
{
HRESULT hResult;
ConnectAndOpenDomain(_samrProtocolAdapter.PDCNetbiosName, _samrProtocolAdapter.PrimaryDomainDnsName,
out _serverHandle, out _domainHandle, (uint)Common_ACCESS_MASK.READ_CONTROL);
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject, SecurityInformation: GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.GROUP_SECURITY_INFORMATION | SecurityInformation.DACL_SECURITY_INFORMATION, out securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
Site.Assert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
Site.Assert.IsNull(sd.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is not set, the client requests that the Owner member not be returned.");
Site.Assert.IsNotNull(sd.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is set, the client requests that the Group member be returned.");
Site.Assert.AreEqual(AdministratorSid, DtypUtility.ToSddlString((_SID)sd.GroupSid), "3.1.5.12.2 The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).");
Site.Assert.IsNotNull(sd.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned.");
Site.Assert.IsNull(sd.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
bool isAdminSidMatched = false;
bool isWorldSidMatched = false;
bool isAccountOperatorSidMatched = false;
foreach (var ace in sd.Dacl.Value.Aces)
{
if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(AdministratorSid, StringComparison.InvariantCultureIgnoreCase))
{
if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(DOMAIN_ACCESS_MASK.DOMAIN_ALL_ACCESS))
{
isAdminSidMatched = true;
}
else
{
Site.Log.Add(LogEntryKind.Debug, "The AdministratorSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask);
}
}
if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(WorldSid, StringComparison.InvariantCultureIgnoreCase))
{
if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(DOMAIN_ACCESS_MASK.DOMAIN_ALL_EXECUTE | DOMAIN_ACCESS_MASK.DOMAIN_READ))
{
isWorldSidMatched = true;
}
else
{
Site.Log.Add(LogEntryKind.Debug, "The WorldSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask);
}
}
if (DtypUtility.ToSddlString(((_ACCESS_ALLOWED_ACE)ace).Sid).Equals(AccountOperatorsSid, StringComparison.InvariantCultureIgnoreCase))
{
if (((_ACCESS_ALLOWED_ACE)ace).Mask == (uint)(DOMAIN_ACCESS_MASK.DOMAIN_ALL_EXECUTE
| DOMAIN_ACCESS_MASK.DOMAIN_READ
| DOMAIN_ACCESS_MASK.DOMAIN_CREATE_USER
| DOMAIN_ACCESS_MASK.DOMAIN_CREATE_GROUP
| DOMAIN_ACCESS_MASK.DOMAIN_CREATE_ALIAS))
{
isAccountOperatorSidMatched = true;
}
else
{
Site.Log.Add(LogEntryKind.Debug, "The AccountOperatorSid's Access Mask is {0}.", ((_ACCESS_ALLOWED_ACE)ace).Mask);
}
}
}
Site.Assert.IsTrue(isWorldSidMatched, "3.1.5.12.2.1 If ObjectHandle.Object refers to a domain object, the DACL MUST contain WorldSid:DOMAIN_EXECUTE | DOMAIN_READ.");
Site.Assert.IsTrue(isAdminSidMatched, "3.1.5.12.2.1 If ObjectHandle.Object refers to a domain object, the DACL MUST contain AdministratorSid:DOMAIN_ALL_ACCESS.");
Site.Assert.IsTrue(isAccountOperatorSidMatched,
"3.1.5.12.2.1 If ObjectHandle.Object refers to a domain object, the DACL MUST contain AccountOperatorSid:DOMAIN_EXECUTE | DOMAIN_READ | DOMAIN_CREATE_USER | DOMAIN_CREATE_GROUP | DOMAIN_CREATE_ALIAS.");
}
public static extern bool GetSecurityDescriptorOwner(
_SECURITY_DESCRIPTOR pSecurityDescriptor,
out IntPtr pOwner,
ref bool lpbOwnerDefaulted
);
public static extern uint GetSecurityInfo(
IntPtr handle,
SE_OBJECT_TYPE ObjectType,
SECURITY_INFORMATION SecurityInfo,
out IntPtr pSidOwner,
out IntPtr pSidGroup,
out _ACL pDacl,
out _ACL pSacl,
out _SECURITY_DESCRIPTOR pSecurityDescriptor
);
public static extern bool InitializeSecurityDescriptor(ref _SECURITY_DESCRIPTOR pSecurityDescriptor, uint dwRevision);
