The branch, v4-17-stable has been updated via 0e746c02f6c CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup via 08f4f363fa6 CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC via 6ff5eed9c5d CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC via 9989568b20c CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default via cbd68f39d52 CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY via c0d6e6db657 CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests via 4e5f060cdc3 CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour via 4c1f1fe39c6 CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once via 92a4df11b2d CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever. via 8a9dac9d4e5 CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start via 649bccf87ef CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force() via 8de96459777 CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice via 68eda471b8f CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers via 8b1f1c9f90f CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position via b59a4266f1b CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper via 22904d2b9dc CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper via 4cfec08d7ee CVE-2023-4154 py_security: allow idx argument to descriptor.[s|d]acl_add() via 10c4b6ea09f CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers via b4849183a68 CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper via d221d0a7902 CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG via 5313a307148 CVE-2023-4154 s4:dsdb:tests: Fix code spelling via 119ff0ef752 CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test via e8b68aa5c9a CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL via bd5213a918e CVE-2023-4154 librpc ndr/py_security: Export ACE deletion functions to python via 25585fda53f CVE-2023-4154 libcli security_descriptor: Add function to delete a given ace from a security descriptor via 347d55084b7 CVE-2023-4091: smbd: use open_access_mask for access check in open_file() via 45051934ffa CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file via f958415a69f CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames. via e6f096c4c8f CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code. via 23199e11545 CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir. from f3e7be14a36 VERSION: Disable GIT_SNAPSHOT for the 4.17.11 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-stable - Log ----------------------------------------------------------------- commit 0e746c02f6cc3b53b941f2b2d9624427020a6890 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Sep 12 16:23:49 2023 +1200 CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup We now have ensured that no conflicting services attempt to start so we do not need the runtime lookup and so avoid the risk that the lookup may fail. This means that any duplicates will be noticed early not just in a race condition. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473 Signed-off-by: Andrew Bartlett <abart...@samba.org> commit 08f4f363fa6e2ee62a6e32db577ee12e26927735 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Sep 12 12:28:49 2023 +1200 CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC Just as we refuse to start NETLOGON except on the DC, we must refuse to start all of the RPC services that are provided by the AD DC. Most critically of course this applies to netlogon, lsa and samr. This avoids the supression of these services being the result of a runtime epmapper lookup, as if that fails these services can disrupt service to end users by listening on the same socket as the AD DC servers. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473 Signed-off-by: Andrew Bartlett <abart...@samba.org> commit 6ff5eed9c5dbb5b8b27ef34586e63208e958dc2e Author: Andrew Bartlett <abart...@samba.org> Date: Tue Sep 12 19:01:03 2023 +1200 CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC The rpcecho server in source3 does have samba the sleep() feature that the s4 version has, but the task architecture is different, so there is not the same impact. Hoever equally this is not something that should be enabled on production builds of Samba, so restrict to selftest builds. