
CVE-2020-25720: s4-acl: Adjusted some tests to work with the new behavior

Tests using non-privileged accounts now need to make sure they have
WP access on the provided attributes, or Write-DACL.
Some tests create organizational units with a specific SD, and those now
need the user to have WD or else they give errors.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Nadezhda Ivanova 2021-10-22 21:10:35 +03:00 committed by Andrew Bartlett
parent 08187833fe
commit 6dc6ca56bd
4 changed files with 19 additions and 10 deletions


@ -8,3 +8,5 @@
^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_other_admin_computer\(.*\)
^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_other_computer\(.*\)
^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_other_user\(.*\)
^samba4.user_account_control.python\(.*\).__main__.UserAccountControlTests.test_add_computer_cc_normal_bare\(.*\)
^samba4.user_account_control.python\(.*\).__main__.UserAccountControlTests.test_add_computer_sd_cc\(.*\)
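Review bot: The two user_account_control entries added here carry no comment tying them to the behaviour change, so a reader of this knownfail list cannot tell whether test_add_computer_sd_cc and test_add_computer_cc_normal_bare are expected to fail permanently or only until the server-side change for bug 14810 is complete. Both tests are also edited in this same commit, which makes the intent harder to infer from the list alone. If this knownfail format accepts `#` comment lines, a one-line note above the entries such as `# CVE-2020-25720 / bug 14810: CC on the OU alone no longer lets an unprivileged user create a computer with these attributes` would document the expectation where it is consumed.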


@ -496,6 +496,7 @@ class AclAddTests(AclTests):
user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user))
mod = f"(OA;CI;CC;{samba.dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER};;{user_sid})"
self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
# servicePrincipalName
mod = f"(OA;CI;WP;{samba.dsdb.DS_GUID_SCHEMA_ATTR_SERVICE_PRINCIPAL_NAME};;{user_sid})"
self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
dn = "CN=%s,OU=test_add_ou1,%s" % (self.test_user3, self.base_dn)
@ -534,8 +535,12 @@ class AclAddTests(AclTests):
user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user))
mod = f"(OA;CI;CC;{samba.dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER};;{user_sid})"
self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
# servicePrincipalName
mod = f"(OA;CI;WP;{samba.dsdb.DS_GUID_SCHEMA_ATTR_SERVICE_PRINCIPAL_NAME};;{user_sid})"
self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
# userAccountControl
mod = f"(OA;CI;WP;{samba.dsdb.DS_GUID_SCHEMA_ATTR_USER_ACCOUNT_CONTROL};;{user_sid})"
self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
dn = "CN=%s,OU=test_add_ou1,%s" % (self.test_user4, self.base_dn)
samaccountname = self.test_user4 + "$"
try:
@ -4073,7 +4078,7 @@ class AclSearchTests(AclTests):
def test_search4(self):
"""There is no difference in visibility if the user is also creator"""
self.create_clean_ou("OU=ou1," + self.base_dn)
mod = "(A;CI;CC;;;%s)" % (str(self.user_sid))
mod = "(A;CI;CCWD;;;%s)" % (str(self.user_sid))
self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod)
tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod,
self.domain_sid)
@ -4145,7 +4150,7 @@ class AclSearchTests(AclTests):
def test_search6(self):
"""If an attribute that cannot be read is used in a filter, it is as if the attribute does not exist"""
self.create_clean_ou("OU=ou1," + self.base_dn)
mod = "(A;CI;LCCC;;;%s)" % (str(self.user_sid))
mod = "(A;CI;LCCCWD;;;%s)" % (str(self.user_sid))
self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod)
tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod,
self.domain_sid)
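Review bot: In test_search4 and test_search6 the ACE strings now grant WD alongside CC / LCCC, but the docstrings and surrounding lines give no hint why a search-visibility test needs Write-DACL, so a later reader may trim it back as excess privilege. A short comment above the `mod = ...` line, e.g. `# WD is needed because this test creates objects with an explicit SD (tmp_desc); since CVE-2020-25720 CC alone is not enough`, would pin the reason as the commit message states it. The same applies to the `# servicePrincipalName` and `# userAccountControl` comments in the AclAddTests hunks, which name the attribute but not why WP on it is now required for the unprivileged user. All four test bodies start or continue outside their hunks.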


@ -693,7 +693,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
mod = "(A;;WDCC;;;AU)"
mod = "(A;CI;WDCC;;;AU)"
self.sd_utils.dacl_add_ace(self.schema_dn, mod)
# Create example Schema class
try:
@ -983,7 +983,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
delete_force(self.ldb_admin, object_dn)
self.create_configuration_container(self.ldb_admin, object_dn, )
user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
mod = "(A;;WDCC;;;AU)"
mod = "(A;CI;WDCC;;;AU)"
self.sd_utils.dacl_add_ace(object_dn, mod)
# Create child object with user's credentials
object_dn = "CN=test-specifier1," + object_dn
@ -1122,7 +1122,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
delete_force(self.ldb_admin, object_dn)
self.create_configuration_container(self.ldb_admin, object_dn, )
user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
mod = "(A;;CC;;;AU)"
mod = "(A;CI;CCWD;;;AU)"
self.sd_utils.dacl_add_ace(object_dn, mod)
# Create child object with user's credentials
object_dn = "CN=test-specifier1," + object_dn
@ -1148,7 +1148,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
delete_force(self.ldb_admin, object_dn)
self.create_configuration_container(self.ldb_admin, object_dn, )
user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
mod = "(A;;CC;;;AU)"
mod = "(A;CI;CCWD;;;AU)"
self.sd_utils.dacl_add_ace(object_dn, mod)
# Create child object with user's credentials
object_dn = "CN=test-specifier1," + object_dn
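Review bot: All four hunks in this file now grant WDCC with container inheritance to AU (Authenticated Users) — on the schema partition in the first hunk (`self.sd_utils.dacl_add_ace(self.schema_dn, mod)`) and on configuration containers in the others — even though `user_sid` for the test user is computed on the line directly above each ACE and is not used in the visible lines. Unless the AU trustee is what these tests deliberately exercise, narrowing the grant to that principal, e.g. `mod = "(A;CI;WDCC;;;%s)" % str(user_sid)`, keeps the test's privilege grant minimal and avoids leaving an inheritable Write-DACL for every authenticated user on the partition should the original SD not be restored; whether it is restored is outside the hunks. Each test body starts and ends outside its hunk.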


@ -313,7 +313,7 @@ class UserAccountControlTests(samba.tests.TestCase):
def test_add_computer_sd_cc(self):
user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
mod = f"(OA;CI;WDCC;{dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER};;{user_sid})"
old_sd = self.sd_utils.read_sd_on_dn(self.OU)
self.sd_utils.dacl_add_ace(self.OU, mod)
@ -451,7 +451,7 @@ class UserAccountControlTests(samba.tests.TestCase):
def test_add_computer_cc_normal_bare(self):
user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
mod = f"(OA;CI;CC;{dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER};;{user_sid})"
old_sd = self.sd_utils.read_sd_on_dn(self.OU)
self.sd_utils.dacl_add_ace(self.OU, mod)
@ -889,9 +889,11 @@ class UserAccountControlTests(samba.tests.TestCase):
computername = self.computernames[0]
user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
ace_cc = f"(OA;;CC;{dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER};;{user_sid})"
ace_wp_dnshostname = f"(OA;CI;WP;{dsdb.DS_GUID_SCHEMA_ATTR_DNS_HOST_NAME};;{user_sid})"
ace_wp_primarygroupid = f"(OA;CI;WP;{dsdb.DS_GUID_SCHEMA_ATTR_PRIMARY_GROUP_ID};;{user_sid})"
old_sd = self.sd_utils.read_sd_on_dn(self.OU)
mod = ace_cc + ace_wp_dnshostname + ace_wp_primarygroupid
self.sd_utils.dacl_add_ace(self.OU, mod)
try: