mirror of https://github.com/samba-team/samba.git synced 2025-01-22 22:04:08 +03:00

pytest: security descriptors: test some conditional and RA ACEs

We have two sets of tests: one that will succeed, and one that is going
to remain a knownfail. The latter involves Resource Attribute ACEs that
have the TX type, meaning "byte string".

In MS-DTYP, a bytestring is defined like "#6869210a", with a hash,
followed by an even number of hex digits. In other places on the web, it
is mentioned that zeroes in the string can be replaced by hashes, like so
"#686921#a". We discover via indirect fuzzing that a TX RA ACE can also
take bare integers, like "6869210a" or "2023". As it would be tricky to
support this, and there is no evidence of this occurring in the wild, we
will probably leave this as a knownfail.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall 2023-09-05 11:27:00 +12:00 committed by Andrew Bartlett
parent 7b9462faf0
commit 901f77c543
4 changed files with 22 additions and 1 deletions
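
The three TX value spellings the commit message distinguishes, as a small classifier. This is an added example, not code from the commit or from Samba. The names `RA_TX`, `classify_tx_value` and `audit_sddl` are hypothetical, the regex assumes the ACE layout shown in the patch's docstring, and the hash-for-zero decoding follows the commit message's description rather than any specification.

```python
import re

# Matches a resource attribute ACE whose claim type is TX, in the layout the
# patch's docstring shows: (RA;;;;;WD;("foo",TX,0x0,<value>,<value>,...))
RA_TX = re.compile(r'\(RA;[^()]*\("([^"]*)",TX,(0x[0-9a-fA-F]+),([^()]*)\)\)')

def classify_tx_value(token):
    """Classify one TX value; decode it only where the page defines how."""
    if re.fullmatch(r'#(?:[0-9a-fA-F]{2})*', token):
        # MS-DTYP form: a hash followed by an even number of hex digits.
        return ('documented', bytes.fromhex(token[1:]))
    if re.fullmatch(r'#[0-9a-fA-F#]+', token) and len(token) % 2 == 1:
        # Reported form (assumption): an inner hash stands for a zero digit.
        return ('hash-for-zero', bytes.fromhex(token[1:].replace('#', '0')))
    if re.fullmatch(r'[0-9a-fA-F]+', token):
        # Accepted by Windows per the commit; no decoding rule is given,
        # so none is guessed here. Samba's parser does not support this.
        return ('bare-digits', None)
    return ('invalid', None)

def audit_sddl(sddl):
    """Return [(claim_name, token, form, decoded)] for each TX value."""
    found = []
    for name, _flags, values in RA_TX.findall(sddl):
        for token in values.split(','):
            token = token.strip()
            found.append((name, token) + classify_tx_value(token))
    return found

# Constructed samples, built from the strings quoted in the commit message.
SAMPLES = [
    'D:(A;;GA;;;WD)S:(RA;;;;;WD;("foo",TX,0x0,#6869210a))',
    'S:(RA;;;;;WD;("foo",TX,0x0,#686921#a))',
    'S:(RA;;;;;WD;("foo",TX,0x0,0077,00))',
]

if __name__ == '__main__':
    for sample in SAMPLES:
        for row in audit_sddl(sample):
            print(row)
```

Any row reported as `bare-digits` marks an SDDL string that falls into the knownfail class added by this commit.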


@ -150,6 +150,27 @@ class SDDLvsDescriptorOverSizeAcls(SDDLvsDescriptorBase):
json_file = TEST_DIR / 'oversize-acls.json.gz'
@DynamicTestCase
class SDDLvsDescriptorShortConditionalAndResourceAceSuccesses(SDDLvsDescriptorBase):
"""These contain conditional ACEs or resource attribute aces, the SDDL
is less than 1000 characters long, and success is expected.
"""
json_file = TEST_DIR / 'short-conditional-and-resource-aces-successes.json.gz'
@DynamicTestCase
class SDDLvsDescriptorShortConditionalAndResourceAcesTxIntegers(SDDLvsDescriptorBase):
"""These contain resource attribute aces in the form
(RA;;;;;WD;("foo",TX,0x0,0077,00,...))
where the numbers after the 0x0 flags like "0077" are interpreted
by Windows as if they are octet strings. This is not documented
and not supported by Samba.
"""
json_file = TEST_DIR / 'short-conditional-and-resource-aces-tx-int.json.gz'
@DynamicTestCase
class SDDLvsDescriptorShortOrdinaryAclsNoMungeV4(SDDLvsDescriptorBase):
"""These ones have revision 2 ACLs (NT4), but Samba's SDDL only writes
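
Review bot: the two new class names disagree on singular versus plural. SDDLvsDescriptorShortConditionalAndResourceAceSuccesses uses "Ace", while SDDLvsDescriptorShortConditionalAndResourceAcesTxIntegers and both JSON file names use "aces"; renaming the first to "...ResourceAcesSuccesses" would keep the knownfail patterns and file names easy to match up. The TxIntegers docstring says the form is "not documented and not supported by Samba" but does not say the class is expected to sit in knownfail; one sentence stating that would save a reader from treating the failures as regressions.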


@ -1,4 +1,4 @@
^samba.tests.security_descriptors.+SDDLvsDescriptorRegistryObjectRights.+
^samba.tests.security_descriptors.+SDDLvsDescriptorShortOrdinaryAclsNoMungeV4.+
^samba.tests.security_descriptors.+SDDLvsDescriptorOverSizeAcls.+
^samba.tests.security_descriptors.+SDDLvsDescriptorShortConditionalAndResourceAcesTxIntegers.+
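
Review bot: the new last entry, for SDDLvsDescriptorShortConditionalAndResourceAcesTxIntegers, has nothing in this file explaining why it is expected to fail; the reason lives only in the commit message and the class docstring. A comment line above it noting that these tests cover TX values written as bare integers, which Windows accepts and Samba does not support, would let someone reading the knownfail list judge whether the entry is still needed.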