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474 Signed-off-by: Andrew Bartlett <abart...@samba.org> commit 9989568b20c8f804140c22f51548d766a18ed887 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Sep 12 18:59:44 2023 +1200 CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default The rpcecho server is useful in development and testing, but should never have been allowed into production, as it includes the facility to do a blocking sleep() in the single-threaded rpc worker. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474 Signed-off-by: Andrew Bartlett <abart...@samba.org> commit cbd68f39d5255336ddf1559e46c841f14598d2a8 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Aug 8 17:58:27 2023 +1200 CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by Samba. Having a second access control system withing the LDAP stack is unsafe and this layer is incomplete. The current system gives all accounts that have been given the GUID_DRS_GET_CHANGES extended right SYSTEM access. Currently in Samba this equates to full access to passwords as well as "RODC Filtered attributes" (often used with confidential attributes). Rather than attempting to correctly filter for secrets (passwords) and these filtered attributes, as well as preventing search expressions for both, we leave this complexity to the acl_read module which has this facility already well tested. The implication is that callers will only see and filter by attribute in DirSync that they could without DirSync. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Andrew Bartlett <abart...@samba.org> commit c0d6e6db657135f772fc2b4d1ee8b57bd50a1d54 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Aug 22 15:08:17 2023 +1200 CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests The aim here is to document the expected (even if not implemented) SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so that any change once CVE-2023-4154 is fixed can be noted. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Andrew Bartlett <abart...@samba.org> commit 4e5f060cdc3ca03cc1d6509ee9b9cdc0b24b5ca9 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Aug 8 14:30:19 2023 +1200 CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL, but for DirSync and DRS replication. Accounts with GUID_DRS_GET_CHANGES rights should not be able to read this attribute. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Andrew Bartlett <abart...@samba.org> commit 4c1f1fe39c6e75a377f46d2f9a60749244c1247a Author: Andrew Bartlett <abart...@samba.org> Date: Tue Aug 8 11:18:46 2023 +1200 CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once When we (expect to) get back a result, do not waste time against a potentially slow server confirming we also get back results for all the other attribute combinations. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Andrew Bartlett <abart...@samba.org> commit 92a4df11b2dd696f5ba1c283602a6b3435d082ea Author: Andrew Bartlett <abart...@samba.org> Date: Mon Aug 7 11:56:56 2023 +1200 CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Andrew Bartlett <abart...@samba.org> commit 8a9dac9d4e52713152a085730c5d12462322f760 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Aug 7 14:44:28 2023 +1200 CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start Rather than fail, if the last run failed to reset things, just force the DC into the required state. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Andrew Bartlett <abart...@samba.org> commit 649bccf87ef1ad90c2a7219c59285af30ae7ba03 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Aug 7 13:15:40 2023 +1200 CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force() Thie helps ensure this test is reliable even in spite of errors while running. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Andrew Bartlett <abart...@samba.org> commit 8de964597772cbbdef8b0fd7cb0d3e71aacd698c Author: Andrew Bartlett <abart...@samba.org> Date: Mon Aug 7 11:55:55 2023 +1200 CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice To re-use setup code, the super-class must have no test_*() methods otherwise these will be run as well as the class-local tests. We rename tests that would otherwise have duplicate names BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Andrew Bartlett <abart...