mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

131045 Commits

Author SHA1 Message Date
Martin Schwenke
0e388a1994 ctdb-tests: Include eventscript stub commands in shellcheck test
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2022-09-16 03:36:32 +00:00
Martin Schwenke
4ee0abaece ctdb-tests: Avoid shellcheck warnings in remaining test stubs
A small amount of effort...

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2022-09-16 03:36:32 +00:00
Martin Schwenke
a31fb7e5ab ctdb-scripts: Simplify determination of real interface
This can now be made trivial.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2022-09-16 03:36:32 +00:00
Martin Schwenke
5abaec4992 ctdb-tests: Implement "ip -brief link show" in ip stub
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2022-09-16 03:36:32 +00:00
Martin Schwenke
ef921bdbdb ctdb-tests: Avoid ShellCheck warnings
Although this is a test stub, it is complicated enough to encourage
ShellCheck cleanliness.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2022-09-16 03:36:32 +00:00
Martin Schwenke
67e0ca5e01 ctdb-tests: Reformat script with "shfmt -w -p -i 0 -fn"
As per current Samba convention.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2022-09-16 03:36:32 +00:00
Martin Schwenke
517f09eb6f ctdb-scripts: Drop assumption that there are VLANs with no '@'
VLAN configuration on Linux often uses a convention of naming a VLAN
on <iface> with VLAN ID <tag> as <iface>.<tag>.  To be able to monitor
the underlying interface, the original 10.interface code naively
simply stripped off the '.' and everything after (i.e. ".*", as a glob
pattern).

Some users do not use the above convention.  A VLAN can be named
without including the underlying interface, but still with a
tag (e.g. vlan<tag> - the word "vlan" followed by the tag) or, more
generally, perhaps without a tag (e.g. <vlan> - an arbitrary name).
The ip(8) command lists a VLAN as <vlan>@<iface>.  The underlying
interface can be found by stripping everything up to and including an
'@' (i.e. "*@").

Commit bc71251433 added support for
stripping "*@".  However, on suspicion, it kept support for the case
where there is no '@', falling back to stripping ".*".  If ip(8) ever
did this then it was a long time ago - it has been printing a format
including '@' since at least 2004.

Stripping ".*" interferes with interesting administrative decisions,
like having '.' in interface names.

So, drop the fallback to stripping ".*" because it appears to be
unnecessary and can cause inconvenience.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2022-09-16 03:36:32 +00:00
Andrew Bartlett
cc64ea24da CVE-2020-25720 s4:dsdb/descriptor: explain lack of dSHeuristics check
It is strange that sDRightsEffective pays no attention to the
dSHeuristics flags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Sep 16 03:31:42 UTC 2022 on sn-devel-184
2022-09-16 03:31:42 +00:00
Joseph Sutton
95fe965957 CVE-2020-25720 s4:dsdb/descriptor: Validate owner SIDs written to security descriptors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-16 02:32:36 +00:00
Joseph Sutton
acc9999a08 CVE-2020-25720 s4-acl: Omit sDRightsEffective for computers unless all rights are granted
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-16 02:32:36 +00:00
Nadezhda Ivanova
5073d5997c CVE-2020-25720: s4-acl: Owner no longer has implicit Write DACL
The implicit right of an object's owner to modify its security
descriptor no longer exists, according to the new access rules. However,
we continue to grant this implicit right for fileserver access checks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-16 02:32:36 +00:00
Joseph Sutton
72b8e98252 CVE-2020-25720 s4:ntvfs: Use se_file_access_check() to check file access rights
se_access_check() will be changed in a following commit to remove the
implicit WRITE_DAC right that comes with being the owner of an object.
We want to keep this implicit right for file access, and by using
se_file_access_check() we can preserve the existing behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-16 02:32:36 +00:00
Nadezhda Ivanova
6dc6ca56bd CVE-2020-25720: s4-acl: Adjusted some tests to work with the new behavior
Tests using non-privileged accounts now need to make sure they have
WP access on the provided attributes, or Write-DACL.
Some tests create organizational units with a specific SD, and those now
need the user to have WD or else they give errors