public static extern bool IsValidSecurityDescriptor(_SECURITY_DESCRIPTOR pSecurityDescriptor);
/// <summary>
///
/// </summary>
/// <param name="pSecurityDescriptor"></param>
/// <returns></returns>
public static bool InitializeSecurityDescriptor(ref _SECURITY_DESCRIPTOR pSecurityDescriptor)
{
return InitializeSecurityDescriptor( ref pSecurityDescriptor, _SECURITY_DESCRIPTOR.REVISION );
}
protected override void TestInitialize()
{
base.TestInitialize();
if (FolderPermissionTestShareUncPath == null)
{
FolderPermissionTestShareUncPath = Smb2Utility.GetUncPath(testConfig.SutComputerName, TestConfig.FolderPermissionTestShare);
FolderPermissionTestShareExist = ShareExists(TestConfig.AccountCredential, FolderPermissionTestShareUncPath);
}
if (!FolderPermissionTestShareExist)
{
BaseTestSite.Assert.Inconclusive("Required share does not exist: {0}", FolderPermissionTestShareUncPath);
}
originalSD = QuerySecurityDescriptor(FolderPermissionTestShareUncPath, null,
AdditionalInformation_Values.DACL_SECURITY_INFORMATION |
AdditionalInformation_Values.GROUP_SECURITY_INFORMATION |
AdditionalInformation_Values.OWNER_SECURITY_INFORMATION);
}
protected void SetSecurityDescriptor(string sharePath, string fileName, _SECURITY_DESCRIPTOR sd, SET_INFO_Request_AdditionalInformation_Values securityAttributesToApply)
{
Smb2FunctionalClient clientAdmin;
clientAdmin = new Smb2FunctionalClient(TestConfig.Timeout, TestConfig, BaseTestSite);
clientAdmin.ConnectToServer(TestConfig.UnderlyingTransport, TestConfig.SutComputerName, TestConfig.SutIPAddress);
uint treeId;
ConnectToShare(clientAdmin, TestConfig.AccountCredential, sharePath, out treeId);
FILEID fileId;
Smb2CreateContextResponse[] createContextResponses;
clientAdmin.Create(treeId,
fileName,
fileName == null ? CreateOptions_Values.FILE_DIRECTORY_FILE : CreateOptions_Values.FILE_NON_DIRECTORY_FILE,
out fileId,
out createContextResponses,
accessMask: AccessMask.READ_CONTROL | AccessMask.WRITE_DAC | AccessMask.FILE_READ_ATTRIBUTES | AccessMask.WRITE_OWNER | AccessMask.ACCESS_SYSTEM_SECURITY,
shareAccess: ShareAccess_Values.FILE_SHARE_DELETE | ShareAccess_Values.FILE_SHARE_READ | ShareAccess_Values.FILE_SHARE_WRITE,
createDisposition: CreateDisposition_Values.FILE_OPEN);
clientAdmin.SetSecurityDescriptor(treeId, fileId, securityAttributesToApply, sd);
clientAdmin.Close(treeId, fileId);
clientAdmin.TreeDisconnect(treeId);
clientAdmin.Disconnect();
}
public void SamrSetSecurityObject_Owner_SECURITY_INFORMATION_Domain_NonDC()
{
ConnectAndOpenDomain_NonDC(_samrProtocolAdapter.domainMemberFqdn, _samrProtocolAdapter.domainMemberFqdn,
out _serverHandle, out _domainHandle, Utilities.WRITE_OWNER | Utilities.DOMAIN_READ);
try
{
Site.Log.Add(LogEntryKind.TestStep,
"Set the owner of DM domain to be Built-in Guest.");
CommonSecurityDescriptor commonsd = new CommonSecurityDescriptor(false, true, "O:BGG:BA");
byte[] buffer = new byte[commonsd.BinaryLength];
commonsd.GetBinaryForm(buffer, 0);
_SAMPR_SR_SECURITY_DESCRIPTOR securityDescriptor = new _SAMPR_SR_SECURITY_DESCRIPTOR()
{
SecurityDescriptor = buffer,
Length = (uint)buffer.Length
};
_SAMPR_SR_SECURITY_DESCRIPTOR?sd;
Site.Log.Add(LogEntryKind.TestStep,
"SamrSetSecurityObject, SecurityInformation: OWNER_SECURITY_INFORMATION. ");
HRESULT hResult = _samrProtocolAdapter.SamrSetSecurityObject(_domainHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrSetSecurityObject must return STATUS_SUCCESS.");
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject to check again, SecurityInformation: OWNER_SECURITY_INFORMATION.");
hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, out sd);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
Site.Assert.IsNotNull(sd, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
