The Samba-Bugzilla – Attachment 12763 Details for
Bug 12466
se_access_check() incorrectly processes owner rights (S-1-3-4) DENY ace entries.
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am fix for 4.5.next
bug-12466-4.5 (text/plain), 13.63 KB, created by
Jeremy Allison
on 2016-12-12 19:47:06 UTC
(
hide
)
Description:
git-am fix for 4.5.next
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2016-12-12 19:47:06 UTC
Size:
13.63 KB
patch
obsolete
>From 3b0496d74731d1958cbd7a3db2d69aadef045821 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 8 Dec 2016 10:40:18 -0800 >Subject: [PATCH 1/2] lib: security: se_access_check() incorrectly processes > owner rights (S-1-3-4) DENY ace entries > >Reported and proposed fix by Shilpa K <shilpa.krishnareddy@gmail.com>. > >When processing DENY ACE entries for owner rights SIDs (S-1-3-4) the >code OR's in the deny access mask bits without taking into account if >they were being requested in the requested access mask. > >E.g. The current logic has: > >An ACL containining: > >[0] SID: S-1-3-4 > TYPE: DENY > MASK: WRITE_DATA >[1] SID: S-1-3-4 > TYPE: ALLOW > MASK: ALLOW_ALL > >prohibits an open request by the owner for READ_DATA - even though this >is explicitly allowed. > >Furthermore a non-canonical ACL containing: > >[0] SID: User SID 1-5-21-something > TYPE: ALLOW > MASK: READ_DATA > >[1] SID: S-1-3-4 > TYPE: DENY > MASK: READ_DATA > >[2] SID: User SID 1-5-21-something > TYPE: ALLOW > MASK: WRITE_DATA > >prohibits an open request by the owner for READ_DATA|WRITE_DATA - even >though READ_DATA is explicitly allowed in ACE no 0 and is thus already >filtered out of the "access-still-needed" mask when the deny ACE no 1 is >evaluated. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 29b02cf22f3c0f2d556408e9e768d68c1efc3b96) >--- > libcli/security/access_check.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c >index 2be5928..b4c850b 100644 >--- a/libcli/security/access_check.c >+++ b/libcli/security/access_check.c >@@ -220,7 +220,7 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, > owner_rights_allowed |= ace->access_mask; > owner_rights_default = false; > } else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED) { >- owner_rights_denied |= ace->access_mask; >+ owner_rights_denied |= (bits_remaining & ace->access_mask); > owner_rights_default = false; > } > continue; >-- >2.8.0.rc3.226.g39d4020 > > >From a414437f22e9b9908904f47d6d3ec6da50fd6929 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 8 Dec 2016 10:40:27 -0800 >Subject: [PATCH 2/2] s3: torture: Adds regression test case for > se_access_check() owner rights issue. > >This test passes against Win2K12 but fails against smbd >without the previous commit. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Sat Dec 10 10:11:10 CET 2016 on sn-devel-144 > >(cherry picked from commit b5c0745b0c99d6cef21b5e7eb695e15aae5d4e38) >--- > selftest/skip | 1 + > source3/selftest/tests.py | 2 +- > source3/torture/torture.c | 386 ++++++++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 388 insertions(+), 1 deletion(-) > >diff --git a/selftest/skip b/selftest/skip >index 478e6c9..a61e970 100644 >--- a/selftest/skip >+++ b/selftest/skip >@@ -49,6 +49,7 @@ > ^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).POSIX-OFD-LOCK # Fails against the s4 ntvfs server > ^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).POSIX-STREAM-DELETE # Fails against the s4 ntvfs server > ^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).RENAME-ACCESS # Fails against the s4 ntvfs server >+^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).OWNER-RIGHTS # Don't test against the s4 ntvfs server anymore > ^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).PIDHIGH # Fails against the s4 ntvfs server > ^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).NTTRANS-FSCTL # Fails against the s4 ntvfs server > ^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).SMB2-NEGPROT # Fails against the s4 ntvfs server >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 6d06548..9a2d586 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -49,7 +49,7 @@ tests = ["FDPASS", "LOCK1", "LOCK2", "LOCK3", "LOCK4", "LOCK5", "LOCK6", "LOCK7" > "OPLOCK1", "OPLOCK2", "OPLOCK4", "STREAMERROR", > "DIR", "DIR1", "DIR-CREATETIME", "TCON", "TCONDEV", "RW1", "RW2", "RW3", "LARGE_READX", "RW-SIGNING", > "OPEN", "XCOPY", "RENAME", "DELETE", "DELETE-LN", "WILDDELETE", "PROPERTIES", "W2K", >- "TCON2", "IOCTL", "CHKPATH", "FDSESS", "CHAIN1", "CHAIN2", >+ "TCON2", "IOCTL", "CHKPATH", "FDSESS", "CHAIN1", "CHAIN2", "OWNER-RIGHTS", > "CHAIN3", "PIDHIGH", > "GETADDRINFO", "UID-REGRESSION-TEST", "SHORTNAME-TEST", > "CASE-INSENSITIVE-CREATE", "SMB2-BASIC", "NTTRANS-FSCTL", "SMB2-NEGPROT", >diff --git a/source3/torture/torture.c b/source3/torture/torture.c >index 90d46dd..c978741 100644 >--- a/source3/torture/torture.c >+++ b/source3/torture/torture.c >@@ -5089,6 +5089,391 @@ static bool run_rename_access(int dummy) > return false; > } > >+/* >+ Test owner rights ACE. >+ */ >+static bool run_owner_rights(int dummy) >+{ >+ static struct cli_state *cli = NULL; >+ const char *fname = "owner_rights.txt"; >+ uint16_t fnum = (uint16_t)-1; >+ struct security_descriptor *sd = NULL; >+ struct security_descriptor *newsd = NULL; >+ NTSTATUS status; >+ TALLOC_CTX *frame = NULL; >+ >+ frame = talloc_stackframe(); >+ printf("starting owner rights test\n"); >+ >+ /* Windows connection. */ >+ if (!torture_open_connection(&cli, 0)) { >+ goto fail; >+ } >+ >+ smbXcli_conn_set_sockopt(cli->conn, sockops); >+ >+ /* Start with a clean slate. */ >+ cli_unlink(cli, fname, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN); >+ >+ /* Create the test file. */ >+ /* Now try and open for read and write-dac. */ >+ status = cli_ntcreate(cli, >+ fname, >+ 0, >+ GENERIC_ALL_ACCESS, >+ FILE_ATTRIBUTE_NORMAL, >+ FILE_SHARE_READ|FILE_SHARE_WRITE| >+ FILE_SHARE_DELETE, >+ FILE_CREATE, >+ 0, >+ 0, >+ &fnum, >+ NULL); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("Create of %s - %s\n", fname, nt_errstr(status)); >+ goto fail; >+ } >+ >+ /* Get the original SD. */ >+ status = cli_query_secdesc(cli, >+ fnum, >+ frame, >+ &sd); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("cli_query_secdesc failed for %s (%s)\n", >+ fname, nt_errstr(status)); >+ goto fail; >+ } >+ >+ /* >+ * Add an "owner-rights" ACE denying WRITE_DATA, >+ * and an "owner-rights" ACE allowing READ_DATA. >+ */ >+ >+ newsd = security_descriptor_dacl_create(frame, >+ 0, >+ NULL, >+ NULL, >+ SID_OWNER_RIGHTS, >+ SEC_ACE_TYPE_ACCESS_DENIED, >+ FILE_WRITE_DATA, >+ 0, >+ SID_OWNER_RIGHTS, >+ SEC_ACE_TYPE_ACCESS_ALLOWED, >+ FILE_READ_DATA, >+ 0, >+ NULL); >+ if (newsd == NULL) { >+ goto fail; >+ } >+ sd->dacl = security_acl_concatenate(frame, >+ newsd->dacl, >+ sd->dacl); >+ if (sd->dacl == NULL) { >+ goto fail; >+ } >+ status = cli_set_secdesc(cli, fnum, sd); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("cli_set_secdesc failed for %s (%s)\n", >+ fname, nt_errstr(status)); >+ goto