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-16 02:32:36 +00:00
Nadezhda Ivanova
08187833fe CVE-2020-25720: s4-acl: Change behavior of Create Children check
Up to now, the rights to modify an attribute were not checked during an LDAP
add operation. This means that even if a user has no right to modify
an attribute, they can still specify any value during object creation,
and the validated writes were not checked.
This patch changes this behavior. During an add operation,
a security descriptor is created that does not include the one provided by the
user, and is used to verify that the user has the right to modify the supplied attributes.
Exception is made for an object's mandatory attributes, and if the user has Write DACL right,
further checks are skipped.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-16 02:32:36 +00:00
Joseph Sutton
0e1d8929f8 CVE-2020-25720: s4-acl: Move definition of acl_check_self_membership()
This allows us to make use of it in acl_add().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-16 02:32:36 +00:00
Nadezhda Ivanova
c2761a47fd CVE-2020-25720 s4-acl: Test Create Child permission should not allow full write to all attributes
Up to now, the rights to modify an attribute were not checked during an LDAP
add operation. This means that even if a user has no right to modify
an attribute, they can still specify any value during object creation,
and the validated writes were not checked.
This patch includes tests for the proposed change of behavior.
test_add_c3 and c4 pass, because mandatory attributes can still be
set, and in the old behavior SD permissions were irrelevant

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-16 02:32:36 +00:00
Joseph Sutton
2563f85237 CVE-2020-25720 pydsdb: Add AD schema GUID constants
This helps reduce the profusion of magic constant values in Python
tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-16 02:32:36 +00:00
Joseph Sutton
cc70907782 CVE-2020-25720 pydsdb: Add dsHeuristics constant definitions
We want to be able to use these values in Python tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-16 02:32:36 +00:00
Joseph Sutton
0af5706b55 CVE-2020-25720 s4/dsdb/util: Add functions for dsHeuristics 28, 29
These are the newly-added AttributeAuthorizationOnLDAPAdd and
BlockOwnerImplicitRights.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-16 02:32:36 +00:00
Joseph Sutton
890d2c5cf5 CVE-2020-25720 python:tests: Ensure that access checks don't succeed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-16 02:32:36 +00:00
Joseph Sutton
cbbf3fd741 CVE-2020-25720 s4:tests/sec_descriptor: Add missing security descriptor modify
The variable sub_sddl1 previously went unused, so this call to
modify_sd_on_dn() was presumably intended to go here.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-16 02:32:36 +00:00
Jeremy Allison
b4455f0487 s3: libsmb: In cli_posix_open_internal_send() (SMBtrans2:TRANSACT2_SETPATHINFO) check for DFS pathname.
See smbtorture3: SMB1-DFS-PATHS: test_smb1_setpathinfo_XXXX()

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Sep 15 19:44:00 UTC 2022 on sn-devel-184
2022-09-15 19:44:00 +00:00
Jeremy Allison
fa7e6899b3 s3: libsmb: In cli_qpathinfo_send() (SMBtrans2:TRANSACT2_QPATHINFO) check for DFS pathname.
See smbtorture3: SMB1-DFS-PATHS: test_smb1_qpathinfo()

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
adc4a1b290 s3: libsmb: In cli_set_ea_path() (SMBtrans2:TRANSACT2_SETPATHINFO) check for DFS pathname.
See smbtorture3: SMB1-DFS-PATHS: test_smb1_setpathinfo_XXXX()

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
5c083e8bc3 s3: libsmb: In cli_ctemp_send() (SMBctemp) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_ctemp() shows
SMBctemp uses DFS paths.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
6a82167f11 s3: libsmb: In cli_chkpath_send() (SMBcheckpath) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_chkpath() shows
SMBcheckpath uses DFS paths.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
a53c049c4d s3: libsmb: In cli_setatr_send() (SMBsetatr) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_setatr() shows
SMBsetatr uses DFS paths.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
75339aec0e s3: libsmb: In cli_getatr_send() (SMBgetatr) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_getatr() shows
SMBgetatr uses DFS paths.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
b58cee4251 s3: libsmb: In cli_openx_create() (SMBopenX) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_openx() shows
SMBopenX uses DFS paths.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
ab12572264 s3: libsmb: In cli_nttrans_create_send() (SMBnttrans:NT_TRANSACT_CREATE) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_nttrans_create() shows
SMBnttrans:NT_TRANSACT_CREATE uses DFS paths.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
198869afec s3: libsmb: In cli_ntcreate1_send() (SMBntcreateX) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_ntcreatex() shows
SMBntcreateX uses DFS paths.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
8561eaa02d s3: libsmb: In cli_rmdir_send() (SMBrmdir) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_rmdir() shows
SMBrmdir uses DFS paths.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
47cf519e98 s3: libsmb: In cli_mkdir_send() (SMBmkdir) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_mkdir() shows
SMBmkdir uses DFS paths.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
e2efea7d1f s3: libsmb: In cli_unlink_send() (SMBunlink) check for DFS pathname.
smbtorture3: SMB1-DFS-OPERATIONS: test_smb1_unlink() shows
SMBunlink uses DFS paths.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
73a6e2b14a s3: libsmb: In cli_ntrename_internal_send() (SMBntrename) check for DFS dst pathname.
See smbtorture3: SMB1-DFS-PATHS: test_smb1_ntrename_rename().
and smbtorture3: SMB1-DFS-PATHS: test_smb1_ntrename_hardlink().