@samba.org> commit 68eda471b8f4aeb64bb0e6f2dd72201e47949be7 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 16 10:03:44 2023 +0100 CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> (cherry picked from commit 2c02378029fff6636b8f19e45af78b265f2210ed) commit 8b1f1c9f90fd66c333ce1effab8ab78165266bd5 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 16 10:00:11 2023 +0100 CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position Often it is important to insert an ace at a specific position in the ACL. As a default we still append by default by using -1, which is the generic version of passing the number of existing aces. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> (cherry picked from commit c3cb915a67aff6739b72b86d7d139609df309ada) commit b59a4266f1b17d9aaf1485b09db15b911b470228 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 16 09:57:43 2023 +0100 CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> (cherry picked from commit 9d8ff0d1e0b2ba7c84af36e1931f5bc99902a44b) commit 22904d2b9dc4c0db5b7642b3dd3f44ac2fbf4247 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Mar 17 14:08:34 2023 +0100 CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper This uses ndr_pack/unpack in order to create a deep copy of the given object. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> (cherry picked from commit 4627997ddae44265ad35b3234232eb74458c6c34) commit 4cfec08d7ee7dae1bf42528b31b7c65cdd4600d4 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 16 10:11:05 2023 +0100 CVE-2023-4154 py_security: allow idx argument to descriptor.[s|d]acl_add() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> (cherry picked from commit 9ea06aaf9f57e3c7094553d9ac40fb73057a9b74) commit 10c4b6ea09f70aebf7cc7381e947ac49c559b27a Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 16 18:03:10 2023 +0100 CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers They better represent what they are doing, we keep dacl_add_ace() as wrapper of dacl_prepend_aces() in order to let existing callers work as before. In future it would be good to have a dacl_insert_aces() that would canonicalize the ace order before storing, but that a task for another day. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> (cherry picked from commit a1109a9bf12e020636b8d66fc54984aac58bfe6b) commit b4849183a68c35e06f06f5b1ee2539fbfa990b29 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Mar 10 18:25:18 2023 +0100 CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper This is a more generic api that can be re-used in other places as well in future. It operates on a security descriptor object instead of SDDL. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> (cherry picked from commit 8411e6d302e25d10f1035ebbdcbde7308566e930) commit d221d0a79022b65df7eecc7b47a859b003345a0f Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Feb 14 17:19:27 2023 +1300 CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG It's no longer used anywhere. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> (cherry picked from commit 8b4e6f7b3fb8018cb64deef9b8e1cbc2e5ba12cf) commit 5313a30714889ba96c68a8809a16697f99febb55 Author: Andreas Schneider <a...@samba.org> Date: Wed Aug 2 10:44:32 2023 +0200 CVE-2023-4154 s4:dsdb:tests: Fix code spelling BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> (cherry picked from commit b29793ffdee5d9b9c1c05830622e80f7faec7670) commit 119ff0ef75212d21fea5147cf197ef3e53cca33d Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Jan 27 07:43:40 2023 +1300 CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test Use more specific unittest methods, and remove unused code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> (cherry picked from commit 2e5d08c908b3fa48b9b374279a331061cb77bce3) commit e8b68aa5c9ad4ad6fbe11cdfe67d313b41326625 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Mar 1 14:49:06 2023 +1300 CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL The confidential_attrs test no longer uses DC_MODE_RETURN_NONE we can now remove the complexity. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> (cherry picked from commit 82d2ec786f7e75ff6f34eb3357964345b10de091) commit bd5213a918edef9397ef41c1fe93d3d03264a396 Author: Christian Merten <christ...