Attachment #10034 for bug #44054

Lines 12-19 Type=str Link Here

(-)a/base/univention-lib/debian/python-univention-lib.univention-config-registry-variables (-2 / +2 lines)
12	Categories=service-misc	12	Categories=service-misc
13		13
14	[listener/shares/whitelist/.*]	14	[listener/shares/whitelist/.*]
15	Description[de]=Standardmäßig, wird die Erstellung von Freigaben in den meisten Verzeichnissen verhindert. Diese Variablen definieren eine Doppelpunkt-separierte Liste von erlaubten Verzeichnissen (z.B. /var:/usr).	15	Description[de]=Standardmäßig wird die Erstellung von Freigaben für einige Systemverzeichnisse verhindert. Diese Variablen ermöglichen das Freigeben von Verzeichnissen, die sonst auf der Standard-Blackist stehen. Die Werte der Variablen können eine durch Doppelpunkte separierte Liste von erlaubten Verzeichnissen enthalten (z.B. /var:/usr). Die Variable listener/shares/whitelist/default liefert eine empfohlene Standardliste für UCS.
16	Description[en]=By default is is restricted to create shares in most directories for security reasons. These variables should contain a colon separated list of allowed directories (e.g. /var:/usr).	16	Description[en]=For security reasons creating shares for some system directories is denied by default. This family of variables allows overriding the default blacklist. The values may contain a colon separated list of allowed directories (e.g. /var:/usr). The variable listener/shares/whitelist/default specifies the UCS recommended default whitelist.
17	Type=str	17	Type=str
18	Categories=service-misc	18	Categories=service-misc
19		19





DEFAULT_FS = "ext2/ext3:ext2:ext3:ext4:xfs:btrfs"
DIR_BLACKLIST = []
DIR_BLACKLIST.append("/bin")
DIR_BLACKLIST.append("/boot")
DIR_BLACKLIST.append("/sys")
DIR_BLACKLIST.append("/proc")
DIR_BLACKLIST.append("/etc")
DIR_BLACKLIST.append("/dev")
DIR_BLACKLIST.append("/etc")
DIR_BLACKLIST.append("/lib")
DIR_BLACKLIST.append("/lib64")
DIR_BLACKLIST.append("/proc")
DIR_BLACKLIST.append("/root")
DIR_BLACKLIST.append("/usr")
DIR_BLACKLIST.append("/bin")
DIR_BLACKLIST.append("/sbin")
DIR_BLACKLIST.append("/sys")
DIR_BLACKLIST.append("/tmp")
DIR_BLACKLIST.append("/usr")
DIR_BLACKLIST.append("/var")
# whitelisted via UCR by default
DIR_BLACKLIST.append("/lib64")
# later on whitelisted:
DIR_BLACKLIST.append("/home")
DIR_BLACKLIST.append("/opt")
DIR_BLACKLIST.append("/media")
DIR_BLACKLIST.append("/mnt")
DIR_BLACKLIST.append("/opt")
DIR_BLACKLIST.append("/run")
DIR_BLACKLIST.append("/srv")







def _validate_smb_share_name(name):
	if not name or len(name) > 80:
		return False
	illegal_chars = set('\\/[]:|<>+=;,*?"' + ''.join(map(chr, range(0x1F + 1))))
	if set(str(name)) & illegal_chars:

		listener.unsetuid()

	if old:
		share_name = old.get('univentionShareSambaName', [''])[0]
		share_name_mapped = urllib.quote(share_name, safe='')
		filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
		listener.setuid(0)
		try:

		return (_quote(arg) for arg in args)

	if new:
		share_name = new.get('univentionShareSambaName', [''])[0]
		share_name_mapped = urllib.quote(share_name, safe='')
		filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
		if not _validate_smb_share_name(share_name):
			univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, "invalid samba share name: %r" % (share_name,))
			return
		share_name_mapped = urllib.quote(share_name, safe='')
		filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)

		# important!: createOrRename() checks if the share path is allowed. this must be done prior to writing any files.
		# try to create directory to share
		if share_name != 'homes':
			# object was renamed
			if not old and oldObject and command == "a":
				old = oldObject

			fp = open(filename, 'w')

			print >>fp, '[%s]' % (share_name,)
			if share_name != 'homes':
				print >>fp, 'path = %s' % _quote(new['univentionSharePath'][0])
			mapping = [
				('description', 'comment'),






def _validate_smb_share_name(name):
	if not name or len(name) > 80:
		return False
	illegal_chars = set('\\/[]:|<>+=;,*?"' + ''.join(map(chr, range(0x1F + 1))))
	if set(str(name)) & illegal_chars:

		listener.unsetuid()

	if old:
		share_name = old.get('univentionShareSambaName', [''])[0]
		share_name_mapped = urllib.quote(share_name, safe='')
		filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
		listener.setuid(0)
		try:


	if new:
		share_name = new['univentionShareSambaName'][0]
		share_name_mapped = urllib.quote(share_name, safe='')
		filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
		if not _validate_smb_share_name(share_name):
			univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, "invalid samba share name: %r" % (share_name,))
			return
		share_name_mapped = urllib.quote(share_name, safe='')
		filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)

