[PATCH] samba-tool: Easily edit a users object in AD V2 with test

Alexander Bokovoy ab at samba.org
Tue Jul 4 11:11:23 UTC 2017 

On ti, 04 heinä 2017, Rowland Penny via samba-technical wrote:
> On Tue, 4 Jul 2017 12:39:00 +0300
> Alexander Bokovoy <ab at samba.org> wrote:
> 
> > On ti, 04 heinä 2017, Rowland Penny via samba-technical wrote:
> > > On Mon, 3 Jul 2017 18:07:49 +0300
> > > Alexander Bokovoy <ab at samba.org> wrote:
> > > 
> > > > Looks like it works! Great!
> > > 
> > > OK, one step forward, three steps back ;-)
> > > 
> > > How do you create a new file ?
> > > 
> > > I have created the edit.sh file in my local git, but when I run:
> > > 
> > > git commit -s -a
> > > 
> > > I get:
> > > 
> > > On branch master
> > > Your branch is ahead of 'origin/master' by 1 commit.
> > >   (use "git push" to publish your local commits)
> > > Untracked files:
> > > 	python/samba/tests/samba_tool/edit.sh
> > > 
> > > nothing added to commit but untracked files present
> > > 
> > > I don't think I should run 'git push' as, from reading the manpage,
> > > it looks like this will try to create 'edit.sh' in the Samba git.
> > git add <file>
> > https://www.atlassian.com/git/tutorials/saving-changes
> 
> I did wonder about that, but 'man git commit' said this:
> 
>        The command git commit -a first looks at your working tree, notices
>        that you have modified hello.c and removed goodbye.c, and performs
>        necessary git add and git rm for you.
> 
> Looks like the manpage lies, because I was using '-a' and it didn't
> add the file ;-)
> 
> I followed the suggestion and it worked, so I have attached my new
> patches for editing users and the test for this.
Ok, I have only one comment I'd like to be addressed before we accept
this changeset:

+# create editor.sh
+echo "#!/usr/bin/env bash" > /tmp/editor.sh
+echo "user_ldif=\"\$1\"" >> /tmp/editor.sh
+echo "SED=\$(which sed)" >> /tmp/editor.sh
+echo "\$SED -i -e 's/userAccountControl: 512/userAccountControl: 514/' \$user_ldif" >> /tmp/editor.sh
+
+chmod +x /tmp/editor.sh
+

Please don't use a static path here. It would prevent multiple parallel 'make
test' runs on the same machine by different users. And also would allow
an attacker (whoever that be) to rewrite your editor.sh and inject an
execution into your 'make test' run.

Instead, create a temporary file:

tmpeditor=$(mktemp --suffix .sh samba-tool-editor-XXXXXXXX)

And put the content into it:

cat >$tmpeditor <<-'EOF'
	#!/usr/bin/env bash
	user_ldif="$1"
	SED=$(which sed)
	$SED -i -e 's/userAccountControl: 512/userAccountControl: 514/' $user_ldif
	EOF

chmod +x $tmpeditor

<<-'EOF' means to start here document which ends with EOF, strip leading
tabs, do not perform interpolation within the document. This allows you
to keep the content of the script clean from shell expansion protection.


-- 
/ Alexander Bokovoy

More information about the samba-technical mailing list