author | Tim Beale <timbeale@catalyst.net.nz> | 2018-07-09 15:57:59 +1200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2018-08-11 08:16:01 +0200 |
commit | 77421f33f853aed254ed67a6541f86e4070c4128 (patch) | |
tree | f929b61335b7130fee8f3bc12e22ee6c90070a5c /source4/selftest | |
parent | a81f32e73026c02491983a3136834c3c72d1d03f (diff) | |
download | samba-77421f33f853aed254ed67a6541f86e4070c4128.tar.gz |
CVE-2018-10919 tests: Add tests for guessing confidential attributes

Adds tests that assert that a confidential attribute cannot be guessed
by an unprivileged user through wildcard DB searches.

The tests basically consist of a set of DB searches/assertions that
get run for:
- basic searches against a confidential attribute
- confidential attributes that get overridden by giving access to the user via an ACE (run against a variety of ACEs)
- protecting a non-confidential attribute via an ACL that denies read-access (run against a variety of ACEs)
- querying confidential attributes via the dirsync controls

These tests all pass when run against a Windows DC and all fail against
a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>

Diffstat (limited to 'source4/selftest')
-rwxr-xr-x | source4/selftest/tests.py | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 226617f3b6a..918d7b7eaa5 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -793,6 +793,9 @@ for env in ["ad_dc_ntvfs", "fl2000dc", "fl2003dc", "fl2008r2dc"]: # therefore skip it in that configuration plantestsuite_loadlist("samba4.ldap.passwords.python(%s)" % env, env, [python, os.path.join(samba4srcdir, "dsdb/tests/python/passwords.py"), "$SERVER", '-U"$USERNAME%$PASSWORD"', "-W$DOMAIN", '$LOADLIST', '$LISTOPT']) +env = "ad_dc_ntvfs" +plantestsuite_loadlist("samba4.ldap.confidential_attr.python(%s)" % env, env, [python, os.path.join(samba4srcdir, "dsdb/tests/python/confidential_attr.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT']) + for env in ["ad_dc_ntvfs"]: # This test takes a lot of time, so we run it against a minimum of # environments, please only add new ones if there's really a |
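
Review bot: the added `env = "ad_dc_ntvfs"` assignment sits at module level between two `for env in [...]` loops and reuses the loop variable name, so the environment choice is easy to miss; wrapping the new `plantestsuite_loadlist(...)` call in `for env in ["ad_dc_ntvfs"]:`, as the block that follows it does, would match the surrounding style and make adding environments later a one-word change. The new call also passes `'--workgroup=$DOMAIN'` and `'$SERVER'` where the passwords.py registration directly above uses `"-W$DOMAIN"` and `"$SERVER"`; using one form for both keeps the test list consistent. Since the commit message states that these tests all fail against a Samba DC, and the diffstat shown is limited to source4/selftest, please confirm that the suite is marked as a known failure (or that the fix is ordered before it) so the selftest run does not break at this commit.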