[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed Jul 19 04:30:01 UTC 2023
The branch, master has been updated
via bb6fecd9ac5 netcmd: sites: add sites and subnet list and view commands to manpage
via 7f7d68573c3 netcmd: sites: add missing subnet commands to samba-tool manpage
via 5e4a6cd75a1 netcmd: sites: tests for list and view sites and subnet
via 3cf81e98f36 netcmd: sites: make use of ldb_connect from base class
via 752eae68c2a netcmd: add list and view commands for sites and subnets
via b9d01c64207 netcmd: add Subnet and Site models
via 5f69220f0af WHATSNEW: Update minimum GnuTLS version
via f050124a96c lib/fuzzing: patch for collecting fuzz_security_token_vs_descriptor seeds
via 9ea606dad11 lib/fuzzing: adapt fuzz_sddl_access_check for AD variant
via 89b02bad3e2 lib/fuzzing: adapt fuzz_security_token_vs_descriptor for AD variant
via eb2bed3899b lib/fuzzing: add fuzzer for arbitrary token/sd access checks
via 5ad28bd7605 lib/fuzzing: add fuzz_sddl_access_check
via 3ed1ba6fedd s4:provision: use better values for operatingSystem[Version]
via 9a79bed41e2 s4:pydsdb: add dc_operatingSystemVersion() helper
via b058b39f38b s4:dsdb: let dsdb_check_and_update_fl() also operatingSystem[Version]
via 16865d6d439 upgradeprovision: handle operatingSystem similar to operatingSystemVersion
via 85080ba9ea0 ldapcmp: also ignore operatingSystem similar to operatingSystemVersion
via 56ee153cae3 netlogon.idl: add some comments to netr_OsVersionInfoEx
from 81058c60136 third_party/heimdal: Import lorikeet-heimdal-202307050413 (commit e0597fe1d01b109e64d9c2a5bcada664ac199498)
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit bb6fecd9ac5ff803e2c74e2a5cc6596c9eb5107c
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Thu Jul 13 00:42:56 2023 +1200
netcmd: sites: add sites and subnet list and view commands to manpage
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Jul 19 04:29:15 UTC 2023 on atb-devel-224
commit 7f7d68573c3c39825be89e127f6de37764200319
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Thu Jul 13 00:42:03 2023 +1200
netcmd: sites: add missing subnet commands to samba-tool manpage
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 5e4a6cd75a144a8232e3b7302ca74ecb67fc5efd
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Wed Jul 5 17:40:48 2023 +1200
netcmd: sites: tests for list and view sites and subnet
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 3cf81e98f3677a45c3cf12319668262345515a3b
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Jul 4 22:02:01 2023 +1200
netcmd: sites: make use of ldb_connect from base class
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 752eae68c2ae1d64cee9452df7b4f87d35458090
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Jul 4 21:47:46 2023 +1200
netcmd: add list and view commands for sites and subnets
* samba-tool sites list
* samba-tool sites view
* samba-tool sites subnet list
* samba-tool sites subnet view
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit b9d01c6420760e65012af8beaf46f2bfb5a7b33e
Author: Rob van der Linde <rob at catalyst.net.nz>
Date: Tue Jul 4 21:34:38 2023 +1200
netcmd: add Subnet and Site models
Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 5f69220f0afc578a49e7049d6ffba1ef12bc2fe5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jul 18 10:29:50 2023 +1200
WHATSNEW: Update minimum GnuTLS version
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit f050124a96cbd0e3ab73255834126df150ff8525
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Tue Jul 18 12:54:40 2023 +1200
lib/fuzzing: patch for collecting fuzz_security_token_vs_descriptor seeds
If this patch is applied, and an environment variable is set, all
access_check calls will be recorded as seeds for
fuzz_security_token_vs_descriptor. See the patch for details.