Remove the old code that stripped a DFS name from the
destination filename, and go through smb1_dfs_share_path()
as we did for fname_src in the last commit.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
f1765c9c7b s3: libsmb: In cli_ntrename_internal_send() (SMBntrename) check for DFS source pathname.
smbtorture3: SMB1-DFS-PATHS: test_smb1_ntrename_rename() shows
SMBntrename uses DFS for src and dst.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
44bf2bc89a s3: libsmb: In cli_cifs_rename_send() (SMBmv) check for DFS dst pathname.
See smbtorture3: SMB1-DFS-PATHS: test_smb1_mv().

Remove the old code that stripped a DFS name from the
destination filename, and go through smb1_dfs_share_path()
as we did for fname_src in the last commit.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
4da3c724d5 s3: libsmb: In cli_cifs_rename_send() (SMBmv) check for DFS source pathname.
smbtorture3: SMB1-DFS-PATHS: test_smb1_mv() shows
SMBmv uses DFS for src and dst.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
2d28696efe s3: libsmb: Make cli_setpathinfo_send() (SMBtrans2: TRANSACT2_SETPATHINFO) DFS path aware.
See smbtorture3: SMB1-DFS-PATHS: test_smb1_setpathinfo_XXXX()

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
f34fad61fd s3: smbcacls: Now cli_resolve_path() and cli_list() can handle DFS names we no longer need local_cli_resolve_path().
Remove local_cli_resolve_path(). No more special treatment for DFS names in smbcacls.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Noel Power <noel.power@suse.com>
2022-09-15 18:43:32 +00:00
Jeremy Allison
3c2a31b438 s3: libsmb: Fix cli_resolve_path() to cope with DFS paths passed in as well as local paths.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
d9f0d92479 s3: libsmb: Fix SMB1 cli_list_old_send() to cope with DFS paths.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
4a9458d03d s3: libsmb: Fix SMB1 cli_list_trans_send() (SMBtrans2:TRANSACT2_FINDFIRST) to cope with DFS paths.
See smbtorture3: SMB1-DFS-SEARCH-PATHS: test_smb1_findfirst_path

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
c98d165e51 s3: libsmb: Add smb1_dfs_share_path() to convert a name into a DFS path if needed.
Not yet used.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
dd9cdfb3b1 s3: libsmb: For SMB2 opens on a DFS share, convert to a DFS path if not already done.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
26b4a6951b s3: libsmb: Add cli_dfs_is_already_full_path() function.
Returns true if it's already a fully qualified DFS path.

Not yet used.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
070b73e3f9 s3: libsmb: In cli_list_old_send(), push state->mask into the packet, not just mask.
This doesn't matter right now, but it will when I
add DFS path awareness to cli_list().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
ad97a97bd8 s3: libsmb: Make cli_state_save_tcon()/cli_state_restore_tcon() static.
There are no external callers.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
4e3ea1b2e7 s3: smbcacls: In cli_lsa_lookup_domain_sid(), replace cli_state_save_tcon()/cli_state_restore_tcon() with cli_state_save_tcon_share()/cli_state_restore_tcon_share().
There are now no more external users of cli_state_save_tcon()/cli_state_restore_tcon()
so we can make them static.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00
Jeremy Allison
fddade459f s3: utils: In show_userlist() replace cli_state_save_tcon()/cli_state_restore_tcon() with cli_state_save_tcon_share()/cli_state_restore_tcon_share().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-09-15 18:43:32 +00:00