From 5bc2b8f0a494511800696d6d411a426463089e8b Mon Sep 17 00:00:00 2001 From: Nadezhda Ivanova Date: Wed, 27 Oct 2010 15:20:49 +0300 Subject: s4-ldb: Added the correct extended check for read access to nTSecurityDescriptor It does not depend on READ_PROPERTY, but on SECURITY_PRIVILEGE and READ_CONTROL Autobuild-User: Nadezhda Ivanova Autobuild-Date: Wed Oct 27 13:18:50 UTC 2010 on sn-devel-104 --- source4/dsdb/samdb/ldb_modules/acl_read.c | 2 +- source4/dsdb/tests/python/acl.py | 62 +++++++++++++++++++++++++++++++ source4/selftest/knownfail | 1 + 3 files changed, 64 insertions(+), 1 deletion(-) diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c index 78a9e28396..bd9e1289f3 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_read.c +++ b/source4/dsdb/samdb/ldb_modules/acl_read.c @@ -146,7 +146,7 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) tmp_ctx, sd, sid, - SEC_FLAG_SYSTEM_SECURITY, + SEC_FLAG_SYSTEM_SECURITY|SEC_STD_READ_CONTROL, attr); } else { ret = acl_check_access_on_attribute(ac->module, diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index ae51044c60..d4c55a44ac 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -1621,6 +1621,65 @@ replace: userPassword userPassword: thatsAcomplPASS1 """) +class AclExtendedTests(AclTests): + + def setUp(self): + super(AclExtendedTests, self).setUp() + #regular user, will be the creator + self.u1 = "ext_u1" + #regular user + self.u2 = "ext_u2" + #admin user + self.u3 = "ext_u3" + self.create_enable_user(self.u1) + self.create_enable_user(self.u2) + self.create_enable_user(self.u3) + self.add_group_member(self.ldb_admin, "CN=Domain Admins,CN=Users," + self.base_dn, + self.get_user_dn(self.u3)) + self.ldb_user1 = self.get_ldb_connection(self.u1, self.user_pass) + self.ldb_user2 = self.get_ldb_connection(self.u2, self.user_pass) + self.ldb_user3 = self.get_ldb_connection(self.u3, self.user_pass) + self.user_sid1 = self.get_object_sid(self.get_user_dn(self.u1)) + self.user_sid2 = self.get_object_sid(self.get_user_dn(self.u2)) + + def tearDown(self): + super(AclExtendedTests, self).tearDown() + self.delete_force(self.ldb_admin, self.get_user_dn(self.u1)) + self.delete_force(self.ldb_admin, self.get_user_dn(self.u2)) + self.delete_force(self.ldb_admin, self.get_user_dn(self.u3)) + self.delete_force(self.ldb_admin, "CN=ext_group1,OU=ext_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, "ou=ext_ou1," + self.base_dn) + + def test_ntSecurityDescriptor(self): + #create empty ou + self.create_ou(self.ldb_admin, "ou=ext_ou1," + self.base_dn) + #give u1 Create children access + mod = "(A;;CC;;;%s)" % str(self.user_sid1) + self.dacl_add_ace("OU=ext_ou1," + self.base_dn, mod) + mod = "(A;;LC;;;%s)" % str(self.user_sid2) + self.dacl_add_ace("OU=ext_ou1," + self.base_dn, mod) + #create a group under that, grant RP to u2 + self.create_group(self.ldb_user1, "CN=ext_group1,OU=ext_ou1," + self.base_dn) + mod = "(A;;RP;;;%s)" % str(self.user_sid2) + self.dacl_add_ace("CN=ext_group1,OU=ext_ou1," + self.base_dn, mod) + #u2 must not read the descriptor + res = self.ldb_user2.search("CN=ext_group1,OU=ext_ou1," + self.base_dn, + SCOPE_BASE, None, ["nTSecurityDescriptor"]) + self.assertNotEqual(res,[]) + self.assertFalse("nTSecurityDescriptor" in res[0].keys()) + #grant RC to u2 - still no access + mod = "(A;;RC;;;%s)" % str(self.user_sid2) + self.dacl_add_ace("CN=ext_group1,OU=ext_ou1," + self.base_dn, mod) + res = self.ldb_user2.search("CN=ext_group1,OU=ext_ou1," + self.base_dn, + SCOPE_BASE, None, ["nTSecurityDescriptor"]) + self.assertNotEqual(res,[]) + self.assertFalse("nTSecurityDescriptor" in res[0].keys()) + #u3 is member of administrators group, should be able to read sd + res = self.ldb_user3.search("CN=ext_group1,OU=ext_ou1," + self.base_dn, + SCOPE_BASE, None, ["nTSecurityDescriptor"]) + self.assertEqual(len(res),1) + self.assertTrue("nTSecurityDescriptor" in res[0].keys()) + # Important unit running information if not "://" in host: @@ -1641,5 +1700,8 @@ if not runner.run(unittest.makeSuite(AclCARTests)).wasSuccessful(): rc = 1 if not runner.run(unittest.makeSuite(AclSearchTests)).wasSuccessful(): rc = 1 +if not runner.run(unittest.makeSuite(AclExtendedTests)).wasSuccessful(): + rc = 1 + sys.exit(rc) diff --git a/source4/selftest/knownfail b/source4/selftest/knownfail index cc7e2ae513..d3c7277f89 100644 --- a/source4/selftest/knownfail +++ b/source4/selftest/knownfail @@ -78,4 +78,5 @@ samba4.smb2.compound.*.RELATED1 samba4.smb2.compound.*.RELATED2 samba4.smb2.compound.*.INVALID2 samba4.ldap.acl.*.search.* # ACL search behaviour not enabled by default +samba4.ldap.acl.*.ntSecurityDescriptor.* # ACL extended checks on search not enabled by default -- cgit