[SCM] Samba Shared Repository - branch v4-17-test updated
Jule Anger
janger at samba.org
Tue Oct 10 15:17:58 UTC 2023
The branch, v4-17-test has been updated
via e049c2be34d VERSION: Bump version up to Samba 4.17.13...
via ffe7eabdb7c Merge branch 'v4-17-stable' into v4-17-test
via 1006203e495 Merge tag 'samba-4.17.12' into v4-17-stable
via 7ec207cd414 VERSION: Disable GIT_SNAPSHOT for the 4.17.12 release.
via a59469b2a87 WHATSNEW: Add release notes for Samba 4.17.12.
via 2acdaf9860f CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
via 51bc79f85a8 CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC
via d4d49635247 CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
via a16b210ec65 CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
via 8f87277b4e9 CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
via 4c897f5b854 CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
via b586f8cc9c7 CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
via d30349ac4cf CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once
via e0cec7f7908 CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
via c18f819f8ce CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start
via 23b867c70bd CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
via d7ab8d4c2ea CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
via 3de5d8a0116 CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers
via 3c34a51da12 CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position
via 2c7710bd5bc CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper
via 92cf3328a00 CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper
via ebd421306e7 CVE-2023-4154 py_security: allow idx argument to descriptor.[s|d]acl_add()
via d038ac36c13 CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers
via 60baeea804a CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper
via c7fba7218cd CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG
via 76091f35016 CVE-2023-4154 s4:dsdb:tests: Fix code spelling
via 38d62aa3b2b CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test
via bea7fd5eadc CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL
via d7034c4194a CVE-2023-4154 librpc ndr/py_security: Export ACE deletion functions to python
via 8c0be1d17a5 CVE-2023-4154 libcli security_descriptor: Add function to delete a given ace from a security descriptor
via 8b26f634372 CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
via b08a60160e6 CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
via 4b3e5c2f036 CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.
via 125ce23115b CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.
via e5a1c1cfb0a CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
via 1fdc51ffec9 VERSION: Bump version up to Samba 4.17.12...
via 0e746c02f6c CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
via 08f4f363fa6 CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC
via 6ff5eed9c5d CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
via 9989568b20c CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
via cbd68f39d52 CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
via c0d6e6db657 CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
via 4e5f060cdc3 CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
via 4c1f1fe39c6 CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once
via 92a4df11b2d CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
via 8a9dac9d4e5 CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start
via 649bccf87ef CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
via 8de96459777 CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
via 68eda471b8f CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers
via 8b1f1c9f90f CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position
via b59a4266f1b CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper
via 22904d2b9dc CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper
via 4cfec08d7ee CVE-2023-4154 py_security: allow idx argument to descriptor.[s|d]acl_add()
via 10c4b6ea09f CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers
via b4849183a68 CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper
via d221d0a7902 CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG
via 5313a307148 CVE-2023-4154 s4:dsdb:tests: Fix code spelling
via 119ff0ef752 CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test
via e8b68aa5c9a CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL
via bd5213a918e CVE-2023-4154 librpc ndr/py_security: Export ACE deletion functions to python
via 25585fda53f CVE-2023-4154 libcli security_descriptor: Add function to delete a given ace from a security descriptor
via 347d55084b7 CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
via 45051934ffa CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
via f958415a69f CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.
via e6f096c4c8f CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.
via 23199e11545 CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
from b0b25f067ba VERSION: Bump version up to Samba 4.17.12...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-test
- Log -----------------------------------------------------------------
commit e049c2be34d4584fb796a18bfaee9bee9e0b4204
Author: Jule Anger <janger at samba.org>
Date: Tue Oct 10 17:13:29 2023 +0200
VERSION: Bump version up to Samba 4.17.13...
Signed-off-by: Jule Anger <janger at samba.org>
commit ffe7eabdb7c6723ae52fba2cb64b4ac1c966198f
Merge: b0b25f067ba 1006203e495
Author: Jule Anger <janger at samba.org>
Date: Tue Oct 10 17:08:22 2023 +0200
Merge branch 'v4-17-stable' into v4-17-test
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 87 +++-
.../smbdotconf/protocol/dcerpcendpointservers.xml | 2 +-
lib/param/loadparm.c | 2 +-
lib/replace/replace.h | 15 +
libcli/security/security_descriptor.c | 121 +++++-
libcli/security/security_descriptor.h | 10 +
python/samba/ndr.py | 19 +
python/samba/sd_utils.py | 153 ++++++-
selftest/knownfail | 2 +-
selftest/knownfail.d/dirsync | 13 +
selftest/target/Samba4.pm | 2 +-
source3/param/loadparm.c | 2 +-
source3/rpc_client/local_np.c | 13 +
source3/rpc_server/rpc_host.c | 154 +------
source3/rpc_server/rpcd_classic.c | 45 +-
source3/rpc_server/rpcd_epmapper.c | 33 +-
source3/rpc_server/rpcd_lsad.c | 21 +
source3/rpc_server/rpcd_rpcecho.c | 33 +-
source3/rpc_server/wscript_build | 1 +
source3/selftest/tests.py | 15 +
source3/smbd/open.c | 4 +-
source3/torture/proto.h | 1 +
source3/torture/test_smb2.c | 105 +++++
source3/torture/torture.c | 4 +
source4/dsdb/samdb/ldb_modules/dirsync.c | 33 +-
source4/dsdb/samdb/samdb.h | 1 -
source4/dsdb/tests/python/acl.py | 12 +-
.../dsdb/tests/python/ad_dc_search_performance.py | 2 +-
source4/dsdb/tests/python/confidential_attr.py | 212 ++++-----
source4/dsdb/tests/python/dirsync.py | 473 ++++++++++++++++++---
source4/dsdb/tests/python/ldap.py | 14 +-
source4/dsdb/tests/python/ldap_modify_order.py | 4 +-
source4/dsdb/tests/python/ldap_syntaxes.py | 4 +-
source4/dsdb/tests/python/login_basics.py | 2 +-
source4/dsdb/tests/python/password_settings.py | 4 +-
source4/dsdb/tests/python/passwords.py | 4 +-
source4/dsdb/tests/python/sam.py | 2 +-
source4/dsdb/tests/python/sec_descriptor.py | 14 +-
source4/dsdb/tests/python/token_group.py | 4 +-
source4/dsdb/tests/python/user_account_control.py | 2 +-
source4/librpc/ndr/py_security.c | 62 ++-
source4/rpc_server/wscript_build | 3 +-
source4/torture/smb2/acls.c | 143 +++++++
44 files changed, 1411 insertions(+), 443 deletions(-)
create mode 100644 selftest/knownfail.d/dirsync
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index b0e62dcebcd..47a72534e00 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=17
-SAMBA_VERSION_RELEASE=12
+SAMBA_VERSION_RELEASE=13
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 0b12f34e798..66ef45dd1b2 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,87 @@
+ ===============================
+ Release Notes for Samba 4.17.12
+ October 10, 2023
+ ===============================
+
+
+This is a security release in order to address the following defects:
+
+
+o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as root to
+ existing unix domain sockets on the file system.
+ https://www.samba.org/samba/security/CVE-2023-3961.html
+
+o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening files with
+ OVERWRITE disposition when using the acl_xattr Samba VFS
+ module with the smb.conf setting
+ "acl_xattr:ignore system acls = yes"
+ https://www.samba.org/samba/security/CVE-2023-4091.html
+
+o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view all
+ attributes, including secrets and passwords. Additionally,
+ the access check fails open on error conditions.
+ https://www.samba.org/samba/security/CVE-2023-4154.html
+
+o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
+ server block for a user-defined amount of time, denying
+ service.
+ https://www.samba.org/samba/security/CVE-2023-42669.html
+
+o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
+ listeners, disrupting service on the AD DC.
+ https://www.samba.org/samba/security/CVE-2023-42670.html
+
+
+Changes since 4.17.11
+---------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 15422: CVE-2023-3961.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 15424: CVE-2023-4154.
+ * BUG 15473: CVE-2023-42670.
+ * BUG 15474: CVE-2023-42669.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 15439: CVE-2023-4091.
+
+o Christian Merten <christian at merten.dev>
+ * BUG 15424: CVE-2023-4154.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 15424: CVE-2023-4154.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 15424: CVE-2023-4154.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 15424: CVE-2023-4154.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
===============================
Release Notes for Samba 4.17.11
September 07, 2023
@@ -85,8 +169,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
===============================
Release Notes for Samba 4.17.10
July 19, 2023
diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
index 8a217cc7f11..c6642b795fd 100644
--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
@@ -6,6 +6,6 @@
<para>Specifies which DCE/RPC endpoint servers should be run.</para>
</description>
-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
+<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
<value type="example">rpcecho</value>
</samba:parameter>
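Review bot: the unchanged `<value type="example">rpcecho</value>` right after the edited default still presents rpcecho as the example value immediately after it has been dropped from the default list; either the `<para>` description should say that rpcecho is no longer started by default and why (CVE-2023-42669 in this merge), or the example should use a server that is expected in a production configuration.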
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index f70823fe366..664fae70c9b 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2732,7 +2732,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
- lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+ lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
/* the winbind method for domain controllers is for both RODC
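Review bot: the list on the `+ lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", ...)` line is now the third hand-maintained copy of the same default, next to `<value type="default">` in docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml and source3/param/loadparm.c (also in the diffstat); these are easy to let drift, so consider a selftest that compares the documented default with the value `loadparm_init()` actually sets.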
diff --git a/lib/replace/replace.h b/lib/replace/replace.h
index bd7f6e53e81..bcd5c09bf7c 100644
--- a/lib/replace/replace.h
+++ b/lib/replace/replace.h
@@ -889,6 +889,21 @@ typedef unsigned long long ptrdiff_t ;
#define ARRAY_DEL_ELEMENT(a,i,n) \
if((i)<((n)-1)){memmove(&((a)[(i)]),&((a)[(i)+1]),(sizeof(*(a))*((n)-(i)-1)));}
+/**
+ * Insert an array element by moving the rest one up
+ *
+ */
+#define ARRAY_INSERT_ELEMENT(__array,__old_last_idx,__new_elem,__new_idx) do { \
+ if ((__new_idx) < (__old_last_idx)) { \
+ const void *__src = &((__array)[(__new_idx)]); \
+ void *__dst = &((__array)[(__new_idx)+1]); \
+ size_t __num = (__old_last_idx)-(__new_idx); \
+ size_t __len = sizeof(*(__array)) * __num; \
+ memmove(__dst, __src, __len); \
+ } \
+ (__array)[(__new_idx)] = (__new_elem); \
+} while(0)
+
/**
* Pointer difference macro
*/
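Review bot: the second macro parameter is named `__old_last_idx`, but the `if ((__new_idx) < (__old_last_idx))` test and the `__num = (__old_last_idx)-(__new_idx)` element count are only right when the caller passes the old element count (one past the last valid index), which is what security_descriptor.c does with `acl->num_aces`; rename it to `__old_num` or similar and extend the doc comment with the preconditions: the array must already have room for one more element, and `__new_idx` must not exceed the old count, since the macro has no bounds check of its own and a larger index is silently written past the shifted region.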
diff --git a/libcli/security/security_descriptor.c b/libcli/security/security_descriptor.c
index ba142016389..08f2cf19ee8 100644
--- a/libcli/security/security_descriptor.c
+++ b/libcli/security/security_descriptor.c
@@ -267,9 +267,11 @@ NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
bool add_to_sacl,
- const struct security_ace *ace)
+ const struct security_ace *ace,
+ ssize_t _idx)
{
struct security_acl *acl = NULL;
+ ssize_t idx;
if (add_to_sacl) {
acl = sd->sacl;
@@ -288,15 +290,28 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
acl->aces = NULL;
}
+ if (_idx < 0) {
+ idx = (acl->num_aces + 1) + _idx;
+ } else {
+ idx = _idx;
+ }
+
+ if (idx < 0) {
+ return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
+ } else if (idx > acl->num_aces) {
+ return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
+ }
+
acl->aces = talloc_realloc(acl, acl->aces,
struct security_ace, acl->num_aces+1);
if (acl->aces == NULL) {
return NT_STATUS_NO_MEMORY;
}
- acl->aces[acl->num_aces] = *ace;
+ ARRAY_INSERT_ELEMENT(acl->aces, acl->num_aces, *ace, idx);
+ acl->num_aces++;
- switch (acl->aces[acl->num_aces].type) {
+ switch (acl->aces[idx].type) {
case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
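Review bot: `idx = (acl->num_aces + 1) + _idx;` mixes `uint32_t` with `ssize_t`; where `ssize_t` is 32 bits the sum is evaluated unsigned and an out-of-range negative `_idx` only becomes a negative `idx` through implementation-defined conversion, so cast first: `idx = (ssize_t)acl->num_aces + 1 + _idx;`. The following `if (idx < 0)` / `else if (idx > acl->num_aces)` branches return the same NT_STATUS_ARRAY_BOUNDS_EXCEEDED and can be a single condition. The ordering of `talloc_realloc` to `num_aces+1` before `ARRAY_INSERT_ELEMENT(acl->aces, acl->num_aces, *ace, idx)` is correct, as the macro assumes the extra slot already exists; a one-line comment saying so would help the next reader.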
@@ -307,8 +322,6 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
break;
}
- acl->num_aces++;
-
if (add_to_sacl) {
sd->sacl = acl;
sd->type |= SEC_DESC_SACL_PRESENT;
@@ -327,7 +340,21 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
const struct security_ace *ace)
{
- return security_descriptor_acl_add(sd, true, ace);
+ return security_descriptor_acl_add(sd, true, ace, -1);
+}
+
+/*
+ insert an ACE at a given index to the SACL of a security_descriptor
+
+ idx can be negative, which means it's related to the new size from the
+ end, so -1 means the ace is appended at the end.
+*/
+
+NTSTATUS security_descriptor_sacl_insert(struct security_descriptor *sd,
+ const struct security_ace *ace,
+ ssize_t idx)
+{
+ return security_descriptor_acl_add(sd, true, ace, idx);
}
/*
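Review bot: the blank line between the closing `*/` of the new doc comment and `NTSTATUS security_descriptor_sacl_insert(` detaches the comment from the function it describes; drop it. Wording: "insert an ACE at a given index to the SACL" reads better as "into the SACL", and it is worth stating in the same comment that an out-of-range index returns NT_STATUS_ARRAY_BOUNDS_EXCEEDED, since that is the contract callers need.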
@@ -337,7 +364,21 @@ NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
const struct security_ace *ace)
{
- return security_descriptor_acl_add(sd, false, ace);
+ return security_descriptor_acl_add(sd, false, ace, -1);
+}
+
+/*
+ insert an ACE at a given index to the DACL of a security_descriptor
+
+ idx can be negative, which means it's related to the new size from the
+ end, so -1 means the ace is appended at the end.
+*/
+
+NTSTATUS security_descriptor_dacl_insert(struct security_descriptor *sd,
+ const struct security_ace *ace,
+ ssize_t idx)
+{
+ return security_descriptor_acl_add(sd, false, ace, idx);
}
/*
@@ -419,6 +460,72 @@ NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
return security_descriptor_acl_del(sd, true, trustee);
}
+/*
+ delete the given ACE in the SACL or DACL of a security_descriptor
+*/
+static NTSTATUS security_descriptor_acl_del_ace(struct security_descriptor *sd,
+ bool sacl_del,
+ const struct security_ace *ace)
+{
+ uint32_t i;
+ bool found = false;
+ struct security_acl *acl = NULL;
+
+ if (sacl_del) {
+ acl = sd->sacl;
+ } else {
+ acl = sd->dacl;
+ }
+
+ if (acl == NULL) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ for (i=0;i<acl->num_aces;i++) {
+ if (security_ace_equal(ace, &acl->aces[i])) {
+ ARRAY_DEL_ELEMENT(acl->aces, i, acl->num_aces);
+ acl->num_aces--;
+ if (acl->num_aces == 0) {
+ acl->aces = NULL;
+ }
+ found = true;
+ i--;
+ }
+ }
+
+ if (!found) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ acl->revision = SECURITY_ACL_REVISION_NT4;
+
+ for (i=0;i<acl->num_aces;i++) {
+ switch (acl->aces[i].type) {
+ case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
+ case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+ case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
+ case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
+ acl->revision = SECURITY_ACL_REVISION_ADS;
+ return NT_STATUS_OK;
+ default:
+ break; /* only for the switch statement */
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS security_descriptor_dacl_del_ace(struct security_descriptor *sd,
+ const struct security_ace *ace)
+{
+ return security_descriptor_acl_del_ace(sd, false, ace);
+}
+
+NTSTATUS security_descriptor_sacl_del_ace(struct security_descriptor *sd,
+ const struct security_ace *ace)
+{
+ return security_descriptor_acl_del_ace(sd, true, ace);
+}
/*
compare two security ace structures
*/
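Review bot: the `i--` after `ARRAY_DEL_ELEMENT(acl->aces, i, acl->num_aces)` in the first loop relies on `uint32_t` wraparound when the match is at `i == 0` (i becomes UINT32_MAX and the `i++` brings it back to 0); that is defined behaviour but hard to read, so prefer a loop that only advances `i` when nothing was removed. The doc comment "delete the given ACE" should say that every ACE equal to `ace` is removed, because the loop continues after the first match (the Python caller in sd_utils.py already depends on this). When `num_aces` drops to 0 the array is only set to NULL, so `TALLOC_FREE(acl->aces)` would release it rather than leave it attached to `acl` until the ACL itself is freed.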
diff --git a/libcli/security/security_descriptor.h b/libcli/security/security_descriptor.h
index 7e6df87fefa..354bc17e925 100644
--- a/libcli/security/security_descriptor.h
+++ b/libcli/security/security_descriptor.h
@@ -33,12 +33,22 @@ NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
struct security_descriptor **_csd);
NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
const struct security_ace *ace);
+NTSTATUS security_descriptor_sacl_insert(struct security_descriptor *sd,
+ const struct security_ace *ace,
+ ssize_t idx);
NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
const struct security_ace *ace);
+NTSTATUS security_descriptor_dacl_insert(struct security_descriptor *sd,
+ const struct security_ace *ace,
+ ssize_t idx);
NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
const struct dom_sid *trustee);
NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
const struct dom_sid *trustee);
+NTSTATUS security_descriptor_dacl_del_ace(struct security_descriptor *sd,
+ const struct security_ace *ace);
+NTSTATUS security_descriptor_sacl_del_ace(struct security_descriptor *sd,
+ const struct security_ace *ace);
bool security_ace_equal(const struct security_ace *ace1,
const struct security_ace *ace2);
bool security_acl_equal(const struct security_acl *acl1,
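Review bot: the new `security_descriptor_sacl_insert` / `security_descriptor_dacl_insert` prototypes say nothing about what `idx` means; the negative-index semantics (relative to the new size, so -1 appends) live only in the .c doc comments, and callers read the header, so add a short comment here, including that an out-of-range index returns NT_STATUS_ARRAY_BOUNDS_EXCEEDED.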
diff --git a/python/samba/ndr.py b/python/samba/ndr.py
index 35b2414e8ae..8369abfb2d0 100644
--- a/python/samba/ndr.py
+++ b/python/samba/ndr.py
@@ -56,6 +56,25 @@ def ndr_print(object):
return ndr_print()
+def ndr_deepcopy(object):
+ """Create a deep copy of a NDR object, using pack/unpack
+
+ :param object: Object to copy
+ :return: The object copy
+ """
+ ndr_pack = getattr(object, "__ndr_pack__", None)
+ if ndr_pack is None:
+ raise TypeError("%r is not a NDR object" % object)
+ data = ndr_pack()
+ cls = type(object)
+ copy = cls()
+ ndr_unpack = getattr(copy, "__ndr_unpack__", None)
+ if ndr_unpack is None:
+ raise TypeError("%r is not a NDR object" % copy)
+ ndr_unpack(data, allow_remaining=False)
+ return copy
+
+
def ndr_pack_in(object, bigendian=False, ndr64=False):
"""Pack the input of an NDR function object.
diff --git a/python/samba/sd_utils.py b/python/samba/sd_utils.py
index 26e80ee2f4a..462bbfbaf18 100644
--- a/python/samba/sd_utils.py
+++ b/python/samba/sd_utils.py
@@ -21,8 +21,11 @@
import samba
from ldb import Message, MessageElement, Dn
from ldb import FLAG_MOD_REPLACE, SCOPE_BASE
-from samba.ndr import ndr_pack, ndr_unpack
+from samba.ndr import ndr_pack, ndr_unpack, ndr_deepcopy
from samba.dcerpc import security
+from samba.ntstatus import (
+ NT_STATUS_OBJECT_NAME_NOT_FOUND,
+)
class SDUtils(object):
@@ -63,19 +66,145 @@ class SDUtils(object):
res = self.ldb.search(object_dn)
return ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
+ def update_aces_in_dacl(self, dn, del_aces=None, add_aces=None,
+ sddl_attr=None, controls=None):
+ if del_aces is None:
+ del_aces=[]
+ if add_aces is None:
+ add_aces=[]
+
+ def ace_from_sddl(ace_sddl):
+ ace_sd = security.descriptor.from_sddl("D:" + ace_sddl, self.domain_sid)
+ assert(len(ace_sd.dacl.aces)==1)
+ return ace_sd.dacl.aces[0]
+
+ if sddl_attr is None:
+ if controls is None:
+ controls=["sd_flags:1:%d" % security.SECINFO_DACL]
+ sd = self.read_sd_on_dn(dn, controls=controls)
+ if not sd.type & security.SEC_DESC_DACL_PROTECTED:
+ # if the DACL is not protected remove all
+ # inherited aces, as they will be re-inherited
+ # on the server, we need a ndr_deepcopy in order
+ # to avoid reference problems while deleting
+ # the aces while looping over them
+ dacl_copy = ndr_deepcopy(sd.dacl)
+ for ace in dacl_copy.aces:
+ if ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE:
+ try:
+ sd.dacl_del_ace(ace)
+ except samba.NTSTATUSError as err:
+ if err.args[0] != NT_STATUS_OBJECT_NAME_NOT_FOUND:
+ raise err
+ # dacl_del_ace may remove more than
+ # one ace, so we may not find it anymore
+ pass
+ else:
+ if controls is None:
+ controls=[]
+ res = self.ldb.search(dn, SCOPE_BASE, None,
+ [sddl_attr], controls=controls)
+ old_sddl = str(res[0][sddl_attr][0])
+ sd = security.descriptor.from_sddl(old_sddl, self.domain_sid)
+
+ num_changes = 0
+ del_ignored = []
+ add_ignored = []
+ inherited_ignored = []
+
+ for ace in del_aces:
+ if isinstance(ace, str):
+ ace = ace_from_sddl(ace)
+ assert(isinstance(ace, security.ace))
+
+ if ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE:
+ inherited_ignored.append(ace)
+ continue
+
+ if ace not in sd.dacl.aces:
+ del_ignored.append(ace)
+ continue
+
+ sd.dacl_del_ace(ace)
+ num_changes += 1
+
+ for ace in add_aces:
+ add_idx = -1
+ if isinstance(ace, dict):
+ if "idx" in ace:
+ add_idx = ace["idx"]
+ ace = ace["ace"]
+ if isinstance(ace, str):
+ ace = ace_from_sddl(ace)
+ assert(isinstance(ace, security.ace))
+
+ if ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE:
+ inherited_ignored.append(ace)
+ continue
+
+ if ace in sd.dacl.aces:
+ add_ignored.append(ace)
+ continue
+
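Review bot: in the `except samba.NTSTATUSError as err:` block, a bare `raise` is the idiomatic way to re-raise and keeps the original traceback untouched, and the trailing `pass` after the comment is dead code. Logic: `if ace not in sd.dacl.aces` and `sd.dacl_del_ace(ace)` assume `sd.dacl` is present; that holds when the descriptor was read with the `sd_flags:1:SECINFO_DACL` control, but the `sddl_attr` path builds the descriptor from an arbitrary SDDL string that may carry no `D:` part, so guard against `sd.dacl is None`. Style: `del_aces=[]`, `add_aces=[]` and `controls=[...]` lack spaces around `=`, and `assert(len(ace_sd.dacl.aces)==1)` is a statement rather than a call, so PEP 8 form is `assert len(ace_sd.dacl.aces) == 1`.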
--
Samba Shared Repository
More information about the samba-cvs mailing list