		# important!: createOrRename() checks if the share path is allowed. this must be done prior to writing any files.
		# try to create directory to share
		if share_name != 'homes':
			# object was renamed
			if not old and oldObject and command == "a":
				old = oldObject

			fp = open(filename, 'w')

			print >>fp, '[%s]' % (share_name,)
			if share_name != 'homes':
				print >>fp, 'path = %s' % _quote(new['univentionSharePath'][0])
			mapping = [
				('description', 'comment'),

Return to bug 44054

Lines 55-61 tmpFile = '/var/cache/univention-directory-listener/samba-shares.oldObject' Link Here

(-)a/services/univention-samba/samba-shares.py (-7 / +8 lines)
55		55
56		56
57	def _validate_smb_share_name(name):	57	def _validate_smb_share_name(name):
58	if len(name) > 80:	58	if not name or len(name) > 80:
59	return False	59	return False
60	illegal_chars = set('\\/[]:\|<>+=;,*?"' + ''.join(map(chr, range(0x1F + 1))))	60	illegal_chars = set('\\/[]:\|<>+=;,*?"' + ''.join(map(chr, range(0x1F + 1))))
61	if set(str(name)) & illegal_chars:	61	if set(str(name)) & illegal_chars:
Lines 128-134 def handler(dn, new, old, command): Link Here
128	listener.unsetuid()	128	listener.unsetuid()
129		129
130	if old:	130	if old:
131	share_name_mapped = urllib.quote(old.get('univentionShareSambaName', [''])[0], safe='')	131	share_name = old.get('univentionShareSambaName', [''])[0]
		132	share_name_mapped = urllib.quote(share_name, safe='')
132	filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)	133	filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
133	listener.setuid(0)	134	listener.setuid(0)
134	try:	135	try:
Lines 146-161 def handler(dn, new, old, command): Link Here
146	return (_quote(arg) for arg in args)	147	return (_quote(arg) for arg in args)
147		148
148	if new:	149	if new:
149	share_name = new['univentionShareSambaName'][0]	150	share_name = new.get('univentionShareSambaName', [''])[0]
150	share_name_mapped = urllib.quote(share_name, safe='')
151	filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
152	if not _validate_smb_share_name(share_name):	151	if not _validate_smb_share_name(share_name):
153	univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, "invalid samba share name: %r" % (share_name,))	152	univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, "invalid samba share name: %r" % (share_name,))
154	return	153	return
		154	share_name_mapped = urllib.quote(share_name, safe='')
		155	filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
155		156
156	# important!: createOrRename() checks if the share path is allowed. this must be done prior to writing any files.	157	# important!: createOrRename() checks if the share path is allowed. this must be done prior to writing any files.
157	# try to create directory to share	158	# try to create directory to share
158	if new['univentionShareSambaName'][0] != 'homes':	159	if share_name != 'homes':
159	# object was renamed	160	# object was renamed
160	if not old and oldObject and command == "a":	161	if not old and oldObject and command == "a":
161	old = oldObject	162	old = oldObject
Lines 173-179 def handler(dn, new, old, command): Link Here
173	fp = open(filename, 'w')	174	fp = open(filename, 'w')
174		175
175	print >>fp, '[%s]' % (share_name,)	176	print >>fp, '[%s]' % (share_name,)
176	if new['univentionShareSambaName'][0] != 'homes':	177	if share_name != 'homes':
177	print >>fp, 'path = %s' % _quote(new['univentionSharePath'][0])	178	print >>fp, 'path = %s' % _quote(new['univentionSharePath'][0])
178	mapping = [	179	mapping = [
179	('description', 'comment'),	180	('description', 'comment'),

Lines 55-61 tmpFile = '/var/cache/univention-directory-listener/samba-shares.oldObject' Link Here