You probably will never want to apply this patch, but it is here just
in case.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9ea606dad1147734c1877dd054dc769c4df4e005
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Tue Jul 18 08:56:40 2023 +1200
lib/fuzzing: adapt fuzz_sddl_access_check for AD variant
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 89b02bad3e2db7a9a3aceed7122c1d680cef728d
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Mon Jul 17 16:20:58 2023 +1200
lib/fuzzing: adapt fuzz_security_token_vs_descriptor for AD variant
This of course doesn't exercise the object tree or default SID code,
but it still covers a lot to the *_ds access_check functions.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit eb2bed3899b12ba90050d9530f4909175954b147
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Sat Jul 15 22:49:22 2023 +1200
lib/fuzzing: add fuzzer for arbitrary token/sd access checks
The token and descriptor are stored in NDR format; for this purpose we
add a new IDL struct containing this pair (along with a desired access
mask).
An upcoming commit will show how to collect seeds for this fuzzer.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5ad28bd76053fcbed5b1833c096c5623e7e34464
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Jul 12 13:03:53 2023 +1200
lib/fuzzing: add fuzz_sddl_access_check
This fuzzer parses SDDL into a security descriptor and runs an access
check on it using a known security token. This is purely for crash
detection -- we don't know enough to assert whether the check should
succeed or not.
The seed strings used are compatible with those of fuzz_sddl_parse --
anything found by fuzz_sddl_parse is worth trying as a seed here, and
vice versa.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3ed1ba6feddbf7ccaddf49319344787bd7506780
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 22 12:44:32 2015 +0200
s4:provision: use better values for operatingSystem[Version]
Some clients (e.g. an exchange server) check operatingSystemVersion
in order to check if a domain controller is new enough.
So we better use a value matching the dc functional level.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9a79bed41e205823e7eed58a30ade1f40441a22e
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 18 17:17:21 2023 +0200
s4:pydsdb: add dc_operatingSystemVersion() helper
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b058b39f38b2bade4a347aedc199530382f16279
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 7 14:18:14 2023 +0200
s4:dsdb: let dsdb_check_and_update_fl() also operatingSystem[Version]
Some clients (e.g. an exchange server) check operatingSystemVersion
in order to check if a domain controller is new enough.
So we better use a value matching the dc functional level.
While we also fixed operatingSystem[Version] at provision time,
we do it also in dsdb_check_and_update_fl() in order to
handle old provisions and systems joined to an existing domain.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 16865d6d4396fe32ef2e8d6d94243aaec579fd3b
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 18 11:01:31 2023 +0200
upgradeprovision: handle operatingSystem similar to operatingSystemVersion
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 85080ba9ea0471225b9178746aca4596b449c2fa
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 18 11:00:56 2023 +0200
ldapcmp: also ignore operatingSystem similar to operatingSystemVersion
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 56ee153cae3629adfb6960222ba74cd3cba9dbd2
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 20 20:53:35 2021 +0100
netlogon.idl: add some comments to netr_OsVersionInfoEx
[MS-RPRN] 7 Appendix B: Product Behavior contains information
about the products and their announced versions.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 18 ++
docs-xml/manpages/samba-tool.8.xml | 51 +++++
lib/fuzzing/fuzz_sddl_access_check.c | 144 ++++++++++++
lib/fuzzing/fuzz_security_token_vs_descriptor.c | 78 +++++++
lib/fuzzing/patches/collect-access-check-seeds.txt | 253 +++++++++++++++++++++
lib/fuzzing/wscript_build | 23 ++
librpc/idl/netlogon.idl | 68 ++++++
librpc/idl/security.idl | 6 +
python/samba/netcmd/domain/models/__init__.py | 2 +
.../netcmd/domain/models/{user.py => site.py} | 31 +--
.../netcmd/domain/models/{user.py => subnet.py} | 31 +--
python/samba/netcmd/ldapcmp.py | 3 +-
python/samba/netcmd/sites.py | 193 ++++++++++++++--
python/samba/provision/__init__.py | 11 +-
python/samba/tests/samba_tool/sites.py | 71 +++++-
source4/dsdb/common/util.c | 105 ++++++++-
source4/dsdb/pydsdb.c | 24 ++
source4/dsdb/wscript_build | 2 +-
source4/scripting/bin/samba_upgradeprovision | 3 +-
source4/setup/provision_self_join.ldif | 4 +-
20 files changed, 1049 insertions(+), 72 deletions(-)
create mode 100644 lib/fuzzing/fuzz_sddl_access_check.c
create mode 100644 lib/fuzzing/fuzz_security_token_vs_descriptor.c
create mode 100644 lib/fuzzing/patches/collect-access-check-seeds.txt
copy python/samba/netcmd/domain/models/{user.py => site.py} (59%)
copy python/samba/netcmd/domain/models/{user.py => subnet.py} (59%)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b348217e995..7cdb9f32f08 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -90,6 +90,24 @@ samba-tool domain schemaupgrade --schema=2019
samba-tool domain functionalprep --function-level=2016
samba-tool domain level raise --domain-level=2016 --forest-level=2016
+Updated GnuTLS requirement / in-tree cryptography removal
+----------------------------------------------------------
+
+Samba requires GnuTLS 3.6.13 and prefers GnuTLS 3.6.14 or later.
