samba.git/source4/dsdb/tests/python/sec_descriptor.py, branch talloc-2.4.0 Unnamed repository; edit this file 'description' to name the repository. CVE-2020-25720: s4-acl: Owner no longer has implicit Write DACL 2022-09-16T02:32:36+00:00 Nadezhda Ivanova nivanova@symas.com 2021-10-22T18:33:03+00:00 5073d5997cb1d7f654423655e0d1eeb117bdab38 The implicit right of an object's owner to modify its security descriptor no longer exists, according to the new access rules. However, we continue to grant this implicit right for fileserver access checks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
The implicit right of an object's owner to modify its security
descriptor no longer exists, according to the new access rules. However,
we continue to grant this implicit right for fileserver access checks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-25720: s4-acl: Adjusted some tests to work with the new behavior 2022-09-16T02:32:36+00:00 Nadezhda Ivanova nivanova@symas.com 2021-10-22T18:10:35+00:00 6dc6ca56bd517a5cba85bb4ec120fcfb5feadfb8 Test using non-priviledged accounts now need to make sure they have WP access on the prvided attributes, or Write-DACL Some test create organizational units with a specific SD, and those now need the user to have WD or else they give errors BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Test using non-priviledged accounts now need to make sure they have
WP access on the prvided attributes, or Write-DACL
Some test create organizational units with a specific SD, and those now
need the user to have WD or else they give errors

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-25720: s4-acl: Change behavior of Create Children check 2022-09-16T02:32:36+00:00 Nadezhda Ivanova nivanova@symas.com 2021-10-25T10:10:56+00:00 08187833fee57a8dba6c67546dfca516cd1f9d7a Up to now, the rights to modify an attribute were not checked during an LDAP add operation. This means that even if a user has no right to modify an attribute, they can still specify any value during object creation, and the validated writes were not checked. This patch changes this behavior. During an add operation, a security descriptor is created that does not include the one provided by the user, and is used to verify that the user has the right to modify the supplied attributes. Exception is made for an object's mandatory attributes, and if the user has Write DACL right, further checks are skipped. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Up to now, the rights to modify an attribute were not checked during an LDAP
add operation. This means that even if a user has no right to modify
an attribute, they can still specify any value during object creation,
and the validated writes were not checked.
This patch changes this behavior. During an add operation,
a security descriptor is created that does not include the one provided by the
user, and is used to verify that the user has the right to modify the supplied attributes.
Exception is made for an object's mandatory attributes, and if the user has Write DACL right,
further checks are skipped.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-25720 s4:tests/sec_descriptor: Add missing security descriptor modify 2022-09-16T02:32:36+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-04-28T09:00:56+00:00 cbbf3fd7412ba073b26b0d0a32fe25b343fed5ca The variable sub_sddl1 previously went unused, so this call to modify_sd_on_dn() was presumably intended to go here. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
The variable sub_sddl1 previously went unused, so this call to
modify_sd_on_dn() was presumably intended to go here.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python: Don't use deprecated escape sequences 2022-06-14T07:21:29+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-04-28T08:31:50+00:00 5045382c6dd04b1bae0eaaae823be908213ff079 Certain escape sequences are not valid in Python string literals, and will eventually result in a SyntaxError. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Certain escape sequences are not valid in Python string literals, and
will eventually result in a SyntaxError.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 python: remove all 'from __future__ import print_function' 2021-04-28T03:43:34+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2021-04-28T01:02:37+00:00 aecb2b779b88c13784b7c2691ae08da716d65ab2 This made Python 2's print behave like Python 3's print(). In some cases, where we had: from __future__ import print_function """Intended module documentation...""" this will have the side effect of making the intended module documentation work as the actual module documentation (i.e. becoming __doc__), because it is once again the first statement in the module. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This made Python 2's print behave like Python 3's print().

In some cases, where we had:

   from __future__ import print_function
   """Intended module documentation..."""

this will have the side effect of making the intended module documentation
work as the actual module documentation (i.e. becoming __doc__), because
it is once again the first statement in the module.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
pytests: heed assertEquals deprecation warning en-masse 2020-02-07T10:37:37+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2020-02-06T22:02:38+00:00 c247afbda00013bf4821e5a2d4f3166bf31814f0 TestCase.assertEquals() is an alias for TestCase.assertEqual() and has been deprecated since Python 2.7. When we run our tests with in python developer mode (`PYTHONDEVMODE=1 make test`) we get 580 DeprecationWarnings about this. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Noel Power <npower@samba.org> 
TestCase.assertEquals() is an alias for TestCase.assertEqual() and
has been deprecated since Python 2.7.

When we run our tests with in python developer mode (`PYTHONDEVMODE=1
make test`) we get 580 DeprecationWarnings about this.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
selftest: correcting empty attribute usage in requests 2019-05-06T05:45:55+00:00 Aaron Haslett aaronhaslett@catalyst.net.nz 2019-03-28T02:54:06+00:00 bc1583d368902c2e384ed0080c8de003b982a6f7 Many parts of Samba use an empty attribute list in requests expecting all attributes to be returned in the response, which is incorrect. This patch corrects the instances found by current CI tests. Static analysis and debugging will need to be done before changing ildap to the correct semantics. Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Garming Sam <garming@samba.org> Autobuild-Date(master): Mon May 6 05:45:55 UTC 2019 on sn-devel-184 
Many parts of Samba use an empty attribute list in requests expecting
all attributes to be returned in the response, which is incorrect.  This
patch corrects the instances found by current CI tests.  Static analysis
and debugging will need to be done before changing ildap to the correct
semantics.

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>

Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Mon May  6 05:45:55 UTC 2019 on sn-devel-184
Fix typos and ban the rams from samba 2019-01-10T01:41:29+00:00 Swen Schillig swen@linux.ibm.com 2019-01-07T14:07:22+00:00 e29cb5095b519cd12ecc1029b22a120f14d93db5 Signed-off-by: Swen Schillig <swen@linux.ibm.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Volker Lendecke <Volker.Lendecke@SerNet.DE> 
Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <Volker.Lendecke@SerNet.DE>
PY3: change shebang to python3 in source4/dsdb dir 2018-12-14T13:40:20+00:00 Joe Guo joeg@catalyst.net.nz 2018-12-12T00:40:43+00:00 8e3c194453f206152b40fa7a5efb1436b13424e9 Signed-off-by: Joe Guo <joeg@catalyst.net.nz> Reviewed-by: Noel Power <npower@samba.org> 
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>