fail; >+ } >+ status = cli_close(cli, fnum); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("close failed for %s (%s)\n", >+ fname, nt_errstr(status)); >+ goto fail; >+ } >+ fnum = (uint16_t)-1; >+ >+ /* Try and open for FILE_WRITE_DATA */ >+ status = cli_ntcreate(cli, >+ fname, >+ 0, >+ FILE_WRITE_DATA, >+ FILE_ATTRIBUTE_NORMAL, >+ FILE_SHARE_READ|FILE_SHARE_WRITE| >+ FILE_SHARE_DELETE, >+ FILE_OPEN, >+ 0, >+ 0, >+ &fnum, >+ NULL); >+ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { >+ printf("Open of %s - %s\n", fname, nt_errstr(status)); >+ goto fail; >+ } >+ >+ /* Now try and open for FILE_READ_DATA */ >+ status = cli_ntcreate(cli, >+ fname, >+ 0, >+ FILE_READ_DATA, >+ FILE_ATTRIBUTE_NORMAL, >+ FILE_SHARE_READ|FILE_SHARE_WRITE| >+ FILE_SHARE_DELETE, >+ FILE_OPEN, >+ 0, >+ 0, >+ &fnum, >+ NULL); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("Open of %s - %s\n", fname, nt_errstr(status)); >+ goto fail; >+ } >+ >+ status = cli_close(cli, fnum); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("close failed for %s (%s)\n", >+ fname, nt_errstr(status)); >+ goto fail; >+ } >+ >+ /* Restore clean slate. */ >+ TALLOC_FREE(sd); >+ cli_unlink(cli, fname, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN); >+ >+ /* Create the test file. */ >+ status = cli_ntcreate(cli, >+ fname, >+ 0, >+ GENERIC_ALL_ACCESS, >+ FILE_ATTRIBUTE_NORMAL, >+ FILE_SHARE_READ|FILE_SHARE_WRITE| >+ FILE_SHARE_DELETE, >+ FILE_CREATE, >+ 0, >+ 0, >+ &fnum, >+ NULL); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("Create of %s - %s\n", fname, nt_errstr(status)); >+ goto fail; >+ } >+ >+ /* Get the original SD. */ >+ status = cli_query_secdesc(cli, >+ fnum, >+ frame, >+ &sd); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("cli_query_secdesc failed for %s (%s)\n", >+ fname, nt_errstr(status)); >+ goto fail; >+ } >+ >+ /* >+ * Add an "owner-rights ACE denying WRITE_DATA, >+ * and an "owner-rights ACE allowing READ_DATA|WRITE_DATA. >+ */ >+ >+ newsd = security_descriptor_dacl_create(frame, >+ 0, >+ NULL, >+ NULL, >+ SID_OWNER_RIGHTS, >+ SEC_ACE_TYPE_ACCESS_DENIED, >+ FILE_WRITE_DATA, >+ 0, >+ SID_OWNER_RIGHTS, >+ SEC_ACE_TYPE_ACCESS_ALLOWED, >+ FILE_READ_DATA|FILE_WRITE_DATA, >+ 0, >+ NULL); >+ if (newsd == NULL) { >+ goto fail; >+ } >+ sd->dacl = security_acl_concatenate(frame, >+ newsd->dacl, >+ sd->dacl); >+ if (sd->dacl == NULL) { >+ goto fail; >+ } >+ status = cli_set_secdesc(cli, fnum, sd); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("cli_set_secdesc failed for %s (%s)\n", >+ fname, nt_errstr(status)); >+ goto fail; >+ } >+ status = cli_close(cli, fnum); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("close failed for %s (%s)\n", >+ fname, nt_errstr(status)); >+ goto fail; >+ } >+ fnum = (uint16_t)-1; >+ >+ /* Try and open for FILE_WRITE_DATA */ >+ status = cli_ntcreate(cli, >+ fname, >+ 0, >+ FILE_WRITE_DATA, >+ FILE_ATTRIBUTE_NORMAL, >+ FILE_SHARE_READ|FILE_SHARE_WRITE| >+ FILE_SHARE_DELETE, >+ FILE_OPEN, >+ 0, >+ 0, >+ &fnum, >+ NULL); >+ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { >+ printf("Open of %s - %s\n", fname, nt_errstr(status)); >+ goto fail; >+ } >+ >+ /* Now try and open for FILE_READ_DATA */ >+ status = cli_ntcreate(cli, >+ fname, >+ 0, >+ FILE_READ_DATA, >+ FILE_ATTRIBUTE_NORMAL, >+ FILE_SHARE_READ|FILE_SHARE_WRITE| >+ FILE_SHARE_DELETE, >+ FILE_OPEN, >+ 0, >+ 0, >+ &fnum, >+ NULL); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("Open of %s - %s\n", fname, nt_errstr(status)); >+ goto fail; >+ } >+ >+ status = cli_close(cli, fnum); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("close failed for %s (%s)\n", >+ fname, nt_errstr(status)); >+ goto fail; >+ } >+ >+ /* Restore clean slate. */ >+ TALLOC_FREE(sd); >+ cli_unlink(cli, fname, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN); >+ >+ >+ /* Create the test file. */ >+ status = cli_ntcreate(cli, >+ fname, >+ 0, >+ GENERIC_ALL_ACCESS, >+ FILE_ATTRIBUTE_NORMAL, >+ FILE_SHARE_READ|FILE_SHARE_WRITE| >+ FILE_SHARE_DELETE, >+ FILE_CREATE, >+ 0, >+ 0, >+ &fnum, >+ NULL); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("Create of %s - %s\n", fname, nt_errstr(status)); >+ goto fail; >+ } >+ >+ /* Get the original SD. */ >+ status = cli_query_secdesc(cli, >+ fnum, >+ frame, >+ &sd); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("cli_query_secdesc failed for %s (%s)\n", >+ fname, nt_errstr(status)); >+ goto fail; >+ } >+ >+ /* >+ * Add an "authenticated users" ACE allowing READ_DATA, >+ * add an "owner-rights" denying READ_DATA, >+ * and an "authenticated users" ACE allowing WRITE_DATA. >+ */ >+ >+ newsd = security_descriptor_dacl_create(frame, >+ 0, >+ NULL, >+ NULL, >+ SID_NT_AUTHENTICATED_USERS, >+ SEC_ACE_TYPE_ACCESS_ALLOWED, >+ FILE_READ_DATA, >+ 0, >+ SID_OWNER_RIGHTS, >+ SEC_ACE_TYPE_ACCESS_DENIED, >+ FILE_READ_DATA, >+ 0, >+ SID_NT_AUTHENTICATED_USERS, >+ SEC_ACE_TYPE_ACCESS_ALLOWED, >+ FILE_WRITE_DATA, >+ 0, >+ NULL); >+ if (newsd == NULL) { >+ printf("newsd == NULL\n"); >+ goto fail; >+ } >+ sd->dacl = security_acl_concatenate(frame, >+ newsd->dacl, >+ sd->dacl); >+ if (sd->dacl == NULL) { >+ printf("sd->dacl == NULL\n"); >+ goto fail; >+ } >+ status = cli_set_secdesc(cli, fnum, sd); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("cli_set_secdesc failed for %s (%s)\n", >+ fname, nt_errstr(status)); >+ goto fail; >+ } >+ status = cli_close(cli, fnum); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("close failed for %s (%s)\n", >+ fname, nt_errstr(status)); >+ goto fail; >+ } >+ fnum = (uint16_t)-1; >+ >+ /* Now try and open for FILE_READ_DATA|FILE_WRITE_DATA */ >+ status = cli_ntcreate(cli, >+ fname, >+ 0, >+ FILE_READ_DATA|FILE_WRITE_DATA, >+ FILE_ATTRIBUTE_NORMAL, >+ FILE_SHARE_READ|FILE_SHARE_WRITE| >+ FILE_SHARE_DELETE, >+ FILE_OPEN, >+ 0, >+ 0, >+ &fnum, >+ NULL); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("Open of %s - %s\n", fname, nt_errstr(status)); >+ goto fail; >+ } >+ >+ status = cli_close(cli, fnum); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("close failed for %s (%s)\n", >+ fname, nt_errstr(status)); >+ goto fail; >+ } >+ >+ cli_unlink(cli, fname, >+ FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN); >+ >+ TALLOC_FREE(frame); >+ return true; >+ >+ fail: >+ >+ if (cli) { >+ if (fnum != -1) { >+ cli_close(cli, fnum); >+ } >+ cli_unlink(cli, fname, >+ FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN); >+ torture_close_connection(cli); >+ } >+ >+ TALLOC_FREE(frame); >+ return false; >+} >+ > static bool run_pipe_number(int dummy) > { > struct cli_state *cli1; >@@ -10646,6 +11031,7 @@ static struct { > {"XCOPY", run_xcopy, 0}, > {"RENAME", run_rename, 0}, > {"RENAME-ACCESS", run_rename_access, 0}, >+ {"OWNER-RIGHTS", run_owner_rights, 0}, > {"DELETE", run_deletetest, 0}, > {"WILDDELETE", run_wild_deletetest, 0}, > {"DELETE-LN", run_deletetest_ln, 0}, >-- >2.8.0.rc3.226.g39d4020 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
slow
:
review+
Actions:
View
Attachments on
bug 12466
:
12752
|
12755
|
12758
| 12763 |
12764