IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This parses the blob as a conditional ACE, and if possible tries
decompiling it into SDDL.
There are not many round-trip assertions we can honestly make, but we
keep the trip going as long as possible, in case it reveals anything.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
When a test fails, this prints a little stanza like
static void test_something(void **state)
{
INIT();
USER_SIDS("WD", "AA");
DEVICE_SIDS("BA", "BG");
SD("D:(XA;;0x1f;;;AA;(! Member_of{SID(AA)}))");
DENY_CHECK(0x10);
}
which is exactly right for copying into
libcli/security/tests/test_run_conditional_ace.c
which is much easier to iterate over with compiling and debugging.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Sometimes we need security tokens for tests, and the raw constructor
is not very ergonomic. This wraps it so you can do this:
from samba.tests.token_factory import token as Token
t = Token(['WD', 'AA'],
privileges=['SEC_PRIV_DEBUG'],
rights=0x840,
device_claims={'wheels': 2, 'smelly': 'no'},
device_sids=['BG'])
and get a security.token object with the expected qualities.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It isn't used and ended up filled with junk. The alignment works out.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These will soon be used by python/samba/tests/sddl_conditional_ace.py,
and are a format understood by the Windows programs in
libcli/security/tests/windows.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Before we had to do this in an environment variable. In that case we
are probably wanting to monitor changes, so we like it to print more
messages than we want to see in an autobuild run that will hopefully
never do anything interesting.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Currently a test suite needs a strings list in order to import new
strings. This lets us avoid that and have the actual tests defined
only in external lists, making it easier to see we're testing the same
thing on Windows and reducing duplication.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These tests were named in the superclass, but were not actually run,
nor was the file in git.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This makes it easy to separate a large number of examples into
successes and knownfails.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We have two sets of tests: one that will succeed, and one that is going
to remain a knownfail. The latter involves Resource Attribute ACEs that
have the TX type, meaning "byte string".
In MS-DTYP, a bytestring is defined like "#6869210a", with a hash,
followed by an even number of hex digits. In other places on the web, it
is mentioned that zeroes in the string can be replaced by hashes, like so
"#686921#a". We discover via indirect fuzzing that a TX RA ACE can also
take bare integers, like "6869210a" or "2023". As it would be tricky to
support this, and there is no evidence of this occurring in the wild, we
will probably leave this as a knownfail.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ACL revision 4 (SECURITY_ACL_REVISION_ADS) is effectively a superset
of revision 2 (SECURITY_ACL_REVISION_NT4), so any revision 2
ACL can be called revision 4 without any problem. But not vice versa:
a revision 4 ACL can contain ACE types that a revision 2 ACL can't. The
extra ACE types relate to objects.
Samba currently simplifies things by calling all its ACLs revision 4,
even if (as is commonly the case) the ACLs contain only revision 2 ACEs.
On the other hand, Windows will use revision 2 whenever it can. In other
tests we skip past this by forcing Windows ACLs to v4 before comparison.
This test is to remind us of the incompatibility.
It would not be hard to fix.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If there are multiple identical ACEs in an SDDL ACL, Windows will decode
them all and put extra trailing zeroes at the end of the ACL.
In contrast, Samba will decode the ACEs and not put extra zeroes at the
end.
The problem comes when Samba tries to read a binary ACL from Windows that
has the extra zeroes, because Samba's ACL size calculation is based on
the size of its constituent ACEs, not the ACL size field.
There is no good reason for an ACL to have repeated ACEs, but they could
be added accidentally.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This matters when we have a millions failures.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Here we're not compiling the whole SD, just the single conditional
ACE.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
As with other object ACEs, if there is not a GUID to refer to the ACE
becomes the corresponding non-object ACE.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
*_CALLBACK_OBJECT types inherit like other _OBJECT types.
*_CALLBACK types do nothing, like other non-OBJECT types.
We also explicitly throw unused alarm callback types and
SEC_ACE_TYPE_SYSTEM_MANDATORY_LABEL and
SEC_ACE_TYPE_SYSTEM_SCOPED_POLICY_ID into the fire.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
With this, Conditional ACEs and Resource Attribute ACEs in SDDL will
be parsed.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Will work when the ace_flags table is updated.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Will work when the ace_flags table is updated.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The decoding will not happen until "RA" is added to the ace_types table.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Conditional ACEs will not actually be decoded until the CALLBACK types
are added to the ace_types flag table.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This doesn't actually *do* anything yet, for two reasons:
1. conditional ACEs are not checked in the
libcli/security/access_check.c functions (or anywhere else), and
will be treated just as they are now, as unknown types.
2. this file isn't mentioned in the wscript, so aren't compiled.
We'll get to point 2 first.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Resource Attribute ACEs have similar syntactical components to
conditional ACEs -- enough so that it is worth reusing the same
functions, but not quite enough so that it is exactly simple.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
There are three different forms for claims, and we need to convert
between them.
For now, we are only going to be converting between conditional ACE
type and the CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 type used by
resource ACEs and in the security token, and later we will add the PAC
claim types.
It doesn't help that these all have incompatible definitions, but we
do our best.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is to show where we're going to end up.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is just the outline of what will come, but first we'll add
conditional ACE SDDL decoding in sddl_conditional_ace.c
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
tabs not spaces.
It appears that my emacs got its configuration mixed up and was using
spaces.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Almost always the ACE has an `ignored` DATA_BLOB as the coda, and the
length of the coda is the length field of the blob, which is usually
zero.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Conditional ACEs go into a DATA_BLOB just like the default ignored
coda, but we add a union field with a different name to preserve
sanity.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
And now we see why security_ace_coda was a union.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
