[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Tue Jan 15 06:04:03 MST 2013 

The branch, master has been updated
       via  065c0ec dsdb: Add test for modification of two attributes, one permitted, one denied (bug #9554 - CVE-2013-0172)
       via  b7b91c8 dsdb-acl: Run sec_access_check_ds on each attribute proposed to modify (bug #9554 - CVE-2013-0172)
       via  b26668c libcli/security: Ensure to fill in remaining_access for the initial case (bug #9554 - CVE-2013-0172)
      from  8f8ca58 tevent: Fix bug 9550 - sigprocmask does not work on FreeBSD to stop further signals in a signal handler

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 065c0ec16259f8d57baec5dfe4e6eb9bdea0002a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jan 10 09:30:38 2013 +1100

    dsdb: Add test for modification of two attributes, one permitted, one denied (bug #9554 - CVE-2013-0172)
    
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 8bafe0871526cd5d5e7fdbe123ab661379f64cb1)
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Tue Jan 15 14:03:47 CET 2013 on sn-devel-104

commit b7b91c85945fab87e55cd8fd65a5b4c50a61d03b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jan 9 16:59:18 2013 +1100

    dsdb-acl: Run sec_access_check_ds on each attribute proposed to modify (bug #9554 - CVE-2013-0172)
    
    This seems inefficient, but is needed for correctness.  The
    alternative might be to have the sec_access_check_ds code confirm that
    *all* of the nodes in the object tree have been cleared to
    node->remaining_bits == 0.
    
    Otherwise, I fear that write access to one attribute will become write
    access to all attributes.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit d776fd807e0c9a62f428ce666ff812655f98bc47)

commit b26668c606057fb30b20efd912284c3e79d547ff
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jan 3 20:39:23 2013 +1100

    libcli/security: Ensure to fill in remaining_access for the initial case (bug #9554 - CVE-2013-0172)
    
    It is critically important that we initialise this element as otherwise
    all access is permitted.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit a75805490d96a85786287f5d0522dd7671d6816e)

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/object_tree.c        |    1 +
 source4/dsdb/samdb/ldb_modules/acl.c |   55 ++++++++++++++++-----------------
 source4/dsdb/tests/python/acl.py     |   15 +++++++++
 3 files changed, 43 insertions(+), 28 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/security/object_tree.c b/libcli/security/object_tree.c
index 6809c8e..dcbd310 100644
--- a/libcli/security/object_tree.c
+++ b/libcli/security/object_tree.c
@@ -53,6 +53,7 @@ bool insert_in_object_tree(TALLOC_CTX *mem_ctx,
 			return false;
 		}
 		(*root)->guid = *guid;
+		(*root)->remaining_access = init_access;
 		*new_node = *root;
 		return true;
 	}
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 2de16b7..9056a41 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -977,8 +977,6 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 	unsigned int i;
 	const struct GUID *guid;
 	uint32_t access_granted;
-	struct object_tree *root = NULL;
-	struct object_tree *new_node = NULL;
 	NTSTATUS status;
 	struct ldb_result *acl_res;
 	struct security_descriptor *sd;
@@ -1044,12 +1042,6 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 				 "acl_modify: Error retrieving object class GUID.");
 	}
 	sid = samdb_result_dom_sid(req, acl_res->msgs[0], "objectSid");
-	if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
-				   &root, &new_node)) {
-		talloc_free(tmp_ctx);
-		return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
-				 "acl_modify: Error adding new node in object tree.");
-	}
 	for (i=0; i < req->op.mod.message->num_elements; i++){
 		const struct dsdb_attribute *attr;
 		attr = dsdb_attribute_by_lDAPDisplayName(schema,
@@ -1130,6 +1122,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 				goto fail;
 			}
 		} else {
+			struct object_tree *root = NULL;
+			struct object_tree *new_node = NULL;
 
 		/* This basic attribute existence check with the right errorcode
 		 * is needed since this module is the first one which requests
@@ -1144,6 +1138,14 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 				ret =  LDB_ERR_NO_SUCH_ATTRIBUTE;
 				goto fail;
 			}
+
+			if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
+						   &root, &new_node)) {
+				talloc_free(tmp_ctx);
+				return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+						 "acl_modify: Error adding new node in object tree.");
+			}
+
 			if (!insert_in_object_tree(tmp_ctx,
 						   &attr->attributeSecurityGUID, SEC_ADS_WRITE_PROP,
 						   &new_node, &new_node)) {
@@ -1160,27 +1162,24 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 				ret = LDB_ERR_OPERATIONS_ERROR;
 				goto fail;
 			}
-		}
-	}
-
-	if (root->num_of_children > 0) {
-		status = sec_access_check_ds(sd, acl_user_token(module),
-					     SEC_ADS_WRITE_PROP,
-					     &access_granted,
-					     root,
-					     sid);
 
-		if (!NT_STATUS_IS_OK(status)) {
-			ldb_asprintf_errstring(ldb_module_get_ctx(module),
-					       "Object %s has no write property access\n",
-					       ldb_dn_get_linearized(req->op.mod.message->dn));
-			dsdb_acl_debug(sd,
-				       acl_user_token(module),
-				       req->op.mod.message->dn,
-				       true,
-				       10);
-			ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
-			goto fail;
+			status = sec_access_check_ds(sd, acl_user_token(module),
+						     SEC_ADS_WRITE_PROP,
+						     &access_granted,
+						     root,
+						     sid);
+			if (!NT_STATUS_IS_OK(status)) {
+				ldb_asprintf_errstring(ldb_module_get_ctx(module),
+						       "Object %s has no write property access\n",
+						       ldb_dn_get_linearized(req->op.mod.message->dn));
+				dsdb_acl_debug(sd,
+					       acl_user_token(module),
+					       req->op.mod.message->dn,
+					       true,
+					       10);
+				ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+				goto fail;
+			}
 		}
 	}
 
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index 94bc504..ecda3c5 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -389,6 +389,21 @@ url: www.samba.org"""
         else:
             # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
             self.fail()
+        # Modify on attribute you do not have rights for granted while also modifying something you do have rights for
+        ldif = """
+dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
+changetype: modify
+replace: url
+url: www.samba.org
+replace: displayName
+displayName: test_changed"""
+        try:
+            self.ldb_user.modify_ldif(ldif)
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+        else:
+            # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
+            self.fail()
         # Second test object -- Organizational Unit
         print "Testing modify on OU object"
         self.ldb_admin.create_ou("OU=test_modify_ou1," + self.base_dn)


-- 
Samba Shared Repository

More information about the samba-cvs mailing list