[SCM] Samba Shared Repository - branch master updated

Nadezhda Ivanova nivanova at samba.org
Wed Oct 27 07:19:01 MDT 2010


The branch, master has been updated
       via  5bc2b8f s4-ldb: Added the correct extended check for read access to nTSecurityDescriptor
      from  3003bd4 s4-ldb: Changes the aclread module to use LDB_HANDLE_FLAG_UNTRUSTED to determine the source of the request

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5bc2b8f0a494511800696d6d411a426463089e8b
Author: Nadezhda Ivanova <nivanova at samba.org>
Date:   Wed Oct 27 15:20:49 2010 +0300

    s4-ldb: Added the correct extended check for read access to nTSecurityDescriptor
    
    It does not depend on READ_PROPERTY, but on SECURITY_PRIVILEGE and READ_CONTROL
    
    Autobuild-User: Nadezhda Ivanova <nivanova at samba.org>
    Autobuild-Date: Wed Oct 27 13:18:50 UTC 2010 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/acl_read.c |    2 +-
 source4/dsdb/tests/python/acl.py          |   62 +++++++++++++++++++++++++++++
 source4/selftest/knownfail                |    1 +
 3 files changed, 64 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 78a9e28..bd9e128 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -146,7 +146,7 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 								     tmp_ctx,
 								     sd,
 								     sid,
-								     SEC_FLAG_SYSTEM_SECURITY,
+								     SEC_FLAG_SYSTEM_SECURITY|SEC_STD_READ_CONTROL,
 								     attr);
 			 } else {
 				 ret = acl_check_access_on_attribute(ac->module,
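Review bot: The combined mask `SEC_FLAG_SYSTEM_SECURITY|SEC_STD_READ_CONTROL` at line 46 goes to a check helper whose call begins above the hunk, so it is not visible here whether that helper requires every bit of the mask or any one of them; if it is all-of, a caller holding only READ_CONTROL is denied the whole descriptor rather than receiving it without the SACL part, which is what the new acl.py test expects but which the code does not say. A one-line comment on the new line would record that intent: `/* reading nTSecurityDescriptor needs READ_CONTROL plus SACL access (SeSecurityPrivilege), not READ_PROPERTY; READ_CONTROL alone is not enough */`. aclread_callback starts and ends outside the hunk.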
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index ae51044..d4c55a4 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -1621,6 +1621,65 @@ replace: userPassword
 userPassword: thatsAcomplPASS1
 """)
 
+class AclExtendedTests(AclTests):
+
+    def setUp(self):
+        super(AclExtendedTests, self).setUp()
+        #regular user, will be the creator
+        self.u1 = "ext_u1"
+        #regular user
+        self.u2 = "ext_u2"
+        #admin user
+        self.u3 = "ext_u3"
+        self.create_enable_user(self.u1)
+        self.create_enable_user(self.u2)
+        self.create_enable_user(self.u3)
+        self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn,
+                              self.get_user_dn(self.u3))
+        self.ldb_user1 = self.get_ldb_connection(self.u1, self.user_pass)
+        self.ldb_user2 = self.get_ldb_connection(self.u2, self.user_pass)
+        self.ldb_user3 = self.get_ldb_connection(self.u3, self.user_pass)
+        self.user_sid1 = self.get_object_sid(self.get_user_dn(self.u1))
+        self.user_sid2 = self.get_object_sid(self.get_user_dn(self.u2))
+
+    def tearDown(self):
+        super(AclExtendedTests, self).tearDown()
+        self.delete_force(self.ldb_admin, self.get_user_dn(self.u1))
+        self.delete_force(self.ldb_admin, self.get_user_dn(self.u2))
+        self.delete_force(self.ldb_admin, self.get_user_dn(self.u3))
+        self.delete_force(self.ldb_admin, "CN=ext_group1,OU=ext_ou1," + self.base_dn)
+        self.delete_force(self.ldb_admin, "ou=ext_ou1," + self.base_dn)
+
+    def test_ntSecurityDescriptor(self):
+        #create empty ou
+        self.create_ou(self.ldb_admin, "ou=ext_ou1," + self.base_dn)
+        #give u1 Create children access
+        mod = "(A;;CC;;;%s)" % str(self.user_sid1)
+        self.dacl_add_ace("OU=ext_ou1," + self.base_dn, mod)
+        mod = "(A;;LC;;;%s)" % str(self.user_sid2)
+        self.dacl_add_ace("OU=ext_ou1," + self.base_dn, mod)
+        #create a group under that, grant RP to u2
+        self.create_group(self.ldb_user1, "CN=ext_group1,OU=ext_ou1," + self.base_dn)
+        mod = "(A;;RP;;;%s)" % str(self.user_sid2)
+        self.dacl_add_ace("CN=ext_group1,OU=ext_ou1," + self.base_dn, mod)
+        #u2 must not read the descriptor
+        res = self.ldb_user2.search("CN=ext_group1,OU=ext_ou1," + self.base_dn,
+                                    SCOPE_BASE, None, ["nTSecurityDescriptor"])
+        self.assertNotEqual(res,[])
+        self.assertFalse("nTSecurityDescriptor" in res[0].keys())
+        #grant RC to u2 - still no access
+        mod = "(A;;RC;;;%s)" % str(self.user_sid2)
+        self.dacl_add_ace("CN=ext_group1,OU=ext_ou1," + self.base_dn, mod)
+        res = self.ldb_user2.search("CN=ext_group1,OU=ext_ou1," + self.base_dn,
+                                    SCOPE_BASE, None, ["nTSecurityDescriptor"])
+        self.assertNotEqual(res,[])
+        self.assertFalse("nTSecurityDescriptor" in res[0].keys())
+        #u3 is member of administrators group, should be able to read sd
+        res = self.ldb_user3.search("CN=ext_group1,OU=ext_ou1," + self.base_dn,
+                                    SCOPE_BASE, None, ["nTSecurityDescriptor"])
+        self.assertEqual(len(res),1)
+        self.assertTrue("nTSecurityDescriptor" in res[0].keys())
+
 # Important unit running information
 
 if not "://" in host:
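Review bot: The negative checks at lines 103 and 110 only assert that nTSecurityDescriptor is absent from the returned entry, so they also pass if u2's search returns an entry with no attributes at all, for example when the extended checks are not active at all (presumably what the knownfail entry is about); a positive control on an attribute u2 was granted RP for would tie the failure to the nTSecurityDescriptor check specifically. Requesting a second attribute in the same search and asserting it is present does that: `SCOPE_BASE, None, ["nTSecurityDescriptor", "objectClass"])` followed by `self.assertTrue("objectClass" in res[0].keys())`. The membership assertions at lines 103, 110 and 115 read more directly as `self.assertNotIn("nTSecurityDescriptor", res[0])` and `self.assertIn("nTSecurityDescriptor", res[0])`, if the unittest version the suite targets provides them. The hunk also cuts into the module-level runner code starting at line 117, which continues outside it.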
@@ -1641,5 +1700,8 @@ if not runner.run(unittest.makeSuite(AclCARTests)).wasSuccessful():
     rc = 1
 if not runner.run(unittest.makeSuite(AclSearchTests)).wasSuccessful():
     rc = 1
+if not runner.run(unittest.makeSuite(AclExtendedTests)).wasSuccessful():
+    rc = 1
+
 
 sys.exit(rc)
diff --git a/source4/selftest/knownfail b/source4/selftest/knownfail
index cc7e2ae..d3c7277 100644
--- a/source4/selftest/knownfail
+++ b/source4/selftest/knownfail
@@ -78,4 +78,5 @@ samba4.smb2.compound.*.RELATED1
 samba4.smb2.compound.*.RELATED2
 samba4.smb2.compound.*.INVALID2
 samba4.ldap.acl.*.search.* # ACL search behaviour not enabled by default
+samba4.ldap.acl.*.ntSecurityDescriptor.* # ACL extended checks on search not enabled by default
 