+
+This has allowed Samba to remove all of our in-tree cryptography,
+except that found in our Heimdal import. Samba's runtime cryptography
+needs are now all provided by GnuTLS.
+
+(The GnuTLS vesion requirement is raised to 3.7.2 on systems without
+the Linux getrandom())
+
+We also use Python's cryptography module for our testing.
+
+The use of well known cryptography libraries makes Samba easier for
+end-users to validate and deploy, and for distributors to ship. This
+is the end of a very long journey for Samba.
+
REMOVED FEATURES
================
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 567342b2709..a0ade78c6d1 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -2267,6 +2267,24 @@
<para>Manage sites.</para>
</refsect2>
+<refsect3>
+ <title>sites list [options]</title>
+ <para>List sites.</para>
+ <variablelist>
+ <varlistentry>
+ <term>--json</term>
+ <listitem><para>
+ Output as JSON instead of a list
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>sites view <replaceable>site</replaceable> [options]</title>
+ <para>View site details.</para>
+</refsect3>
+
<refsect3>
<title>sites create <replaceable>site</replaceable> [options]</title>
<para>Create a new site.</para>
@@ -2277,6 +2295,39 @@
<para>Delete an existing site.</para>
</refsect3>
+<refsect3>
+ <title>sites subnet list <replaceable>site</replaceable> [options]</title>
+ <para>List subnets for a site.</para>
+ <variablelist>
+ <varlistentry>
+ <term>--json</term>
+ <listitem><para>
+ Output as JSON instead of a list
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>sites subnet view <replaceable>subnet</replaceable> [options]</title>
+ <para>View subnet details.</para>
+</refsect3>
+
+<refsect3>
+ <title>sites subnet create <replaceable>subnet</replaceable> <replaceable>site-of-subnet</replaceable> [options]</title>
+ <para>Create a new subnet.</para>
+</refsect3>
+
+<refsect3>
+ <title>sites subnet remove <replaceable>subnet</replaceable> [options]</title>
+ <para>Delete an existing subnet.</para>
+</refsect3>
+
+<refsect3>
+ <title>sites subnet set-site <replaceable>subnet</replaceable> <replaceable>site-of-subnet</replaceable> [options]</title>
+ <para>Assign a subnet to a site.</para>
+</refsect3>
+
<refsect2>
<title>spn</title>
<para>Manage Service Principal Names (SPN).</para>
diff --git a/lib/fuzzing/fuzz_sddl_access_check.c b/lib/fuzzing/fuzz_sddl_access_check.c
new file mode 100644
index 00000000000..e6231d7da5f
--- /dev/null
+++ b/lib/fuzzing/fuzz_sddl_access_check.c
@@ -0,0 +1,144 @@
+/*
+ Fuzz access chcek using SDDL strings and a known token
+ Copyright (C) Catalyst IT 2023
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "replace.h"
+#include "libcli/security/security.h"
+#include "lib/util/attr.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "lib/util/bytearray.h"
+#include "fuzzing/fuzzing.h"
+
+
+static struct security_token token = {0};
+
+static struct dom_sid dom_sid = {0};
+
+/*
+ * For this one we initialise a security token to have a few SIDs. The fuzz
+ * strings contain SDDL that will be tested against this token in
+ * se_access_check() or sec_access_check_ds() -- supposing they compile.
