1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-05 09:18:06 +03:00
samba-mirror/selftest/knownfail.d
Joseph Sutton 9447c4e81e CVE-2023-0614 ldb: Prevent disclosure of confidential attributes
Add a hook, acl_redact_msg_for_filter(), in the aclread module, that
marks inaccessible any message elements used by an LDAP search filter
that the user has no right to access. Make the various ldb_match_*()
functions check whether message elements are accessible, and refuse to
match any that are not. Remaining message elements, not mentioned in the
search filter, are checked in aclread_callback(), and any inaccessible
elements are removed at this point.

Certain attributes, namely objectClass, distinguishedName, name, and
objectGUID, are always present, and hence the presence of said
attributes is always allowed to be checked in a search filter. This
corresponds with the behaviour of Windows.

Further, we unconditionally allow the attributes isDeleted and
isRecycled in a check for presence or equality. Windows is not known to
make this special exception, but it seems mostly harmless, and should
mitigate the performance impact on searches made by the show_deleted
module.

As a result of all these changes, our behaviour regarding confidential
attributes happens to match Windows more closely. For the test in
confidential_attr.py, we can now model our attribute handling with
DC_MODE_RETURN_ALL, which corresponds to the behaviour exhibited by
Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

[abartlet@samba.org adapted due to Samba 4.17 and lower
 not having the patches for CVE-2020-25720 and 4.16 and lower
 not having the patches for CVE-2022-32743 ]
2023-03-20 10:03:38 +01:00
..
bug-14236 libprc ndr tests: Fix ndrdump test ntlmssp_CHALLENGE_MESSAGE 2020-02-07 08:53:40 +00:00
complex_expressions ldb: complex expression testing 2018-12-07 07:07:08 +01:00
dns s4/rpc_server/dnsserver: Allow parsing of dnsProperty to fail gracefully 2020-05-15 07:29:16 +00:00
dns_packet CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility 2020-07-02 09:01:41 +00:00
dns-aging dns update: zero flags and reserved 2021-07-05 04:16:34 +00:00
durable-v2-delay torture: Run durable_v2_reconnect_delay_msec with leases 2019-12-10 20:31:40 +00:00
empty-domain-name s3:auth_sam: map an empty domain or '.' to the local SAM name 2020-02-05 16:30:42 +00:00
encrypted_secrets knownfail: remove python[23] lines 2021-03-17 05:57:34 +00:00
getncchanges knownfail: remove python[23] lines 2021-03-17 05:57:34 +00:00
initshutdown Run test for initshutdown 2019-05-24 03:19:17 +00:00
kdc-salt dsdb: Allow special chars like "@" in samAccountName when generating the salt 2021-10-20 12:54:54 +00:00
keytab selftest/samba4.blackbox.export.keytab: Update to use a principal with SPN as UPN 2018-09-05 11:42:25 +02:00
kinit_trust s4/selftest: Adjust samba4.blackbox.pkinit to use (s3) smbclient 2020-04-03 15:08:30 +00:00
krb5-no-preauth selftest: knownfail updates after Heimdal Upgrade 2022-01-19 20:50:35 +00:00
labdc selftest: Add a 'LABDC' testenv to mimic a preproduction test-bed 2018-07-10 04:42:10 +02:00
ldap CVE-2020-25722 Ensure the structural objectclass cannot be changed 2021-11-09 19:45:34 +00:00
ldap_spn CVE-2022-0336: s4/dsdb/samldb: Don't return early when an SPN is re-added to an object 2022-01-31 14:26:10 +00:00
modify-order CVE-2020-25722 Ensure the structural objectclass cannot be changed 2021-11-09 19:45:34 +00:00
multichannel selftest: enable 'server multi channel support = yes' 2021-03-06 02:20:05 +00:00
netlogon smbtorture: Add more tests around NETLOGON challenge reuse 2017-06-27 16:57:42 +02:00
ntlmv1-restrictions knownfail: remove python[23] lines 2021-03-17 05:57:34 +00:00
ntlmv2-restrictions s4:torture: Migrate smbtorture to new cmdline option parser 2021-06-16 00:34:38 +00:00
oneway selftest: fl2000dc: Add outgoing trust from fl2000dc to ad_dc 2021-07-07 14:10:29 +00:00
password_settings knownfail: remove python[23] lines 2021-03-17 05:57:34 +00:00
priv_attr CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now) 2021-11-09 19:45:32 +00:00
python-segfaults pyldb: Fix deleting an ldb.Control critical flag 2021-09-28 09:44:35 +00:00
quota1 smbd: Protect smbd_smb2_getinfo_send() against invalid quota files 2020-05-29 09:55:10 +00:00
README selftest: fix typos in README files 2021-03-01 03:50:35 +00:00
replica_sync knownfail: remove python[23] lines 2021-03-17 05:57:34 +00:00
rpc-netlogon-zerologon CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 max len password 2020-10-16 04:45:40 +00:00
rw-invalid smbd: add vfs_valid_{pread,pwrite}_range() checks where needed 2020-05-12 19:53:44 +00:00
s3-lsa-server test_trust_ntlm.sh: add lookup name tests 2018-02-21 14:19:19 +01:00
samba3.vfs.fruit lib/adouble: pass filesize to ad_unpack() 2019-10-30 14:52:33 +00:00
samba-4.5-emulation python-drs: Add client-side debug and fallback for GET_ANC 2022-10-07 09:56:12 +00:00
smb1-tests Add test smbclient 'delree' of dir (on DFS share) 2022-06-20 10:00:16 +00:00
smb2.replay smb2_server: don't cancel pending request if at least one channel is still alive 2021-03-29 19:36:37 +00:00
smb2.session s3:smbd: really support AES-256* in the server 2021-07-20 16:13:28 +00:00
smbcacls s3:smbcacls: Add support for DFS path 2020-07-07 23:03:00 +00:00
smbclient-smb3 s3/client: fix dfs deltree, resolve dfs path 2022-06-20 10:56:52 +00:00
source3-epmapper s3:rpc_server: Add samba-dcerpcd helper programs 2021-12-10 14:02:30 +00:00
srvsvc selftest: Run samba3.srvsvc tests covering more of the srvsvc server 2019-05-24 03:19:17 +00:00
uac_objectclass_restrict CVE-2020-25722 Ensure the structural objectclass cannot be changed 2021-11-09 19:45:34 +00:00
upn_handling s3:winbind: Do not lookup local system accounts in AD 2018-07-04 23:55:56 +02:00
usage lib:ldb-samba: Migrate samba extensions to new cmdline option parser 2021-06-16 01:25:28 +00:00
vlv CVE-2020-10760 dsdb: Add tests for paged_results and VLV over the Global Catalog port 2020-07-02 09:01:41 +00:00
wkssvc selftest: Add more testing of wkssvc in source3 2019-05-24 03:19:17 +00:00

# Files in this directory contain lists of regular expressions
# matching the names of tests that are temporarily expected to fail.
#
# "make test" will not report failures for tests listed here and will consider
# a successful run for any of these tests an error.
#
# Empty lines and lines beginning with '#' are ignored.
# Please don't add tests to this README!