@merten.dev> Date: Mon Sep 19 23:01:34 2022 +0200 CVE-2023-4154 librpc ndr/py_security: Export ACE deletion functions to python Exported security_descriptor_sacl_del and security_descriptor_dacl_del as new methods of the security descriptor class to python. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Christian Merten <christ...@merten.dev> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit 84a54d2fa2b1590fdb4e2ea986ded9c39a82cf78) commit 25585fda53fd2b6c2d7e21e7829945b51e984d07 Author: Christian Merten <christ...@merten.dev> Date: Mon Sep 19 22:47:10 2022 +0200 CVE-2023-4154 libcli security_descriptor: Add function to delete a given ace from a security descriptor Two functions have been added to delete a given ace from the SACL or the DACL of a security descriptor. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Christian Merten <christ...@merten.dev> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit 7efe673fbdcd27ddd23f36281c5f5338681a68fe) commit 347d55084b76f53f752e9aae9e84a9f775cbec9d Author: Ralph Boehme <s...@samba.org> Date: Tue Aug 1 13:04:36 2023 +0200 CVE-2023-4091: smbd: use open_access_mask for access check in open_file() If the client requested FILE_OVERWRITE[_IF], we're implicitly adding FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the access check we're using access_mask which doesn't contain the additional right, which means we can end up truncating a file for which the user has only read-only access via an SD. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 Signed-off-by: Ralph Boehme <s...@samba.org> commit 45051934ffa479b25193f409a0c0fe7740f2415d Author: Ralph Boehme <s...@samba.org> Date: Tue Aug 1 12:30:00 2023 +0200 CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 Signed-off-by: Ralph Boehme <s...@samba.org> commit f958415a69fdd6324810e16a050e25b821ba204b Author: Jeremy Allison <j...@samba.org> Date: Tue Jul 25 17:54:41 2023 -0700 CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames. We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND). Remove knowfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 Signed-off-by: Jeremy Allison <j...@samba.org> commit e6f096c4c8fb3e19fff954c2ddd9c329fb86b06a Author: Jeremy Allison <j...@samba.org> Date: Tue Jul 25 17:49:21 2023 -0700 CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code. The raw SMB2-INVALID-PIPENAME test passes against Windows 2022, as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND. Add the knownfail. BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422 Signed-off-by: Jeremy Allison <j...@samba.org> [abart...@samba.org backported to Samba 4.17 due to conflicts from context of other new torture tests missing in this version and changes in smb2cli_create() arguments] commit 23199e115457e8054c905eedee95ebee114809e0 Author: Jeremy Allison <j...@samba.org> Date: Tue Jul 25 17:41:04 2023 -0700 CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir. For now, SMB_ASSERT() to exit the server. We will remove this once the test code is in place. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 Signed-off-by: Jeremy Allison <j...@samba.org> ----------------------------------------------------------------------- Summary of changes: .../smbdotconf/protocol/dcerpcendpointservers.xml | 2 +- lib/param/loadparm.c | 2 +- lib/replace/replace.h | 15 + libcli/security/security_descriptor.c | 121 +++++- libcli/security/security_descriptor.h | 10 + python/samba/ndr.py | 19 + python/samba/sd_utils.py | 153 ++++++- selftest/knownfail | 2 +- selftest/knownfail.d/dirsync | 13 + selftest/target/Samba4.pm | 2 +- source3/param/loadparm.c | 2 +- source3/rpc_client/local_np.c | 13 + source3/rpc_server/rpc_host.c | 154 +------ source3/rpc_server/rpcd_classic.c | 45 +- source3/rpc_server/rpcd_epmapper.c | 33 +- source3/rpc_server/rpcd_lsad.c | 21 + source3/rpc_server/rpcd_rpcecho.c | 33 +- source3/rpc_server/wscript_build | 1 + source3/selftest/tests.py | 15 + source3/smbd/open.c | 4 +- source3/torture/proto.h | 1 + source3/torture/test_smb2.c | 105 +++++ source3/torture/torture.c | 4 + source4/dsdb/samdb/ldb_modules/dirsync.c | 33 +- source4/dsdb/samdb/samdb.h | 1 - source4/dsdb/tests/python/acl.py | 12 +- .../dsdb/tests/python/ad_dc_search_performance.py | 2 +- source4/dsdb/tests/python/confidential_attr.py | 212 ++++----- source4/dsdb/tests/python/dirsync.py | 473 ++++++++++++++++++--- source4/dsdb/tests/python/ldap.py | 14 +- source4/dsdb/tests/python/ldap_modify_order.py | 4 +- source4/dsdb/tests/python/ldap_syntaxes.py | 4 +- source4/dsdb/tests/python/login_basics.py | 2 +- source4/dsdb/tests/python/password_settings.py | 4 +- source4/dsdb/tests/python/passwords.py | 4 +- source4/dsdb/tests/python/sam.py | 2 +- source4/dsdb/tests/python/sec_descriptor.py | 14 +- source4/dsdb/tests/python/token_group.py | 4 +- source4/dsdb/tests/python/user_account_control.py | 2 +- source4/librpc/ndr/py_security.c | 62 ++- source4/rpc_server/wscript_build | 3 +- source4/torture/smb2/acls.c | 143 +++++++ 42 files changed, 1325 insertions(+), 440 deletions(-) create mode 100644 selftest/knownfail.d/dirsync Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml index 8a217cc7f11..c6642b795fd 100644 --- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml +++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml @@ -6,6 +6,6 @@ <para>Specifies which DCE/RPC endpoint servers should be run.</para> </description> -<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value> +<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value> <value type="example">rpcecho</value> </samba:parameter> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index f70823fe366..664fae70c9b 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2732,7 +2732,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default"); lpcfg_do_global_parameter(lp_ctx, "max connections", "0"); - lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); + lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns"); lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true"); /* the winbind method for domain controllers is for both RODC diff --git a/lib/replace/replace.h b/lib/replace/replace.h index bd7f6e53e81..bcd5c09bf7c 100644 --- a/lib/replace/replace.h +++ b/lib/replace/replace.h @@ -889,6 +889,21 @@ typedef unsigned long long ptrdiff_t ; #define ARRAY_DEL_ELEMENT(a,i,n) \ if((i)<((n)-1)){memmove(&((a)[(i)]),&((a)[(i)+1]),(sizeof(*(a))*((n)-(i)-1)));} +/** + * Insert an array element by moving the rest one up + * + */ +#define ARRAY_INSERT_ELEMENT(__array,__old_last_idx,__new_elem,__new_idx) do { \ + if ((__new_idx) < (__old_last_idx)) { \ + const void *__src = &((__array)[(__new_idx)]); \ + void *__dst = &((__array)[(__new_idx)+1]); \ + size_t __num = (__old_last_idx)-(__new_idx); \ + size_t __len = sizeof(*(__array)) * __num; \ + memmove(__dst, __src, __len); \ + } \ + (__array)[(__new_idx)] = (__new_elem); \ +} while(0) + /** * Pointer difference macro */ diff --git a/libcli/security/security_descriptor.c b/libcli/security/security_descriptor.c index ba142016389..08f2cf19ee8 100644 --- a/libcli/security/security_descriptor.c +++ b/libcli/security/security_descriptor.c @@ -267,9 +267,11 @@ NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx, static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd, bool add_to_sacl, - const struct security_ace *ace) + const struct security_ace *ace, + ssize_t _idx) { struct security_acl *acl = NULL; + ssize_t idx; if (add_to_sacl) { acl = sd->sacl; @@ -288,15 +290,28 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd, acl->aces = NULL; } + if (_idx < 0) { + idx = (acl->num_aces + 1) + _idx; + } else { + idx = _idx; + } + + if (idx < 0) { + return NT_STATUS_ARRAY_BOUNDS_EXCEEDED; + } else if (idx > acl->num_aces) { + return NT_STATUS_ARRAY_BOUNDS_EXCEEDED; + } + acl->aces = talloc_realloc(acl, acl->aces, struct security_ace, acl->num_aces+1); if (acl->aces == NULL) { return NT_STATUS_NO_MEMORY; } - acl->aces[acl->num_aces] = *ace; + ARRAY_INSERT_ELEMENT(acl->aces, acl->num_aces, *ace, idx); + acl->num_aces++; - switch (acl->aces[acl->num_aces].type) { + switch (acl->aces[idx].type) { case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: @@ -307,8 +322,6 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd, break; } - acl->num_aces++; - if (add_to_sacl) { sd->sacl = acl; sd->type |= SEC_DESC_SACL_PRESENT; @@ -327,7 +340,21 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd, NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd, const struct security_ace *ace) { - return security_descriptor_acl_add(sd, true, ace); + return security_descriptor_acl_add(sd, true, ace, -1); +} + +/* + insert an ACE at a given