+ *
+ * When we introduce conditional ACEs and claims (soon!), we'll also add some
+ * claims and device SIDs to the token.
+ */
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+ size_t i;
+ bool ok;
+ TALLOC_CTX *mem_ctx = talloc_new(NULL);
+ struct dom_sid *sid = NULL;
+
+ const char * user_sids[] = {
+ "S-1-333-66",
+ "S-1-16-8448",
+ "S-1-9-8-7",
+ };
+
+ for (i = 0; i < ARRAY_SIZE(user_sids); i++) {
+ sid = dom_sid_parse_talloc(mem_ctx, user_sids[i]);
+ if (sid == NULL) {
+ abort();
+ }
+ add_sid_to_array(mem_ctx, sid,
+ &token.sids,
+ &token.num_sids);
+ }
+ return 0;
+}
+
+
+int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
+{
+ TALLOC_CTX *mem_ctx = NULL;
+ struct security_descriptor *sd = NULL;
+ NTSTATUS status;
+ uint32_t access_desired;
+ uint32_t access_granted;
+ const char *sddl;
+ ssize_t i;
+ if (len < 5) {
+ return 0;
+ }
+ access_desired = PULL_LE_U32(input + len - 4, 0);
+
+ /*
+ * check there is a '\0'.
+ *
+ * Note this allows double-dealing for the last 4 bytes: they are used
+ * as the access_desired mask (see just above) but also *could* be
+ * part of the sddl string. But this doesn't matter, for three
+ * reasons:
+ *
+ * 1. the desired access mask doesn't usually matter much.
+ *
+ * 2. the final '\0' is rarely the operative one. Usually the
+ * effective string ends a long time before the end of the input, and
+ * the tail is just junk that comes along for the ride.
+ *
+ * 3. Even if there is a case where the end of the SDDL is part of the
+ * mask, the evolution stategy is very likely to try a different mask,
+ * because it likes to add junk on the end.
+ *
+ * But still, you ask, WHY? So that the seeds from here can be shared
+ * back and forth with the fuzz_sddl_parse seeds, which have the same
+ * form of a null-terminated-string-with-trailing-junk. If we started
+ * the loop at `len - 5` instead of `len - 1`, there might be
+ * interesting seeds that are valid there that would fail here. That's
+ * all.
+ */
+ for (i = len - 1; i >= 0; i--) {
+ if (input[i] != 0) {
+ break;
+ }
+ }
+ if (i < 0) {
+ return 0;
+ }
+
+ sddl = (const char *)input;
+ mem_ctx = talloc_new(NULL);
+
+ sd = sddl_decode(mem_ctx, sddl, &dom_sid);
+ if (sd == NULL) {
+ goto end;
+ }
+
+#ifdef FUZZ_SEC_ACCESS_CHECK_DS
+ /*
+ * The sec_access_check_ds() function has two arguments not found in
+ * se_access_check, and also not found in our fuzzing examples.
+ *
+ * One is a struct object_tree, which is used for object ACE types.
+ * The other is a SID, which is used as a default if an ACE lacks a
+ * SID.
