diff options
author | Nadezhda Ivanova <nivanova@symas.com> | 2021-10-22 21:33:03 +0300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2022-09-16 02:32:36 +0000 |
commit | 5073d5997cb1d7f654423655e0d1eeb117bdab38 (patch) | |
tree | 6066c5ea83b4dcb71e5217e986a70d21d00fd9c6 /source4/dsdb/tests/python/sec_descriptor.py | |
parent | 72b8e98252b0231868f04d40456459057126980c (diff) | |
download | samba-5073d5997cb1d7f654423655e0d1eeb117bdab38.tar.gz |
CVE-2020-25720: s4-acl: Owner no longer has implicit Write DACL
The implicit right of an object's owner to modify its security
descriptor no longer exists, according to the new access rules. However,
we continue to grant this implicit right for fileserver access checks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/dsdb/tests/python/sec_descriptor.py')
-rwxr-xr-x | source4/dsdb/tests/python/sec_descriptor.py | 45 |
1 files changed, 36 insertions, 9 deletions
diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py index 62ba057beff..5410e9f7246 100755 --- a/source4/dsdb/tests/python/sec_descriptor.py +++ b/source4/dsdb/tests/python/sec_descriptor.py @@ -1303,7 +1303,10 @@ class DaclDescriptorTests(DescriptorTests): desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) self.assertEqual(desc_sddl, sddl) sddl = "O:AUG:AUD:AI(D;;CC;;;LG)" - self.sd_utils.modify_sd_on_dn(group_dn, sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, sddl) + except LdbError as e: + self.fail(str(e)) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) self.assertEqual(desc_sddl, sddl) @@ -1329,7 +1332,10 @@ class DaclDescriptorTests(DescriptorTests): self.assertFalse("ID" in desc_sddl) for x in re.findall(r"\(.*?\)", mod): self.assertFalse(x in desc_sddl) - self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) self.assertFalse("ID" in desc_sddl) for x in re.findall(r"\(.*?\)", mod): @@ -1356,7 +1362,10 @@ class DaclDescriptorTests(DescriptorTests): desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) mod = mod.replace(";CI;", ";CIID;") self.assertTrue(mod in desc_sddl) - self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) self.assertTrue(moded in desc_sddl) self.assertTrue(mod in desc_sddl) @@ -1382,7 +1391,10 @@ class DaclDescriptorTests(DescriptorTests): desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like self.assertTrue(mod in desc_sddl) - self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) self.assertTrue(moded in desc_sddl) self.assertTrue(mod in desc_sddl) @@ -1408,7 +1420,10 @@ class DaclDescriptorTests(DescriptorTests): desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like self.assertTrue(mod in desc_sddl) - self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) self.assertTrue(moded in desc_sddl) self.assertTrue(mod in desc_sddl) @@ -1434,7 +1449,10 @@ class DaclDescriptorTests(DescriptorTests): desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like self.assertTrue(mod in desc_sddl) - self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) self.assertTrue(moded in desc_sddl) self.assertTrue(mod in desc_sddl) @@ -1460,7 +1478,10 @@ class DaclDescriptorTests(DescriptorTests): desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like self.assertTrue(mod in desc_sddl) - self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) self.assertTrue(moded in desc_sddl) self.assertTrue(mod in desc_sddl) @@ -1486,7 +1507,10 @@ class DaclDescriptorTests(DescriptorTests): desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like self.assertTrue(mod in desc_sddl) - self.sd_utils.modify_sd_on_dn(group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded) + except LdbError as e: + self.fail(str(e)) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) self.assertTrue(moded in desc_sddl) self.assertTrue(mod in desc_sddl) @@ -1512,7 +1536,10 @@ class DaclDescriptorTests(DescriptorTests): desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl) self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl) - self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) self.assertTrue(moded in desc_sddl) self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl) |