The branch, master has been updated via 3b6c1f1a9c4 libcli/security: condtional ACE recursive composites are not supported via 38247d39e1e libcli/security: conditional ace sddl: do not read nested composites via 96dbc71e137 libcli/security: conditional ace sddl: do not write nested composites via 3be69fc3dce fuzzing: fuzz_sddl_parse forgives bad utf-8 via e4da279b1c0 util/str: helper to check for utf-8 validity via 65674cde60c libcli/security: conditional ACE sddl doesn't have string escapes via 310c25404b9 libcl/security: conditional ACE sddl >= ops take literal parens only via 5650b511c1f libcli/security/sddl_conditional_ace: ban empty expressions in SDDL via b3f92b475c3 lib/fuzzing: fuzz_sddl_parse: allow non-round-trip with long strings via a2e6df03112 add comment that ace_condition_composite is not representative of the wire format via 0ac979b2cc6 conditional_aces: Avoid manual parsing for ace_condition_unicode via 5f4197bfab5 libndr: Add support for pulling strings with LIBNDR_FLAG_STR_SIZE4|LIBNDR_FLAG_STR_NOTERM|LIBNDR_FLAG_STR_BYTESIZE via b9e90bae699 conditional_aces: Avoid manual parsing for ace_condition_int via ab531abc52f libcli/security: Check for sddl_from_conditional_ace() failure in test_sddl_conditional_ace via 03d63fb09b8 libcli/security: Make failure parsing where consumed == -1 clear via fe835fc3482 Make blob->data pointer in ace_sid_to_claim_v1_sid() a child of the DATA_BLOB via 793b86f4cbf conditional_aces: Avoid manual parsing for ace_condition_bytes, use DATA_BLOB via 94d1cfbd85b conditional_aces: Avoid manual parsing for ace_condition_sid via 1e45a4d10a5 libcli/security: access_check handles CALLBACK_OBJECT types via c5345f18d71 libcli/security: se_access_check uses new callback checks via 5d6f0927f54 libcli/security: sec_access_check_ds uses new callback ACE checks via 117d4c55006 libcli/security: access_check with MAXIMUM_ALLOWED checks callbacks via 588a339df7c libcli/security: adjust tests for evaluate_claims flag via e3f28c2ecf6 
libcli/security: Hook in ability to disable conditional ACE evaluation via c8c86b81036 s3-lib: Modify merge_nt_token() into a GPO-specifc merge with SYSTEM via d9e268db0cf python: Change the generic merge_nt_token() to being specific to the system_token via d027200a02e libgpo: Reimplmeent registry_create_system_token() using get_system_token() via dc7dc6f549b libcli/security: Rename dup_nt_token() -> security_token_duplicate() via 13d3c6156f9 libcli/security: Move dup_nt_token() to libcli/security via 4e8e35de7fe s3-winbind: Use token as parent for token->sids in check_info3_in_group() via 934b0335500 s3-net_rpc: Make the struct user_token array the parent talloc context via a8210ab1ae4 s3-net_rpc: Use security_token_initialise() to create struct security_token via e2cc29d132b libcli/security: Pass in claims evaluation state when building any security token via f1fcbc0f101 s4-auth: pass lp_ctx to auth_generate_session_info() where possible via 1223b89d818 docs-xml: Add new parameter "acl claims evaluation" via 5696f66d1dd librpc: Add context as to if this token should be used for claims evaluation via c9cf90aee86 s3-lib/util_nttoken: Reimplement dup_nt_token() with NDR pull/push via f8215ed3434 librpc/ndr_claims: avoid 'bin/default' in #include via 978a9e46bb6 pytest: conditional_ace assembler assembles full descriptor via 14492945429 libcli/security: beginning of tests for conditional ACE bytes via 15fe49a2f9b pytest: assembler for conditional ACEs via cc17c3e21df lib/fuzzing: adjust access-check seed patch via ea4caa45ab3 lib/fuzzing: fuzz_conditional_ace_blob via c6a62d69ca9 lib/fuzzing: adapt fuzz_sddl_access_check for claims via b7bd1f438be libcli/security: conditional ace access checks for file server via 327861dc1fc libcli/security: conditional ace access checks for AD via b65ac10096b pytest:conditional_ace_claims: ease export of failing tests to C via 30e6249d228 pytest: tests for conditional ACEs with security tokens via 044370a0e19 pytest: tools for 
creating security tokens via b7ae4304b14 libcli/security: cmocka test for running conditional ACEs via e2a4f20d409 libcli/security/conditional ACEs: compare composites as sets via 924d59fd82a security.idl: drop claim v1 reserved field via fabc2f351eb pytest: sddl tests with conditional ACEs via c13684e672f libcli/security/tests: add some test strings via 2a4fc3fedf4 pytest: sddl strings dir can be defined in class via 2f30103f922 pytest: sddl tests can be only externally defined via d7c0948d1a6 libcli/security: windows-sddl-test: fix read of text examples via ee386021706 libcli/security: windows-sddl-test: fix typo in --help via 28d23377741 pytest:security_descriptors: test collected conditional ACEs via a392b40328e pytest:security descriptors: hack to capture results as json via 901f77c5436 pytest: security descriptors: test some conditional and RA ACEs via 7b9462faf05 pytest: security_descriptors: tests without revision number hack via afec8524bcd libcli/security: use sec_object_ace() in size_security_ace via b6a665cc8e8 librpc/ndr:ndr_sec_helper: fix a typo via 63be8401201 pytest: security_descriptors test for repetitive ACLs via 5569c17741f pytest: security_descriptors comparison is quieter via 829d77b4a02 s4/librpc: build conditional ace Python bindings via 295c609f5a2 lib/fuzzing: fuzz SDDL conditional ACEs via e4865a3ba15 libcli/security: test SDDL compilation in cmocka via b08093ed9d2 lbcli/security: callback object ACES fall back with no GUID via 2923898e88d libcli/security/create_descriptor: calc_inherited handles new types via 1cc8888b549 libcli/security: SDDL: add callback and resource ace type flags via 3959fba37a7 libcli/security: sddl_encode_ace encodes resource attribute ACEs via ed52c9ed36b libcli/security: sddl_encode_ace encodes conditional ACEs via 6683d611e14 libcli/security: sdd_decode_ace handles resource attribute types via 84fa39722fe libcli/security: sdd_decode_ace handles callback types via e88ea32c21e libcli/security: add conditional ace 
files to samba-security via d6bd491efcb libcli:security: add code to interpret conditional ACES via 4b8e9e3f0ca libcli:security: add functions to decode and decode RA ACEs via 969cb79daef libcli/security: add conditional ACE SDDL functions via 6f588a1fc50 libcli:security: helpers for converting claim types via 94f0a1083a4 libcli:security: outline for sddl_conditional_ace.c via 140f7466a45 libcli/security: add stub of conditional ACE code. via 672fc0a1abb libcli/security: find SDDL coda for RA and conditional ACEs via cdd9424e4f3 libcli/security: whitespace repair in sddl.c via a8e3f5d33f6 ndr_sec_helper: ace length should be multiple of 4 via 5e1ed7b71f0 ndr_sec_helper: ndr_size_security_ace: do less work via df8eec384fe librpc:security.idl: add conditional ace coda via e8192dddf3b libcli/sec: reformat long line in wscript_build via 40d9b08db4b librpc:security.idl: ace->coda can be resource attribute via 498c4110173 libcli/security: callback object aces are object aces via 762646b5aaa libcli/security: use tabs in sec_ace_object() via e81e98c4854 libcli/security: helper to find ACEs with meaningful codas via 41e1b6957ae libcli/security: helper to find resource attribute ACEs via 617cfa0e965 libcli/security: helper to find callback/conditional aces via 34aa33a1a4f security.idl: use sec_ace_object() in object switch via 4ef7845b570 security.idl: extend security token with device SIDs from d7394a90f51 testparm: Allow idmap ranges overlap for idmap_nss
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 3b6c1f1a9c47d8d76a7cd946468c1c42e4fb097a Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Sep 22 16:29:51 2023 +1200 libcli/security: condtional ACE recursive composites are not supported We can't add them via SDDL on Windows, and they aren't useful for claims. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Wed Sep 27 00:41:26 UTC 2023 on atb-devel-224 commit 38247d39e1e98cab50d9911b0aa0ee4eb309114b Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Sep 22 16:31:36 2023 +1200 libcli/security: conditional ace sddl: do not read nested composites Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 96dbc71e137ea65df11d1a8cec089fde2d070ba6 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Sep 22 16:30:41 2023 +1200 libcli/security: conditional ace sddl: do not write nested composites Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 3be69fc3dcedee77d8eacf7cf82d0f33df2d42fe Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Sep 22 15:19:32 2023 +1200 fuzzing: fuzz_sddl_parse forgives bad utf-8 Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e4da279b1c06711c27e2aa1a4e36f35b674eaca4 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Jul 6 15:31:52 2023 +1200 util/str: helper to check for utf-8 validity 
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 65674cde60ca21d2f451f5e68f6b7cb7d1e339a4 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Sep 22 14:16:35 2023 +1200 libcli/security: conditional ACE sddl doesn't have string escapes Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 310c25404b92bf155f375070b1bb637b0f0d6bcf Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Sep 22 12:02:56 2023 +1200 libcl/security: conditional ACE sddl >= ops take literal parens only You can't do things like '(a == b) == (c < d)'. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 5650b511c1fb98106942ca2829bd4fcfdae4eca1 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Sep 22 12:53:42 2023 +1200 libcli/security/sddl_conditional_ace: ban empty expressions in SDDL The trouble is with expressions like "(!(()))", which boil down to a single NOT operation with no argument, which is invalid and can't be run or expressed as SDDL. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit b3f92b475c31bd2a4423c7531c62cc621bb102e6 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Sep 21 15:03:23 2023 +1200 lib/fuzzing: fuzz_sddl_parse: allow non-round-trip with long strings There is a borderline case where a conditional ACE unicode string becomes longer than the SDDL parser wants to handle when control characters are given canonical escaping. This can make the round trip fail, but it isn't really a problem. 
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a2e6df03112b31d671288a8db303dff37ecaa054 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Sep 21 16:08:52 2023 +1200 add comment that ace_condition_composite is not representative of the wire format Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit 0ac979b2cc67d178327f2171bfac40186c40c70c Author: Andrew Bartlett <abart...@samba.org> Date: Thu Sep 21 12:26:15 2023 +1200 conditional_aces: Avoid manual parsing for ace_condition_unicode A consequence of this is that we remove the confusing "length" from the IDL, as it was the internal UTF8 length, not a wire value. We use null terminated strings internally now. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit 5f4197bfab5e30c576b9e5c75720a9f8606686ba Author: Andrew Bartlett <abart...@samba.org> Date: Thu Sep 21 14:55:10 2023 +1200 libndr: Add support for pulling strings with LIBNDR_FLAG_STR_SIZE4|LIBNDR_FLAG_STR_NOTERM|LIBNDR_FLAG_STR_BYTESIZE Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit b9e90bae6993ab9d13853e9295f34eee7b469dc6 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Sep 21 12:03:27 2023 +1200 conditional_aces: Avoid manual parsing for ace_condition_int Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit ab531abc52f9fff5d27f18861603d1ebfc963bd1 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Sep 21 11:56:58 2023 +1200 libcli/security: Check for sddl_from_conditional_ace() failure in test_sddl_conditional_ace 
Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit 03d63fb09b8d4062f4a7f16e46941fbf2741b6a2 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Sep 21 11:56:25 2023 +1200 libcli/security: Make failure parsing where consumed == -1 clear This was caught by the next condition, but this is clearer. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit fe835fc348284f388446514ee5acc479bd36900d Author: Andrew Bartlett <abart...@samba.org> Date: Wed Sep 20 09:36:43 2023 +1200 Make blob->data pointer in ace_sid_to_claim_v1_sid() a child of the DATA_BLOB Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit 793b86f4cbfa763002246b6ff1cd1197622704ca Author: Andrew Bartlett <abart...@samba.org> Date: Thu Sep 21 12:55:53 2023 +1200 conditional_aces: Avoid manual parsing for ace_condition_bytes, use DATA_BLOB Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit 94d1cfbd85b60fc2f8495bd3c46377aa8564d074 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Sep 20 09:31:31 2023 +1200 conditional_aces: Avoid manual parsing for ace_condition_sid Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit 1e45a4d10a5c7b79ae73f6cf4173f9112cbade12 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Mon Sep 25 14:36:59 2023 +1300 libcli/security: access_check handles CALLBACK_OBJECT types These are treated like an object ACE type if the callback (i.e. the conditional ACE's condition) succeeds; otherwise they are ignored.
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c5345f18d710edff0a67144e2b539e18f1808ede Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Sep 20 17:35:18 2023 +1200 libcli/security: se_access_check uses new callback checks With the last caller of check_callback_ace_access() gone, so is that function. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 5d6f0927f5416c0bae057a2b5d0032bf4607e323 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Sep 13 17:24:57 2023 +1200 libcli/security: sec_access_check_ds uses new callback ACE checks 
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 117d4c55006da88c6117f9d4dfec8347bc589ea6 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Sep 13 17:25:52 2023 +1200 libcli/security: access_check with MAXIMUM_ALLOWED checks callbacks To help clarify the logic, we make new functions that separate the deny and allow cases, which helps keep track of what 'yes' and 'no' mean and which incorporate the logic of token->evaluate_claims handling, which determines when we want to run a conditional ACE, when we want to ignore it, and when we want to take offence. In the case when we decide to run it, we then need to decide whether to apply it or ignore it based on the result. This last bit differs between allow and deny aces, hence the two functions. These functions will replace check_callback_ace_access() over the next few commits. In the case where token->evaluate_claims is CLAIMS_EVALUATION_INVALID_STATE and the DACL contains a conditional ACE, the maximum allowed is 0, as if it were a "deny everything" ACE: a token whose claims-evaluation state is unknown fails closed rather than having the conditional ACE silently skipped. This is an unexpected case. Most likely the evaluate_claims state will be NEVER or ALWAYS. In the NEVER case the conditional ACE is skipped, as would have happened in all cases before 4.20, while in the ALWAYS case the conditional ACE is run and applied if successful. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 588a339df7c178741ffdc0e5ecffc0e21c8118ba Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Sep 20 10:30:23 2023 +1200 libcli/security: adjust tests for evaluate_claims flag Most tests were prepared in advance, but we left these ones to test the change.
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e3f28c2ecf6a8cd335d21e1dbf8d247520de2177 Author: Andrew Bartlett <abart...@samba.org> Date: Fri Sep 15 12:36:56 2023 +1200 libcli/security: Hook in ability to disable conditional ACE evaluation Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit c8c86b81036f5f1b38264b3120e04d4f80e8f3a0 Author: Andrew Bartlett <abart...@samba.org> Date: Fri Sep 15 12:08:20 2023 +1200 s3-lib: Modify merge_nt_token() into a GPO-specifc merge with SYSTEM By making this specific to the only use case, merging with the SYSTEM token for GPOs, we avoid having to merge the claims, as there are none for SYSTEM. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit d9e268db0cf3c605aad25cd3b3c065afc6b993b5 Author: Andrew Bartlett <abart...@samba.org> Date: Fri Sep 15 12:07:25 2023 +1200 python: Change the generic merge_nt_token() to being specific to the system_token This allows us to punt on the question of merging the claims, as there are none on the system token. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit d027200a02e07c6a80e5bf3854af836d10b01b7d Author: Andrew Bartlett <abart...@samba.org> Date: Fri Sep 15 10:52:51 2023 +1200 libgpo: Reimplmeent registry_create_system_token() using get_system_token() This helps ensure we have a smaller number of places that a struct security_token starts from. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit dc7dc6f549b8e3df31d3b5c92d6cca4a0152d8f1 Author: Andrew Bartlett <abart...@samba.org> Date: Fri Sep 15 10:08:01 2023 +1200 libcli/security: Rename dup_nt_token() -> security_token_duplicate() 
Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit 13d3c6156f9f17d433f96dca9124d10187aac874 Author: Andrew Bartlett <abart...@samba.org> Date: Fri Sep 15 17:31:44 2023 +1200 libcli/security: Move dup_nt_token() to libcli/security Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit 4e8e35de7fe18495604744cbfcb922121c42a257 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Sep 27 09:42:55 2023 +1300 s3-winbind: Use token as parent for token->sids in check_info3_in_group() Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit 934b033550038ee84befff005946c3fa11b6b5cf Author: Andrew Bartlett <abart...@samba.org> Date: Wed Sep 27 09:35:19 2023 +1300 s3-net_rpc: Make the struct user_token array the parent talloc context Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit a8210ab1ae4639723b666c494c17a59bc8fe601f Author: Andrew Bartlett <abart...@samba.org> Date: Wed Sep 27 08:39:04 2023 +1300 s3-net_rpc: Use security_token_initialise() to create struct security_token This ensures that the full structure is initialised now and in the future. Because this is now a talloc based structure, we can now use add_sid_to_array_unique() rather than a reimplementation in this file. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit e2cc29d132b9f99417e8a522c97571438ca51e5a Author: Andrew Bartlett <abart...@samba.org> Date: Thu Sep 14 22:09:50 2023 +1200 libcli/security: Pass in claims evaluation state when building any security token 
Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit f1fcbc0f101993c6e461d56446f4bca6b672905f Author: Andrew Bartlett <abart...@samba.org> Date: Fri Sep 15 10:28:34 2023 +1200 s4-auth: pass lp_ctx to auth_generate_session_info() where possible For non-testing callers of auth_generate_session_info(), passing lp_ctx will allow us to correctly set a flag indicating if claims should be evaluated. For test-only callers, the default still allows the SID list to be inspected safely. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit 1223b89d81892ead52267a31afea40f14c4f2a09 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Sep 14 21:20:39 2023 +1200 docs-xml: Add new parameter "acl claims evaluation" Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit 5696f66d1dd2a5c46e336ff7029aac687b88cdf7 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Sep 14 21:04:34 2023 +1200 librpc: Add context as to if this token should be used for claims evaluation Claims evaluation is added to the core se_access_check() library, but not all callers provide claims in the security_token and we want to be able to disable this new and complex code if needed. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit c9cf90aee864d8131dc386d61f3e35602c2ed63c Author: Andrew Bartlett <abart...@samba.org> Date: Thu Sep 14 18:24:36 2023 +1200 s3-lib/util_nttoken: Reimplement dup_nt_token() with NDR pull/push The struct security_token can now contain complex claims as well as SIDs, so we can no longer just duplicate it by hand. Instead let PIDL and libndr do the hard work for us.
Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit f8215ed3434cee9107fb8e58d67bd7e36bbf2a73 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Sep 13 11:31:55 2023 +1200 librpc/ndr_claims: avoid 'bin/default' in #include Obviously it works fine, but we don't do it anywhere else. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 978a9e46bb624aa8e6d13ca589d3c99b438328be Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Sep 15 15:24:20 2023 +1200 pytest: conditional_ace assembler assembles full descriptor Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 144929454293aac034e80ff8204ac76205f0ead1 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Sep 13 15:12:52 2023 +1200 libcli/security: beginning of tests for conditional ACE bytes Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 15fe49a2f9ba006f298616ff7376a7bb4cb4178e Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Mon Sep 4 10:11:51 2023 +1200 pytest: assembler for conditional ACEs This is a helper module to construct conditional ACEs that can't be created from SDDL. There is a semi-infinite number of valid conditional ACEs that don't have SDDL representations, and an even larger number of invalid (or borderline invalid) ACEs. This allows us to create those ACEs without having to deal with too many arrays of numbers. The next commit provides an example of its use.
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit cc17c3e21dfc88f5344696b53686b233f4419c28 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Jul 21 10:51:29 2023 +1200 lib/fuzzing: adjust access-check seed patch Now that access_check.c includes headers for conditional ACEs, the patch should take that into account. Also, we check for a talloc failure. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit ea4caa45ab3c76c47b965df913e1286367a0d07f Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Jun 29 15:15:08 2023 +1200 lib/fuzzing: fuzz_conditional_ace_blob This parses the blob as a conditional ACE, and if possible tries decompiling it into SDDL. There are not many round-trip assertions we can honestly make, but we keep the trip going as long as possible, in case it reveals anything. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c6a62d69ca9dfef2062e0ce1df0c003cafc4e4ce Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Jul 12 13:03:53 2023 +1200 lib/fuzzing: adapt fuzz_sddl_access_check for claims The token has more stuff in it. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit b7bd1f438bef450dec891d6cab672d689e8c555f Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Sep 13 17:25:34 2023 +1200 libcli/security: conditional ace access checks for file server Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 327861dc1fce1c1cd1b7046ef2aab86d30fc9f5d Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Jun 29 15:15:43 2023 +1200 libcli/security: conditional ace access checks for AD 
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit b65ac10096be77db572526110f378a4edc38cb35 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Aug 23 15:23:29 2023 +1200 pytest:conditional_ace_claims: ease export of failing tests to C When a test fails, this prints a little stanza like static void test_something(void **state) { INIT(); USER_SIDS("WD", "AA"); DEVICE_SIDS("BA", "BG"); SD("D:(XA;;0x1f;;;AA;(! Member_of{SID(AA)}))"); DENY_CHECK(0x10); } which is exactly right for copying into libcli/security/tests/test_run_conditional_ace.c which is much easier to iterate over with compiling and debugging. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 30e6249d228dd2c499038e512c8065edb99c53f5 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Aug 24 13:44:17 2023 +1200 pytest: tests for conditional ACEs with security tokens Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 044370a0e193d95722d975555ab216ea42c8e639 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Jul 12 17:22:24 2023 +1200 pytest: tools for creating security tokens Sometimes we need security tokens for tests, and the raw constructor is not very ergonomic. This wraps it so you can do this: from samba.tests.token_factory import token as Token t = Token(['WD', 'AA'], privileges=['SEC_PRIV_DEBUG'], rights=0x840, device_claims={'wheels': 2, 'smelly': 'no'}, device_sids=['BG']) and get a security.token object with the expected qualities. 
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit b7ae4304b14648112bc199e571abdacb19e84cea Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Jul 12 17:21:22 2023 +1200 libcli/security: cmocka test for running conditional ACEs Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e2a4f20d40909efea2421c7ab3b714f005639b7d Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Sep 13 10:21:49 2023 +1200 libcli/security/conditional ACEs: compare composites as sets ... or at least settishly. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 924d59fd82abf3694da67b0b6714a130c81f8459 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Tue Sep 12 13:51:37 2023 +1200 security.idl: drop claim v1 reserved field It isn't used and ended up filled with junk. The alignment works out. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit fabc2f351ebde9986c75316dcf0a7376b9eefe6a Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Aug 24 13:44:41 2023 +1200 pytest: sddl tests with conditional ACEs Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c13684e672f356b02aba85fca2e5625f0650afc4 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Sep 7 15:38:07 2023 +1200 libcli/security/tests: add some test strings These will soon be used by python/samba/tests/sddl_conditional_ace.py, and are a format understood by the Windows programs in libcli/security/tests/windows. 
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 2a4fc3fedf46faa78063de3de6841936cc24720e Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Sep 7 15:27:21 2023 +1200 pytest: sddl strings dir can be defined in class Before we had to do this in an environment variable. In that case we are probably wanting to monitor changes, so we like it to print more messages than we want to see in an autobuild run that will hopefully never do anything interesting. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 2f30103f922e755901132600cc8ea6924df0e75c Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Sep 7 11:19:21 2023 +1200 pytest: sddl tests can be only externally defined Currently a test suite needs a strings list in order to import new strings. This lets us avoid that and have the actual tests defined only in external lists, making it easier to see we're testing the same thing on Windows and reducing duplication. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit d7c0948d1a6d14a65da638c5f58e7627aaa204e9 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Tue Sep 12 11:55:55 2023 +1200 libcli/security: windows-sddl-test: fix read of text examples Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit ee386021706fe7410864c2afd8c7f690393fc90f Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Sep 7 14:38:49 2023 +1200 libcli/security: windows-sddl-test: fix typo in --help found by Rob van der Linde. 
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 28d23377741562468f283ff752fdb7efe54848b7 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Sep 6 11:51:15 2023 +1200 pytest:security_descriptors: test collected conditional ACEs These tests were named in the superclass, but were not actually run, nor was the file in git. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a392b40328e7e5aae339c89da898ee78dc166e4c Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Tue Sep 5 11:27:33 2023 +1200 pytest:security descriptors: hack to capture results as json This makes it easy to separate a large number of examples into successes and knownfails. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 901f77c54369125734371e02d6ab837406995723 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Tue Sep 5 11:27:00 2023 +1200 pytest: security descriptors: test some conditional and RA ACEs We have two sets of tests: one that will succeed, and one that is going to remain a knownfail. The latter involves Resource Attribute ACEs that have the TX type, meaning "byte string". In MS-DTYP, a bytestring is defined like "#6869210a", with a hash, followed by an even number of hex digits. In other places on the web, it is mentioned that zeroes in the string can be replaced by hashes, like so "#686921#a". We discover via indirect fuzzing that a TX RA ACE can also take bare integers, like "6869210a" or "2023". As it would be tricky to support this, and there is no evidence of this occurring in the wild, we will probably leave this as a knownfail. 
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 7b9462faf05e1235d0a09dbf061ea65cf22e5c12 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Aug 9 14:15:27 2023 +1200 pytest: security_descriptors: tests without revision number hack ACL revision 4 (SECURITY_ACL_REVISION_ADS) is effectively a superset of revision 2 (SECURITY_ACL_REVISION_NT4), so any revision 2 ACL can be called revision 4 without any problem. But not vice versa: a revision 4 ACL can contain ACE types that a revision 2 ACL can't. The extra ACE types relate to objects. Samba currently simplifies things by calling all its ACLs revision 4, even if (as is commonly the case) the ACLs contain only revision 2 ACEs. On the other hand, Windows will use revision 2 whenever it can. In other tests we skip past this by forcing Windows ACLs to v4 before comparison. This test is to remind us of the incompatibility. It would not be hard to fix. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit afec8524bcd39ca3a2a8465fd9d95522c902243c Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Aug 23 11:25:41 2023 +1200 libcli/security: use sec_object_ace() in size_security_ace Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit b6a665cc8e8bcc771df513ce005a04fe5f03a441 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Aug 23 11:24:46 2023 +1200 librpc/ndr:ndr_sec_helper: fix a typo 
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 63be840120157e4587465f5435aa7829762e34bf Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Tue Sep 5 10:56:43 2023 +1200 pytest: security_descriptors test for repetitive ACLs If there are multiple identical ACEs in an SDDL ACL, Windows will decode them all and put extra trailing zeroes at the end of the ACL. In contrast, Samba will decode the ACEs and not put extra zeroes at the end. The problem comes when Samba tries to read a binary ACL from Windows that has the extra zeroes, because Samba's ACL size calculation is based on the size of its constituent ACEs, not the ACL size field. There is no good reason for an ACL to have repeated ACEs, but they could be added accidentally. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 5569c17741f1e06d267d40a345709566bcef62f2 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Aug 9 14:15:27 2023 +1200 pytest: security_descriptors comparison is quieter This matters when we have millions of failures. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 829d77b4a029b622ed0fef317150df98d112e05e Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Jun 29 15:13:58 2023 +1200 s4/librpc: build conditional ace Python bindings Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 295c609f5a25f20f01abe9321c5c6a75df6ed21b Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Jun 29 15:15:23 2023 +1200 lib/fuzzing: fuzz SDDL conditional ACEs Here we're not compiling the whole SD, just the single conditional ACE. 
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e4865a3ba156124c111956b94abbc05d6da41f4c Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Jul 12 17:24:33 2023 +1200 libcli/security: test SDDL compilation in cmocka Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit b08093ed9d25c2ad6f0b253c19be970214ec78c1 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Sep 20 11:12:42 2023 +1200 lbcli/security: callback object ACES fall back with no GUID As with other object ACEs, if there is not a GUID to refer to the ACE becomes the corresponding non-object ACE. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 2923898e88d5baa7cd056f75e7c7333b70197d2f Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Jul 21 14:36:20 2023 +1200 libcli/security/create_descriptor: calc_inherited handles new types *_CALLBACK_OBJECT types inherit like other _OBJECT types. *_CALLBACK types do nothing, like other non-OBJECT types. We also explicitly throw unused alarm callback types and SEC_ACE_TYPE_SYSTEM_MANDATORY_LABEL and SEC_ACE_TYPE_SYSTEM_SCOPED_POLICY_ID into the fire. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 1cc8888b549b55568e54a43715c178fab571e43c Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Jul 21 17:00:50 2023 +1200 libcli/security: SDDL: add callback and resource ace type flags With this, Conditional ACEs and Resource Attribute ACEs in SDDL will be parsed. 
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 3959fba37a7f068be26aa626825bdc7db9f49c6f Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Jul 21 16:53:45 2023 +1200 libcli/security: sddl_encode_ace encodes resource attribute ACEs Will work when the ace_flags table is updated. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit ed52c9ed36b076102f0e59b21a365d9908e51694 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Jul 21 16:53:08 2023 +1200 libcli/security: sddl_encode_ace encodes conditional ACEs Will work when the ace_flags table is updated. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 6683d611e14b358f2cbb2c5f4576cd780e07993f Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Aug 24 16:10:35 2023 +1200 libcli/security: sdd_decode_ace handles resource attribute types The decoding will not happen until "RA" is added to the ace_types table. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 84fa39722fe653759cb7402af482b4ae099b2d3e Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Aug 24 15:12:01 2023 +1200 libcli/security: sdd_decode_ace handles callback types Conditional ACEs will not actually be decoded until the CALLBACK types are added to the ace_types flag table. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e88ea32c21e251e6460b1774b6382226504be6db Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Aug 17 16:39:46 2023 +1200 libcli/security: add conditional ace files to samba-security 
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit d6bd491efcb4ebb90259d9770eca67e8ec6f91ce Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Sep 6 15:10:37 2023 +1200 libcli:security: add code to interpret conditional ACES This doesn't actually *do* anything yet, for two reasons: 1. conditional ACEs are not checked in the libcli/security/access_check.c functions (or anywhere else), and will be treated just as they are now, as unknown types. 2. this file isn't mentioned in the wscript, so it isn't compiled. We'll get to point 2 first. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 4b8e9e3f0ca1295ea177523fd8f0b97679c8a729 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Sep 6 15:51:23 2023 +1200 libcli:security: add functions to decode and decode RA ACEs Resource Attribute ACEs have similar syntactical components to conditional ACEs -- enough so that it is worth reusing the same functions, but not quite enough so that it is exactly simple. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 969cb79daef7ba40240a5bdf51351bcacf3584a4 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Sep 6 15:50:43 2023 +1200 libcli/security: add conditional ACE SDDL functions 
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 6f588a1fc50cd947ff18aeefade17527850b2275 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Jun 29 15:16:20 2023 +1200 libcli:security: helpers for converting claim types There are three different forms for claims, and we need to convert between them. For now, we are only going to be converting between conditional ACE type and the CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 type used by resource ACEs and in the security token, and later we will add the PAC claim types. It doesn't help that these all have incompatible definitions, but we do our best. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 94f0a1083a411d3733919d899386fbb5feed1a63 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Jul 12 17:21:06 2023 +1200 libcli:security: outline for sddl_conditional_ace.c This is to show where we're going to end up. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 140f7466a457607dce2156e0de695cf31d7a3236 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Jul 12 17:20:44 2023 +1200 libcli/security: add stub of conditional ACE code. This is just the outline of what will come, but first we'll add conditional ACE SDDL decoding in sddl_conditional_ace.c Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 672fc0a1abbf65eca63337e75296a828c79aaabf Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Aug 24 15:08:13 2023 +1200 libcli/security: find SDDL coda for RA and conditional ACEs 
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit cdd9424e4f3ad161ec138f334a6e86761820a077 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Jul 21 16:51:53 2023 +1200 libcli/security: whitespace repair in sddl.c tabs not spaces. It appears that my emacs got its configuration mixed up and was using spaces. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a8e3f5d33f6e0b9d4d98d7a2753217f924d1cb2b Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Aug 30 12:14:14 2023 +1200 ndr_sec_helper: ace length should be multiple of 4 Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 5e1ed7b71f0643210e04fe5f15debc1a551a5576 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Aug 17 10:46:23 2023 +1200 ndr_sec_helper: ndr_size_security_ace: do less work Almost always the ACE has an `ignored` DATA_BLOB as the coda, and the length of the coda is the length field of the blob, which is usually zero. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit df8eec384fe3fa36249ac28f99787e3387eb9063 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Aug 23 12:09:11 2023 +1200 librpc:security.idl: add conditional ace coda Conditional ACEs go into a DATA_BLOB just like the default ignored coda, but we add a union field with a different name to preserve sanity. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e8192dddf3bb72d0e12dd391650e1b62608371f5 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Jan 4 15:56:05 2023 +1300 libcli/sec: reformat long line in wscript_build 
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 40d9b08db4ba4ede58f034abab2c35280e549d22 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Aug 23 12:08:41 2023 +1200 librpc:security.idl: ace->coda can be resource attribute And now we see why security_ace_coda was a union. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 498c41101732bd0dd8c15952327798bcc6e236a5 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Sun Jun 4 11:43:57 2023 +1200 libcli/security: callback object aces are object aces Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 762646b5aaaa0e4b916cd5df6bd133d69772a8f5 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Sun Jun 4 11:43:13 2023 +1200 libcli/security: use tabs in sec_ace_object() Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e81e98c485479f4558c53cc0b7c9f2e31d6b1c67 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Aug 23 12:47:53 2023 +1200 libcli/security: helper to find ACEs with meaningful codas Only Resource Attribute ACEs and Conditional ACEs are expected to have trailing data. Others sometimes might, but we don't care what it is. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 41e1b6957ae3aee07fa3abc18237d353bafb92e5 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Aug 23 12:44:26 2023 +1200 libcli/security: helper to find resource attribute ACEs 
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 617cfa0e96539d2188b69f14c38246d7ad267c30 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Dec 9 11:42:38 2022 +1300 libcli/security: helper to find callback/conditional aces Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 34aa33a1a4f92546d8dd3cddc743b80ae03dab9c Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Aug 23 12:05:45 2023 +1200 security.idl: use sec_ace_object() in object switch At some point sec_ace_object() is going to gain awareness of SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT and the like. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 4ef7845b5709e25583f6cebcb432bc108cf5c735 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Aug 24 11:58:05 2023 +1200 security.idl: extend security token with device SIDs A device has SIDs too, and a modern security token needs to know them in order to interpret conditional expressions like "Device_member_of". 
Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: .../smbdotconf/security/aclclaimsevaluation.xml | 42 + lib/fuzzing/fuzz_conditional_ace_blob.c | 144 + lib/fuzzing/fuzz_sddl_access_check.c | 82 +- lib/fuzzing/fuzz_sddl_conditional_ace.c | 119 + lib/fuzzing/fuzz_sddl_parse.c | 45 + lib/fuzzing/patches/collect-access-check-seeds.txt | 27 +- lib/fuzzing/wscript_build | 5 + lib/param/loadparm.c | 4 + lib/param/loadparm.h | 6 + lib/param/param_table.c | 6 + lib/util/charset/charset.h | 5 + lib/util/charset/util_unistr.c | 121 + lib/util/data_blob.c | 1 + libcli/security/access_check.c | 288 +- libcli/security/claims-conversions.c | 667 ++++ .../security/claims-conversions.h | 32 +- libcli/security/conditional_ace.c | 2165 +++++++++++++ libcli/security/conditional_ace.h | 91 + libcli/security/create_descriptor.c | 31 +- libcli/security/sddl.c | 242 +- libcli/security/sddl_conditional_ace.c | 3340 ++++++++++++++++++++ libcli/security/secace.c | 54 +- libcli/security/secace.h | 3 + libcli/security/security_token.c | 63 +- libcli/security/security_token.h | 5 +- libcli/security/tests/data/conditional_aces.txt | 83 + .../security/tests/data/conditional_aces.txt.json | 1 + .../data/conditional_aces_case_insensitive.txt | 1 + .../tests/data/conditional_aces_should_fail.txt | 14 + .../tests/data/conditional_aces_windows_only.txt | 14 + libcli/security/tests/data/oversize-acls.json.gz | Bin 0 -> 2676 bytes ...conditional-and-resource-aces-successes.json.gz | Bin 0 -> 17815 bytes ...rt-conditional-and-resource-aces-tx-int.json.gz | Bin 0 -> 2183 bytes .../tests/data/short-ordinary-acls-v2.json.gz | Bin 0 -> 7223 bytes libcli/security/tests/test_run_conditional_ace.c | 668 ++++ libcli/security/tests/test_sddl_conditional_ace.c | 880 ++++++ .../tests/windows/conditional_aces.txt.json | 1 + 
.../security/tests/windows/windows-sddl-tests.py | 3 +- libcli/security/wscript_build | 41 +- libgpo/gpo_reg.c | 18 +- libgpo/gpo_util.c | 4 +- librpc/idl/conditional_ace.idl | 24 +- librpc/idl/security.idl | 44 +- librpc/ndr/ndr_claims.c | 2 +- librpc/ndr/ndr_sec_helper.c | 31 +- librpc/ndr/ndr_string.c | 6 + librpc/wscript_build | 5 + python/samba/gp/gpclass.py | 13 +- python/samba/tests/conditional_ace_assembler.py | 227 ++ python/samba/tests/conditional_ace_bytes.py | 98 + python/samba/tests/conditional_ace_claims.py | 397 +++ python/samba/tests/sddl.py | 27 +- python/samba/tests/sddl_conditional_ace.py | 52 + python/samba/tests/security_descriptors.py | 90 +- python/samba/tests/token_factory.py | 239 ++ selftest/knownfail.d/security-descriptors | 3 + selftest/tests.py | 6 + source3/auth/token_util.c | 27 +- source3/include/proto.h | 8 +- source3/lib/util_nttoken.c | 50 +- source3/locking/locking.c | 4 +- source3/param/loadparm.c | 2 + source3/registry/reg_api.c | 2 +- source3/smbd/sec_ctx.c | 6 +- source3/utils/net_rpc.c | 116 +- source3/utils/ntlm_auth.c | 16 +- source3/winbindd/winbindd_pam.c | 10 +- source4/auth/system_session.c | 6 +- source4/dns_server/dlz_bind9.c | 2 +- source4/dsdb/samdb/samdb.c | 27 +- source4/librpc/ndr/py_security.c | 13 +- source4/librpc/wscript_build | 8 + source4/selftest/tests.py | 9 + 73 files changed, 10593 insertions(+), 293 deletions(-) create mode 100644 docs-xml/smbdotconf/security/aclclaimsevaluation.xml create mode 100644 lib/fuzzing/fuzz_conditional_ace_blob.c create mode 100644 lib/fuzzing/fuzz_sddl_conditional_ace.c create mode 100644 libcli/security/claims-conversions.c copy source3/lib/smbconf/smbconf_reg.h => libcli/security/claims-conversions.h (52%) create mode 100644 libcli/security/conditional_ace.c create mode 100644 libcli/security/conditional_ace.h create mode 100644 libcli/security/sddl_conditional_ace.c create mode 100644 libcli/security/tests/data/conditional_aces.txt create mode 100644 
libcli/security/tests/data/conditional_aces.txt.json create mode 100644 libcli/security/tests/data/conditional_aces_case_insensitive.txt create mode 100644 libcli/security/tests/data/conditional_aces_should_fail.txt create mode 100644 libcli/security/tests/data/conditional_aces_windows_only.txt create mode 100644 libcli/security/tests/data/oversize-acls.json.gz create mode 100644 libcli/security/tests/data/short-conditional-and-resource-aces-successes.json.gz create mode 100644 libcli/security/tests/data/short-conditional-and-resource-aces-tx-int.json.gz create mode 100644 libcli/security/tests/data/short-ordinary-acls-v2.json.gz create mode 100644 libcli/security/tests/test_run_conditional_ace.c create mode 100644 libcli/security/tests/test_sddl_conditional_ace.c create mode 100644 libcli/security/tests/windows/conditional_aces.txt.json create mode 100644 python/samba/tests/conditional_ace_assembler.py create mode 100644 python/samba/tests/conditional_ace_bytes.py create mode 100644 python/samba/tests/conditional_ace_claims.py create mode 100644 python/samba/tests/sddl_conditional_ace.py create mode 100644 python/samba/tests/token_factory.py Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/security/aclclaimsevaluation.xml b/docs-xml/smbdotconf/security/aclclaimsevaluation.xml new file mode 100644 index 00000000000..ab72617facd --- /dev/null +++ b/docs-xml/smbdotconf/security/aclclaimsevaluation.xml 
@@ -0,0 +1,42 @@
+<samba:parameter name="acl claims evaluation"
+ context="G"
+ type="enum"
+ enumlist="enum_acl_claims_evaluation"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls the way Samba handles evaluation of
+ security descriptors in Samba, with regards to Active
+ Directory Claims. AD Claims, introduced with Windows 2012,
+ are essentially administrator-defined key-value pairs that can
+ be set both in Active Directory (communicated via the Kerberos
+ PAC) and in the security descriptor themselves.
+ </para>
+
+ <para>Active Directory claims are new with Samba 4.20.
+ Because the claims are evaluated against a very flexible
+ expression language within the security descriptor, this option provides a mechanism
+ to disable this logic if required by the administrator.</para>
+
+ <para>This default behaviour is that claims evaluation is
+ enabled in the AD DC only. Additionally, claims evaluation on
+ the AD DC is only enabled if the DC functional level
+ is 2012 or later. See <smbconfoption name="ad dc functional
+ level"/>.</para>
+
+ <para>Possible values are :</para>
+ <itemizedlist>
+ <listitem>
+ <para><constant>AD DC only</constant>: Enabled for the Samba AD
+ DC (for DC functional level 2012 or higher).</para>
+ </listitem>
+ <listitem>
+ <para><constant>never</constant>: Disabled in all cases.
+ This option disables some but not all of the
+ Authentication Policies and Authentication Policy Silos features of
+ the Windows 2012R2 functional level in the AD DC.</para>
+ </listitem>
+ </itemizedlist>
+</description>
+
+<value type="default">AD DC only</value>
+</samba:parameter>
diff --git a/lib/fuzzing/fuzz_conditional_ace_blob.c b/lib/fuzzing/fuzz_conditional_ace_blob.c
new file mode 100644
index 00000000000..aed1cd37c73
--- /dev/null
+++ b/lib/fuzzing/fuzz_conditional_ace_blob.c
@@ -0,0 +1,144 @@
+/*
+ Fuzz conditional ace decoding and encoding
+ Copyright (C) Catalyst IT 2023
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "replace.h"
+#include "libcli/security/security.h"
+#include "lib/util/attr.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/conditional_ace.h"
+#include "librpc/gen_ndr/conditional_ace.h"
+#include "fuzzing/fuzzing.h"
+
+
+#define MAX_LENGTH (1024 * 1024 - 1)
+
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+ return 0;
+}
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
+{
+ TALLOC_CTX *mem_ctx = NULL;
+ bool ok;
+ struct ace_condition_script *s1 = NULL;
+ struct ace_condition_script *s2 = NULL;
+ const char *message = NULL;
+ size_t message_offset;
+ const char *sddl = NULL;
+ DATA_BLOB e1, e2;
+ size_t length;
+
+ if (len > MAX_LENGTH) {
+ return 0;
+ }
+
+ /*
+ * In this one we are treating the input data as an ACE blob,
+ * and decoding it into the structure and thence SDDL.
+ *
+ * This doesn't run the conditional ACE, for which we would
+ * need a security token.
+ */
+
+ e1.data = input;
+ e1.length = len;
+
+ mem_ctx = talloc_new(NULL);
+
+ s1 = parse_conditional_ace(mem_ctx, e1);
+ if (s1 == NULL) {
+ /* no worries, it was nonsense */
+ TALLOC_FREE(mem_ctx);
+ return 0;
+ }
+
+ /* back to blob form */
+ ok = conditional_ace_encode_binary(mem_ctx, s1, &e2);
+ if (! ok) {
+ abort();
+ }
+
+ if (data_blob_cmp(&e1, &e2) != 0) {
+ abort();
+ }
+
+ sddl = sddl_from_conditional_ace(mem_ctx, s1);
+ if (sddl == NULL) {
+ /*
+ * we can't call this a failure, because the blob
+ * could easily have nonsensical programs that the
+ * SDDL decompiler is unwilling to countenance. For
+ * example, it could have an operator that requires
+ * arguments as the first token, when of course the
+ * arguments need to come first.
+ */
+ TALLOC_FREE(mem_ctx);
+ return 0;
+ }
+
+ s2 = ace_conditions_compile_sddl(mem_ctx,
+ sddl,
+ &message,
+ &message_offset,
+ &length);
+ if (s2 == NULL) {
+ /*
+ * We also don't complain when the SDDL decompiler
+ * produces an uncompilable program, because the
+ * decompiler is meant to be a display tool, not a
+ * verifier in itself.
+ */
+ TALLOC_FREE(mem_ctx);
+ return 0;
+ }
+
+ ok = conditional_ace_encode_binary(mem_ctx, s2, &e2);
+ if (! ok) {
+ abort();
+ }
+
+ /*
+ * It would be nice here to go:
+ *
+ * if (data_blob_cmp(&e1, &e2) != 0) {
+ * abort();
+ * }
+ *
+ * but that isn't really fair. The docompilation into SDDL
+ * does not make thorough sanity checks because that is not
+ * its job -- it is just trying to depict what is there -- and
+ * there are many ambiguous decompilations.
+ *
+ * For example, a blob with a single literal integer token,
+ * say 42, can only really be shown in the SDDL syntax as
+ * "(42)", but when the compiler reads that it knows that a
+ * literal number is invalid except in a RHS argument, so it
+ * assumes "42" is a local attribute name.
+ *
+ * Even if the decompiler was a perfect verifier, a round trip
+ * through SDDL could not be guaranteed because, for example,
+ * an 8 bit integer can only be displayed in SDDL in the form
+ * that compiles to a 64 bit integer.
+ */
+
+ TALLOC_FREE(mem_ctx);
+ return 0;
+}
diff --git a/lib/fuzzing/fuzz_sddl_access_check.c b/lib/fuzzing/fuzz_sddl_access_check.c
index 3d9ebdc6111..a7bf7b306ab 100644
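Review bot: `e1.data = input;` in LLVMFuzzerTestOneInput stores a `const uint8_t *` into the non-const `data` member of DATA_BLOB, which silently discards the qualifier (a -Wdiscarded-qualifiers warning under the usual flags) and hides the fact that the blob now aliases read-only fuzzer input. Building the blob with the helper that exists for this case, `e1 = data_blob_const(input, len);`, keeps the cast explicit and in one place. `mem_ctx = talloc_new(NULL);` is also used unchecked while every other failure in the function aborts, so `if (mem_ctx == NULL) { abort(); }` would be consistent; the same unchecked talloc_new appears in the fuzz_sddl_conditional_ace.c hunk below.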
--- a/lib/fuzzing/fuzz_sddl_access_check.c
+++ b/lib/fuzzing/fuzz_sddl_access_check.c
@@ -18,8 +18,11 @@
 #include "replace.h"
 #include "libcli/security/security.h"
+#include "libcli/security/conditional_ace.h"
+#include "libcli/security/claims-conversions.h"
 #include "lib/util/attr.h"
 #include "librpc/gen_ndr/ndr_security.h"
+#include "librpc/gen_ndr/ndr_conditional_ace.h"
 #include "lib/util/bytearray.h"
 #include "fuzzing/fuzzing.h"
@@ -29,21 +32,55 @@ static struct security_token token = {0};
 static struct dom_sid dom_sid = {0};
 /*
- * For this one we initialise a security token to have a few SIDs. The fuzz
- * strings contain SDDL that will be tested against this token in
- * se_access_check() or sec_access_check_ds() -- supposing they compile.
- *
- * When we introduce conditional ACEs and claims (soon!), we'll also add some
- * claims and device SIDs to the token.
+ * For this one we initialise a security token to have a few claims
+ * and SIDs. The fuzz strings contain SDDL that will be tested against
+ * this token in se_access_check() or sec_access_check_ds() --
+ * supposing they compile.
 */
 int LLVMFuzzerInitialize(int *argc, char ***argv)
 {
 size_t i;
- bool ok;
 TALLOC_CTX *mem_ctx = talloc_new(NULL);
 struct dom_sid *sid = NULL;
+ struct claim_def {
+ const char *type;
+ const char *name;
+ const char *claim_sddl;
+ } claims[] = {
+ {
+ "user",
+ "shoe size",
+ "44"
+ },
+ {
+ "user",
+ "©",
+ "{\"unknown\", \"\", \" ←ā\"}"
+ },
+ {
+ "device",
+ "©",
+ "{\"unknown\", \" \", \" ←ā\"}"
+ },
+ {
+ "device",
+ "least favourite groups",
+ "{SID(S-1-1-0),SID(S-1-5-3),SID(S-1-57777-333-33-33-2)}"
+ },
+ {
+ "local",
+ "birds",
+ "{\"tern\"}"
+ },
+ };
+
+ const char * device_sids[] = {
+ "S-1-1-0",
+ "S-1-333-66",
+ "S-1-2-3-4-5-6-7-8-9",
+ };
 const char * user_sids[] = {
 "S-1-333-66",
 "S-1-16-8448",
@@ -51,7 +88,7 @@ int LLVMFuzzerInitialize(int *argc, char ***argv)
 };
 for (i = 0; i < ARRAY_SIZE(user_sids); i++) {
- sid = dom_sid_parse_talloc(mem_ctx, user_sids[i]);
+ sid = sddl_decode_sid(mem_ctx, &user_sids[i], NULL);
 if (sid == NULL) {
 abort();
 }
@@ -59,6 +96,32 @@ int LLVMFuzzerInitialize(int *argc, char ***argv)
 &token.sids,
 &token.num_sids);
 }
+
+ for (i = 0; i < ARRAY_SIZE(device_sids); i++) {
+ sid = sddl_decode_sid(mem_ctx, &device_sids[i], NULL);
+ if (sid == NULL) {
+ abort();
+ }
+ add_sid_to_array(mem_ctx, sid,
+ &token.device_sids,
+ &token.num_device_sids);
+ }
+
+ for (i = 0; i < ARRAY_SIZE(claims); i++) {
+ struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *claim = NULL;
+ struct claim_def c = claims[i];
+
+ claim = parse_sddl_literal_as_claim(mem_ctx,
+ c.name,
+ c.claim_sddl);
+ if (claim == NULL) {
+ abort();
+ }
+ add_claim_to_token(mem_ctx, &token, claim, c.type);
+ }
+
+ /* we also need a global domain SID */
+ string_to_sid(&dom_sid, device_sids[2]);
 return 0;
 }
@@ -67,7 +130,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
 {
 TALLOC_CTX *mem_ctx = NULL;
 struct security_descriptor *sd = NULL;
- NTSTATUS status;
 uint32_t access_desired;
 uint32_t access_granted;
 const char *sddl;
@@ -135,7 +197,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
 NULL,
 NULL);
 #else
- status = se_access_check(sd, &token, access_desired, &access_granted);
+ se_access_check(sd, &token, access_desired, &access_granted);
 #endif
 end:
diff --git a/lib/fuzzing/fuzz_sddl_conditional_ace.c b/lib/fuzzing/fuzz_sddl_conditional_ace.c
new file mode 100644
index 00000000000..e21c2ec9b12
--- /dev/null
+++ b/lib/fuzzing/fuzz_sddl_conditional_ace.c
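Review bot: `string_to_sid(&dom_sid, device_sids[2]);` at the end of the `@@ -59,6 +96,32 @@` hunk is, as far as I can tell, handed an empty string: sddl_decode_sid() takes a `const char **` because it advances the pointer past the SID it consumed, and the loop just above passes `&device_sids[i]` for every entry, so by this point `device_sids[2]` points at its terminating NUL. Because the bool result is also discarded, the failure is silent and `dom_sid` stays the zero-initialised static, so the whole corpus runs against a domain SID nobody chose. Using the literal and checking the result, `if (!string_to_sid(&dom_sid, "S-1-2-3-4-5-6-7-8-9")) { abort(); }`, fixes both; alternatively decode through a local copy of each pointer so the tables stay intact (the `&user_sids[i]` call in the `@@ -51,7 +88,7 @@` hunk has the same side effect, harmless only because user_sids is not reused). The same hunk drops the return of `add_claim_to_token()`, which as far as I recall reports failure through a bool; aborting there like the `claim == NULL` branch keeps initialisation all-or-nothing.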
@@ -0,0 +1,119 @@
+/*
+ Fuzz sddl conditional ace decoding and encoding
+ Copyright (C) Catalyst IT 2023
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "replace.h"
+#include "libcli/security/security.h"
+#include "lib/util/attr.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/conditional_ace.h"
+#include "librpc/gen_ndr/conditional_ace.h"
+#include "fuzzing/fuzzing.h"
+
+
+#define MAX_LENGTH (1024 * 1024 - 1)
+static char sddl_string[MAX_LENGTH + 1] = {0};
+
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+ return 0;
+}
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
+{
+ TALLOC_CTX *mem_ctx = NULL;
+ bool ok;
+ struct ace_condition_script *s1 = NULL;
+ struct ace_condition_script *s2 = NULL;
+ const char *message = NULL;
+ size_t message_offset;
+ const char *resddl = NULL;
+ DATA_BLOB e1, e2, e3;
+ size_t length;
+
+ if (len > MAX_LENGTH) {
+ return 0;
+ }
+
+ memcpy(sddl_string, input, len);
+ sddl_string[len] = '\0';
+
+ mem_ctx = talloc_new(NULL);
+
+ s1 = ace_conditions_compile_sddl(mem_ctx,
+ sddl_string,
+ &message,
+ &message_offset,
+ &length);
+ if (s1 == NULL) {
+ /* could assert message is non-empty */
+ TALLOC_FREE(mem_ctx);
+ return 0;
+ }
+
+ ok = conditional_ace_encode_binary(mem_ctx, s1, &e1);
+ if (! ok) {
+ abort();
+ }
+
+ s2 = parse_conditional_ace(mem_ctx, e1);
+ if (s2 == NULL) {
+ abort();
+ }
+
+ ok = conditional_ace_encode_binary(mem_ctx, s2, &e2);
+ if (! ok) {
+ abort();
+ }
+ if (data_blob_cmp(&e1, &e2) != 0) {
+ abort();
+ }
+
+ /*
+ * We know now the SDDL representation compiles to a valid structure
+ * that survives a round trip through serialisation.
+ *
+ * A remaining question is whether it can be re-rendered as SDDL that
+ * compiles to the same blob.
+ */
+ resddl = sddl_from_conditional_ace(mem_ctx, s2);
+ if (resddl == NULL) {
+ abort();
+ }
+
+ s2 = ace_conditions_compile_sddl(mem_ctx,
+ resddl,
+ &message,
+ &message_offset,
+ &length);
+ if (s2 == NULL) {
+ abort();
+ }
+
+ ok = conditional_ace_encode_binary(mem_ctx, s2, &e3);
+ if (! ok) {
+ abort();
+ }
+ if (data_blob_cmp(&e1, &e3) != 0) {
+ abort();
+ }
+
+ TALLOC_FREE(mem_ctx);
+ return 0;
+}
diff --git a/lib/fuzzing/fuzz_sddl_parse.c b/lib/fuzzing/fuzz_sddl_parse.c
index 1f8c32c595b..05900b02e2f 100644
--- a/lib/fuzzing/fuzz_sddl_parse.c
+++ b/lib/fuzzing/fuzz_sddl_parse.c
@@ -18,7 +18,9 @@
 #include "includes.h"
 #include "libcli/security/security.h"
+#include "librpc/gen_ndr/conditional_ace.h"
 #include "fuzzing/fuzzing.h"
+#include "util/charset/charset.h"
 #define MAX_LENGTH (100 * 1024 - 1)
 static char sddl_string[MAX_LENGTH + 1] = {0};
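Review bot: `s2` is assigned twice in LLVMFuzzerTestOneInput, first with the script parsed back from `e1` and then with the script recompiled from `resddl`, so the closing `data_blob_cmp(&e1, &e3)` reads as if it still concerned the object that produced `e2`. Declaring a third `struct ace_condition_script *s3 = NULL;` for the recompiled script, paired with `e3`, makes the three-stage round trip legible, and a comment above the second compile such as `/* recompile the decompiled SDDL; it must encode back to e1 */` states the invariant the final abort() enforces. `mem_ctx = talloc_new(NULL);` is unchecked while every other failure path aborts; `if (mem_ctx == NULL) { abort(); }` would be consistent.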
@@ -54,7 +56,50 @@ int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
 goto end;
 }
 result = sddl_encode(mem_ctx, sd1, &dom_sid);
+ if (result == NULL) {
+ /*
+ * Because Samba currently doesn't enforce strict
+ * utf-8 parsing, illegal utf-8 sequences in
+ * sddl_string could have ferried bad characters
+ * through into the security descriptor conditions
+ * that we then find we can't encode.
+ *
+ * The proper solution is strict UTF-8 enforcement in
+ * sddl_decode, but for now we forgive unencodable
+ * security descriptors made from bad utf-8.
+ */
+ size_t byte_len, char_len, utf16_len;
+ ok = utf8_check(sddl_string, len,
+ &byte_len, &char_len, &utf16_len);
+ if (!ok) {
+ goto end;
+ }
+ /* utf-8 was fine, but we couldn't encode! */
+ abort();
+ }
-- Samba Shared Repository