mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
samba-mirror/selftest/knownfail.d
Joseph Sutton d5d0e71279 CVE-2023-0614 ldb: Prevent disclosure of confidential attributes
Add a hook, acl_redact_msg_for_filter(), in the aclread module, that
marks inaccessible any message elements used by an LDAP search filter
that the user has no right to access. Make the various ldb_match_*()
functions check whether message elements are accessible, and refuse to
match any that are not. Remaining message elements, not mentioned in the
search filter, are checked in aclread_callback(), and any inaccessible
elements are removed at this point.

Certain attributes, namely objectClass, distinguishedName, name, and
objectGUID, are always present, and hence the presence of said
attributes is always allowed to be checked in a search filter. This
corresponds with the behaviour of Windows.

Further, we unconditionally allow the attributes isDeleted and
isRecycled in a check for presence or equality. Windows is not known to
make this special exception, but it seems mostly harmless, and should
mitigate the performance impact on searches made by the show_deleted
module.

As a result of all these changes, our behaviour regarding confidential
attributes happens to match Windows more closely. For the test in
confidential_attr.py, we can now model our attribute handling with
DC_MODE_RETURN_ALL, which corresponds to the behaviour exhibited by
Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
bug-14236 libprc ndr tests: Fix ndrdump test ntlmssp_CHALLENGE_MESSAGE 2020-02-07 08:53:40 +00:00
bug-14810 CVE-2020-25720 s4:dsdb/descriptor: Validate owner SIDs written to security descriptors 2022-09-16 02:32:36 +00:00
claims-client-tool netcmd: tests for claims client tool 2023-03-31 07:25:32 +00:00
complex_expressions
constructed-claims tests/krb5: Add tests for constructed (authentication silo) claims 2023-04-05 01:06:29 +00:00
dfs_paths s3: smbd: Fix dumb typos that meant smb1.SMB1-DFS-* tests were running against an SMB2-only fileserver. 2023-03-31 06:07:01 +00:00
dns s4/rpc_server/dnsserver: Allow parsing of dnsProperty to fail gracefully 2020-05-15 07:29:16 +00:00
dns_packet CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility 2020-07-02 09:01:41 +00:00
dns-aging dns update: zero flags and reserved 2021-07-05 04:16:34 +00:00
durable-v2-delay torture: Run durable_v2_reconnect_delay_msec with leases 2019-12-10 20:31:40 +00:00
empty-domain-name s3:auth_sam: map an empty domain or '.' to the local SAM name 2020-02-05 16:30:42 +00:00
encrypted_secrets knownfail: remove python[23] lines 2021-03-17 05:57:34 +00:00
getncchanges s4-drsuapi: Give an error that matches windows on destination_dsa_guid lookup failure 2023-01-31 13:43:54 +00:00
initshutdown
kdc-salt dsdb: Allow special chars like "@" in samAccountName when generating the salt 2021-10-20 12:54:54 +00:00
keytab
kinit_trust s4/selftest: Adjust samba4.blackbox.pkinit to use (s3) smbclient 2020-04-03 15:08:30 +00:00
krb5-no-preauth selftest: knownfail updates after Heimdal Upgrade 2022-01-19 20:50:35 +00:00
labdc
ldap CVE-2020-25722 Ensure the structural objectclass cannot be changed 2021-11-09 19:45:34 +00:00
ldap_spn CVE-2022-0336: s4/dsdb/samldb: Don't return early when an SPN is re-added to an object 2022-01-31 15:27:37 +00:00
lm-hash-support-gone torture: Allow Samba as an AD DC to use zeros for LM key 2022-03-17 02:47:13 +00:00
lzxpress lzxpress: compress shortcut if we've reached maximum length 2022-05-17 23:11:21 +00:00
modify-order CVE-2020-25722 Ensure the structural objectclass cannot be changed 2021-11-09 19:45:34 +00:00
multichannel selftest: enable 'server multi channel support = yes' 2021-03-06 02:20:05 +00:00
netlogon
nt-hash-support-gone samba-tool user: Accommodate missing unicodePwd in getpassword command 2022-06-26 22:10:29 +00:00
ntlmv1-restrictions knownfail: remove python[23] lines 2021-03-17 05:57:34 +00:00
ntlmv2-restrictions s4:torture: Migrate smbtorture to new cmdline option parser 2021-06-16 00:34:38 +00:00
oneway selftest: fl2000dc: Add outgoing trust from fl2000dc to ad_dc 2021-07-07 14:10:29 +00:00
priv_attr CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now) 2021-11-09 19:45:32 +00:00
protected_users s4:auth: Disable NTLM authentication for Protected Users 2022-03-18 11:55:30 +00:00
python-segfaults pyldb: Fix deleting an ldb.Control critical flag 2021-09-28 09:44:35 +00:00
quota1 smbd: Protect smbd_smb2_getinfo_send() against invalid quota files 2020-05-29 09:55:10 +00:00
README selftest: fix typos in README files 2021-03-01 03:50:35 +00:00
replica_sync knownfail: remove python[23] lines 2021-03-17 05:57:34 +00:00
rpc-dfs s3:rpcclient: Fix crash in rpcclient 2022-03-07 00:00:32 +00:00
rpc-netlogon-zerologon CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 max len password 2020-10-16 04:45:40 +00:00
rw-invalid smbd: add vfs_valid_{pread,pwrite}_range() checks where needed 2020-05-12 19:53:44 +00:00
s3-logging tests: adapt logging test for s3. 2022-06-17 01:28:30 +00:00
s3-lsa-server
samba3.vfs.fruit lib/adouble: pass filesize to ad_unpack() 2019-10-30 14:52:33 +00:00
samba-4.5-emulation python-drs: Add client-side debug and fallback for GET_ANC 2022-10-04 02:48:37 +00:00
sid-strings sddl: Remove SDDL SID strings unsupported by Windows 2022-03-17 23:11:37 +00:00
smb1-tests Add test smbclient 'delree' of dir (on DFS share) 2022-06-17 16:20:35 +00:00
smb2.replay smb2_server: don't cancel pending request if at least one channel is still alive 2021-03-29 19:36:37 +00:00
smb2.session s3:smbd: really support AES-256* in the server 2021-07-20 16:13:28 +00:00
smbcacls s3:smbcacls: Add support for DFS path 2020-07-07 23:03:00 +00:00
smbclient-smb3 s3/client: fix dfs deltree, resolve dfs path 2022-06-17 17:12:07 +00:00
source3-epmapper s3:rpc_server: Add samba-dcerpcd helper programs 2021-12-10 14:02:30 +00:00
srvsvc
uac_objectclass_restrict CVE-2020-25722 Ensure the structural objectclass cannot be changed 2021-11-09 19:45:34 +00:00
upn_handling
usage lib:ldb-samba: Migrate samba extensions to new cmdline option parser 2021-06-16 01:25:28 +00:00
vlv CVE-2020-10760 dsdb: Add tests for paged_results and VLV over the Global Catalog port 2020-07-02 09:01:41 +00:00
wkssvc

# Files in this directory contain lists of regular expressions
# matching the names of tests that are temporarily expected to fail.
#
# "make test" will not report failures for tests listed here and will consider
# a successful run for any of these tests an error.
#
# Empty lines and lines beginning with '#' are ignored.
# Please don't add tests to this README!