+ */
+ sec_access_check_ds(sd,
+ &token,
+ access_desired,
+ &access_granted,
+ NULL,
+ NULL);
+#else
+ status = se_access_check(sd, &token, access_desired, &access_granted);
+#endif
+
+end:
+ talloc_free(mem_ctx);
+ return 0;
+}
diff --git a/lib/fuzzing/fuzz_security_token_vs_descriptor.c b/lib/fuzzing/fuzz_security_token_vs_descriptor.c
new file mode 100644
index 00000000000..925c54672d5
--- /dev/null
+++ b/lib/fuzzing/fuzz_security_token_vs_descriptor.c
@@ -0,0 +1,78 @@
+/*
+ Fuzz a security token and descriptor through an access check
+ Copyright (C) Catalyst IT 2023
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "replace.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/security.h"
+#include "fuzzing/fuzzing.h"
+
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+ return 0;
+}
+
+
+int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
+{
+ TALLOC_CTX *mem_ctx = NULL;
+ struct security_token_descriptor_fuzzing_pair p = {0};
+ enum ndr_err_code ndr_err;
+ uint32_t access_granted;
+
+ DATA_BLOB blob = {
+ .data = input,
+ .length = len
+ };
+
+ mem_ctx = talloc_new(NULL);
+
+ ndr_err = ndr_pull_struct_blob(
+ &blob, mem_ctx, &p,
+ (ndr_pull_flags_fn_t)ndr_pull_security_token_descriptor_fuzzing_pair);
+
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ goto end;
+ }
+
+#ifdef FUZZ_SEC_ACCESS_CHECK_DS
+ /*
+ * The sec_access_check_ds() function has two arguments not found in
+ * se_access_check, and also not found in our fuzzing examples.
+ *
+ * One is a struct object_tree, which is used for object ACE types.
+ * The other is a SID, which is used as a default if an ACE lacks a
+ * SID.
+ */
+ sec_access_check_ds(&p.sd,
+ &p.token,
+ p.access_desired,
+ &access_granted,
+ NULL,
+ NULL);
+#else
+ se_access_check(&p.sd,
+ &p.token,
+ p.access_desired,
+ &access_granted);
+#endif
+
+end:
+ talloc_free(mem_ctx);
+ return 0;
+}
diff --git a/lib/fuzzing/patches/collect-access-check-seeds.txt b/lib/fuzzing/patches/collect-access-check-seeds.txt
new file mode 100644
index 00000000000..75e2b29226b
--- /dev/null
+++ b/lib/fuzzing/patches/collect-access-check-seeds.txt
@@ -0,0 +1,253 @@
+From bf2adac3a271fae551a726dc21dc9111bd7320be Mon Sep 17 00:00:00 2001
+From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+Date: Mon, 17 Jul 2023 16:17:16 +1200
+Subject: [PATCH 1/2] libcli/security: save access check attempts for fuzz
+ examples
+
+If this patch is applied to a Samba tree, and the
+SAMBA_SAVE_ACCESS_CHECK_DIR environment variable points to a
+directory, the tokens and descriptors of all access checks will be
+stored in that directory in the form used by
+fuzz_security_token_vs_descriptor. This can be used to build up a
+corpus of seeds for the fuzzer.
+
+The steps to create the corpus go something like this:
+
+$ export SAMBA_SAVE_ACCESS_CHECK_DIR=/tmp/samba-seeds
+$ mkdir $SAMBA_SAVE_ACCESS_CHECK_DIR
+$ mkdir /tmp/final-seeds-go-here
+$ make test
+
+at this point you'd want to do something like this:
+
+$ for f in $SAMBA_SAVE_ACCESS_CHECK_DIR/*; do \
+ cp -n $f /tmp/final-seeds-go-here/$(md5sum $f | cut -d' ' -f 1) \
+ done
+
+but it takes way too long, so use the script in the second patch in
+this series, like so:
+
+$ script/find-unique-access-seeds \
+ $SAMBA_SAVE_ACCESS_CHECK_DIR \
+ /tmp/final-seeds-go-here/
+
+Think before applying this patch in production. It won't slow things
+down much, but it will capture your SIDs and ACLs.
