author: Tim Beale <timbeale@catalyst.net.nz> 2018-07-25 10:08:34 +1200
committer: Karolin Seeger <kseeger@samba.org> 2018-08-14 13:57:16 +0200
commit: 9eb8340e328757b1a1c6238f47d2a2404f7fbe38 (patch)
tree: 19c3333bbf6d4e46dbfbeb882e179634bd92be8a /selftest
parent: 375f48f779fd6c62080efb03949cc25fa9515c3b (diff)
download: samba-9eb8340e328757b1a1c6238f47d2a2404f7fbe38.tar.gz
CVE-2018-10919 tests: Add test case for object visibility with limited rights
Currently Samba is a bit disclosive with LDB_OP_PRESENT (i.e. attribute=*) searches compared to Windows. All the acl.py tests are based on objectClass=* searches, where Windows will happily tell a user about objects they have List Contents rights, but not Read Property rights for. However, if you change the attribute being searched for, suddenly the objects are no longer visible on Windows (whereas they are on Samba).

This is a problem, because Samba can tell you about which objects have confidential attributes, which in itself could be disclosive.

This patch adds an acl.py test-case that highlights this behaviour. The test passes against Windows but fails against Samba.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
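To make the difference the commit message describes concrete, here is an added Python model (not Samba's code and not the acl.py test itself) of how a presence filter is evaluated under the two behaviours the message contrasts. `Entry`, `UserRights`, the two policy functions and the sample directory are all constructed for this illustration; the rules they encode are a simplified reading of the message, not a transcription of Samba's or Windows' ACL evaluation. The point it shows is that evaluating `attribute=*` before access rights are applied lets a user with only List Contents learn which objects carry an attribute they cannot read.

```python
"""Simplified model of LDAP presence-filter (attribute=*) visibility under
per-attribute read rights. Added example; the policies below are assumptions
drawn from the commit message, not Samba's or Windows' real ACL code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    dn: str
    attrs: frozenset  # names of attributes present on the object (values omitted)


@dataclass
class UserRights:
    list_contents: frozenset  # DNs the user is allowed to know exist
    read_property: dict       # dn -> frozenset of attribute names the user may read


def visible_samba_before_fix(entry, filter_attr, rights):
    # Model of the behaviour the message calls disclosive: the presence test is
    # evaluated on the raw object, so any attribute the object carries satisfies
    # attribute=*, whether or not the user may read it.
    if entry.dn not in rights.list_contents:
        return False
    return filter_attr in entry.attrs


def visible_windows(entry, filter_attr, rights):
    # Model of the Windows behaviour the message describes: objectClass=* returns
    # every object the user has List Contents on, but any other attribute=*
    # filter additionally requires Read Property on that attribute.
    if entry.dn not in rights.list_contents:
        return False
    if filter_attr == "objectClass":
        return True
    readable = rights.read_property.get(entry.dn, frozenset())
    return filter_attr in entry.attrs and filter_attr in readable


def search(entries, filter_attr, rights, policy):
    """Return the sorted DNs that a presence filter surfaces under `policy`."""
    return sorted(e.dn for e in entries if policy(e, filter_attr, rights))


# Constructed sample directory: two users, one carrying a confidential attribute.
ENTRIES = [
    Entry("CN=alice,OU=Users,DC=example,DC=test", frozenset({"objectClass", "cn"})),
    Entry("CN=bob,OU=Users,DC=example,DC=test",
          frozenset({"objectClass", "cn", "secretAttr"})),
]

# Constructed low-privileged user: may list both objects, may read only cn on each.
LOW_PRIV = UserRights(
    list_contents=frozenset(e.dn for e in ENTRIES),
    read_property={e.dn: frozenset({"cn"}) for e in ENTRIES},
)


def disclosure(entries=ENTRIES, rights=LOW_PRIV, confidential="secretAttr"):
    """DNs that a (confidential)=* search reveals under the pre-fix model but
    that the Windows model keeps hidden: the inferred presence of the attribute."""
    leaked = set(search(entries, confidential, rights, visible_samba_before_fix))
    hidden = set(search(entries, confidential, rights, visible_windows))
    return sorted(leaked - hidden)


if __name__ == "__main__":
    for name, policy in (("samba-before-fix", visible_samba_before_fix),
                         ("windows", visible_windows)):
        print(name, "objectClass=*:", search(ENTRIES, "objectClass", LOW_PRIV, policy))
        print(name, "secretAttr=*: ", search(ENTRIES, "secretAttr", LOW_PRIV, policy))
    print("disclosed by the pre-fix model:", disclosure())
```

Under both policies the `objectClass=*` search lists alice and bob, matching the message's note that the existing acl.py tests cannot see the difference; only the `secretAttr=*` search separates them, which is exactly what the new test_search7 case checks for.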
Diffstat (limited to 'selftest')
-rw-r--r-- selftest/knownfail.d/acl | 1
1 files changed, 1 insertions, 0 deletions
diff --git a/selftest/knownfail.d/acl b/selftest/knownfail.d/acl
new file mode 100644
index 00000000000..6772ea1f943
--- /dev/null
+++ b/selftest/knownfail.d/acl
@@ -0,0 +1 @@
+^samba4.ldap.acl.python.*test_search7
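Review bot: the knownfail pattern `^samba4.ldap.acl.python.*test_search7` has no terminating anchor, so it will also match any later test whose name merely begins with `test_search7` (for example `test_search70` or `test_search7_extra`) and silently mark those as expected failures too; since the subunit test name may carry a trailing environment suffix, a word boundary such as `^samba4.ldap.acl.python.*test_search7\b` pins it to this one test without breaking on that suffix. It would also help whoever removes this entry once the CVE-2018-10919 fix lands if the file named the CVE next to the pattern, where the knownfail format permits a comment line.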