mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00

pytest:sddl: add tests for long DACLs, differing flag interpretations

Windows converts hex numbers into flags differently, and has different
ideas of what constitutes "FA", and possibly others.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall 2023-04-17 14:46:52 +12:00 committed by Andrew Bartlett
parent de6d470063
commit 1d9712283b
2 changed files with 124 additions and 0 deletions


@ -559,6 +559,18 @@ class SddlNonCanonical(SddlDecodeEncodeBase):
# ambiguous 'D', looks like part of the SID but isn't # ambiguous 'D', looks like part of the SID but isn't
("O:S-1-2-0x200D:", "O:S-1-2-512D:"), ("O:S-1-2-0x200D:", "O:S-1-2-512D:"),
("O:S-1-2-0x2D:(A;;GA;;;LG)", "O:S-1-2-2D:(A;;GA;;;LG)"), ("O:S-1-2-0x2D:(A;;GA;;;LG)", "O:S-1-2-2D:(A;;GA;;;LG)"),
# like the 'samba3.blackbox.large_acl.NT1' test in
# WindowsFlagsAreDifferent below, except using numeric flags
# that can't easily be turned into symbolic flags. Also it is
# longer, and uses different flags for each ACE.
(("D:(A;;0x00654321;;;WD)" +
''.join(f"(A;;0x00abc{i:03};;;S-1-5-21-11111111-22222222-33333333-{i})"
for i in range(101, 601))),
("D:(A;;0x654321;;;WD)" +
''.join(f"(A;;0xabc{i:03};;;S-1-5-21-11111111-22222222-33333333-{i})"
for i in range(101, 601)))
),
] ]
@ -702,6 +714,115 @@ class SddlWindowsIsLessFussy(SddlDecodeEncodeBase):
] ]
@DynamicTestCase
class SddlWindowsFlagsAreDifferent(SddlDecodeEncodeBase):
"""On Windows the 'FA' symbol means 0x1f01ff, while on Samba it means
0x1ff (Samba is SEC_FILE_ALL, Windows is SEC_FILE_ALL |
SEC_STD_ALL).
https://lists.samba.org/archive/cifs-protocol/2010-February/001387.html
is maybe relevant.
"""
name = "windows_flags_are_different"
should_succeed = True
strings = [
# from 'samba3.blackbox.large_acl.NT1.able to retrieve a large ACL if VFS supports it'
(("D:(A;;0x001f01ff;;;WD)" +
''.join(f"(A;;0x001f01ff;;;S-1-5-21-11111111-22222222-33333333-{i})"
for i in range(1001, 1201))),
("D:(A;;FA;;;WD)" +
''.join(f"(A;;FA;;;S-1-5-21-11111111-22222222-33333333-{i})"
for i in range(1001, 1201)))
),
# from samba4.blackbox.samba-tool_ntacl, but using FA in place of 0x1f01ff
(("O:S-1-5-21-2212615479-2695158682-2101375468-512"
"G:S-1-5-21-2212615479-2695158682-2101375468-513"
"D:P(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
"(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-519)"
"(A;OICIIO;0x001f01ff;;;CO)"
"(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
"(A;OICI;0x001f01ff;;;SY)"
"(A;OICI;0x001200a9;;;AU)"
"(A;OICI;0x001200a9;;;ED)"
"S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
"bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
"(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
"bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"),
("O:S-1-5-21-2212615479-2695158682-2101375468-512"
"G:S-1-5-21-2212615479-2695158682-2101375468-513"
"D:P(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
"(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-519)"
"(A;OICIIO;FA;;;CO)"
"(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
"(A;OICI;FA;;;SY)"
"(A;OICI;0x1200a9;;;AU)"
"(A;OICI;0x1200a9;;;ED)"
"S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
"bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
"(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
"bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")),
("D:(A;;FA;;;WD)", "D:(A;;FA;;;WD)"),
]
@DynamicTestCase
class SddlSambaDoesItsOwnThing(SddlDecodeEncodeBase):
"""Samba's corresponding strings for the "windows flags are different"
examples.
"""
name = "samba_does_its_own_thing"
should_succeed = True
strings = [
# from 'samba3.blackbox.large_acl.NT1.able to retrieve a large ACL if VFS supports it'
(("D:(A;;0x001f01ff;;;WD)" +
''.join(f"(A;;0x001f01ff;;;S-1-5-21-11111111-22222222-33333333-{i})"
for i in range(1001, 1201))),
("D:(A;;0x1f01ff;;;WD)" +
''.join(f"(A;;0x1f01ff;;;S-1-5-21-11111111-22222222-33333333-{i})"
for i in range(1001, 1201)))
),
# On Samba this is like a canonical test (same string
# returned), but Windows will turn all the 0x1f01ff into FA.
(("D:(A;;0x1f01ff;;;WD)" +
''.join(f"(A;;0x1f01ff;;;S-1-5-21-11111111-22222222-33333333-{i})"
for i in range(1001, 1201))),
("D:(A;;0x1f01ff;;;WD)" +
''.join(f"(A;;0x1f01ff;;;S-1-5-21-11111111-22222222-33333333-{i})"
for i in range(1001, 1201)))
),
# from samba4.blackbox.samba-tool_ntacl, removing 00 padding in 0x flags
(("O:S-1-5-21-2212615479-2695158682-2101375468-512"
"G:S-1-5-21-2212615479-2695158682-2101375468-513"
"D:P(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
"(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-519)"
"(A;OICIIO;0x001f01ff;;;CO)"
"(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
"(A;OICI;0x001f01ff;;;SY)"
"(A;OICI;0x001200a9;;;AU)"
"(A;OICI;0x001200a9;;;ED)"
"S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
"bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
"(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
"bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"),
("O:S-1-5-21-2212615479-2695158682-2101375468-512"
"G:S-1-5-21-2212615479-2695158682-2101375468-513"
"D:P(A;OICI;0x1f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
"(A;OICI;0x1f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-519)"
"(A;OICIIO;0x1f01ff;;;CO)"
"(A;OICI;0x1f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)"
"(A;OICI;0x1f01ff;;;SY)"
"(A;OICI;0x1200a9;;;AU)"
"(A;OICI;0x1200a9;;;ED)"
"S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
"bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
"(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
"bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")),
("D:(A;;FA;;;WD)", "D:(A;;CCDCLCSWRPWPDTLOCR;;;WD)"),
]
@DynamicTestCase @DynamicTestCase
class SddlWindowsIsWeird(SddlDecodeEncodeBase): class SddlWindowsIsWeird(SddlDecodeEncodeBase):
"""Windows will accept some very misleading SDDL strings. """Windows will accept some very misleading SDDL strings.
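Review bot: The last pair in `SddlSambaDoesItsOwnThing`, `("D:(A;;FA;;;WD)", "D:(A;;CCDCLCSWRPWPDTLOCR;;;WD)")`, has no comment saying why FA comes back as a different string, yet it is the case where the same SDDL text produces a different access mask on the two implementations. Going by the `SddlWindowsFlagsAreDifferent` docstring, Samba reads FA as 0x1ff and Windows as 0x1f01ff, so an ACE written with FA for Windows and parsed by Samba loses the standard-rights bits (0x1f0000); the expected output here is the nine symbols that make up 0x1ff. I would add above that pair `# Samba reads FA as 0x1ff, so it re-encodes as the 0x1ff symbols; Windows keeps FA (0x1f01ff, see SddlWindowsFlagsAreDifferent)`. Separately, the comment added in the first hunk refers to `WindowsFlagsAreDifferent`, while the class is named `SddlWindowsFlagsAreDifferent`.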


@ -4,6 +4,9 @@
^samba.tests.sddl.+.SddlShouldFail.test_sddl_should_fail_D:.A;;GA.;;;LG..none ^samba.tests.sddl.+.SddlShouldFail.test_sddl_should_fail_D:.A;;GA.;;;LG..none
^samba.tests.sddl.+.SddlShouldFail.test_sddl_should_fail_D:.A;;GA;;;S-1-3-4...none ^samba.tests.sddl.+.SddlShouldFail.test_sddl_should_fail_D:.A;;GA;;;S-1-3-4...none
^samba.tests.sddl.+.SddlShouldFail.test_sddl_should_fail_D:.A;;RP.;;;LG..none ^samba.tests.sddl.+.SddlShouldFail.test_sddl_should_fail_D:.A;;RP.;;;LG..none
^samba.tests.sddl.+.SddlWindowsFlagsAreDifferent.test_sddl_D:.A;;0x001f01ff;;;WD..A;;0x001f01ff;;;S-1.+S
^samba.tests.sddl.+.SddlWindowsFlagsAreDifferent.test_sddl_D:.A;;FA;;;WD..none
^samba.tests.sddl.+.SddlWindowsFlagsAreDifferent.test_sddl_O:S-1-5-21-2212615479-2695158682-210137546.+:
^samba.tests.sddl.+.SddlWindowsIsLessFussy.test_sddl_should_fail_D:.A;.;GA;;;LG..none ^samba.tests.sddl.+.SddlWindowsIsLessFussy.test_sddl_should_fail_D:.A;.;GA;;;LG..none
^samba.tests.sddl.+.SddlWindowsIsLessFussy.test_sddl_should_fail_D:.A;;.GA;;;LG..none ^samba.tests.sddl.+.SddlWindowsIsLessFussy.test_sddl_should_fail_D:.A;;.GA;;;LG..none
^samba.tests.sddl.+.SddlWindowsIsLessFussy.test_sddl_should_fail_D:.A;;GA;;;WD...none ^samba.tests.sddl.+.SddlWindowsIsLessFussy.test_sddl_should_fail_D:.A;;GA;;;WD...none