The Samba-Bugzilla – Attachment 14930 Details for Bug 13834: CVE-2019-3870 [SECURITY] pysmbd: missing restoration of original umask after umask(0)
[patch]
Integration test to highlight the problem
integration-test-patch.txt (text/plain), 4.05 KB, created by Tim Beale on 2019-03-15 01:13:52 UTC
>From 1524da3c41757461cf994e8f2367403332d1af24 Mon Sep 17 00:00:00 2001 >From: Tim Beale <timbeale@catalyst.net.nz> >Date: Fri, 15 Mar 2019 13:52:50 +1300 >Subject: [PATCH] tests: Add test to check file-permissions are correct after > provision > >This provisions a new DC and checks there are no world-writable or >world-readable files in the new DC's private directory. > >Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> >--- > selftest/knownfail.d/provision_fileperms | 2 + > source4/selftest/tests.py | 1 + > source4/setup/tests/provision_fileperms.sh | 64 ++++++++++++++++++++++++++++++ > 3 files changed, 67 insertions(+) > create mode 100644 selftest/knownfail.d/provision_fileperms > create mode 100755 source4/setup/tests/provision_fileperms.sh > >diff --git a/selftest/knownfail.d/provision_fileperms b/selftest/knownfail.d/provision_fileperms >new file mode 100644 >index 0000000..3d77be3 >--- /dev/null >+++ b/selftest/knownfail.d/provision_fileperms >@@ -0,0 +1,2 @@ >+samba4.blackbox.provision_fileperms.provision-fileperms\(none\) >+ >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index c6355f3..2c226ce 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py 
>@@ -959,6 +959,7 @@ plantestsuite_loadlist("samba4.deletetest.python(ad_dc_default)", "ad_dc_default > plantestsuite("samba4.blackbox.samba3dump", "none", [os.path.join(samba4srcdir, "selftest/test_samba3dump.sh")]) > plantestsuite("samba4.blackbox.upgrade", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_s3upgrade.sh"), '$PREFIX/provision']) > plantestsuite("samba4.blackbox.provision.py", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_provision.sh"), '$PREFIX/provision']) >+plantestsuite("samba4.blackbox.provision_fileperms", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/provision_fileperms.sh"), '$PREFIX/provision']) > plantestsuite("samba4.blackbox.supported_features", "none", > ["PYTHON=%s" % python, > os.path.join(samba4srcdir, >diff --git a/source4/setup/tests/provision_fileperms.sh b/source4/setup/tests/provision_fileperms.sh >new file mode 100755 >index 0000000..1238b4f >--- /dev/null >+++ b/source4/setup/tests/provision_fileperms.sh 
>@@ -0,0 +1,64 @@ >+#!/bin/sh >+ >+if [ $# -lt 1 ]; then >+cat <<EOF >+Usage: $0 PREFIX >+EOF >+exit 1; >+fi >+ >+PREFIX="$1" >+shift 1 >+ >+. `dirname $0`/../../../testprogs/blackbox/subunit.sh >+ >+# checks that the files in the 'private' directory created are not >+# world-reable/-writable >+check_private_file_perms() >+{ >+ target_dir="$1/private" >+ result=0 >+ >+ for file in `ls $target_dir/` >+ do >+ filepath="$target_dir/$file" >+ >+ # skip directories/sockets for now >+ if [ ! -f $filepath ] ; then >+ continue; >+ fi >+ >+ # use stat to get the file permissions in numeric form, >+ # then use cut to drop the first digit (i.e. the owner) >+ global_perm=`stat -c "%a" $filepath | cut -c2-` >+ >+ # what's left is the group and other users, both of which >+ # should have no permissions (zero in numeric form) >+ if [ "$global_perm" != "00" ] ; then >+ # display the permissions in human-readable format >+ file_perm=`stat -c "%A" $filepath` >+ echo "Error: $file has $file_perm permissions" >+ result=1 >+ fi >+ done >+ return $result >+} >+ >+TARGET_DIR=$PREFIX/basic-dc >+rm -rf $TARGET_DIR >+ >+# create a dummy smb.conf - we need to use fake ACLs for the file system here >+# (but passing --option args with spaces in it proved too difficult in bash) >+SMB_CONF=$TARGET_DIR/tmp/smb.conf >+mkdir -p `dirname $SMB_CONF` >+echo "vfs objects = fake_acls xattr_tdb" > $SMB_CONF >+ >+# provision a basic DC >+testit "basic-provision" $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=FOO --realm=foo.example.com --targetdir=$TARGET_DIR --configfile=$SMB_CONF >+ >+# check the file permissions in the 'private' directory really are private >+testit "provision-fileperms" check_private_file_perms $TARGET_DIR >+ >+rm -rf $TARGET_DIR >+ >+exit $failed >-- >2.7.4 >
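Review bot: The second added line in selftest/knownfail.d/provision_fileperms is empty; drop it so the file holds only the one test pattern. The commit message should also say that this entry marks provision-fileperms as a known failure until the umask fix lands, so that the fix commit removes the file along with the bug.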
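Review bot: The added plantestsuite line in source4/selftest/tests.py passes the same '$PREFIX/provision' argument as the blackbox_s3upgrade.sh and blackbox_provision.sh entries directly above it, and the new script runs "rm -rf" on the basic-dc directory under that prefix both before and after provisioning. Give this test its own prefix (for example '$PREFIX/provision_fileperms') or confirm that no other test using '$PREFIX/provision' creates a basic-dc directory there.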
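Review bot: The loop in check_private_file_perms in source4/setup/tests/provision_fileperms.sh only inspects regular files directly inside $1/private, so anything provision creates in a subdirectory of private, and the modes of the directories themselves, go unchecked ("skip directories/sockets for now"). The function also returns 0 when $1/private is missing or empty, so provision-fileperms reports success if basic-provision produced nothing to check. Two smaller points in the same function: the "stat -c "%a" $filepath | cut -c2-" comparison assumes a three-digit mode, so a file with mode 0 (printed as "0") or with a setuid/setgid/sticky bit (four digits) is reported as an error for the wrong reason, and "for file in `ls $target_dir/`" with unquoted $filepath skips dotfiles and breaks on names containing whitespace. Suggest failing early if the directory does not exist, then walking the tree with GNU find, e.g. find "$target_dir" -type f -perm /077, and reporting each match. The comment typo "world-reable" can be fixed at the same time, and the commit message should mention that group permissions are rejected as well as world permissions, since the check requires "00" for both.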