samba.git/source4/dsdb/tests/python/user_account_control.py, branch master Unnamed repository; edit this file 'description' to name the repository. s4:dsdb:tests: Use loadTestsFromTestCase() instead of makeSuite() 2023-10-13T03:50:31+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-10-02T02:07:54+00:00 9e3a858969a035518ed5b1a87c378e2371efd3b5 makeSuite() is deprecated and will be removed in Python 3.13. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
makeSuite() is deprecated and will be removed in Python 3.13.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:dsdb:tests: Fix assertion messages 2023-10-13T03:50:31+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-10-02T01:25:52+00:00 bb77f36f49c7866f8353b68129202a1e7793bc14 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:dsdb:tests: Remove unused variables 2023-10-13T03:50:31+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-10-02T01:25:16+00:00 1513a4592c0aa95d52dc5adce45be602cdacc354 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:dsdb:tests: Remove unused imports 2023-08-30T02:15:29+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-08-24T23:12:34+00:00 fec8d228ad1ad3215a125ba0719d503f89a9f35f Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:dsdb:tests: Fix code spelling 2023-08-03T14:31:34+00:00 Andreas Schneider asn@samba.org 2023-08-02T08:44:32+00:00 b29793ffdee5d9b9c1c05830622e80f7faec7670 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
 s4/dsdb: fix unnecessary backslash 2023-05-05T04:58:30+00:00 Rob van der Linde rob@catalyst.net.nz 2023-02-23T23:57:57+00:00 3eccaf5d1ebf397f4900d4126765f7a21a951f10 Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-25720: s4-acl: Adjusted some tests to work with the new behavior 2022-09-16T02:32:36+00:00 Nadezhda Ivanova nivanova@symas.com 2021-10-22T18:10:35+00:00 6dc6ca56bd517a5cba85bb4ec120fcfb5feadfb8 Test using non-priviledged accounts now need to make sure they have WP access on the prvided attributes, or Write-DACL Some test create organizational units with a specific SD, and those now need the user to have WD or else they give errors BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Test using non-priviledged accounts now need to make sure they have
WP access on the prvided attributes, or Write-DACL
Some test create organizational units with a specific SD, and those now
need the user to have WD or else they give errors

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-25720: s4-acl: Change behavior of Create Children check 2022-09-16T02:32:36+00:00 Nadezhda Ivanova nivanova@symas.com 2021-10-25T10:10:56+00:00 08187833fee57a8dba6c67546dfca516cd1f9d7a Up to now, the rights to modify an attribute were not checked during an LDAP add operation. This means that even if a user has no right to modify an attribute, they can still specify any value during object creation, and the validated writes were not checked. This patch changes this behavior. During an add operation, a security descriptor is created that does not include the one provided by the user, and is used to verify that the user has the right to modify the supplied attributes. Exception is made for an object's mandatory attributes, and if the user has Write DACL right, further checks are skipped. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Up to now, the rights to modify an attribute were not checked during an LDAP
add operation. This means that even if a user has no right to modify
an attribute, they can still specify any value during object creation,
and the validated writes were not checked.
This patch changes this behavior. During an add operation,
a security descriptor is created that does not include the one provided by the
user, and is used to verify that the user has the right to modify the supplied attributes.
Exception is made for an object's mandatory attributes, and if the user has Write DACL right,
further checks are skipped.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-25722 selftest/user_account_control: more work to cope with UAC/objectclass defaults and lock 2021-11-09T19:45:32+00:00 Andrew Bartlett abartlet@samba.org 2021-10-22T10:41:23+00:00 ccd94963bd3c0600e1b6ae6b94e01fb5d2cbca9e This new restriction breaks a large number of assumptions in the tests, like that you can remove some UF_ flags, because it turns out doing so will make the 'computer' a 'user' again, and this will fail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
This new restriction breaks a large number of assumptions in the tests, like
that you can remove some UF_ flags, because it turns out doing so will
make the 'computer' a 'user' again, and this will fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors 2021-11-09T19:45:32+00:00 Andrew Bartlett abartlet@samba.org 2021-10-22T09:54:52+00:00 b001f91668a17e128e709d8e548d053091e5337b This favors a test that confirms we got an error over getting exactly the right error, at least for now. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
This favors a test that confirms we got an error over getting exactly
the right error, at least for now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>