index to the SACL of a security_descriptor + + idx can be negative, which means it's related to the new size from the + end, so -1 means the ace is appended at the end. +*/ + +NTSTATUS security_descriptor_sacl_insert(struct security_descriptor *sd, + const struct security_ace *ace, + ssize_t idx) +{ + return security_descriptor_acl_add(sd, true, ace, idx); } /* @@ -337,7 +364,21 @@ NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd, NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd, const struct security_ace *ace) { - return security_descriptor_acl_add(sd, false, ace); + return security_descriptor_acl_add(sd, false, ace, -1); +} + +/* + insert an ACE at a given index to the DACL of a security_descriptor + + idx can be negative, which means it's related to the new size from the + end, so -1 means the ace is appended at the end. +*/ + +NTSTATUS security_descriptor_dacl_insert(struct security_descriptor *sd, + const struct security_ace *ace, + ssize_t idx) +{ + return security_descriptor_acl_add(sd, false, ace, idx); } /* @@ -419,6 +460,72 @@ NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd, return security_descriptor_acl_del(sd, true, trustee); } +/* + delete the given ACE in the SACL or DACL of a security_descriptor +*/ +static NTSTATUS security_descriptor_acl_del_ace(struct security_descriptor *sd, + bool sacl_del, + const struct security_ace *ace) +{ + uint32_t i; + bool found = false; + struct security_acl *acl = NULL; + + if (sacl_del) { + acl = sd->sacl; + } else { + acl = sd->dacl; + } + + if (acl == NULL) { + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } + + for (i=0;i<acl->num_aces;i++) { + if (security_ace_equal(ace, &acl->aces[i])) { + ARRAY_DEL_ELEMENT(acl->aces, i, acl->num_aces); + acl->num_aces--; + if (acl->num_aces == 0) { + acl->aces = NULL; + } + found = true; + i--; + } + } + + if (!found) { + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } + + acl->revision = SECURITY_ACL_REVISION_NT4; + + for (i=0;i<acl->num_aces;i++) { + switch (acl->aces[i].type) { + case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: + case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: + case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: + case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: + acl->revision = SECURITY_ACL_REVISION_ADS; + return NT_STATUS_OK; + default: + break; /* only for the switch statement */ + } + } + + return NT_STATUS_OK; +} + +NTSTATUS security_descriptor_dacl_del_ace(struct security_descriptor *sd, + const struct security_ace *ace) +{ + return security_descriptor_acl_del_ace(sd, false, ace); +} + +NTSTATUS security_descriptor_sacl_del_ace(struct security_descriptor *sd, + const struct security_ace *ace) +{ + return security_descriptor_acl_del_ace(sd, true, ace); +} /* compare two security ace structures */ diff --git a/libcli/security/security_descriptor.h b/libcli/security/security_descriptor.h index 7e6df87fefa..354bc17e925 100644 --- a/libcli/security/security_descriptor.h +++ b/libcli/security/security_descriptor.h @@ -33,12 +33,22 @@ NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx, struct security_descriptor **_csd); NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd, const struct security_ace *ace); +NTSTATUS security_descriptor_sacl_insert(struct security_descriptor *sd, + const struct security_ace *ace, + ssize_t idx); NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd, const struct security_ace *ace); +NTSTATUS security_descriptor_dacl_insert(struct security_descriptor *sd, + const struct security_ace *ace, + ssize_t idx); NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd, const struct dom_sid *trustee); NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd, const struct dom_sid *trustee); +NTSTATUS security_descriptor_dacl_del_ace(struct security_descriptor *sd, + const struct security_ace *ace); +NTSTATUS security_descriptor_sacl_del_ace(struct security_descriptor *sd, + const struct security_ace *ace); bool security_ace_equal(const struct security_ace *ace1, const struct security_ace *ace2); bool security_acl_equal(const struct security_acl *acl1, diff --git a/python/samba/ndr.py b/python/samba/ndr.py index 35b2414e8ae..8369abfb2d0 100644 --- a/python/samba/ndr.py +++ b/python/samba/ndr.py @@ -56,6 +56,25 @@ def