The Samba-Bugzilla – Attachment 13962 Details for
Bug 13031
Rename of site can crash ldap process (signal 6)
[patch]
Additional patch for master testing if non-admin users can trigger this bug
0001-python-tests-sites-ensure-we-can-t-manipulate-subnet.patch (text/plain), 5.41 KB, created by
Douglas Bagnall
on 2018-02-15 02:46:45 UTC
Description:
Additional patch for master testing if non-admin users can trigger this bug
Filename:
MIME Type:
Creator:
Douglas Bagnall
Created:
2018-02-15 02:46:45 UTC
Size:
5.41 KB
>From f3164060f954fba426677cbff58924c90b9cab8a Mon Sep 17 00:00:00 2001
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Date: Thu, 15 Feb 2018 15:08:03 +1300
>Subject: [PATCH] python/tests/sites: ensure we can't manipulate subnets as
> non-admin
>
>Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> source4/dsdb/tests/python/sites.py | 88 +++++++++++++++++++++++++++++++++++++-
> 1 file changed, 87 insertions(+), 1 deletion(-)
>
>diff --git a/source4/dsdb/tests/python/sites.py b/source4/dsdb/tests/python/sites.py
>index 123e1ece60f..f4c6781408a 100755
>--- a/source4/dsdb/tests/python/sites.py
>+++ b/source4/dsdb/tests/python/sites.py
>@@ -30,9 +30,12 @@ from samba import sites
> from samba import subnets
> from samba.auth import system_session
> from samba.samdb import SamDB
>+from samba import gensec
>+from samba.credentials import Credentials, DONT_USE_KERBEROS
> import samba.tests
>+from samba.tests import delete_force
> from samba.dcerpc import security
>-from ldb import SCOPE_SUBTREE
>+from ldb import SCOPE_SUBTREE, LdbError, ERR_INSUFFICIENT_ACCESS_RIGHTS
>
> parser = optparse.OptionParser("sites.py [options] <host>")
> sambaopts = options.SambaOptions(parser)
>@@ -183,6 +186,89 @@ class SimpleSubnetTests(SitesBaseTests):
> self.assertRaises(subnets.SubnetNotFound,
> subnets.delete_subnet, self.ldb, basedn, cidr)
>
>+ def get_user_and_ldb(self, username, password, hostname=ldaphost):
>+ """Get a connection for a temporarily user that will vanish as soon as
>+ the test is over."""
>+ user = self.ldb.newuser(username, password)
>+ creds_tmp = Credentials()
>+ creds_tmp.set_username(username)
>+ creds_tmp.set_password(password)
>+ creds_tmp.set_domain(creds.get_domain())
>+ creds_tmp.set_realm(creds.get_realm())
>+ creds_tmp.set_workstation(creds.get_workstation())
>+ creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
>+ | gensec.FEATURE_SEAL)
>+ creds_tmp.set_kerberos_state(DONT_USE_KERBEROS)
>+ ldb_target = SamDB(url=hostname, credentials=creds_tmp, lp=lp)
>+ self.addCleanup(delete_force, self.ldb, self.get_user_dn(username))
>+ return (user, ldb_target)
>+
>+ def test_rename_delete_good_subnet_to_good_subnet_other_user(self):
>+ """Make sure that we can't rename or delete subnets when we aren't
>+ admin."""
>+ basedn = self.ldb.get_config_basedn()
>+ cidr = "10.16.0.0/24"
>+ new_cidr = "10.16.1.0/24"
>+ subnets.create_subnet(self.ldb, basedn, cidr, self.sitename)
>+ user, non_admin_ldb = self.get_user_and_ldb("notadmin", "samba123@")
>+ try:
>+ subnets.rename_subnet(non_admin_ldb, basedn, cidr, new_cidr)
>+ except LdbError as e:
>+ self.assertEqual(e.args[0], ERR_INSUFFICIENT_ACCESS_RIGHTS,
>+ ("subnet rename by non-admin failed "
>+ "in the wrong way: %s" % e))
>+ else:
>+ self.fail("subnet rename by non-admin succeeded: %s" % e)
>+
>+ ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
>+ expression='(&(objectclass=subnet)(cn=%s))' % cidr)
>+
>+ self.assertEqual(len(ret), 1, ('Subnet %s destroyed or renamed '
>+ 'by non-admin' % cidr))
>+
>+ ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
>+ expression=('(&(objectclass=subnet)(cn=%s))'
>+ % new_cidr))
>+
>+ self.assertEqual(len(ret), 0,
>+ 'New subnet %s created by non-admin' % cidr)
>+
>+ try:
>+ subnets.delete_subnet(non_admin_ldb, basedn, cidr)
>+ except LdbError as e:
>+ self.assertEqual(e.args[0], ERR_INSUFFICIENT_ACCESS_RIGHTS,
>+ ("subnet delete by non-admin failed "
>+ "in the wrong way: %s" % e))
>+ else:
>+ self.fail("subnet delete by non-admin succeeded: %s" % e)
>+
>+ ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
>+ expression='(&(objectclass=subnet)(cn=%s))' % cidr)
>+
>+ self.assertEqual(len(ret), 1, 'Subnet %s deleted non-admin' % cidr)
>+
>+ subnets.delete_subnet(self.ldb, basedn, cidr)
>+
>+ def test_create_good_subnet_other_user(self):
>+ """Make sure that we can't create subnets when we aren't admin."""
>+ basedn = self.ldb.get_config_basedn()
>+ cidr = "10.16.0.0/24"
>+ user, non_admin_ldb = self.get_user_and_ldb("notadmin", "samba123@")
>+ try:
>+ subnets.create_subnet(non_admin_ldb, basedn, cidr, self.sitename)
>+ except LdbError as e:
>+ self.assertEqual(e.args[0], ERR_INSUFFICIENT_ACCESS_RIGHTS,
>+ ("subnet create by non-admin failed "
>+ "in the wrong way: %s" % e))
>+ else:
>+ subnets.delete_subnet(self.ldb, basedn, cidr)
>+ self.fail("subnet create by non-admin succeeded: %s")
>+
>+ ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
>+ expression='(&(objectclass=subnet)(cn=%s))' % cidr)
>+
>+ self.assertEqual(len(ret), 0, 'New subnet %s created by non-admin' % cidr)
>+
> def test_rename_good_subnet_to_good_subnet(self):
> """Make sure that we can rename subnets"""
> basedn = self.ldb.get_config_basedn()
>--
>2.14.1
>
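Review bot: The `else:` branches in test_rename_delete_good_subnet_to_good_subnet_other_user build their failure message with `% e`, but `e` is only bound by the `except LdbError as e:` clause, so when a non-admin rename or delete actually succeeds the test would likely abort with a NameError (or report a stale error from the earlier rename) instead of naming the access-control regression; `self.fail("subnet rename by non-admin succeeded")` and the matching delete message avoid that. test_create_good_subnet_other_user has the sibling problem of a literal, unfilled `%s` in `self.fail("subnet create by non-admin succeeded: %s")`. In get_user_and_ldb, `self.addCleanup(delete_force, ...)` is registered only after `SamDB(url=hostname, ...)` has connected, so a failed bind would leave the `notadmin` account and its fixed password behind on the test DC; registering the cleanup directly after `self.ldb.newuser(username, password)` closes that gap. The rename/delete test also relies on a trailing `subnets.delete_subnet(self.ldb, basedn, cidr)` that is skipped whenever an assertion fails, and the create test reuses the same `cidr`, so an `addCleanup` for the subnet would keep one failure from cascading. The enclosing SimpleSubnetTests class starts outside the hunk.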
Flags:
dbagnall
:
review?
(
garming
)