mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
samba-mirror/source4/setup
Joseph Sutton d5d0e71279 CVE-2023-0614 ldb: Prevent disclosure of confidential attributes
Add a hook, acl_redact_msg_for_filter(), in the aclread module, that
marks inaccessible any message elements used by an LDAP search filter
that the user has no right to access. Make the various ldb_match_*()
functions check whether message elements are accessible, and refuse to
match any that are not. Remaining message elements, not mentioned in the
search filter, are checked in aclread_callback(), and any inaccessible
elements are removed at this point.

Certain attributes, namely objectClass, distinguishedName, name, and
objectGUID, are always present, and hence the presence of said
attributes is always allowed to be checked in a search filter. This
corresponds with the behaviour of Windows.

Further, we unconditionally allow the attributes isDeleted and
isRecycled in a check for presence or equality. Windows is not known to
make this special exception, but it seems mostly harmless, and should
mitigate the performance impact on searches made by the show_deleted
module.

As a result of all these changes, our behaviour regarding confidential
attributes happens to match Windows more closely. For the test in
confidential_attr.py, we can now model our attribute handling with
DC_MODE_RETURN_ALL, which corresponds to the behaviour exhibited by
Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
ad-schema setup/ad-schema: add the latest v1803 and v1903 schema files from Microsoft 2023-03-22 22:10:32 +00:00
adprep setup/adprep: import the latest {Domain-Wide,Forest-Wide,Read-Only-Domain-Controller,Schema}-Updates.md 2023-03-22 22:10:32 +00:00
display-specifiers
tests samba-tool: let 'domain provision' to use the 2019 schema by default 2023-03-22 22:10:32 +00:00
aggregate_schema.ldif
dns_update_list
extended-rights.ldif
idmap_init.ldif
krb5.conf
named.conf
named.conf.dlz s4/dlz: add support for bind 9.18 2022-05-23 00:53:09 +00:00
named.conf.update
named.txt
prefixMap.txt
provision_basedn_modify.ldif
provision_basedn_options.ldif
provision_basedn_references.ldif
provision_basedn.ldif
provision_computers_add.ldif
provision_computers_modify.ldif
provision_configuration_basedn.ldif
provision_configuration_modify.ldif
provision_configuration_references.ldif
provision_configuration.ldif
provision_dns_accounts_add.ldif
provision_dns_add_samba.ldif
provision_dnszones_add.ldif
provision_dnszones_modify.ldif
provision_dnszones_partitions.ldif
provision_group_policy.ldif
provision_init.ldif
provision_partitions.ldif
provision_privilege.ldif
provision_rootdse_add.ldif
provision_rootdse_modify.ldif
provision_schema_basedn_modify.ldif
provision_schema_basedn.ldif
provision_self_join_config.ldif
provision_self_join_modify_config.ldif
provision_self_join_modify_schema.ldif
provision_self_join_modify.ldif
provision_self_join.ldif CVE-2020-25722 s4/provision: add host/ SPNs at the start 2021-11-09 19:45:33 +00:00
provision_users_add.ldif
provision_users_modify.ldif
provision_users.ldif s4:provision_users.ldif: Add Protected Users group 2022-03-18 11:55:30 +00:00
provision_well_known_sec_princ.ldif
provision.ldif
provision.reg
provision.zone
schema_samba4.ldif CVE-2023-0614 ldb: Prevent disclosure of confidential attributes 2023-04-05 02:10:35 +00:00
secrets_dns.ldif
secrets_init.ldif
secrets.ldif
share.ldif
spn_update_list
wscript_build
ypServ30.ldif