CommonSecurityDescriptor ObtainedSecurityDescriptor = new CommonSecurityDescriptor(false, true, sd.Value.SecurityDescriptor, 0);
Site.Assert.AreEqual("O:BG", ObtainedSecurityDescriptor.GetSddlForm(AccessControlSections.Owner), "Owner should be Built-in Guest.");
_SECURITY_DESCRIPTOR secdes = DtypUtility.DecodeSecurityDescriptor(sd.Value.SecurityDescriptor);
Site.Assert.IsNotNull(secdes.OwnerSid, "3.1.5.12.2 If this bit(OWNER_SECURITY_INFORMATION) is set, the client requests that the Owner member be returned.");
Site.Assert.IsNull(secdes.GroupSid, "3.1.5.12.2 If this bit(GROUP_SECURITY_INFORMATION) is not set, the client requests that the Group member not be returned.");
Site.Assert.IsNull(secdes.Dacl, "3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is not set, the client requests that the DACL not be returned.");
Site.Assert.IsNull(secdes.Sacl, "3.1.5.12.2 If this bit(SACL_SECURITY_INFORMATION) is not set, the client requests that the SACL not be returned.");
}
finally
{
Site.Log.Add(LogEntryKind.TestStep, "Change the owner of DM domain back to Built-in Administrator.");
CommonSecurityDescriptor commonsd = new CommonSecurityDescriptor(false, true, "O:BAG:BA");
byte[] buffer = new byte[commonsd.BinaryLength];
commonsd.GetBinaryForm(buffer, 0);
_SAMPR_SR_SECURITY_DESCRIPTOR securityDescriptor = new _SAMPR_SR_SECURITY_DESCRIPTOR()
{
SecurityDescriptor = buffer,
Length = (uint)buffer.Length
};
Site.Log.Add(LogEntryKind.TestStep,
"SamrSetSecurityObject, SecurityInformation: OWNER_SECURITY_INFORMATION. ");
HRESULT hResult = _samrProtocolAdapter.SamrSetSecurityObject(_domainHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, securityDescriptor);
Site.Assert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrSetSecurityObject must return STATUS_SUCCESS.");
Site.Log.Add(LogEntryKind.TestStep, "SamrQuerySecurityObject to check again, SecurityInformation: OWNER_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?sd;
hResult = _samrProtocolAdapter.SamrQuerySecurityObject(_domainHandle, SecurityInformation.OWNER_SECURITY_INFORMATION, out sd);
CommonSecurityDescriptor ObtainedSecurityDescriptor =
new CommonSecurityDescriptor(false, true, sd.Value.SecurityDescriptor, 0);
Site.Assert.AreEqual("O:BA", ObtainedSecurityDescriptor.GetSddlForm(AccessControlSections.Owner), "Owner should be changed back to the Administrator.");
}
}
protected override void TestInitialize()
{
base.TestInitialize();
if (FilePermissionTestShareUncPath == null)
{
FilePermissionTestShareUncPath = Smb2Utility.GetUncPath(testConfig.SutComputerName, TestConfig.FilePermissionTestShare);
FilePermissionTestShareExist = ShareExists(TestConfig.AccountCredential, FilePermissionTestShareUncPath);
}
if (!FilePermissionTestShareExist)
{
BaseTestSite.Assert.Inconclusive("Required share does not exist: {0}", FilePermissionTestShareUncPath);
}
tempFileName = string.Format("{0}_{1}.txt", CurrentTestCaseName, Guid.NewGuid());
CreateNewFile(FilePermissionTestShareUncPath, tempFileName);
baseSD = QuerySecurityDescriptor(FilePermissionTestShareUncPath, tempFileName,
AdditionalInformation_Values.DACL_SECURITY_INFORMATION |
AdditionalInformation_Values.GROUP_SECURITY_INFORMATION |
AdditionalInformation_Values.OWNER_SECURITY_INFORMATION);
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Original Security Descriptor of the file ({0}): {1}",
Smb2Utility.GetUncPath(TestConfig.SutComputerName, TestConfig.FilePermissionTestShare, tempFileName), DtypUtility.ToSddlString(baseSD));
client = new Smb2FunctionalClient(TestConfig.Timeout, TestConfig, BaseTestSite);
client.ConnectToServer(TestConfig.UnderlyingTransport, TestConfig.SutComputerName, TestConfig.SutIPAddress);
}
public static extern bool GetSecurityDescriptorOwner(
