[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Sat Oct 14 09:32:02 UTC 2017
The branch, master has been updated
via 7d47f75 man pages: properly indent lists
via 543c0af smb.conf.5: sort parameters alphabetically
via 4c9b380 selftest: Add sanity-check RODC can't use cache to reveal secrets
from 7abf0ac selftest: prevent interpretation of escape sequences in test_give_owner.sh
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 7d47f75be460977894ca11b2ecc1e74e08ffb9f3
Author: Alexander Bokovoy <ab at samba.org>
Date: Fri Oct 6 22:52:36 2017 +0300
man pages: properly indent lists
It took me some time (original bug was filed in 2013!) but now
lists in smb.conf.5 are properly indented.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9613
Signed-Off-By: Alexander Bokovoy <ab at samba.org>
Reviewed-By: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Sat Oct 14 11:31:07 CEST 2017 on sn-devel-144
commit 543c0af4767f5be723594b87d078357e1e04f02e
Author: Alexander Bokovoy <ab at samba.org>
Date: Fri Oct 6 22:49:11 2017 +0300
smb.conf.5: sort parameters alphabetically
Content of each separate parameter description file is added
into a parameters.all.xml file before compiling smb.conf.5.
The issue is that POSIX file systems generally don't give any
promises over how glob-produced files are sorted. Thus, we need to sort
them in a predictable way.
This patch adds sorting based on a file name as a string. Since all
parameter files are named after the parameter itself (plus .xml), we can
use file name sorting.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13081
Signed-off-by: Alexander Bokovoy <ab at samba.org>
Reviewed-By: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4c9b380527ac091fa496675e8b887d2437a47d2c
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Mon Oct 2 14:33:47 2017 +1300
selftest: Add sanity-check RODC can't use cache to reveal secrets
Bug 12977 highlighted that Samba only checks exop GetNcChanges requests
once, when they're first received. This makes sense because valid exop
requests should only ever involve a single request. For regular
(non-exop) GetNcChanges requests, the server stores a cache of the
object GUIDs to return.
What we don't want to happen is for a malicious/compromised RODC to use
this cache to circumvent privilege checks, and receive secrets that it's
normally not permitted to access (e.g. the administrator's password).
The specific scenario we're concerned about is:
- The RODC sends a regular GetNcChanges request for all objects (without
secrets). (This causes the server to build its GUID array cache).
- The RODC then sends a follow-on request for the next chunk, but sets
the REPL_SECRET exop this time.
The only thing inadvertently preventing Samba from leaking secrets in
this case is updating msDS-RevealedUsers for auditing. It's possible
that a future code change may alter the codepath and open up a
security hole without realizing. This patch adds a test case so if that
ever did happen, the selftests would detect the problem.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12977
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/wscript_build | 9 ++++++++-
docs-xml/xslt/man.xsl | 1 +
source4/torture/drs/python/repl_rodc.py | 33 +++++++++++++++++++++++++++++++++
3 files changed, 42 insertions(+), 1 deletion(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
index e329ad4..5670572 100644
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@@ -1,5 +1,6 @@
#!/usr/bin/env python
from samba_utils import save_file
+import os
manpages='''
manpages/cifsdd.8
manpages/dbwrap_tool.1
@@ -131,7 +132,13 @@ def smbdotconf_generate_parameter_list(task):
save_file(parameter_all, t , create_dir=True)
return 0
-articles = bld.path.ant_glob("smbdotconf/**/*.xml", flat=True)
+# Since nothing really forces sorting in glob, we have to sort by file name
+# POSIX file systems aren't required to return sorted content but we want
+# smb.conf parameters to be sorted alphabetically
+sources = bld.path.ant_glob("smbdotconf/**/*.xml", flat=False)
+articles = " ".join(sorted([x.relpath_gen(bld.path) for x in sources],
+ key=lambda m: m.split(os.sep)[-1]))
+
parameter_all = 'smbdotconf/parameters.all.xml'
bld.SAMBA_GENERATOR(parameter_all,
source=articles,
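Review bot: the sort key `lambda m: m.split(os.sep)[-1]` compares only the file's basename, so two files with the same name in different subdirectories of `smbdotconf/**` compare equal and keep whatever order the glob produced, which is exactly the non-determinism this hunk sets out to remove. Consider a tie-breaker on the full relative path, e.g. `key=lambda m: (os.path.basename(m), m)`, which also replaces the manual `split(os.sep)` with the stdlib helper. Note too that plain string ordering is case-sensitive and byte-ordered, so the result is only "alphabetical" as long as every parameter file name is lowercase; that holds today but is worth stating in the comment.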
diff --git a/docs-xml/xslt/man.xsl b/docs-xml/xslt/man.xsl
index d9cc1de..e252b56 100644
--- a/docs-xml/xslt/man.xsl
+++ b/docs-xml/xslt/man.xsl
@@ -43,6 +43,7 @@
<!-- * content (if any) before getting the list items -->
<xsl:apply-templates
select="*[not(self::listitem) and not(self::title)]"/>
+ <xsl:text>
.RS
</xsl:text>
<xsl:apply-templates select="listitem"/>
<xsl:if test="(parent::para or parent::listitem) or following-sibling::node()">
<xsl:text>.sp
</xsl:text>
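Review bot: the added `.RS` opens a roff relative-indent block that must be closed by a matching `.RE` after the `listitem` templates, otherwise every following paragraph in the man page stays indented. The hunk shows only the `.sp` emitted in the `xsl:if`, not the `.RE`; please confirm the closing request is already present in the surrounding template or add it in this change so the indent is balanced for both nested and top-level lists.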
diff --git a/source4/torture/drs/python/repl_rodc.py b/source4/torture/drs/python/repl_rodc.py
index ca3744c..57679ee 100644
--- a/source4/torture/drs/python/repl_rodc.py
+++ b/source4/torture/drs/python/repl_rodc.py
@@ -215,6 +215,39 @@ class DrsRodcTestCase(drs_base.DrsBaseTestCase):
# Check that the user has been added to msDSRevealedUsers
self._assert_in_revealed_users(user_dn, expected_user_attributes)
+ def test_rodc_repl_secrets_follow_on_req(self):
+ """
+ Checks that an RODC can't subvert an existing (valid) GetNCChanges
+ request to reveal secrets it shouldn't have access to.
+ """
+
+ # send an acceptable request that will match as many GUIDs as possible.
+ # Here we set the SPECIAL_SECRET_PROCESSING flag so that the request gets accepted.
+ # (On the server, this builds up the getnc_state->guids array)
+ req8 = self._exop_req8(dest_dsa=str(self.rodc_ctx.ntds_guid),
+ invocation_id=self.ldb_dc1.get_invocation_id(),
+ nc_dn_str=self.ldb_dc1.domain_dn(),
+ exop=drsuapi.DRSUAPI_EXOP_NONE,
+ max_objects=1,
+ replica_flags=drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING)
+ (level, ctr) = self.rodc_drs.DsGetNCChanges(self.rodc_drs_handle, 8, req8)
+
+ # Get the next replication chunk, but set REPL_SECRET this time. This
+ # is following on the the previous accepted request, but we've changed
+ # exop to now request secrets. This request should fail
+ try:
+ req8 = self._exop_req8(dest_dsa=str(self.rodc_ctx.ntds_guid),
+ invocation_id=self.ldb_dc1.get_invocation_id(),
+ nc_dn_str=self.ldb_dc1.domain_dn(),
+ exop=drsuapi.DRSUAPI_EXOP_REPL_SECRET)
+ req8.highwatermark = ctr.new_highwatermark
+
+ (level, ctr) = self.rodc_drs.DsGetNCChanges(self.rodc_drs_handle, 8, req8)
+
+ self.fail("Successfully replicated secrets to an RODC that shouldn't have been replicated.")
+ except RuntimeError as (enum, estr):
+ pass
+
def test_msDSRevealedUsers_admin(self):
"""
When a secret attribute is to be replicated to an RODC, the contents
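Review bot: `except RuntimeError as (enum, estr): pass` swallows any `RuntimeError` from the second `DsGetNCChanges` call, including transport or unrelated server failures, so the test would also pass when the RODC never reached the secret-processing check. Assert on the specific error the server is expected to return (e.g. `self.assertEqual(enum, <expected werror>)`) so the test only succeeds for the intended rejection; the `self.fail(...)` path is fine since `AssertionError` is not caught by this handler. Two smaller points: the `except ... as (enum, estr)` tuple-unpacking form is Python 2 only and will be a syntax error when the selftests move to Python 3 (use `except RuntimeError as e:` and read `e.args`), and the comment "following on the the previous accepted request" has a doubled "the". Also, the first request's comment says it will "match as many GUIDs as possible" while `max_objects=1` is passed; a short note that `max_objects` only limits the chunk size while the server still caches the full GUID list would make the intent clear.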
--
Samba Shared Repository