9b8dd83fd0
The chain for transitive evaluation does consider ACLs, avoiding the disclosure of confidential information. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
#!/usr/bin/env python3
import optparse
import sys
import os
import samba
import samba.getopt as options
from samba.tests.subunitrun import SubunitOptions, TestProgram
from samba.samdb import SamDB
from samba.auth import system_session
from samba import sd_utils
from samba.ndr import ndr_unpack
from ldb import Message, MessageElement, Dn, LdbError
from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL
from match_rules import MatchRulesTestsBase
class MatchRulesTestsUser(MatchRulesTestsBase):
    """Transitive (in-chain) match rule tests exercised as an unprivileged user.

    The base class provides the administrative connection (``self.ldb``) and
    the group/user fixture it refers to (``self.ou_groups``, ``self.ou_users``,
    ``self.ou_rdn``, ``self.creds``, ``self.lp``).  This class adds a second,
    unprivileged connection (``self.user_ldb``) so a search can be compared
    between an administrative token and a restricted one.
    """

    def setUp(self):
        """Create the fixture, a test user, and a connection bound as that user.

        The module-level ``sambaopts``, ``credopts`` and ``host`` (set by the
        option parsing at the bottom of this script) are copied onto the
        instance before ``super().setUp()`` runs; presumably the base class
        reads them from there to open ``self.ldb`` -- confirm against
        MatchRulesTestsBase.
        """
        self.sambaopts = sambaopts
        self.credopts = credopts
        self.host = host
        super().setUp()
        self.sd_utils = sd_utils.SDUtils(self.ldb)

        # Unprivileged account used for the "as a user" searches.
        self.user_pass = "samba123@"
        self.match_test_user = "matchtestuser"
        self.ldb.newuser(
            self.match_test_user, self.user_pass, userou=self.ou_rdn)

        # Second connection, authenticated as the new user rather than as
        # the administrator behind self.ldb.
        restricted_creds = self.insta_creds(
            template=self.creds,
            username=self.match_test_user,
            userpass=self.user_pass)
        self.user_ldb = SamDB(host, credentials=restricted_creds, lp=self.lp)

        # The user's own SID is the first tokenGroups value of the rootDSE
        # (base "", scope BASE) as seen on the user's connection; it is needed
        # as the trustee of the deny ACE in the test below.
        # NOTE(review): samba.dcerpc.security is reached through the bare
        # `import samba`; it resolves only if an earlier import loads that
        # submodule -- confirm, or import it explicitly.
        rootdse = self.user_ldb.search(
            scope=SCOPE_BASE, base="", attrs=["tokenGroups"])
        raw_sid = rootdse[0]["tokenGroups"][0]
        self.user_sid = ndr_unpack(samba.dcerpc.security.dom_sid, raw_sid)

        # schemaIDGUID of the "member" attribute, for object-specific ACEs.
        self.member_attr_guid = "bf9679c0-0de6-11d0-a285-00aa003049e2"

    def test_with_denied_link(self):
        """A transitive match must not traverse a link the caller cannot read.

        g2 is an intermediate link in the chain from u1 to g4.  Its
        ``member`` attribute is made effectively confidential for the test
        user by an object-specific ACE denying Read Property.  The
        administrative connection still resolves the chain; the user's
        connection, which cannot read g2's member attribute, must get no
        match at all -- otherwise the chained search would leak the hidden
        membership.
        """
        # Deny the test user Read Property (RP) on the member attribute of g2
        # only; every other link in the chain stays readable to that user.
        deny_ace = "(OD;;RP;{0};;{1})".format(
            self.member_attr_guid, self.user_sid)
        group2_dn = Dn(self.ldb, "CN=g2,%s" % self.ou_groups)
        self.sd_utils.dacl_add_ace(group2_dn, deny_ace)

        target_dn = "cn=g4,%s" % self.ou_groups
        direct_filter = "member=cn=u1,%s" % self.ou_users
        chain_filter = (
            "member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users)

        # The fixture does not make u1 a direct member of g4, so a plain
        # equality match on member is empty even for the administrator.
        direct_res = self.ldb.search(
            target_dn, scope=SCOPE_BASE, expression=direct_filter)
        self.assertEqual(len(direct_res), 0)

        # With the in-chain rule the administrative connection follows the
        # chain and finds exactly g4.
        admin_res = self.ldb.search(
            target_dn, scope=SCOPE_BASE, expression=chain_filter)
        self.assertEqual(len(admin_res), 1)
        self.assertEqual(str(admin_res[0].dn).lower(), target_dn.lower())

        # As the restricted user the intermediate link (g2's member attribute)
        # is not visible, so the same chained search must yield nothing.
        user_res = self.user_ldb.search(
            target_dn, scope=SCOPE_BASE, expression=chain_filter)
        self.assertEqual(len(user_res), 0)
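# Command-line handling.  The names assigned here (sambaopts, credopts,
# host) are read as module globals by MatchRulesTestsUser.setUp, so this
# must run before TestProgram starts the tests.
parser = optparse.OptionParser("match_rules_remote.py [options] <host>")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))

# use command line creds if available
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)

# The subunit option group must be registered before parse_args(): optparse
# only recognises the groups present at parse time, so registering it
# afterwards (as this script previously did) meant its options were never
# accepted on the command line.
subunitopts = SubunitOptions(parser)
parser.add_option_group(subunitopts)

opts, args = parser.parse_args()

if not args:
    parser.print_usage()
    sys.exit(1)

host = args[0]

# A bare argument is either a local database file (opened via tdb://) or a
# host name to reach over LDAP; an explicit URL scheme is left untouched.
if "://" not in host:
    if os.path.isfile(host):
        host = "tdb://%s" % host
    else:
        host = "ldap://%s" % host

TestProgram(module=__name__, opts=subunitopts)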