summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2019-12-10 15:16:24 +1300
committerKarolin Seeger <kseeger@samba.org>2020-01-10 11:56:20 +0100
commitc5a005a45389c8d8fc0eae7137eab1904ea92d42 (patch)
treecdc94d529f453b65aa12e4aacd742e4c3e377b5d
parent77d55b64af6acd38a08096b89ee051bc4ce72f43 (diff)
downloadsamba-c5a005a45389c8d8fc0eae7137eab1904ea92d42.tar.gz
CVE-2019-14902 selftest: Add test for a special case around replicated renames
It appears Samba is currently string-name based in the ACL inheritence code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497 Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--selftest/knownfail.d/repl_secdesc1
-rw-r--r--source4/torture/drs/python/repl_secdesc.py69
2 files changed, 70 insertions, 0 deletions
diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc
index 2aa24c61375..7d554ff237a 100644
--- a/selftest/knownfail.d/repl_secdesc
+++ b/selftest/knownfail.d/repl_secdesc
@@ -1,2 +1,3 @@
^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_object_in_conflict
^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inherit_existing_object
+^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_child_object
diff --git a/source4/torture/drs/python/repl_secdesc.py b/source4/torture/drs/python/repl_secdesc.py
index 4ed449a8a18..58861af3bac 100644
--- a/source4/torture/drs/python/repl_secdesc.py
+++ b/source4/torture/drs/python/repl_secdesc.py
@@ -211,6 +211,75 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
self.sd_utils_dc2.get_sd_as_sddl(sub_ou_dn))
+ def test_acl_inheirt_renamed_child_object(self):
+ # Make a new OU
+ new_ou = samba.tests.create_test_ou(self.ldb_dc1,
+ "acl_test_l2")
+
+ # Here is where the new OU will end up at the end.
+ sub2_ou_dn_final = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou)
+
+ sub3_ou_dn = ldb.Dn(self.ldb_dc1, "OU=l3,%s" % new_ou)
+ sub3_ou_dn_final = ldb.Dn(self.ldb_dc1, "OU=l3,%s" % sub2_ou_dn_final)
+
+ self.ldb_dc1.add({"dn": sub3_ou_dn,
+ "objectclass": "organizationalUnit"})
+
+ sub4_ou_dn = ldb.Dn(self.ldb_dc1, "OU=l4,%s" % sub3_ou_dn)
+ sub4_ou_dn_final = ldb.Dn(self.ldb_dc1, "OU=l4,%s" % sub3_ou_dn_final)
+
+ self.ldb_dc1.add({"dn": sub4_ou_dn,
+ "objectclass": "organizationalUnit"})
+
+ try:
+ self.ldb_dc2.search(scope=ldb.SCOPE_BASE,
+ base=new_ou,
+ attrs=[])
+ self.fail()
+ except LdbError as err:
+ enum = err.args[0]
+ self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT)
+
+ self._net_drs_replicate(DC=self.dnsname_dc2,
+ fromDC=self.dnsname_dc1,
+ forced=True)
+
+ # Confirm it is now replicated
+ self.ldb_dc2.search(scope=ldb.SCOPE_BASE,
+ base=new_ou,
+ attrs=[])
+
+ #
+ # Given a tree new_ou -> l3 -> l4
+ #
+
+ # Set the inherited ACL on the grandchild OU (l3) on DC1
+ mod = "(A;CIOI;GA;;;SY)"
+ self.sd_utils_dc1.dacl_add_ace(sub3_ou_dn, mod)
+
+ # Rename new_ou (l2) to under self.ou (this must happen second). If the
+ # inheritence between l3 and l4 is name-based, this could
+ # break.
+
+ # The tree is now self.ou -> l2 -> l3 -> l4
+
+ self.ldb_dc1.rename(new_ou, sub2_ou_dn_final)
+
+ # Replicate to DC2
+
+ self._net_drs_replicate(DC=self.dnsname_dc2,
+ fromDC=self.dnsname_dc1,
+ forced=True)
+
+ # Confirm set ACLs (on l3 ) are identical.
+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub3_ou_dn_final),
+ self.sd_utils_dc2.get_sd_as_sddl(sub3_ou_dn_final))
+
+ # Confirm inherited ACLs (from l3 to l4) are identical.
+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub4_ou_dn_final),
+ self.sd_utils_dc2.get_sd_as_sddl(sub4_ou_dn_final))
+
+
def test_acl_inheirt_renamed_object_in_conflict(self):
# Make a new object to be renamed under self.ou
new_ou = samba.tests.create_test_ou(self.ldb_dc1,