(-)a/services/univention-samba4/samba-shares.py (-6 / +7 lines)
55		55
56		56
57	def _validate_smb_share_name(name):	57	def _validate_smb_share_name(name):
58	if len(name) > 80:	58	if not name or len(name) > 80:
59	return False	59	return False
60	illegal_chars = set('\\/[]:\|<>+=;,*?"' + ''.join(map(chr, range(0x1F + 1))))	60	illegal_chars = set('\\/[]:\|<>+=;,*?"' + ''.join(map(chr, range(0x1F + 1))))
61	if set(str(name)) & illegal_chars:	61	if set(str(name)) & illegal_chars:
Lines 128-134 def handler(dn, new, old, command): Link Here
128	listener.unsetuid()	128	listener.unsetuid()
129		129
130	if old:	130	if old:
131	share_name_mapped = urllib.quote(old.get('univentionShareSambaName', [''])[0], safe='')	131	share_name = old.get('univentionShareSambaName', [''])[0]
		132	share_name_mapped = urllib.quote(share_name, safe='')
132	filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)	133	filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
133	listener.setuid(0)	134	listener.setuid(0)
134	try:	135	try:
Lines 147-161 def handler(dn, new, old, command): Link Here
147		148
148	if new:	149	if new:
149	share_name = new['univentionShareSambaName'][0]	150	share_name = new['univentionShareSambaName'][0]
150	share_name_mapped = urllib.quote(share_name, safe='')
151	filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
152	if not _validate_smb_share_name(share_name):	151	if not _validate_smb_share_name(share_name):
153	univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, "invalid samba share name: %r" % (share_name,))	152	univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, "invalid samba share name: %r" % (share_name,))
154	return	153	return
		154	share_name_mapped = urllib.quote(share_name, safe='')
		155	filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
155		156
156	# important!: createOrRename() checks if the share path is allowed. this must be done prior to writing any files.	157	# important!: createOrRename() checks if the share path is allowed. this must be done prior to writing any files.
157	# try to create directory to share	158	# try to create directory to share
158	if new['univentionShareSambaName'][0] != 'homes':	159	if share_name != 'homes':
159	# object was renamed	160	# object was renamed
160	if not old and oldObject and command == "a":	161	if not old and oldObject and command == "a":
161	old = oldObject	162	old = oldObject
Lines 173-179 def handler(dn, new, old, command): Link Here
173	fp = open(filename, 'w')	174	fp = open(filename, 'w')
174		175
175	print >>fp, '[%s]' % (share_name,)	176	print >>fp, '[%s]' % (share_name,)
176	if new['univentionShareSambaName'][0] != 'homes':	177	if share_name != 'homes':
177	print >>fp, 'path = %s' % _quote(new['univentionSharePath'][0])	178	print >>fp, 'path = %s' % _quote(new['univentionSharePath'][0])
178	mapping = [	179	mapping = [
179	('description', 'comment'),	180	('description', 'comment'),

Lines 37-60 import shutil Link Here

(-)a/base/univention-lib/python/listenerSharePath.py (-10 / +10 lines)
37		37
38	DEFAULT_FS = "ext2/ext3:ext2:ext3:ext4:xfs:btrfs"	38	DEFAULT_FS = "ext2/ext3:ext2:ext3:ext4:xfs:btrfs"
39	DIR_BLACKLIST = []	39	DIR_BLACKLIST = []
		40	DIR_BLACKLIST.append("/bin")
40	DIR_BLACKLIST.append("/boot")	41	DIR_BLACKLIST.append("/boot")
41	DIR_BLACKLIST.append("/sys")
42	DIR_BLACKLIST.append("/proc")
43	DIR_BLACKLIST.append("/etc")
44	DIR_BLACKLIST.append("/dev")	42	DIR_BLACKLIST.append("/dev")
45	DIR_BLACKLIST.append("/tmp")	43	DIR_BLACKLIST.append("/etc")
		44	DIR_BLACKLIST.append("/lib")
		45	DIR_BLACKLIST.append("/lib64")
		46	DIR_BLACKLIST.append("/proc")
46	DIR_BLACKLIST.append("/root")	47	DIR_BLACKLIST.append("/root")
47	DIR_BLACKLIST.append("/usr")
48	DIR_BLACKLIST.append("/bin")
49	DIR_BLACKLIST.append("/sbin")	48	DIR_BLACKLIST.append("/sbin")
		49	DIR_BLACKLIST.append("/sys")
		50	DIR_BLACKLIST.append("/tmp")
		51	DIR_BLACKLIST.append("/usr")
50	DIR_BLACKLIST.append("/var")	52	DIR_BLACKLIST.append("/var")
51	DIR_BLACKLIST.append("/lib")	53	# whitelisted via UCR by default
52	DIR_BLACKLIST.append("/lib64")
53	# later on whitelisted:
54	DIR_BLACKLIST.append("/home")	54	DIR_BLACKLIST.append("/home")
55	DIR_BLACKLIST.append("/opt")
56	DIR_BLACKLIST.append("/media")	55	DIR_BLACKLIST.append("/media")
57	DIR_BLACKLIST.append("/mnt")	56	DIR_BLACKLIST.append("/mnt")
		57	DIR_BLACKLIST.append("/opt")
58	DIR_BLACKLIST.append("/run")	58	DIR_BLACKLIST.append("/run")
59	DIR_BLACKLIST.append("/srv")	59	DIR_BLACKLIST.append("/srv")
60		60