CVE-2020-25720: s4-acl: Adjusted some tests to work with the new behavior
Tests using non-privileged accounts now need to make sure they have WP access on the provided attributes, or Write-DACL. Some tests create organizational units with a specific SD, and those now need the user to have WD or else they give errors. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
08187833fe
commit
6dc6ca56bd
@ -8,3 +8,5 @@
|
||||
^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_other_admin_computer\(.*\)
|
||||
^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_other_computer\(.*\)
|
||||
^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_other_user\(.*\)
|
||||
^samba4.user_account_control.python\(.*\).__main__.UserAccountControlTests.test_add_computer_cc_normal_bare\(.*\)
|
||||
^samba4.user_account_control.python\(.*\).__main__.UserAccountControlTests.test_add_computer_sd_cc\(.*\)
|
||||
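Review bot: The two `samba4.user_account_control.python…UserAccountControlTests.test_add_computer_sd_cc` and `…test_add_computer_cc_normal_bare` patterns appear to be the additions in this hunk (it is +2 and they are the only entries outside the surrounding AclModifyTests run), yet the same commit rewrites both tests to grant the rights the new check needs. If the rewrite makes them pass, they should not be added to knownfail; if they are still expected to fail, the commit message or a comment above the entries should say why and what later change is meant to remove them. I cannot confirm which two lines are the additions from the rendered page alone.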
|
@ -496,6 +496,7 @@ class AclAddTests(AclTests):
|
||||
user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user))
|
||||
mod = f"(OA;CI;CC;{samba.dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER};;{user_sid})"
|
||||
self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
|
||||
# servicePrincipalName
|
||||
mod = f"(OA;CI;WP;{samba.dsdb.DS_GUID_SCHEMA_ATTR_SERVICE_PRINCIPAL_NAME};;{user_sid})"
|
||||
self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
|
||||
dn = "CN=%s,OU=test_add_ou1,%s" % (self.test_user3, self.base_dn)
|
||||
@ -534,8 +535,12 @@ class AclAddTests(AclTests):
|
||||
user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user))
|
||||
mod = f"(OA;CI;CC;{samba.dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER};;{user_sid})"
|
||||
self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
|
||||
# servicePrincipalName
|
||||
mod = f"(OA;CI;WP;{samba.dsdb.DS_GUID_SCHEMA_ATTR_SERVICE_PRINCIPAL_NAME};;{user_sid})"
|
||||
self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
|
||||
# userAccountControl
|
||||
mod = f"(OA;CI;WP;{samba.dsdb.DS_GUID_SCHEMA_ATTR_USER_ACCOUNT_CONTROL};;{user_sid})"
|
||||
self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
|
||||
dn = "CN=%s,OU=test_add_ou1,%s" % (self.test_user4, self.base_dn)
|
||||
samaccountname = self.test_user4 + "$"
|
||||
try:
|
||||
@ -4073,7 +4078,7 @@ class AclSearchTests(AclTests):
|
||||
def test_search4(self):
|
||||
"""There is no difference in visibility if the user is also creator"""
|
||||
self.create_clean_ou("OU=ou1," + self.base_dn)
|
||||
mod = "(A;CI;CC;;;%s)" % (str(self.user_sid))
|
||||
mod = "(A;CI;CCWD;;;%s)" % (str(self.user_sid))
|
||||
self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod)
|
||||
tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod,
|
||||
self.domain_sid)
|
||||
@ -4145,7 +4150,7 @@ class AclSearchTests(AclTests):
|
||||
def test_search6(self):
|
||||
"""If an attribute that cannot be read is used in a filter, it is as if the attribute does not exist"""
|
||||
self.create_clean_ou("OU=ou1," + self.base_dn)
|
||||
mod = "(A;CI;LCCC;;;%s)" % (str(self.user_sid))
|
||||
mod = "(A;CI;LCCCWD;;;%s)" % (str(self.user_sid))
|
||||
self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod)
|
||||
tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod,
|
||||
self.domain_sid)
|
||||
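Review bot: In `test_search4` the ACE changes from `CC` to `CCWD` without a comment explaining why, and WD (Write-DACL) is much broader than the visibility behaviour the docstring "There is no difference in visibility if the user is also creator" describes: with `CI` it is inherited by every child of ou1, so the test user can rewrite the DACL of anything created there. The commit message gives the reason (creating an object with a specific SD now requires WD), so put it next to the grant, e.g. `# WD is needed since CVE-2020-25720: adding an object with an explicit SD requires Write-DACL` above `mod = "(A;CI;CCWD;;;%s)"`, and the same comment in `test_search6` where `LCCC` becomes `LCCCWD`. Both test bodies continue past their hunks.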
|
@ -693,7 +693,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
|
||||
_ldb = self.get_ldb_connection(user_name, "samba123@")
|
||||
# Change Schema partition descriptor
|
||||
user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
|
||||
mod = "(A;;WDCC;;;AU)"
|
||||
mod = "(A;CI;WDCC;;;AU)"
|
||||
self.sd_utils.dacl_add_ace(self.schema_dn, mod)
|
||||
# Create example Schema class
|
||||
try:
|
||||
@ -983,7 +983,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
|
||||
delete_force(self.ldb_admin, object_dn)
|
||||
self.create_configuration_container(self.ldb_admin, object_dn, )
|
||||
user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
|
||||
mod = "(A;;WDCC;;;AU)"
|
||||
mod = "(A;CI;WDCC;;;AU)"
|
||||
self.sd_utils.dacl_add_ace(object_dn, mod)
|
||||
# Create child object with user's credentials
|
||||
object_dn = "CN=test-specifier1," + object_dn
|
||||
@ -1122,7 +1122,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
|
||||
delete_force(self.ldb_admin, object_dn)
|
||||
self.create_configuration_container(self.ldb_admin, object_dn, )
|
||||
user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
|
||||
mod = "(A;;CC;;;AU)"
|
||||
mod = "(A;CI;CCWD;;;AU)"
|
||||
self.sd_utils.dacl_add_ace(object_dn, mod)
|
||||
# Create child object with user's credentials
|
||||
object_dn = "CN=test-specifier1," + object_dn
|
||||
@ -1148,7 +1148,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
|
||||
delete_force(self.ldb_admin, object_dn)
|
||||
self.create_configuration_container(self.ldb_admin, object_dn, )
|
||||
user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
|
||||
mod = "(A;;CC;;;AU)"
|
||||
mod = "(A;CI;CCWD;;;AU)"
|
||||
self.sd_utils.dacl_add_ace(object_dn, mod)
|
||||
# Create child object with user's credentials
|
||||
object_dn = "CN=test-specifier1," + object_dn
|
||||
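Review bot: Every hunk in this file now grants WD+CC to `AU` (all Authenticated Users) with `CI`, so the grant is inherited by every child of the target, and in the first hunk the target is the schema partition (`self.sd_utils.dacl_add_ace(self.schema_dn, mod)`). `user_sid` is computed on the line just above each ACE but is not used within the visible hunk lines; scoping the ACE to the test account, `mod = f"(A;CI;WDCC;;;{user_sid})"`, exercises the same code path with least privilege and limits the blast radius if the descriptor is not restored. I cannot see the enclosing methods' cleanup from these hunks; if the original SD is not saved and restored (the `old_sd = self.sd_utils.read_sd_on_dn(...)` pattern used in the user_account_control tests), later tests in the same environment run with every authenticated user holding Write-DACL on the schema NC. The enclosing methods start and end outside these hunks.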
|
@ -313,7 +313,7 @@ class UserAccountControlTests(samba.tests.TestCase):
|
||||
|
||||
def test_add_computer_sd_cc(self):
|
||||
user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
|
||||
mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
|
||||
mod = f"(OA;CI;WDCC;{dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER};;{user_sid})"
|
||||
|
||||
old_sd = self.sd_utils.read_sd_on_dn(self.OU)
|
||||
self.sd_utils.dacl_add_ace(self.OU, mod)
|
||||
@ -451,7 +451,7 @@ class UserAccountControlTests(samba.tests.TestCase):
|
||||
|
||||
def test_add_computer_cc_normal_bare(self):
|
||||
user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
|
||||
mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
|
||||
mod = f"(OA;CI;CC;{dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER};;{user_sid})"
|
||||
|
||||
old_sd = self.sd_utils.read_sd_on_dn(self.OU)
|
||||
self.sd_utils.dacl_add_ace(self.OU, mod)
|
||||
@ -889,9 +889,11 @@ class UserAccountControlTests(samba.tests.TestCase):
|
||||
computername = self.computernames[0]
|
||||
|
||||
user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
|
||||
mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
|
||||
|
||||
ace_cc = f"(OA;;CC;{dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER};;{user_sid})"
|
||||
ace_wp_dnshostname = f"(OA;CI;WP;{dsdb.DS_GUID_SCHEMA_ATTR_DNS_HOST_NAME};;{user_sid})"
|
||||
ace_wp_primarygroupid = f"(OA;CI;WP;{dsdb.DS_GUID_SCHEMA_ATTR_PRIMARY_GROUP_ID};;{user_sid})"
|
||||
old_sd = self.sd_utils.read_sd_on_dn(self.OU)
|
||||
mod = ace_cc + ace_wp_dnshostname + ace_wp_primarygroupid
|
||||
|
||||
self.sd_utils.dacl_add_ace(self.OU, mod)
|
||||
try:
|
||||
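Review bot: In `test_add_computer_sd_cc` the new ACE `(OA;CI;WDCC;{DS_GUID_SCHEMA_CLASS_COMPUTER};;{user_sid})` folds the standard right WD into an object-type ACE qualified by the computer class GUID. CC is the object-specific right that GUID is meant to scope; whether a WD bit carried in a class-qualified OA ACE is honoured depends on the Write-DACL access check being evaluated against that same object type, which I cannot confirm from here, and this test is also being listed in knownfail by the same commit. Splitting the grant removes the ambiguity: `mod = f"(OA;CI;CC;{dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER};;{user_sid})" + f"(A;CI;WD;;;{user_sid})"`. The method continues past the hunk.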
|