CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute
authorNadezhda Ivanova <nivanova@symas.com>
Mon, 25 Oct 2021 11:54:56 +0000 (14:54 +0300)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:11 +0000 (10:52 +0100)
Validate Writes and Control Access Rights should only grant access if the
object is of the type listed in the Right's appliesTo attribute.
Tests are added to verify this behavior.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail.d/bug-14832 [new file with mode: 0644]
source4/dsdb/tests/python/acl.py

diff --git a/selftest/knownfail.d/bug-14832 b/selftest/knownfail.d/bug-14832
new file mode 100644 (file)
index 0000000..059a177
--- /dev/null
@@ -0,0 +1 @@
+^samba4.ldap.acl.python\(.*\).__main__.AclSPNTests.test_user_spn\(.*\)
\ No newline at end of file
index abe91942f4f11755becbdd47eeaef24abc639c6e..53acb99c29655b759bcb9e5152713b8e34198f17 100755 (executable)
@@ -1926,6 +1926,8 @@ class AclSPNTests(AclTests):
         self.computername = "testcomp8"
         self.test_user = "spn_test_user8"
         self.computerdn = "CN=%s,CN=computers,%s" % (self.computername, self.base_dn)
+        self.user_object = "user_with_spn"
+        self.user_object_dn = "CN=%s,CN=Users,%s" % (self.user_object, self.base_dn)
         self.dc_dn = "CN=%s,OU=Domain Controllers,%s" % (self.dcname, self.base_dn)
         self.site = "Default-First-Site-Name"
         self.rodcctx = DCJoinContext(server=host, creds=creds, lp=lp,
@@ -1947,6 +1949,7 @@ class AclSPNTests(AclTests):
         self.dcctx.cleanup_old_join()
         delete_force(self.ldb_admin, "cn=%s,cn=computers,%s" % (self.computername, self.base_dn))
         delete_force(self.ldb_admin, self.get_user_dn(self.test_user))
+        delete_force(self.ldb_admin, self.user_object_dn)
 
         del self.ldb_user1
 
@@ -2222,6 +2225,20 @@ class AclSPNTests(AclTests):
     def test_spn_rodc(self):
         self.dc_spn_test(self.rodcctx)
 
+    def test_user_spn(self):
+        #grant SW to a regular user and try to set the spn on a user object
+        #should get  ERR_INSUFFICIENT_ACCESS_RIGHTS, since Validate-SPN only applies to computer
+        self.ldb_admin.newuser(self.user_object, self.user_pass)
+        mod = "(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;%s)" % str(self.user_sid1)
+        self.sd_utils.dacl_add_ace(self.user_object_dn, mod)
+        try:
+            self.replace_spn(self.ldb_user1, self.user_object_dn, "nosuchservice/%s/%s" % ("abcd", "abcd"))
+        except LdbError as e60:
+            (num, _) = e60.args
+            self.assertEqual(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+        else:
+            self.fail()
+
     def test_delete_add_spn(self):
         # Grant Validated-SPN property.
         mod = f'(OA;;SW;{security.GUID_DRS_VALIDATE_SPN};;{self.user_sid1})'
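Review bot: test_user_spn (lines 48-60) hard-codes the Validated-SPN right's GUID in the ACE string, while the neighbouring test_delete_add_spn builds the same ACE from the named constant; for consistency and readability the new test should use `mod = f'(OA;;SW;{security.GUID_DRS_VALIDATE_SPN};;{self.user_sid1})'` so a reader can see which control access right is being granted without looking the GUID up. The `self.fail()` in the else branch gives no hint of what went wrong when the write unexpectedly succeeds; something like `self.fail("setting servicePrincipalName on a user object succeeded, but Validated-SPN applies only to computer objects")` documents the intent of the test in the failure output. The two leading comments would also read better as `# Grant Validated-SPN to a regular user and try to set the SPN on a user object;` and `# expect ERR_INSUFFICIENT_ACCESS_RIGHTS, since Validated-SPN only applies to computer objects.` in the style of test_delete_add_spn. The surrounding class AclSPNTests continues outside the hunk, and self.user_pass is presumably defined in setUp, which is not visible here.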