+
+Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+---
+ libcli/security/access_check.c | 76 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 76 insertions(+)
+
+diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
+index 81bacc90e78..9c3e4cfe966 100644
+--- a/libcli/security/access_check.c
++++ b/libcli/security/access_check.c
+@@ -24,6 +24,8 @@
+ #include "replace.h"
+ #include "lib/util/debug.h"
+ #include "libcli/security/security.h"
++#include "ndr/libndr.h"
++#include "gen_ndr/ndr_security.h"
+
+ /* Map generic access rights to object specific rights. This technique is
+ used to give meaning to assigning read, write, execute and all access to
+@@ -103,6 +105,74 @@ void se_map_standard(uint32_t *access_mask, const struct standard_mapping *mappi
+ }
+ }
+
++
++static bool write_token_and_descriptor(const struct security_descriptor *sd,
++ const struct security_token *token,
++ uint32_t access_desired)
++{
++ /*
++ * You should not be seeing this function in master or a release
++ * branch! It should only be here if you have patched Samba to
++ * generate fuzz seeds for fuzz_security_token_vs_descriptor.
++ *
++ * It hooks into access_check functions, saving copies of each access
++ * request in a structure for use as a fuzz seed, into the directory
++ * specified by the SAMBA_SAVE_ACCESS_CHECK_DIR environment variable.
++ *
++ * If the environment variable is not set, nothing will happen.
++ *
++ * A full `make test` saves about four million files, but only about
++ * forty thousand of them are unique.
++ */
++ FILE *f = NULL;
++ char buf[200];
++ int len;
++ DATA_BLOB blob = {0};
++ uint pid;
++ struct security_token_descriptor_fuzzing_pair p = {
++ .token = *token,
++ .sd = *sd,
++ .access_desired = access_desired
++ };
++ static size_t n = 0;
++ enum ndr_err_code ndr_err;
++ static const char *dir = NULL;
++ TALLOC_CTX *tmp_ctx = NULL;
++
++ if (dir == NULL) {
++ if (n == SIZE_MAX) {
++ return true;
++ }
++ dir = getenv("SAMBA_SAVE_ACCESS_CHECK_DIR");
++ if (dir == NULL) {
++ n = SIZE_MAX;
++ return false;
++ }
++ }
++ tmp_ctx = talloc_new(NULL);
++
++ n++;
++ ndr_err = ndr_push_struct_blob(
++ &blob, tmp_ctx, &p,
++ (ndr_push_flags_fn_t)ndr_push_security_token_descriptor_fuzzing_pair);
++ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
++ TALLOC_FREE(tmp_ctx);
++ return false;
++ }
++ pid = getpid();
++ len = snprintf(buf, sizeof(buf), "%s/%08u-%05zu.seed", dir, pid, n);
++ if (len >= sizeof(buf)) {
++ TALLOC_FREE(tmp_ctx);
++ return false;
++ }
++ f = fopen(buf, "w");
++ fwrite(blob.data, 1, blob.length, f);
++ fclose(f);
++ TALLOC_FREE(tmp_ctx);
++ return true;
++}
++
++
+ /*
+ perform a SEC_FLAG_MAXIMUM_ALLOWED access check
+ */
+@@ -115,6 +185,8 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
+ bool have_owner_rights_ace = false;
+ unsigned i;
+
++ write_token_and_descriptor(sd, token, SEC_FLAG_MAXIMUM_ALLOWED);
++
+ if (sd->dacl == NULL) {
+ if (security_token_has_sid(token, sd->owner_sid)) {
+ switch (implicit_owner_rights) {
+@@ -211,6 +283,8 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor
+ bool am_owner = false;
+ bool have_owner_rights_ace = false;
+
++ write_token_and_descriptor(sd, token, access_desired);
++
+ *access_granted = access_desired;
+ bits_remaining = access_desired;
+
+@@ -528,6 +602,8 @@ NTSTATUS sec_access_check_ds_implicit_owner(const struct security_descriptor *sd
+ uint32_t bits_remaining;
+ struct dom_sid self_sid;
+
++ write_token_and_descriptor(sd, token, access_desired);
++
+ dom_sid_parse(SID_NT_SELF, &self_sid);
+
+ *access_granted = access_desired;
+--
+2.34.1
+
+
+From d79328bdac90ed16b9162cbfe10a4ed8bedbc073 Mon Sep 17 00:00:00 2001
+From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
--
Samba Shared Repository
More information about the samba-cvs
mailing list