From: Nadezhda Ivanova
Date: Fri, 22 Oct 2021 18:10:35 +0000 (+0300)
Subject: CVE-2020-25720: s4-acl: Adjusted some tests to work with the new behavior
X-Git-Tag: talloc-2.4.0~996
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6dc6ca56bd517a5cba85bb4ec120fcfb5feadfb8;p=thirdparty%2Fsamba.git
CVE-2020-25720: s4-acl: Adjusted some tests to work with the new behavior
Test using non-priviledged accounts now need to make sure they have WP access on the prvided attributes, or Write-DACL
Some test create organizational units with a specific SD, and those now need the user to have WD or else they give errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Signed-off-by: Nadezhda Ivanova
Reviewed-by: Andrew Bartlett
---
diff --git a/selftest/knownfail.d/bug-14810 b/selftest/knownfail.d/bug-14810
index 74e832fe6ff..513b2516795 100644
--- a/selftest/knownfail.d/bug-14810
+++ b/selftest/knownfail.d/bug-14810
@@ -8,3 +8,5 @@
 ^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_other_admin_computer\(.*\)
 ^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_other_computer\(.*\)
 ^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_other_user\(.*\)
+^samba4.user_account_control.python\(.*\).__main__.UserAccountControlTests.test_add_computer_cc_normal_bare\(.*\)
+^samba4.user_account_control.python\(.*\).__main__.UserAccountControlTests.test_add_computer_sd_cc\(.*\)
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index ed87eb7ff94..ee6b5ae5cf6 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -496,6 +496,7 @@ class AclAddTests(AclTests):
 user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user))
 mod = f"(OA;CI;CC;{samba.dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER};;{user_sid})"
 self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
+ # servicePrincipalName
 mod = f"(OA;CI;WP;{samba.dsdb.DS_GUID_SCHEMA_ATTR_SERVICE_PRINCIPAL_NAME};;{user_sid})"
 self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
 dn = "CN=%s,OU=test_add_ou1,%s" % (self.test_user3, self.base_dn)
@@ -534,8 +535,12 @@ class AclAddTests(AclTests):
 user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user))
 mod = f"(OA;CI;CC;{samba.dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER};;{user_sid})"
 self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
+ # servicePrincipalName
 mod = f"(OA;CI;WP;{samba.dsdb.DS_GUID_SCHEMA_ATTR_SERVICE_PRINCIPAL_NAME};;{user_sid})"
 self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
+ # userAccountControl
+ mod = f"(OA;CI;WP;{samba.dsdb.DS_GUID_SCHEMA_ATTR_USER_ACCOUNT_CONTROL};;{user_sid})"
+ self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod)
 dn = "CN=%s,OU=test_add_ou1,%s" % (self.test_user4, self.base_dn)
 samaccountname = self.test_user4 + "$"
 try:
@@ -4073,7 +4078,7 @@ class AclSearchTests(AclTests):
 def test_search4(self):
 """There is no difference in visibility if the user is also creator"""
 self.create_clean_ou("OU=ou1," + self.base_dn)
- mod = "(A;CI;CC;;;%s)" % (str(self.user_sid))
+ mod = "(A;CI;CCWD;;;%s)" % (str(self.user_sid))
 self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod)
 tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod, self.domain_sid)
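Review bot: The widened grant `(A;CI;CCWD;;;%s)` in test_search4 is not explained in the test, whose docstring still says it is only about visibility when the user is also the creator. The hunk shows the object being created with an explicit descriptor (`tmp_desc` built from SDDL, with the same `mod` appended), so the WD presumably exists only so the unprivileged user may supply that SD; a comment such as `# WD (WRITE_DAC) is required because the child is created with an explicit SD (bug 14810)` above the `mod =` line would keep the next reader from dropping it again. The ACE is container-inherited, so the user also receives WRITE_DAC on every descendant of ou1, which is fine for a throwaway OU but worth stating. test_search4's body continues past the end of the hunk.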
@@ -4145,7 +4150,7 @@ class AclSearchTests(AclTests):
 def test_search6(self):
 """If an attribute that cannot be read is used in a filter, it is as if the attribute does not exist"""
 self.create_clean_ou("OU=ou1," + self.base_dn)
- mod = "(A;CI;LCCC;;;%s)" % (str(self.user_sid))
+ mod = "(A;CI;LCCCWD;;;%s)" % (str(self.user_sid))
 self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod)
 tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod, self.domain_sid)
diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
index b22b0c0f10c..62ba057beff 100755
--- a/source4/dsdb/tests/python/sec_descriptor.py
+++ b/source4/dsdb/tests/python/sec_descriptor.py
@@ -693,7 +693,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
 _ldb = self.get_ldb_connection(user_name, "samba123@")
 # Change Schema partition descriptor
 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
- mod = "(A;;WDCC;;;AU)"
+ mod = "(A;CI;WDCC;;;AU)"
 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
 # Create example Schema class
 try:
@@ -983,7 +983,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
 delete_force(self.ldb_admin, object_dn)
 self.create_configuration_container(self.ldb_admin, object_dn, )
 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
- mod = "(A;;WDCC;;;AU)"
+ mod = "(A;CI;WDCC;;;AU)"
 self.sd_utils.dacl_add_ace(object_dn, mod)
 # Create child object with user's credentials
 object_dn = "CN=test-specifier1," + object_dn
@@ -1122,7 +1122,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
 delete_force(self.ldb_admin, object_dn)
 self.create_configuration_container(self.ldb_admin, object_dn, )
 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
- mod = "(A;;CC;;;AU)"
+ mod = "(A;CI;CCWD;;;AU)"
 self.sd_utils.dacl_add_ace(object_dn, mod)
 # Create child object with user's credentials
 object_dn = "CN=test-specifier1," + object_dn
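Review bot: The ACE added on `self.schema_dn` now carries CI, so `(A;CI;WDCC;;;AU)` grants WRITE_DAC and CREATE_CHILD to Authenticated Users on the whole schema partition and, through inheritance, on everything beneath it, not just the partition head as before. The hunk does not show the descriptor being restored; the existing comment `# Change Schema partition descriptor` suggests a temporary change, and if the test's cleanup does not put the schema partition SD back, every later test in the same environment runs against a far more permissive schema than intended. Please confirm the restore, and a comment at this line naming where it happens (e.g. `# restored in tearDown`) would make that obvious. The enclosing test method starts before and ends after this hunk.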
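Review bot: The grant at -1122 changes from `(A;;CC;;;AU)` to `(A;CI;CCWD;;;AU)`, so a test that previously exercised child creation with CREATE_CHILD alone now also gives the creator WRITE_DAC, and nothing in the hunk records why. Per the commit message the extra WD is needed because the child is created with a specific SD; if so, a one-line comment above `mod = ...`, e.g. `# CC alone is no longer enough when the child carries its own SD; WD is required too (bug 14810)`, preserves the rationale, whereas if this test was meant to cover the CC-only path the refusal should be asserted instead of widening the grant. The same change is repeated in the hunk at -1148, and the enclosing methods begin outside both hunks.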
@@ -1148,7 +1148,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
 delete_force(self.ldb_admin, object_dn)
 self.create_configuration_container(self.ldb_admin, object_dn, )
 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
- mod = "(A;;CC;;;AU)"
+ mod = "(A;CI;CCWD;;;AU)"
 self.sd_utils.dacl_add_ace(object_dn, mod)
 # Create child object with user's credentials
 object_dn = "CN=test-specifier1," + object_dn
diff --git a/source4/dsdb/tests/python/user_account_control.py b/source4/dsdb/tests/python/user_account_control.py
index 192b382a6a4..b54b33678dc 100755
--- a/source4/dsdb/tests/python/user_account_control.py
+++ b/source4/dsdb/tests/python/user_account_control.py
@@ -313,7 +313,7 @@ class UserAccountControlTests(samba.tests.TestCase):
 def test_add_computer_sd_cc(self):
 user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
- mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
+ mod = f"(OA;CI;WDCC;{dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER};;{user_sid})"
 old_sd = self.sd_utils.read_sd_on_dn(self.OU)
 self.sd_utils.dacl_add_ace(self.OU, mod)
@@ -451,7 +451,7 @@ class UserAccountControlTests(samba.tests.TestCase):
 def test_add_computer_cc_normal_bare(self):
 user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
- mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
+ mod = f"(OA;CI;CC;{dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER};;{user_sid})"
 old_sd = self.sd_utils.read_sd_on_dn(self.OU)
 self.sd_utils.dacl_add_ace(self.OU, mod)
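Review bot: The rewritten `mod` in test_add_computer_sd_cc references `dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER`, while the acl.py hunks of this same commit spell the constant `samba.dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER`; the import is outside the hunk, so please confirm `dsdb` is bound in user_account_control.py, otherwise the test fails with a NameError before it ever reaches the ACL check. The same commit also lists this test in selftest/knownfail.d/bug-14810 even though its grant was widened to WDCC, and nothing in the test says why it is still expected to fail — presumably because the server-side part of bug 14810 is still pending; a comment such as `# expected to fail until the server-side change for bug 14810 lands (see knownfail.d/bug-14810)` would tell the next maintainer when to drop the entry. test_add_computer_sd_cc continues past the end of the hunk.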
@@ -889,9 +889,11 @@ class UserAccountControlTests(samba.tests.TestCase):
 computername = self.computernames[0]
 user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
- mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
-
+ ace_cc = f"(OA;;CC;{dsdb.DS_GUID_SCHEMA_CLASS_COMPUTER};;{user_sid})"
+ ace_wp_dnshostname = f"(OA;CI;WP;{dsdb.DS_GUID_SCHEMA_ATTR_DNS_HOST_NAME};;{user_sid})"
+ ace_wp_primarygroupid = f"(OA;CI;WP;{dsdb.DS_GUID_SCHEMA_ATTR_PRIMARY_GROUP_ID};;{user_sid})"
 old_sd = self.sd_utils.read_sd_on_dn(self.OU)
+ mod = ace_cc + ace_wp_dnshostname + ace_wp_primarygroupid
 self.sd_utils.dacl_add_ace(self.OU, mod)
 try:
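Review bot: `ace_cc` is written without the CI flag (`(OA;;CC;...)`) while the two WP ACEs built next to it, and the CC ACE in the test_add_computer_cc_normal_bare hunk of this same commit, use `OA;CI;`; if the difference is deliberate a short comment should say so, otherwise it reads as an oversight. The three ACEs are concatenated into one string and handed to a single `dacl_add_ace` call, which every other hunk only uses with one ACE, so it is worth confirming that `sd_utils.dacl_add_ace` accepts a multi-ACE SDDL fragment rather than applying only the first. Granting the unprivileged account WP on primaryGroupID is the privileged part of this fixture, and a comment stating what the test expects the server to still reject (or accept) with that grant would make the intent explicit. The test method continues past `try:` outside the hunk.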