[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed Sep 27 00:42:01 UTC 2023
The branch, master has been updated
via 3b6c1f1a9c4 libcli/security: condtional ACE recursive composites are not supported
via 38247d39e1e libcli/security: conditional ace sddl: do not read nested composites
via 96dbc71e137 libcli/security: conditional ace sddl: do not write nested composites
via 3be69fc3dce fuzzing: fuzz_sddl_parse forgives bad utf-8
via e4da279b1c0 util/str: helper to check for utf-8 validity
via 65674cde60c libcli/security: conditional ACE sddl doesn't have string escapes
via 310c25404b9 libcl/security: conditional ACE sddl >= ops take literal parens only
via 5650b511c1f libcli/security/sddl_conditional_ace: ban empty expressions in SDDL
via b3f92b475c3 lib/fuzzing: fuzz_sddl_parse: allow non-round-trip with long strings
via a2e6df03112 add comment that ace_condition_composite is not representative of the wire format
via 0ac979b2cc6 conditional_aces: Avoid manual parsing for ace_condition_unicode
via 5f4197bfab5 libndr: Add support for pulling strings with LIBNDR_FLAG_STR_SIZE4|LIBNDR_FLAG_STR_NOTERM|LIBNDR_FLAG_STR_BYTESIZE
via b9e90bae699 conditional_aces: Avoid manual parsing for ace_condition_int
via ab531abc52f libcli/security: Check for sddl_from_conditional_ace() failure in test_sddl_conditional_ace
via 03d63fb09b8 libcli/security: Make failure parsing where consumed == -1 clear
via fe835fc3482 Make blob->data pointer in ace_sid_to_claim_v1_sid() a child of the DATA_BLOB
via 793b86f4cbf conditional_aces: Avoid manual parsing for ace_condition_bytes, use DATA_BLOB
via 94d1cfbd85b conditional_aces: Avoid manual parsing for ace_condition_sid
via 1e45a4d10a5 libcli/security: access_check handles CALLBACK_OBJECT types
via c5345f18d71 libcli/security: se_access_check uses new callback checks
via 5d6f0927f54 libcli/security: sec_access_check_ds uses new callback ACE checks
via 117d4c55006 libcli/security: access_check with MAXIMUM_ALLOWED checks callbacks
via 588a339df7c libcli/security: adjust tests for evaluate_claims flag
via e3f28c2ecf6 libcli/security: Hook in ability to disable conditional ACE evaluation
via c8c86b81036 s3-lib: Modify merge_nt_token() into a GPO-specifc merge with SYSTEM
via d9e268db0cf python: Change the generic merge_nt_token() to being specific to the system_token
via d027200a02e libgpo: Reimplmeent registry_create_system_token() using get_system_token()
via dc7dc6f549b libcli/security: Rename dup_nt_token() -> security_token_duplicate()
via 13d3c6156f9 libcli/security: Move dup_nt_token() to libcli/security
via 4e8e35de7fe s3-winbind: Use token as parent for token->sids in check_info3_in_group()
via 934b0335500 s3-net_rpc: Make the struct user_token array the parent talloc context
via a8210ab1ae4 s3-net_rpc: Use security_token_initialise() to create struct security_token
via e2cc29d132b libcli/security: Pass in claims evaluation state when building any security token
via f1fcbc0f101 s4-auth: pass lp_ctx to auth_generate_session_info() where possible
via 1223b89d818 docs-xml: Add new parameter "acl claims evaluation"
via 5696f66d1dd librpc: Add context as to if this token should be used for claims evaluation
via c9cf90aee86 s3-lib/util_nttoken: Reimplement dup_nt_token() with NDR pull/push
via f8215ed3434 librpc/ndr_claims: avoid 'bin/default' in #include
via 978a9e46bb6 pytest: conditional_ace assembler assembles full descriptor
via 14492945429 libcli/security: beginning of tests for conditional ACE bytes
via 15fe49a2f9b pytest: assembler for conditional ACEs
via cc17c3e21df lib/fuzzing: adjust access-check seed patch
via ea4caa45ab3 lib/fuzzing: fuzz_conditional_ace_blob
via c6a62d69ca9 lib/fuzzing: adapt fuzz_sddl_access_check for claims
via b7bd1f438be libcli/security: conditional ace access checks for file server
via 327861dc1fc libcli/security: conditional ace access checks for AD
via b65ac10096b pytest:conditional_ace_claims: ease export of failing tests to C
via 30e6249d228 pytest: tests for conditional ACEs with security tokens
via 044370a0e19 pytest: tools for creating security tokens
via b7ae4304b14 libcli/security: cmocka test for running conditional ACEs
via e2a4f20d409 libcli/security/conditional ACEs: compare composites as sets
via 924d59fd82a security.idl: drop claim v1 reserved field
via fabc2f351eb pytest: sddl tests with conditional ACEs
via c13684e672f libcli/security/tests: add some test strings
via 2a4fc3fedf4 pytest: sddl strings dir can be defined in class
via 2f30103f922 pytest: sddl tests can be only externally defined
via d7c0948d1a6 libcli/security: windows-sddl-test: fix read of text examples
via ee386021706 libcli/security: windows-sddl-test: fix typo in --help
via 28d23377741 pytest:security_descriptors: test collected conditional ACEs
via a392b40328e pytest:security descriptors: hack to capture results as json
via 901f77c5436 pytest: security descriptors: test some conditional and RA ACEs
via 7b9462faf05 pytest: security_descriptors: tests without revision number hack
via afec8524bcd libcli/security: use sec_object_ace() in size_security_ace
via b6a665cc8e8 librpc/ndr:ndr_sec_helper: fix a typo
via 63be8401201 pytest: security_descriptors test for repetitive ACLs
via 5569c17741f pytest: security_descriptors comparison is quieter
via 829d77b4a02 s4/librpc: build conditional ace Python bindings
via 295c609f5a2 lib/fuzzing: fuzz SDDL conditional ACEs
via e4865a3ba15 libcli/security: test SDDL compilation in cmocka
via b08093ed9d2 lbcli/security: callback object ACES fall back with no GUID
via 2923898e88d libcli/security/create_descriptor: calc_inherited handles new types
via 1cc8888b549 libcli/security: SDDL: add callback and resource ace type flags
via 3959fba37a7 libcli/security: sddl_encode_ace encodes resource attribute ACEs
via ed52c9ed36b libcli/security: sddl_encode_ace encodes conditional ACEs
via 6683d611e14 libcli/security: sdd_decode_ace handles resource attribute types
via 84fa39722fe libcli/security: sdd_decode_ace handles callback types
via e88ea32c21e libcli/security: add conditional ace files to samba-security
via d6bd491efcb libcli:security: add code to interpret conditional ACES
via 4b8e9e3f0ca libcli:security: add functions to decode and decode RA ACEs
via 969cb79daef libcli/security: add conditional ACE SDDL functions
via 6f588a1fc50 libcli:security: helpers for converting claim types
via 94f0a1083a4 libcli:security: outline for sddl_conditional_ace.c
via 140f7466a45 libcli/security: add stub of conditional ACE code.
via 672fc0a1abb libcli/security: find SDDL coda for RA and conditional ACEs
via cdd9424e4f3 libcli/security: whitespace repair in sddl.c
via a8e3f5d33f6 ndr_sec_helper: ace length should be multiple of 4
via 5e1ed7b71f0 ndr_sec_helper: ndr_size_security_ace: do less work
via df8eec384fe librpc:security.idl: add conditional ace coda
via e8192dddf3b libcli/sec: reformat long line in wscript_build
via 40d9b08db4b librpc:security.idl: ace->coda can be resource attribute
via 498c4110173 libcli/security: callback object aces are object aces
via 762646b5aaa libcli/security: use tabs in sec_ace_object()
via e81e98c4854 libcli/security: helper to find ACEs with meaningful codas
via 41e1b6957ae libcli/security: helper to find resource attribute ACEs
via 617cfa0e965 libcli/security: helper to find callback/conditional aces
via 34aa33a1a4f security.idl: use sec_ace_object() in object switch
via 4ef7845b570 security.idl: extend security token with device SIDs
from d7394a90f51 testparm: Allow idmap ranges overlap for idmap_nss
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 3b6c1f1a9c47d8d76a7cd946468c1c42e4fb097a
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Sep 22 16:29:51 2023 +1200
libcli/security: condtional ACE recursive composites are not supported
We can't add them via SDDL on Windows, and they aren't useful for
claims.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Sep 27 00:41:26 UTC 2023 on atb-devel-224
commit 38247d39e1e98cab50d9911b0aa0ee4eb309114b
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Sep 22 16:31:36 2023 +1200
libcli/security: conditional ace sddl: do not read nested composites
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 96dbc71e137ea65df11d1a8cec089fde2d070ba6
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Sep 22 16:30:41 2023 +1200
libcli/security: conditional ace sddl: do not write nested composites
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3be69fc3dcedee77d8eacf7cf82d0f33df2d42fe
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Sep 22 15:19:32 2023 +1200
fuzzing: fuzz_sddl_parse forgives bad utf-8
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e4da279b1c06711c27e2aa1a4e36f35b674eaca4
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Jul 6 15:31:52 2023 +1200
util/str: helper to check for utf-8 validity
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 65674cde60ca21d2f451f5e68f6b7cb7d1e339a4
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Sep 22 14:16:35 2023 +1200
libcli/security: conditional ACE sddl doesn't have string escapes
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 310c25404b92bf155f375070b1bb637b0f0d6bcf
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Sep 22 12:02:56 2023 +1200
libcl/security: conditional ACE sddl >= ops take literal parens only
You can't do things like '(a == b) == (c < d)'.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5650b511c1fb98106942ca2829bd4fcfdae4eca1
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Sep 22 12:53:42 2023 +1200
libcli/security/sddl_conditional_ace: ban empty expressions in SDDL
The trouble is with expressions like "(!(()))", which boil down to a
single NOT operation with no argument, which is invalid and can't be
run or expressed as SDDL.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b3f92b475c31bd2a4423c7531c62cc621bb102e6
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Sep 21 15:03:23 2023 +1200
lib/fuzzing: fuzz_sddl_parse: allow non-round-trip with long strings
There is a borderline case where a conditional ACE unicode string
becomes longer than the SDDL parser wants to handle when control
characters are given canonical escaping. This can make the round trip
fail, but it isn't really a problem.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a2e6df03112b31d671288a8db303dff37ecaa054
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 21 16:08:52 2023 +1200
add comment that ace_condition_composite is not representative of the wire format
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 0ac979b2cc67d178327f2171bfac40186c40c70c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 21 12:26:15 2023 +1200
conditional_aces: Avoid manual parsing for ace_condition_unicode
A consequence of this is that we remove the confusing "length"
from the IDL, as it was the internal UTF8 length, not a wire
value. We use null terminated strings internally now.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 5f4197bfab5e30c576b9e5c75720a9f8606686ba
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 21 14:55:10 2023 +1200
libndr: Add support for pulling strings with LIBNDR_FLAG_STR_SIZE4|LIBNDR_FLAG_STR_NOTERM|LIBNDR_FLAG_STR_BYTESIZE
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit b9e90bae6993ab9d13853e9295f34eee7b469dc6
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 21 12:03:27 2023 +1200
conditional_aces: Avoid manual parsing for ace_condition_int
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit ab531abc52f9fff5d27f18861603d1ebfc963bd1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 21 11:56:58 2023 +1200
libcli/security: Check for sddl_from_conditional_ace() failure in test_sddl_conditional_ace
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 03d63fb09b8d4062f4a7f16e46941fbf2741b6a2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 21 11:56:25 2023 +1200
libcli/security: Make failure parsing where consumed == -1 clear
This was caught by the next condition, but this is clearer.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit fe835fc348284f388446514ee5acc479bd36900d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 20 09:36:43 2023 +1200
Make blob->data pointer in ace_sid_to_claim_v1_sid() a child of the DATA_BLOB
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 793b86f4cbfa763002246b6ff1cd1197622704ca
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 21 12:55:53 2023 +1200
conditional_aces: Avoid manual parsing for ace_condition_bytes, use DATA_BLOB
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 94d1cfbd85b60fc2f8495bd3c46377aa8564d074
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 20 09:31:31 2023 +1200
conditional_aces: Avoid manual parsing for ace_condition_sid
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 1e45a4d10a5c7b79ae73f6cf4173f9112cbade12
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Mon Sep 25 14:36:59 2023 +1300
libcli/security: access_check handles CALLBACK_OBJECT types
These are like an object type if the callback (i.e. conditional ACE
conditions) succeeds, otherwise they are ignored.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c5345f18d710edff0a67144e2b539e18f1808ede
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 20 17:35:18 2023 +1200
libcli/security: se_access_check uses new callback checks
With the last caller of check_callback_ace_access() gone, so is that
function.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5d6f0927f5416c0bae057a2b5d0032bf4607e323
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 13 17:24:57 2023 +1200
libcli/security: sec_access_check_ds uses new callback ACE checks
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 117d4c55006da88c6117f9d4dfec8347bc589ea6
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 13 17:25:52 2023 +1200
libcli/security: access_check with MAXIMUM_ALLOWED checks callbacks
To help clarify the logic, we make new functions that separate the
deny and allow cases, which helps keep track of what 'yes' and 'no'
mean and which incorporate the logic of token->evaluate_claims
handling, which determines when we want to run a conditional ACE, when
we want to ignore it, and when we want to take offence. In the case
when we decide to run it, we then need to decide whether to apply it
or ignore it based on the result. This last bit differs between allow
and deny aces, hence the two functions.
These functions will replace check_callback_ace_access() over the next
few commits.
In the case where token->evaluate_claims is
CLAIMS_EVALUATION_INVALID_STATE and the DACL contains a conditional
ACE, the maximum allowed is 0, as if it was a "deny everything" ACE.
This is an unexpected case. Most likely the evaluate_claims state
will be NEVER or ALWAYS. In the NEVER case the conditional ACE is
skipped, as would have happened in all cases before 4.20, while in the
ALWAYS case the conditional ACE is run and applied if successful.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
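An added example, not code from the Samba tree, modelling the evaluate_claims handling described in the commit message above for a MAXIMUM_ALLOWED check. All type and function names are hypothetical, conditions are pre-evaluated, and every ACE is assumed to match the token's SIDs. Treating an unknown result as applying for deny ACEs but not for allow ACEs follows the three-valued logic in MS-DTYP and is an assumption, not something the commit message states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for this example; not Samba's definitions. */
enum claims_eval { EVAL_INVALID_STATE, EVAL_NEVER, EVAL_ALWAYS };
enum cond_result { COND_FALSE, COND_TRUE, COND_UNKNOWN };
enum ace_kind { ACE_ALLOW, ACE_DENY, ACE_COND_ALLOW, ACE_COND_DENY };
enum ace_verdict { ACE_SKIP, ACE_APPLY, ACE_OFFENCE };

struct toy_ace {
	enum ace_kind kind;
	uint32_t mask;
	enum cond_result cond; /* pre-evaluated; meaningful for conditional ACEs only */
};

/* Allow case: run only in ALWAYS, apply only on a definite TRUE. */
static enum ace_verdict callback_allow(enum claims_eval state, enum cond_result r)
{
	switch (state) {
	case EVAL_NEVER:
		return ACE_SKIP;              /* behave as if the ACE were absent */
	case EVAL_ALWAYS:
		return (r == COND_TRUE) ? ACE_APPLY : ACE_SKIP;
	default:
		return ACE_OFFENCE;           /* unexpected state: fail closed */
	}
}

/* Deny case: run only in ALWAYS, apply unless the result is a definite FALSE
 * (assumption: UNKNOWN denies, per MS-DTYP). */
static enum ace_verdict callback_deny(enum claims_eval state, enum cond_result r)
{
	switch (state) {
	case EVAL_NEVER:
		return ACE_SKIP;
	case EVAL_ALWAYS:
		return (r == COND_FALSE) ? ACE_SKIP : ACE_APPLY;
	default:
		return ACE_OFFENCE;
	}
}

/* Order-sensitive maximum-allowed walk: the first ACE to mention a bit wins. */
uint32_t toy_max_allowed(const struct toy_ace *dacl, size_t n,
			 enum claims_eval state)
{
	uint32_t granted = 0, denied = 0;

	for (size_t i = 0; i < n; i++) {
		enum ace_verdict v = ACE_APPLY;
		bool is_deny = dacl[i].kind == ACE_DENY ||
			       dacl[i].kind == ACE_COND_DENY;

		if (dacl[i].kind == ACE_COND_ALLOW) {
			v = callback_allow(state, dacl[i].cond);
		} else if (dacl[i].kind == ACE_COND_DENY) {
			v = callback_deny(state, dacl[i].cond);
		}
		if (v == ACE_OFFENCE) {
			return 0;             /* as if it were "deny everything" */
		}
		if (v == ACE_SKIP) {
			continue;
		}
		if (is_deny) {
			denied |= dacl[i].mask & ~granted;
		} else {
			granted |= dacl[i].mask & ~denied;
		}
	}
	return granted;
}

/* Constructed sample DACLs (not taken from the Samba tests). */
static const struct toy_ace dacl_allow[] = {
	{ ACE_ALLOW, 0x01, COND_FALSE },
	{ ACE_COND_ALLOW, 0x1e, COND_TRUE },
};
static const struct toy_ace dacl_deny[] = {
	{ ACE_COND_DENY, 0x10, COND_UNKNOWN },
	{ ACE_ALLOW, 0x1f, COND_FALSE },
};
static const struct toy_ace dacl_plain[] = {
	{ ACE_ALLOW, 0x1f, COND_FALSE },
};

int main(void)
{
	static const char *names[] = { "INVALID_STATE", "NEVER", "ALWAYS" };

	for (int s = EVAL_INVALID_STATE; s <= EVAL_ALWAYS; s++) {
		printf("%-13s allow=0x%02x deny=0x%02x plain=0x%02x\n", names[s],
		       (unsigned)toy_max_allowed(dacl_allow, 2, (enum claims_eval)s),
		       (unsigned)toy_max_allowed(dacl_deny, 2, (enum claims_eval)s),
		       (unsigned)toy_max_allowed(dacl_plain, 1, (enum claims_eval)s));
	}
	return 0;
}
```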
commit 588a339df7c178741ffdc0e5ecffc0e21c8118ba
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 20 10:30:23 2023 +1200
libcli/security: adjust tests for evaluate_claims flag
Most tests were prepared in advance, but we left these ones to test
the change.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e3f28c2ecf6a8cd335d21e1dbf8d247520de2177
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Sep 15 12:36:56 2023 +1200
libcli/security: Hook in ability to disable conditional ACE evaluation
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit c8c86b81036f5f1b38264b3120e04d4f80e8f3a0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Sep 15 12:08:20 2023 +1200
s3-lib: Modify merge_nt_token() into a GPO-specifc merge with SYSTEM
By making this specific to the only use case, merging with the SYSTEM
token for GPOs, we avoid having to merge the claims, as there are none
for SYSTEM.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit d9e268db0cf3c605aad25cd3b3c065afc6b993b5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Sep 15 12:07:25 2023 +1200
python: Change the generic merge_nt_token() to being specific to the system_token
This allows us to punt on the question of merging the claims, as there are
none on the system token.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit d027200a02e07c6a80e5bf3854af836d10b01b7d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Sep 15 10:52:51 2023 +1200
libgpo: Reimplmeent registry_create_system_token() using get_system_token()
This helps ensure we have a smaller number of places that
a struct security_token starts from.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit dc7dc6f549b8e3df31d3b5c92d6cca4a0152d8f1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Sep 15 10:08:01 2023 +1200
libcli/security: Rename dup_nt_token() -> security_token_duplicate()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 13d3c6156f9f17d433f96dca9124d10187aac874
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Sep 15 17:31:44 2023 +1200
libcli/security: Move dup_nt_token() to libcli/security
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 4e8e35de7fe18495604744cbfcb922121c42a257
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 27 09:42:55 2023 +1300
s3-winbind: Use token as parent for token->sids in check_info3_in_group()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 934b033550038ee84befff005946c3fa11b6b5cf
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 27 09:35:19 2023 +1300
s3-net_rpc: Make the struct user_token array the parent talloc context
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit a8210ab1ae4639723b666c494c17a59bc8fe601f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 27 08:39:04 2023 +1300
s3-net_rpc: Use security_token_initialise() to create struct security_token
This ensures that the full structure is initialised now and in the
future.
Because this is now a talloc based structure, we can now use
add_sid_to_array_unique() rather than a reimplementation in this file.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit e2cc29d132b9f99417e8a522c97571438ca51e5a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 14 22:09:50 2023 +1200
libcli/security: Pass in claims evaluation state when building any security token
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit f1fcbc0f101993c6e461d56446f4bca6b672905f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Sep 15 10:28:34 2023 +1200
s4-auth: pass lp_ctx to auth_generate_session_info() where possible
For non-testing callers of auth_generate_session_info(), passing
lp_ctx will allow us to correctly set a flag indicating if claims
should be evaluated.
For testing applications, the default will allow safe operation
inspecting the SID list.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 1223b89d81892ead52267a31afea40f14c4f2a09
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 14 21:20:39 2023 +1200
docs-xml: Add new parameter "acl claims evaluation"
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 5696f66d1dd2a5c46e336ff7029aac687b88cdf7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 14 21:04:34 2023 +1200
librpc: Add context as to if this token should be used for claims evaluation
Claims evaluation is added to the core se_access_check() library, but
not all callers provide claims in the security_token and we want to
be able to disable this new and complex code if needed.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit c9cf90aee864d8131dc386d61f3e35602c2ed63c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 14 18:24:36 2023 +1200
s3-lib/util_nttoken: Reimplement dup_nt_token() with NDR pull/push
The struct security_token can now contain complex claims as well as SIDs
so we can no longer just duplicate it by hand. Instead let PIDL and libndr
do the hard work for us.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit f8215ed3434cee9107fb8e58d67bd7e36bbf2a73
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 13 11:31:55 2023 +1200
librpc/ndr_claims: avoid 'bin/default' in #include
Obviously it works fine, but we don't do it anywhere else.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 978a9e46bb624aa8e6d13ca589d3c99b438328be
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Sep 15 15:24:20 2023 +1200
pytest: conditional_ace assembler assembles full descriptor
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 144929454293aac034e80ff8204ac76205f0ead1
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 13 15:12:52 2023 +1200
libcli/security: beginning of tests for conditional ACE bytes
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 15fe49a2f9ba006f298616ff7376a7bb4cb4178e
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Mon Sep 4 10:11:51 2023 +1200
pytest: assembler for conditional ACEs
This is a helper module to construct conditional ACEs that can't be
created from SDDL.
There is a semi-infinite number of valid conditional ACEs that don't
have SDDL representations, and an even larger number of invalid (or
borderline invalid) ACEs.
This allows us to create those ACEs without having to deal with too
many arrays of numbers.
The next commit provides an example of its use.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cc17c3e21dfc88f5344696b53686b233f4419c28
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Jul 21 10:51:29 2023 +1200
lib/fuzzing: adjust access-check seed patch
Now that access_check.c includes headers for conditional ACEs, the patch
should take that into account.
Also, we check for a talloc failure.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ea4caa45ab3c76c47b965df913e1286367a0d07f
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Jun 29 15:15:08 2023 +1200
lib/fuzzing: fuzz_conditional_ace_blob
This parses the blob as a conditional ACE, and if possible tries
decompiling it into SDDL.
There are not many round-trip assertions we can honestly make, but we
keep the trip going as long as possible, in case it reveals anything.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c6a62d69ca9dfef2062e0ce1df0c003cafc4e4ce
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Jul 12 13:03:53 2023 +1200
lib/fuzzing: adapt fuzz_sddl_access_check for claims
The token has more stuff in it.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b7bd1f438bef450dec891d6cab672d689e8c555f
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 13 17:25:34 2023 +1200
libcli/security: conditional ace access checks for file server
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 327861dc1fce1c1cd1b7046ef2aab86d30fc9f5d
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Jun 29 15:15:43 2023 +1200
libcli/security: conditional ace access checks for AD
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b65ac10096be77db572526110f378a4edc38cb35
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Aug 23 15:23:29 2023 +1200
pytest:conditional_ace_claims: ease export of failing tests to C
When a test fails, this prints a little stanza like
    static void test_something(void **state)
    {
            INIT();
            USER_SIDS("WD", "AA");
            DEVICE_SIDS("BA", "BG");
            SD("D:(XA;;0x1f;;;AA;(! Member_of{SID(AA)}))");
            DENY_CHECK(0x10);
    }
which is exactly right for copying into
libcli/security/tests/test_run_conditional_ace.c
which is much easier to iterate over with compiling and debugging.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 30e6249d228dd2c499038e512c8065edb99c53f5
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Aug 24 13:44:17 2023 +1200
pytest: tests for conditional ACEs with security tokens
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 044370a0e193d95722d975555ab216ea42c8e639
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Jul 12 17:22:24 2023 +1200
pytest: tools for creating security tokens
Sometimes we need security tokens for tests, and the raw constructor
is not very ergonomic. This wraps it so you can do this:
    from samba.tests.token_factory import token as Token
    t = Token(['WD', 'AA'],
              privileges=['SEC_PRIV_DEBUG'],
              rights=0x840,
              device_claims={'wheels': 2, 'smelly': 'no'},
              device_sids=['BG'])
and get a security.token object with the expected qualities.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b7ae4304b14648112bc199e571abdacb19e84cea
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Jul 12 17:21:22 2023 +1200
libcli/security: cmocka test for running conditional ACEs
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e2a4f20d40909efea2421c7ab3b714f005639b7d
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 13 10:21:49 2023 +1200
libcli/security/conditional ACEs: compare composites as sets
... or at least settishly.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 924d59fd82abf3694da67b0b6714a130c81f8459
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Tue Sep 12 13:51:37 2023 +1200
security.idl: drop claim v1 reserved field
It isn't used and ended up filled with junk. The alignment works out.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fabc2f351ebde9986c75316dcf0a7376b9eefe6a
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Aug 24 13:44:41 2023 +1200
pytest: sddl tests with conditional ACEs
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c13684e672f356b02aba85fca2e5625f0650afc4
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Sep 7 15:38:07 2023 +1200
libcli/security/tests: add some test strings
These will soon be used by python/samba/tests/sddl_conditional_ace.py,
and are a format understood by the Windows programs in
libcli/security/tests/windows.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2a4fc3fedf46faa78063de3de6841936cc24720e
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Sep 7 15:27:21 2023 +1200
pytest: sddl strings dir can be defined in class
Before we had to do this in an environment variable. In that case we
are probably wanting to monitor changes, so we like it to print more
messages than we want to see in an autobuild run that will hopefully
never do anything interesting.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2f30103f922e755901132600cc8ea6924df0e75c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Sep 7 11:19:21 2023 +1200
pytest: sddl tests can be only externally defined
Currently a test suite needs a strings list in order to import new
strings. This lets us avoid that and have the actual tests defined
only in external lists, making it easier to see we're testing the same
thing on Windows and reducing duplication.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d7c0948d1a6d14a65da638c5f58e7627aaa204e9
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Tue Sep 12 11:55:55 2023 +1200
libcli/security: windows-sddl-test: fix read of text examples
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ee386021706fe7410864c2afd8c7f690393fc90f
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Sep 7 14:38:49 2023 +1200
libcli/security: windows-sddl-test: fix typo in --help
found by Rob van der Linde.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 28d23377741562468f283ff752fdb7efe54848b7
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 6 11:51:15 2023 +1200
pytest:security_descriptors: test collected conditional ACEs
These tests were named in the superclass, but were not actually run,
nor was the file in git.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a392b40328e7e5aae339c89da898ee78dc166e4c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Tue Sep 5 11:27:33 2023 +1200
pytest:security descriptors: hack to capture results as json
This makes it easy to separate a large number of examples into
successes and knownfails.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 901f77c54369125734371e02d6ab837406995723
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Tue Sep 5 11:27:00 2023 +1200
pytest: security descriptors: test some conditional and RA ACEs
We have two sets of tests: one that will succeed, and one that is going
to remain a knownfail. The latter involves Resource Attribute ACEs that
have the TX type, meaning "byte string".
In MS-DTYP, a bytestring is defined like "#6869210a", with a hash,
followed by an even number of hex digits. In other places on the web, it
is mentioned that zeroes in the string can be replaced by hashes, like so
"#686921#a". We discover via indirect fuzzing that a TX RA ACE can also
take bare integers, like "6869210a" or "2023". As it would be tricky to
support this, and there is no evidence of this occurring in the wild, we
will probably leave this as a knownfail.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7b9462faf05e1235d0a09dbf061ea65cf22e5c12
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Aug 9 14:15:27 2023 +1200
pytest: security_descriptors: tests without revision number hack
ACL revision 4 (SECURITY_ACL_REVISION_ADS) is effectively a superset
of revision 2 (SECURITY_ACL_REVISION_NT4), so any revision 2
ACL can be called revision 4 without any problem. But not vice versa:
a revision 4 ACL can contain ACE types that a revision 2 ACL can't. The
extra ACE types relate to objects.
Samba currently simplifies things by calling all its ACLs revision 4,
even if (as is commonly the case) the ACLs contain only revision 2 ACEs.
On the other hand, Windows will use revision 2 whenever it can. In other
tests we skip past this by forcing Windows ACLs to v4 before comparison.
This test is to remind us of the incompatibility.
It would not be hard to fix.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit afec8524bcd39ca3a2a8465fd9d95522c902243c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Aug 23 11:25:41 2023 +1200
libcli/security: use sec_object_ace() in size_security_ace
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b6a665cc8e8bcc771df513ce005a04fe5f03a441
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Aug 23 11:24:46 2023 +1200
librpc/ndr:ndr_sec_helper: fix a typo
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 63be840120157e4587465f5435aa7829762e34bf
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Tue Sep 5 10:56:43 2023 +1200
pytest: security_descriptors test for repetitive ACLs
If there are multiple identical ACEs in an SDDL ACL, Windows will decode
them all and put extra trailing zeroes at the end of the ACL.
In contrast, Samba will decode the ACEs and not put extra zeroes at the
end.
The problem comes when Samba tries to read a binary ACL from Windows that
has the extra zeroes, because Samba's ACL size calculation is based on
the size of its constituent ACEs, not the ACL size field.
There is no good reason for an ACL to have repeated ACEs, but they could
be added accidentally.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5569c17741f1e06d267d40a345709566bcef62f2
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Aug 9 14:15:27 2023 +1200
pytest: security_descriptors comparison is quieter
This matters when we have a millions failures.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 829d77b4a029b622ed0fef317150df98d112e05e
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Jun 29 15:13:58 2023 +1200
s4/librpc: build conditional ace Python bindings
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 295c609f5a25f20f01abe9321c5c6a75df6ed21b
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Jun 29 15:15:23 2023 +1200
lib/fuzzing: fuzz SDDL conditional ACEs
Here we're not compiling the whole SD, just the single conditional
ACE.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e4865a3ba156124c111956b94abbc05d6da41f4c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Jul 12 17:24:33 2023 +1200
libcli/security: test SDDL compilation in cmocka
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b08093ed9d25c2ad6f0b253c19be970214ec78c1
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 20 11:12:42 2023 +1200
lbcli/security: callback object ACES fall back with no GUID
As with other object ACEs, if there is not a GUID to refer to, the ACE
becomes the corresponding non-object ACE.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2923898e88d5baa7cd056f75e7c7333b70197d2f
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Jul 21 14:36:20 2023 +1200
libcli/security/create_descriptor: calc_inherited handles new types
*_CALLBACK_OBJECT types inherit like other _OBJECT types.
*_CALLBACK types do nothing, like other non-OBJECT types.
We also explicitly throw unused alarm callback types and
SEC_ACE_TYPE_SYSTEM_MANDATORY_LABEL and
SEC_ACE_TYPE_SYSTEM_SCOPED_POLICY_ID into the fire.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1cc8888b549b55568e54a43715c178fab571e43c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Jul 21 17:00:50 2023 +1200
libcli/security: SDDL: add callback and resource ace type flags
With this, Conditional ACEs and Resource Attribute ACEs in SDDL will
be parsed.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3959fba37a7f068be26aa626825bdc7db9f49c6f
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Jul 21 16:53:45 2023 +1200
libcli/security: sddl_encode_ace encodes resource attribute ACEs
Will work when the ace_flags table is updated.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ed52c9ed36b076102f0e59b21a365d9908e51694
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Jul 21 16:53:08 2023 +1200
libcli/security: sddl_encode_ace encodes conditional ACEs
Will work when the ace_flags table is updated.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6683d611e14b358f2cbb2c5f4576cd780e07993f
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Aug 24 16:10:35 2023 +1200
libcli/security: sdd_decode_ace handles resource attribute types
The decoding will not happen until "RA" is added to the ace_types table.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 84fa39722fe653759cb7402af482b4ae099b2d3e
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Aug 24 15:12:01 2023 +1200
libcli/security: sdd_decode_ace handles callback types
Conditional ACEs will not actually be decoded until the CALLBACK types
are added to the ace_types flag table.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e88ea32c21e251e6460b1774b6382226504be6db
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Aug 17 16:39:46 2023 +1200
libcli/security: add conditional ace files to samba-security
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d6bd491efcb4ebb90259d9770eca67e8ec6f91ce
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 6 15:10:37 2023 +1200
libcli:security: add code to interpret conditional ACES
This doesn't actually *do* anything yet, for two reasons:
1. conditional ACEs are not checked in the
libcli/security/access_check.c functions (or anywhere else), and
will be treated just as they are now, as unknown types.
2. this file isn't mentioned in the wscript, so isn't compiled.
We'll get to point 2 first.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4b8e9e3f0ca1295ea177523fd8f0b97679c8a729
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 6 15:51:23 2023 +1200
libcli:security: add functions to decode and decode RA ACEs
Resource Attribute ACEs have similar syntactical components to
conditional ACEs -- enough so that it is worth reusing the same
functions, but not quite enough so that it is exactly simple.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 969cb79daef7ba40240a5bdf51351bcacf3584a4
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 6 15:50:43 2023 +1200
libcli/security: add conditional ACE SDDL functions
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6f588a1fc50cd947ff18aeefade17527850b2275
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Jun 29 15:16:20 2023 +1200
libcli:security: helpers for converting claim types
There are three different forms for claims, and we need to convert
between them.
For now, we are only going to be converting between conditional ACE
type and the CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 type used by
resource ACEs and in the security token, and later we will add the PAC
claim types.
It doesn't help that these all have incompatible definitions, but we
do our best.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 94f0a1083a411d3733919d899386fbb5feed1a63
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Jul 12 17:21:06 2023 +1200
libcli:security: outline for sddl_conditional_ace.c
This is to show where we're going to end up.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 140f7466a457607dce2156e0de695cf31d7a3236
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Jul 12 17:20:44 2023 +1200
libcli/security: add stub of conditional ACE code.
This is just the outline of what will come, but first we'll add
conditional ACE SDDL decoding in sddl_conditional_ace.c
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 672fc0a1abbf65eca63337e75296a828c79aaabf
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Aug 24 15:08:13 2023 +1200
libcli/security: find SDDL coda for RA and conditional ACEs
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cdd9424e4f3ad161ec138f334a6e86761820a077
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Jul 21 16:51:53 2023 +1200
libcli/security: whitespace repair in sddl.c
tabs not spaces.
It appears that my emacs got its configuration mixed up and was using
spaces.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a8e3f5d33f6e0b9d4d98d7a2753217f924d1cb2b
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Aug 30 12:14:14 2023 +1200
ndr_sec_helper: ace length should be multiple of 4
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5e1ed7b71f0643210e04fe5f15debc1a551a5576
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Aug 17 10:46:23 2023 +1200
ndr_sec_helper: ndr_size_security_ace: do less work
Almost always the ACE has an `ignored` DATA_BLOB as the coda, and the
length of the coda is the length field of the blob, which is usually
zero.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit df8eec384fe3fa36249ac28f99787e3387eb9063
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Aug 23 12:09:11 2023 +1200
librpc:security.idl: add conditional ace coda
Conditional ACEs go into a DATA_BLOB just like the default ignored
coda, but we add a union field with a different name to preserve
sanity.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e8192dddf3bb72d0e12dd391650e1b62608371f5
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Jan 4 15:56:05 2023 +1300
libcli/sec: reformat long line in wscript_build
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 40d9b08db4ba4ede58f034abab2c35280e549d22
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Aug 23 12:08:41 2023 +1200
librpc:security.idl: ace->coda can be resource attribute
And now we see why security_ace_coda was a union.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 498c41101732bd0dd8c15952327798bcc6e236a5
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Sun Jun 4 11:43:57 2023 +1200
libcli/security: callback object aces are object aces
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 762646b5aaaa0e4b916cd5df6bd133d69772a8f5
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Sun Jun 4 11:43:13 2023 +1200
libcli/security: use tabs in sec_ace_object()
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e81e98c485479f4558c53cc0b7c9f2e31d6b1c67
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Aug 23 12:47:53 2023 +1200
libcli/security: helper to find ACEs with meaningful codas
Only Resource Attribute ACEs and Conditional ACEs are expected to have
trailing data. Others sometimes might, but we don't care what it is.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 41e1b6957ae3aee07fa3abc18237d353bafb92e5
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Aug 23 12:44:26 2023 +1200
libcli/security: helper to find resource attribute ACEs
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 617cfa0e96539d2188b69f14c38246d7ad267c30
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Dec 9 11:42:38 2022 +1300
libcli/security: helper to find callback/conditional aces
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 34aa33a1a4f92546d8dd3cddc743b80ae03dab9c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Aug 23 12:05:45 2023 +1200
security.idl: use sec_ace_object() in object switch
At some point sec_ace_object() is going to gain awareness of
SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT and the like.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4ef7845b5709e25583f6cebcb432bc108cf5c735
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Aug 24 11:58:05 2023 +1200
security.idl: extend security token with device SIDs
A device has SIDs too, and a modern security token needs to know
them in order to interpret conditional expressions like
"Device_member_of".
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
.../smbdotconf/security/aclclaimsevaluation.xml | 42 +
lib/fuzzing/fuzz_conditional_ace_blob.c | 144 +
lib/fuzzing/fuzz_sddl_access_check.c | 82 +-
lib/fuzzing/fuzz_sddl_conditional_ace.c | 119 +
lib/fuzzing/fuzz_sddl_parse.c | 45 +
lib/fuzzing/patches/collect-access-check-seeds.txt | 27 +-
lib/fuzzing/wscript_build | 5 +
lib/param/loadparm.c | 4 +
lib/param/loadparm.h | 6 +
lib/param/param_table.c | 6 +
lib/util/charset/charset.h | 5 +
lib/util/charset/util_unistr.c | 121 +
lib/util/data_blob.c | 1 +
libcli/security/access_check.c | 288 +-
libcli/security/claims-conversions.c | 667 ++++
.../security/claims-conversions.h | 32 +-
libcli/security/conditional_ace.c | 2165 +++++++++++++
libcli/security/conditional_ace.h | 91 +
libcli/security/create_descriptor.c | 31 +-
libcli/security/sddl.c | 242 +-
libcli/security/sddl_conditional_ace.c | 3340 ++++++++++++++++++++
libcli/security/secace.c | 54 +-
libcli/security/secace.h | 3 +
libcli/security/security_token.c | 63 +-
libcli/security/security_token.h | 5 +-
libcli/security/tests/data/conditional_aces.txt | 83 +
.../security/tests/data/conditional_aces.txt.json | 1 +
.../data/conditional_aces_case_insensitive.txt | 1 +
.../tests/data/conditional_aces_should_fail.txt | 14 +
.../tests/data/conditional_aces_windows_only.txt | 14 +
libcli/security/tests/data/oversize-acls.json.gz | Bin 0 -> 2676 bytes
...conditional-and-resource-aces-successes.json.gz | Bin 0 -> 17815 bytes
...rt-conditional-and-resource-aces-tx-int.json.gz | Bin 0 -> 2183 bytes
.../tests/data/short-ordinary-acls-v2.json.gz | Bin 0 -> 7223 bytes
libcli/security/tests/test_run_conditional_ace.c | 668 ++++
libcli/security/tests/test_sddl_conditional_ace.c | 880 ++++++
.../tests/windows/conditional_aces.txt.json | 1 +
.../security/tests/windows/windows-sddl-tests.py | 3 +-
libcli/security/wscript_build | 41 +-
libgpo/gpo_reg.c | 18 +-
libgpo/gpo_util.c | 4 +-
librpc/idl/conditional_ace.idl | 24 +-
librpc/idl/security.idl | 44 +-
librpc/ndr/ndr_claims.c | 2 +-
librpc/ndr/ndr_sec_helper.c | 31 +-
librpc/ndr/ndr_string.c | 6 +
librpc/wscript_build | 5 +
python/samba/gp/gpclass.py | 13 +-
python/samba/tests/conditional_ace_assembler.py | 227 ++
python/samba/tests/conditional_ace_bytes.py | 98 +
python/samba/tests/conditional_ace_claims.py | 397 +++
python/samba/tests/sddl.py | 27 +-
python/samba/tests/sddl_conditional_ace.py | 52 +
python/samba/tests/security_descriptors.py | 90 +-
python/samba/tests/token_factory.py | 239 ++
selftest/knownfail.d/security-descriptors | 3 +
selftest/tests.py | 6 +
source3/auth/token_util.c | 27 +-
source3/include/proto.h | 8 +-
source3/lib/util_nttoken.c | 50 +-
source3/locking/locking.c | 4 +-
source3/param/loadparm.c | 2 +
source3/registry/reg_api.c | 2 +-
source3/smbd/sec_ctx.c | 6 +-
source3/utils/net_rpc.c | 116 +-
source3/utils/ntlm_auth.c | 16 +-
source3/winbindd/winbindd_pam.c | 10 +-
source4/auth/system_session.c | 6 +-
source4/dns_server/dlz_bind9.c | 2 +-
source4/dsdb/samdb/samdb.c | 27 +-
source4/librpc/ndr/py_security.c | 13 +-
source4/librpc/wscript_build | 8 +
source4/selftest/tests.py | 9 +
73 files changed, 10593 insertions(+), 293 deletions(-)
create mode 100644 docs-xml/smbdotconf/security/aclclaimsevaluation.xml
create mode 100644 lib/fuzzing/fuzz_conditional_ace_blob.c
create mode 100644 lib/fuzzing/fuzz_sddl_conditional_ace.c
create mode 100644 libcli/security/claims-conversions.c
copy source3/lib/smbconf/smbconf_reg.h => libcli/security/claims-conversions.h (52%)
create mode 100644 libcli/security/conditional_ace.c
create mode 100644 libcli/security/conditional_ace.h
create mode 100644 libcli/security/sddl_conditional_ace.c
create mode 100644 libcli/security/tests/data/conditional_aces.txt
create mode 100644 libcli/security/tests/data/conditional_aces.txt.json
create mode 100644 libcli/security/tests/data/conditional_aces_case_insensitive.txt
create mode 100644 libcli/security/tests/data/conditional_aces_should_fail.txt
create mode 100644 libcli/security/tests/data/conditional_aces_windows_only.txt
create mode 100644 libcli/security/tests/data/oversize-acls.json.gz
create mode 100644 libcli/security/tests/data/short-conditional-and-resource-aces-successes.json.gz
create mode 100644 libcli/security/tests/data/short-conditional-and-resource-aces-tx-int.json.gz
create mode 100644 libcli/security/tests/data/short-ordinary-acls-v2.json.gz
create mode 100644 libcli/security/tests/test_run_conditional_ace.c
create mode 100644 libcli/security/tests/test_sddl_conditional_ace.c
create mode 100644 libcli/security/tests/windows/conditional_aces.txt.json
create mode 100644 python/samba/tests/conditional_ace_assembler.py
create mode 100644 python/samba/tests/conditional_ace_bytes.py
create mode 100644 python/samba/tests/conditional_ace_claims.py
create mode 100644 python/samba/tests/sddl_conditional_ace.py
create mode 100644 python/samba/tests/token_factory.py
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/security/aclclaimsevaluation.xml b/docs-xml/smbdotconf/security/aclclaimsevaluation.xml
new file mode 100644
index 00000000000..ab72617facd
--- /dev/null
+++ b/docs-xml/smbdotconf/security/aclclaimsevaluation.xml
@@ -0,0 +1,42 @@
+<samba:parameter name="acl claims evaluation"
+ context="G"
+ type="enum"
+ enumlist="enum_acl_claims_evaluation"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls the way Samba handles evaluation of
+ security descriptors in Samba, with regards to Active
+ Directory Claims. AD Claims, introduced with Windows 2012,
+ are essentially administrator-defined key-value pairs that can
+ be set both in Active Directory (communicated via the Kerberos
+ PAC) and in the security descriptor themselves.
+ </para>
+
+ <para>Active Directory claims are new with Samba 4.20.
+ Because the claims are evaluated against a very flexible
+ expression language within the security descriptor, this option provides a mechanism
+ to disable this logic if required by the administrator.</para>
+
+ <para>This default behaviour is that claims evaluation is
+ enabled in the AD DC only. Additionally, claims evaluation on
+ the AD DC is only enabled if the DC functional level
+ is 2012 or later. See <smbconfoption name="ad dc functional
+ level"/>.</para>
+
+ <para>Possible values are :</para>
+ <itemizedlist>
+ <listitem>
+ <para><constant>AD DC only</constant>: Enabled for the Samba AD
+ DC (for DC functional level 2012 or higher).</para>
+ </listitem>
+ <listitem>
+ <para><constant>never</constant>: Disabled in all cases.
+ This option disables some but not all of the
+ Authentication Policies and Authentication Policy Silos features of
+ the Windows 2012R2 functional level in the AD DC.</para>
+ </listitem>
+ </itemizedlist>
+</description>
+
+<value type="default">AD DC only</value>
+</samba:parameter>
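Review bot: The description has wording slips that will be carried into the smb.conf manpage: "This default behaviour is" should read "The default behaviour is", "in the security descriptor themselves" should be "in the security descriptors themselves", "Possible values are :" has a stray space before the colon, and the opening sentence names Samba twice ("the way Samba handles evaluation of security descriptors in Samba"). The "never" entry says it disables "some but not all" of the Authentication Policies and Authentication Policy Silos features without saying which ones; an administrator choosing this value needs to know which checks stop being enforced, so please name them or point to where that is documented.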
diff --git a/lib/fuzzing/fuzz_conditional_ace_blob.c b/lib/fuzzing/fuzz_conditional_ace_blob.c
new file mode 100644
index 00000000000..aed1cd37c73
--- /dev/null
+++ b/lib/fuzzing/fuzz_conditional_ace_blob.c
@@ -0,0 +1,144 @@
+/*
+ Fuzz conditional ace decoding and encoding
+ Copyright (C) Catalyst IT 2023
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "replace.h"
+#include "libcli/security/security.h"
+#include "lib/util/attr.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/conditional_ace.h"
+#include "librpc/gen_ndr/conditional_ace.h"
+#include "fuzzing/fuzzing.h"
+
+
+#define MAX_LENGTH (1024 * 1024 - 1)
+
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+ return 0;
+}
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
+{
+ TALLOC_CTX *mem_ctx = NULL;
+ bool ok;
+ struct ace_condition_script *s1 = NULL;
+ struct ace_condition_script *s2 = NULL;
+ const char *message = NULL;
+ size_t message_offset;
+ const char *sddl = NULL;
+ DATA_BLOB e1, e2;
+ size_t length;
+
+ if (len > MAX_LENGTH) {
+ return 0;
+ }
+
+ /*
+ * In this one we are treating the input data as an ACE blob,
+ * and decoding it into the structure and thence SDDL.
+ *
+ * This doesn't run the conditional ACE, for which we would
+ * need a security token.
+ */
+
+ e1.data = input;
+ e1.length = len;
+
+ mem_ctx = talloc_new(NULL);
+
+ s1 = parse_conditional_ace(mem_ctx, e1);
+ if (s1 == NULL) {
+ /* no worries, it was nonsense */
+ TALLOC_FREE(mem_ctx);
+ return 0;
+ }
+
+ /* back to blob form */
+ ok = conditional_ace_encode_binary(mem_ctx, s1, &e2);
+ if (! ok) {
+ abort();
+ }
+
+ if (data_blob_cmp(&e1, &e2) != 0) {
+ abort();
+ }
+
+ sddl = sddl_from_conditional_ace(mem_ctx, s1);
+ if (sddl == NULL) {
+ /*
+ * we can't call this a failure, because the blob
+ * could easily have nonsensical programs that the
+ * SDDL decompiler is unwilling to countenance. For
+ * example, it could have an operator that requires
+ * arguments as the first token, when of course the
+ * arguments need to come first.
+ */
+ TALLOC_FREE(mem_ctx);
+ return 0;
+ }
+
+ s2 = ace_conditions_compile_sddl(mem_ctx,
+ sddl,
+ &message,
+ &message_offset,
+ &length);
+ if (s2 == NULL) {
+ /*
+ * We also don't complain when the SDDL decompiler
+ * produces an uncompilable program, because the
+ * decompiler is meant to be a display tool, not a
+ * verifier in itself.
+ */
+ TALLOC_FREE(mem_ctx);
+ return 0;
+ }
+
+ ok = conditional_ace_encode_binary(mem_ctx, s2, &e2);
+ if (! ok) {
+ abort();
+ }
+
+ /*
+ * It would be nice here to go:
+ *
+ * if (data_blob_cmp(&e1, &e2) != 0) {
+ * abort();
+ * }
+ *
+ * but that isn't really fair. The docompilation into SDDL
+ * does not make thorough sanity checks because that is not
+ * its job -- it is just trying to depict what is there -- and
+ * there are many ambiguous decompilations.
+ *
+ * For example, a blob with a single literal integer token,
+ * say 42, can only really be shown in the SDDL syntax as
+ * "(42)", but when the compiler reads that it knows that a
+ * literal number is invalid except in a RHS argument, so it
+ * assumes "42" is a local attribute name.
+ *
+ * Even if the decompiler was a perfect verifier, a round trip
+ * through SDDL could not be guaranteed because, for example,
+ * an 8 bit integer can only be displayed in SDDL in the form
+ * that compiles to a 64 bit integer.
+ */
+
+ TALLOC_FREE(mem_ctx);
+ return 0;
+}
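Review bot: The result of talloc_new(NULL) is passed straight to parse_conditional_ace() without a NULL check; a short "if (mem_ctx == NULL) return 0;" would keep an allocation failure from being reported as a parser finding. In the same setup block, "e1.data = input;" stores the fuzzer's const uint8_t pointer in a DATA_BLOB; unless the data member is const-qualified this drops the qualifier, so an explicit discard-const or a copy would document that nothing downstream writes to the input. The first round trip aborts when e2 differs from e1, which asserts that every blob the parser accepts re-encodes byte for byte; a comment stating that this is the intended invariant (as the closing comment does for the SDDL round trip, where it is not) would help whoever triages a crash here. Minor: "docompilation" in the final comment should be "decompilation".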
diff --git a/lib/fuzzing/fuzz_sddl_access_check.c b/lib/fuzzing/fuzz_sddl_access_check.c
index 3d9ebdc6111..a7bf7b306ab 100644
--- a/lib/fuzzing/fuzz_sddl_access_check.c
+++ b/lib/fuzzing/fuzz_sddl_access_check.c
@@ -18,8 +18,11 @@
#include "replace.h"
#include "libcli/security/security.h"
+#include "libcli/security/conditional_ace.h"
+#include "libcli/security/claims-conversions.h"
#include "lib/util/attr.h"
#include "librpc/gen_ndr/ndr_security.h"
+#include "librpc/gen_ndr/ndr_conditional_ace.h"
#include "lib/util/bytearray.h"
#include "fuzzing/fuzzing.h"
@@ -29,21 +32,55 @@ static struct security_token token = {0};
static struct dom_sid dom_sid = {0};
/*
- * For this one we initialise a security token to have a few SIDs. The fuzz
- * strings contain SDDL that will be tested against this token in
- * se_access_check() or sec_access_check_ds() -- supposing they compile.
- *
- * When we introduce conditional ACEs and claims (soon!), we'll also add some
- * claims and device SIDs to the token.
+ * For this one we initialise a security token to have a few claims
+ * and SIDs. The fuzz strings contain SDDL that will be tested against
+ * this token in se_access_check() or sec_access_check_ds() --
+ * supposing they compile.
*/
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
size_t i;
- bool ok;
TALLOC_CTX *mem_ctx = talloc_new(NULL);
struct dom_sid *sid = NULL;
+ struct claim_def {
+ const char *type;
+ const char *name;
+ const char *claim_sddl;
+ } claims[] = {
+ {
+ "user",
+ "shoe size",
+ "44"
+ },
+ {
+ "user",
+ "©",
+ "{\"unknown\", \"\", \" ←ā\"}"
+ },
+ {
+ "device",
+ "©",
+ "{\"unknown\", \" \", \" ←ā\"}"
+ },
+ {
+ "device",
+ "least favourite groups",
+ "{SID(S-1-1-0),SID(S-1-5-3),SID(S-1-57777-333-33-33-2)}"
+ },
+ {
+ "local",
+ "birds",
+ "{\"tern\"}"
+ },
+ };
+
+ const char * device_sids[] = {
+ "S-1-1-0",
+ "S-1-333-66",
+ "S-1-2-3-4-5-6-7-8-9",
+ };
const char * user_sids[] = {
"S-1-333-66",
"S-1-16-8448",
@@ -51,7 +88,7 @@ int LLVMFuzzerInitialize(int *argc, char ***argv)
};
for (i = 0; i < ARRAY_SIZE(user_sids); i++) {
- sid = dom_sid_parse_talloc(mem_ctx, user_sids[i]);
+ sid = sddl_decode_sid(mem_ctx, &user_sids[i], NULL);
if (sid == NULL) {
abort();
}
@@ -59,6 +96,32 @@ int LLVMFuzzerInitialize(int *argc, char ***argv)
&token.sids,
&token.num_sids);
}
+
+ for (i = 0; i < ARRAY_SIZE(device_sids); i++) {
+ sid = sddl_decode_sid(mem_ctx, &device_sids[i], NULL);
+ if (sid == NULL) {
+ abort();
+ }
+ add_sid_to_array(mem_ctx, sid,
+ &token.device_sids,
+ &token.num_device_sids);
+ }
+
+ for (i = 0; i < ARRAY_SIZE(claims); i++) {
+ struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim = NULL;
+ struct claim_def c = claims[i];
+
+ claim = parse_sddl_literal_as_claim(mem_ctx,
+ c.name,
+ c.claim_sddl);
+ if (claim == NULL) {
+ abort();
+ }
+ add_claim_to_token(mem_ctx, &token, claim, c.type);
+ }
+
+ /* we also need a global domain SID */
+ string_to_sid(&dom_sid, device_sids[2]);
return 0;
}
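Review bot: In the device SID loop, sddl_decode_sid() is handed &device_sids[i], the address of the array element itself, and device_sids[2] is then reused for string_to_sid() a few lines later. If sddl_decode_sid() advances the pointer it is given, as a parser cursor normally would, device_sids[2] no longer points at the start of "S-1-2-3-4-5-6-7-8-9" by that point and dom_sid will not be what the comment promises. Passing a local copy of the pointer to sddl_decode_sid() avoids the question. Separately, the return values of add_sid_to_array(), add_claim_to_token() and string_to_sid() are all ignored in an initialiser that otherwise aborts on failure; checking them and calling abort() would keep the fuzzer from running quietly against a token with missing SIDs or claims.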
@@ -67,7 +130,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
{
TALLOC_CTX *mem_ctx = NULL;
struct security_descriptor *sd = NULL;
- NTSTATUS status;
uint32_t access_desired;
uint32_t access_granted;
const char *sddl;
@@ -135,7 +197,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
NULL,
NULL);
#else
- status = se_access_check(sd, &token, access_desired, &access_granted);
+ se_access_check(sd, &token, access_desired, &access_granted);
#endif
end:
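Review bot: with status removed, the result of se_access_check is discarded on this branch, so this target now only catches crashes and sanitizer reports from the call, not inconsistent answers. If that is the intent, a (void) cast or a one-line comment would say so; otherwise the status could be kept and checked for consistency with access_granted.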
diff --git a/lib/fuzzing/fuzz_sddl_conditional_ace.c b/lib/fuzzing/fuzz_sddl_conditional_ace.c
new file mode 100644
index 00000000000..e21c2ec9b12
--- /dev/null
+++ b/lib/fuzzing/fuzz_sddl_conditional_ace.c
@@ -0,0 +1,119 @@
+/*
+ Fuzz sddl conditional ace decoding and encoding
+ Copyright (C) Catalyst IT 2023
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "replace.h"
+#include "libcli/security/security.h"
+#include "lib/util/attr.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/conditional_ace.h"
+#include "librpc/gen_ndr/conditional_ace.h"
+#include "fuzzing/fuzzing.h"
+
+
+#define MAX_LENGTH (1024 * 1024 - 1)
+static char sddl_string[MAX_LENGTH + 1] = {0};
+
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+ return 0;
+}
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
+{
+ TALLOC_CTX *mem_ctx = NULL;
+ bool ok;
+ struct ace_condition_script *s1 = NULL;
+ struct ace_condition_script *s2 = NULL;
+ const char *message = NULL;
+ size_t message_offset;
+ const char *resddl = NULL;
+ DATA_BLOB e1, e2, e3;
+ size_t length;
+
+ if (len > MAX_LENGTH) {
+ return 0;
+ }
+
+ memcpy(sddl_string, input, len);
+ sddl_string[len] = '\0';
+
+ mem_ctx = talloc_new(NULL);
+
+ s1 = ace_conditions_compile_sddl(mem_ctx,
+ sddl_string,
+ &message,
+ &message_offset,
+ &length);
+ if (s1 == NULL) {
+ /* could assert message is non-empty */
+ TALLOC_FREE(mem_ctx);
+ return 0;
+ }
+
+ ok = conditional_ace_encode_binary(mem_ctx, s1, &e1);
+ if (! ok) {
+ abort();
+ }
+
+ s2 = parse_conditional_ace(mem_ctx, e1);
+ if (s2 == NULL) {
+ abort();
+ }
+
+ ok = conditional_ace_encode_binary(mem_ctx, s2, &e2);
+ if (! ok) {
+ abort();
+ }
+ if (data_blob_cmp(&e1, &e2) != 0) {
+ abort();
+ }
+
+ /*
+ * We know now the SDDL representation compiles to a valid structure
+ * that survives a round trip through serialisation.
+ *
+ * A remaining question is whether it can be re-rendered as SDDL that
+ * compiles to the same blob.
+ */
+ resddl = sddl_from_conditional_ace(mem_ctx, s2);
+ if (resddl == NULL) {
+ abort();
+ }
+
+ s2 = ace_conditions_compile_sddl(mem_ctx,
+ resddl,
+ &message,
+ &message_offset,
+ &length);
+ if (s2 == NULL) {
+ abort();
+ }
+
+ ok = conditional_ace_encode_binary(mem_ctx, s2, &e3);
+ if (! ok) {
+ abort();
+ }
+ if (data_blob_cmp(&e1, &e3) != 0) {
+ abort();
+ }
+
+ TALLOC_FREE(mem_ctx);
+ return 0;
+}
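Review bot: the abort() taken when sddl_from_conditional_ace(mem_ctx, s2) returns NULL assumes that every script that compiles can be rendered back to SDDL, but the comment added to fuzz_sddl_parse.c in this same push says bad UTF-8 can be carried through parsing into conditions that then cannot be encoded. Unless ace_conditions_compile_sddl rejects such input, this target will report those cases as crashes; it either needs the same utf8_check forgiveness or a comment explaining why it does not. Separately, message, message_offset and length are filled in by both compile calls and never read, and the result of talloc_new is not checked for NULL.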
diff --git a/lib/fuzzing/fuzz_sddl_parse.c b/lib/fuzzing/fuzz_sddl_parse.c
index 1f8c32c595b..05900b02e2f 100644
--- a/lib/fuzzing/fuzz_sddl_parse.c
+++ b/lib/fuzzing/fuzz_sddl_parse.c
@@ -18,7 +18,9 @@
#include "includes.h"
#include "libcli/security/security.h"
+#include "librpc/gen_ndr/conditional_ace.h"
#include "fuzzing/fuzzing.h"
+#include "util/charset/charset.h"
#define MAX_LENGTH (100 * 1024 - 1)
static char sddl_string[MAX_LENGTH + 1] = {0};
@@ -54,7 +56,50 @@ int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
goto end;
}
result = sddl_encode(mem_ctx, sd1, &dom_sid);
+ if (result == NULL) {
+ /*
+ * Because Samba currently doesn't enforce strict
+ * utf-8 parsing, illegal utf-8 sequences in
+ * sddl_string could have ferried bad characters
+ * through into the security descriptor conditions
+ * that we then find we can't encode.
+ *
+ * The proper solution is strict UTF-8 enforcement in
+ * sddl_decode, but for now we forgive unencodable
+ * security descriptors made from bad utf-8.
+ */
+ size_t byte_len, char_len, utf16_len;
+ ok = utf8_check(sddl_string, len,
+ &byte_len, &char_len, &utf16_len);
+ if (!ok) {
+ goto end;
+ }
+ /* utf-8 was fine, but we couldn't encode! */
+ abort();
+ }
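Review bot: utf8_check is run over len bytes of sddl_string, which is the whole fuzzer input, while the buffer is NUL-terminated for use as a C string. If the decoder stops at the first NUL, an invalid byte after an embedded NUL would excuse an encode failure for a prefix that was perfectly valid UTF-8, hiding exactly the case the abort() below is meant to catch. Checking strlen(sddl_string) bytes instead would tie the forgiveness to what was actually parsed. byte_len, char_len and utf16_len are written but never read.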
--
Samba Shared Repository