
CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute

Validated Writes and Control Access Rights should only grant access if the
object is of the type listed in the Right's appliesTo attribute.
This commit adds tests to verify that behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Nadezhda Ivanova 2021-10-25 14:54:56 +03:00 committed by Jule Anger
parent 48e3cf9651
commit 6121f31c0e
2 changed files with 18 additions and 0 deletions


@ -0,0 +1 @@
^samba4.ldap.acl.python\(.*\).__main__.AclSPNTests.test_user_spn\(.*\)


@ -1925,6 +1925,8 @@ class AclSPNTests(AclTests):
self.computername = "testcomp8"
self.test_user = "spn_test_user8"
self.computerdn = "CN=%s,CN=computers,%s" % (self.computername, self.base_dn)
self.user_object = "user_with_spn"
self.user_object_dn = "CN=%s,CN=Users,%s" % (self.user_object, self.base_dn)
self.dc_dn = "CN=%s,OU=Domain Controllers,%s" % (self.dcname, self.base_dn)
self.site = "Default-First-Site-Name"
self.rodcctx = DCJoinContext(server=host, creds=creds, lp=lp,
@ -1946,6 +1948,7 @@ class AclSPNTests(AclTests):
self.dcctx.cleanup_old_join()
delete_force(self.ldb_admin, "cn=%s,cn=computers,%s" % (self.computername, self.base_dn))
delete_force(self.ldb_admin, self.get_user_dn(self.test_user))
delete_force(self.ldb_admin, self.user_object_dn)
del self.ldb_user1
@ -2221,6 +2224,20 @@ class AclSPNTests(AclTests):
def test_spn_rodc(self):
self.dc_spn_test(self.rodcctx)
def test_user_spn(self):
#grant SW to a regular user and try to set the spn on a user object
#should get ERR_INSUFFICIENT_ACCESS_RIGHTS, since Validate-SPN only applies to computer
self.ldb_admin.newuser(self.user_object, self.user_pass)
mod = "(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;%s)" % str(self.user_sid1)
self.sd_utils.dacl_add_ace(self.user_object_dn, mod)
try:
self.replace_spn(self.ldb_user1, self.user_object_dn, "nosuchservice/%s/%s" % ("abcd", "abcd"))
except LdbError as e60:
(num, _) = e60.args
self.assertEqual(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
else:
self.fail()
def test_delete_add_spn(self):
# Grant Validated-SPN property.
mod = f'(OA;;SW;{security.GUID_DRS_VALIDATE_SPN};;{self.user_sid1})'
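Review bot: The `mod =` line in test_user_spn hard-codes the Validated-SPN GUID `f3a64788-5306-11d1-a9c5-0000f80367c1`, while test_delete_add_spn three lines below spells the same ACE with the named constant, `mod = f'(OA;;SW;{security.GUID_DRS_VALIDATE_SPN};;{self.user_sid1})'`; use the constant here too so the two tests grant the same right and a mistyped literal cannot silently turn this into a test of some other control access right. The bare `self.fail()` in the else branch says nothing about what went wrong; `self.fail("SPN write on a user object was granted although Validated-SPN applies only to computer objects")` makes a regression self-explanatory in the test log. The two inline comments use `#grant` and `#should` without the conventional space after `#`. The enclosing class AclSPNTests and the body of test_delete_add_spn both continue outside the hunk, and the knownfail entry added in the other file suggests this test is expected to fail until the server-side appliesTo check lands in a separate commit.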