ndr_print(object): return ndr_print() +def ndr_deepcopy(object): + """Create a deep copy of a NDR object, using pack/unpack + + :param object: Object to copy + :return: The object copy + """ + ndr_pack = getattr(object, "__ndr_pack__", None) + if ndr_pack is None: + raise TypeError("%r is not a NDR object" % object) + data = ndr_pack() + cls = type(object) + copy = cls() + ndr_unpack = getattr(copy, "__ndr_unpack__", None) + if ndr_unpack is None: + raise TypeError("%r is not a NDR object" % copy) + ndr_unpack(data, allow_remaining=False) + return copy + + def ndr_pack_in(object, bigendian=False, ndr64=False): """Pack the input of an NDR function object. diff --git a/python/samba/sd_utils.py b/python/samba/sd_utils.py index 26e80ee2f4a..462bbfbaf18 100644 --- a/python/samba/sd_utils.py +++ b/python/samba/sd_utils.py @@ -21,8 +21,11 @@ import samba from ldb import Message, MessageElement, Dn from ldb import FLAG_MOD_REPLACE, SCOPE_BASE -from samba.ndr import ndr_pack, ndr_unpack +from samba.ndr import ndr_pack, ndr_unpack, ndr_deepcopy from samba.dcerpc import security +from samba.ntstatus import ( + NT_STATUS_OBJECT_NAME_NOT_FOUND, +) class SDUtils(object): @@ -63,19 +66,145 @@ class SDUtils(object): res = self.ldb.search(object_dn) return ndr_unpack(security.dom_sid, res[0]["objectSid"][0]) + def update_aces_in_dacl(self, dn, del_aces=None, add_aces=None, + sddl_attr=None, controls=None): + if del_aces is None: + del_aces=[] + if add_aces is None: + add_aces=[] + + def ace_from_sddl(ace_sddl): + ace_sd = security.descriptor.from_sddl("D:" + ace_sddl, self.domain_sid) + assert(len(ace_sd.dacl.aces)==1) + return ace_sd.dacl.aces[0] + + if sddl_attr is None: + if controls is None: + controls=["sd_flags:1:%d" % security.SECINFO_DACL] + sd = self.read_sd_on_dn(dn, controls=controls) + if not sd.type & security.SEC_DESC_DACL_PROTECTED: + # if the DACL is not protected remove all + # inherited aces, as they will be re-inherited + # on the server, we need a ndr_deepcopy in order + # to avoid reference problems while deleting + # the aces while looping over them + dacl_copy = ndr_deepcopy(sd.dacl) + for ace in dacl_copy.aces: + if ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE: + try: + sd.dacl_del_ace(ace) + except samba.NTSTATUSError as err: + if err.args[0] != NT_STATUS_OBJECT_NAME_NOT_FOUND: + raise err + # dacl_del_ace may remove more than + # one ace, so we may not find it anymore + pass + else: + if controls is None: + controls=[] + res = self.ldb.search(dn, SCOPE_BASE, None, + [sddl_attr], controls=controls) + old_sddl = str(res[0][sddl_attr][0]) + sd = security.descriptor.from_sddl(old_sddl, self.domain_sid) + + num_changes = 0 + del_ignored = [] + add_ignored = [] + inherited_ignored = [] + + for ace in del_aces: + if isinstance(ace, str): + ace = ace_from_sddl(ace) + assert(isinstance(ace, security.ace)) + + if ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE: + inherited_ignored.append(ace) + continue + + if ace not in sd.dacl.aces: + del_ignored.append(ace) + continue + + sd.dacl_del_ace(ace) + num_changes += 1 + + for ace in add_aces: + add_idx = -1 + if isinstance(ace, dict): + if "idx" in ace: + add_idx = ace["idx"] + ace = ace["ace"] + if isinstance(ace, str): + ace = ace_from_sddl(ace) + assert(isinstance(ace, security.ace)) + + if ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE: + inherited_ignored.append(ace) + continue + + if ace in sd.dacl.aces: + add_ignored.append(ace) + continue + + sd.dacl_add(ace, add_idx) + num_changes += 1 + + if num_changes == 0: + return del_ignored, add_ignored, inherited_ignored + + if sddl_attr is None: + self.modify_sd_on_dn(dn, sd, controls=controls) + else: + new_sddl = sd.as_sddl(self.domain_sid) + m = Message() + m.dn = dn + m[sddl_attr] = MessageElement(new_sddl.encode('ascii'), + FLAG_MOD_REPLACE, + sddl_attr) + self.ldb.modify(m, controls=controls) + + return del_ignored, add_ignored, inherited_ignored + + def dacl_prepend_aces(self, object_dn, aces, controls=None): + """Prepend an ACE (or more) to an objects security descriptor + """ + ace_sd = security.descriptor.from_sddl("D:" + aces, self.domain_sid) + add_aces = [] + add_idx = 0 + for ace in ace_sd.dacl.aces: + add_aces.append({"idx": add_idx, "ace": ace}) + add_idx += 1 + _,ai,ii = self.update_aces_in_dacl(object_dn, add_aces=add_aces, + controls=controls) + return ai, ii + def dacl_add_ace(self, object_dn, ace): - """Add an ACE to an objects security descriptor + """Add an ACE (or more) to an objects security descriptor """ - desc = self.read_sd_on_dn(object_dn, ["show_deleted:1"]) - desc_sddl = desc.as_sddl(self.domain_sid) - if ace in desc_sddl: - return - if desc_sddl.find("(") >= 0: - desc_sddl = (desc_sddl[:desc_sddl.index("(")] + ace + - desc_sddl[desc_sddl.index("("):]) - else: - desc_sddl = desc_sddl + ace - self.modify_sd_on_dn(object_dn, desc_sddl, ["show_deleted:1"]) + _,_ = self.dacl_prepend_aces(object_dn, ace, + controls=["show_deleted:1"]) + + def dacl_append_aces(self, object_dn, aces, controls=None): + """Append an ACE (or more) to an objects security descriptor + """ + ace_sd = security.descriptor.from_sddl("D:" + aces, self.domain_sid) + add_aces = [] + for ace in ace_sd.dacl.aces: + add_aces.append(ace) + _,ai,ii = self.update_aces_in_dacl(object_dn, add_aces=add_aces, + controls=controls) + return ai, ii + + def dacl_delete_aces(self, object_dn, aces, controls=None): + """Delete an ACE (or more) to an objects security descriptor + """ + del_sd = security.descriptor.from_sddl("D:" + aces, self.domain_sid) + del_aces = [] + for ace in del_sd.dacl.aces: + del_aces.append(ace) + di,_,ii = self.update_aces_in_dacl(object_dn, del_aces=del_aces, + controls=controls) + return di, ii def get_sd_as_sddl(self, object_dn, controls=[]): """Return object nTSecutiryDescriptor in SDDL format diff --git a/selftest/knownfail b/selftest/knownfail index f9ca4984176..a89616c1dbe 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -151,7 +151,7 @@ ^samba4.smb2.acls.*.inheritflags ^samba4.smb2.acls.*.owner ^samba4.smb2.acls.*.ACCESSBASED -^samba4.ldap.dirsync.python.ad_dc_ntvfs..__main__.ExtendedDirsyncTests.test_dirsync_deleted_items +^samba4.ldap.dirsync.python.ad_dc_ntvfs..__main__.SimpleDirsyncTests.test_dirsync_deleted_items_OBJECT_SECURITY #^samba4.ldap.dirsync.python.ad_dc_ntvfs..__main__.ExtendedDirsyncTests.* ^samba4.libsmbclient.opendir.(NT1|SMB3).opendir # This requires netbios browsing ^samba4.rpc.drsuapi.*.drsuapi.DsGetDomainControllerInfo\(.*\)$ diff --git a/selftest/knownfail.d/dirsync b/selftest/knownfail.d/dirsync new file mode 100644 index 00000000000..fcf4d469d6e --- /dev/null +++ b/selftest/knownfail.d/dirsync @@ -0,0 +1,13 @@ +^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_OBJECT_SECURITY_insist_on_empty_element\(.*\) +^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_unicodePwd_OBJ_SEC_insist_on_empty_element\(.*\) +^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_unicodePwd_with_GET_CHANGES_OBJ_SEC_insist_on_empty_element\(.*\) +^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_unicodePwd_with_GET_CHANGES_insist_on_empty_element\(.*\) +^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_with_GET_CHANGES_OBJECT_SECURITY_insist_on_empty_element\(.*\) +^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_with_GET_CHANGES\(.*\) +^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialFilteredDirsyncTests.test_dirsync_OBJECT_SECURITY_insist_on_empty_element\(.*\) +^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialFilteredDirsyncTests.test_dirsync_OBJECT_SECURITY_with_GET_CHANGES_insist_on_empty_element\(.*\) +^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialFilteredDirsyncTests.test_dirsync_with_GET_CHANGES_attr\(.*\) +^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialFilteredDirsyncTests.test_dirsync_with_GET_CHANGES_insist_on_empty_element\(.*\) +^samba4.ldap.dirsync.python\(.*\).__main__.FilteredDirsyncTests.test_dirsync_with_GET_CHANGES\(.*\) +^samba4.ldap.dirsync.python\(.*\).__main__.FilteredDirsyncTests.test_dirsync_with_GET_CHANGES_attr\(.*\) +^samba4.ldap.dirsync.python\(.*\).__main__.FilteredDirsyncTests.test_dirsync_with_GET_CHANGES_insist_on_empty_element\(.*\) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 5cbc5ccf2b8..7033146f46a 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -782,7 +782,7 @@ sub provision_raw_step1($$) wins support = yes server role = $ctx->{server_role} server services = +echo $services - dcerpc endpoint servers = +winreg +srvsvc + dcerpc endpoint servers = +winreg +srvsvc +rpcecho -- Samba Shared Repository