_SECURITY_DESCRIPTOR pSecurityDescriptor,
[MarshalAs( UnmanagedType.LPArray )] byte[] pOwner,
ref bool lpbOwnerDefaulted
);
public void SamrQuerySecurityObject_Server_DACL_NonDC()
{
HRESULT hResult;
IChecker PtfAssert = TestClassBase.BaseTestSite.Assert;
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrBind, Server:{0}, Domain:{1}, User:{2}, Password{3}.",
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword));
_samrProtocolAdapter.SamrBind(
_samrProtocolAdapter.domainMemberFqdn,
_samrProtocolAdapter.domainMemberNetBIOSName,
_samrProtocolAdapter.DMAdminName,
_samrProtocolAdapter.DMAdminPassword,
false,
false);
Site.Log.Add(LogEntryKind.TestStep,
string.Format("SamrConnect5, Server:{0}, Desired Access: READ_CONTROL.", _samrProtocolAdapter.domainMemberFqdn));
hResult = (HRESULT)_samrProtocolAdapter.SamrConnect5(
_samrProtocolAdapter.domainMemberFqdn,
(uint)COMMON_ACCESS_MASK.READ_CONTROL,
out _serverHandle);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrConnect5 must return STATUS_SUCCESS.");
Site.Log.Add(LogEntryKind.TestStep,
"SamrQuerySecurityObject, SecurityInformation: DACL_SECURITY_INFORMATION.");
_SAMPR_SR_SECURITY_DESCRIPTOR?securityDescriptor;
hResult = (HRESULT)SAMRProtocolAdapter.RpcAdapter.SamrQuerySecurityObject(
_serverHandle,
SamrQuerySecurityObject_SecurityInformation_Values.DACL_SECURITY_INFORMATION,
out securityDescriptor);
PtfAssert.AreEqual(HRESULT.STATUS_SUCCESS, hResult, "SamrQuerySecurityObject must return STATUS_SUCCESS.");
PtfAssert.IsNotNull(securityDescriptor, "The SecurityDescriptor returned by SamrQuerySecurityObject is not null.");
_SECURITY_DESCRIPTOR sd = DtypUtility.DecodeSecurityDescriptor(securityDescriptor.Value.SecurityDescriptor);
PtfAssert.IsNotNull(sd.Dacl,
"[MS-SAMR] 3.1.5.12.2 If this bit(DACL_SECURITY_INFORMATION) is set, the client requests that the DACL be returned.");
PtfAssert.IsNull(sd.OwnerSid,
"[MS-SAMR] 3.1.5.12.2 The field(OwnerSid) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.GroupSid,
"[MS-SAMR] 3.1.5.12.2 The field(GroupSid) of the security descriptor is not returned and is set to zero.");
PtfAssert.IsNull(sd.Sacl,
"[MS-SAMR] 3.1.5.12.2 The field(SACL) of the security descriptor is not returned and is set to zero.");
Site.Log.Add(LogEntryKind.TestStep,
"Verifies that the DACL returned from the server contains the following ACEs: WorldSid(SAM_SERVER_EXECUTE | SAM_SERVER_READ), AdministratorSid(SAM_SERVER_ALL_ACCESS");
bool worldSidFound = false;
uint worldSidMask = 0;
bool adminSidFound = false;
uint adminSidMask = 0;
foreach (var o in sd.Dacl.Value.Aces)
{
if (!(o is Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE))
{
continue;
}
Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE ace = (Microsoft.Protocols.TestTools.StackSdk.Dtyp._ACCESS_ALLOWED_ACE)o;
switch (DtypUtility.ToSddlString(ace.Sid))
{
case AdministratorSid:
adminSidFound = true;
adminSidMask = ace.Mask;
break;
case WorldSid:
worldSidFound = true;
worldSidMask = ace.Mask;
break;
}
}
PtfAssert.IsTrue(worldSidFound,
"[MS-SAMR] 3.1.5.12.2 If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACE. WorldSid");
PtfAssert.AreEqual(SERVER_ACCESS_MASK.SAM_SERVER_EXECUTE | SERVER_ACCESS_MASK.SAM_SERVER_READ, (SERVER_ACCESS_MASK)worldSidMask,
"The access mask of WorldSid is SAM_SERVER_EXECUTE|SAM_SERVER_READ.");
PtfAssert.IsTrue(adminSidFound,
"[MS-SAMR] 3.1.5.12.2 If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACE. AdministratorSid");
PtfAssert.AreEqual(SERVER_ACCESS_MASK.SAM_SERVER_ALL_ACCESS, (SERVER_ACCESS_MASK)adminSidMask,
"The access mask of AdministratorSid is SAM_SERVER_ALL_ACCESS.");
}
public static extern int GetSecurityDescriptorLength(_SECURITY_DESCRIPTOR pSecurityDescriptor);
