Univention Bugzilla – Attachment 10034 Details for
Bug 44054
{samba,nfs}-shares listener - take over any server as teacher/staff
[patch]
qa-feedback.diff
qa-feedback.diff (text/plain), 7.28 KB, created by
Arvid Requate
on 2019-05-20 12:43:45 CEST
Description:
qa-feedback.diff
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2019-05-20 12:43:45 CEST
Size:
7.28 KB
patch
obsolete
>diff --git a/base/univention-lib/debian/python-univention-lib.univention-config-registry-variables b/base/univention-lib/debian/python-univention-lib.univention-config-registry-variables
>index 55bbbf791b..6b0857cc02 100644
>--- a/base/univention-lib/debian/python-univention-lib.univention-config-registry-variables
>+++ b/base/univention-lib/debian/python-univention-lib.univention-config-registry-variables
>@@ -12,8 +12,8 @@ Type=str
> Categories=service-misc
> 
> [listener/shares/whitelist/.*]
>-Description[de]=StandardmäÃig, wird die Erstellung von Freigaben in den meisten Verzeichnissen verhindert. Diese Variablen definieren eine Doppelpunkt-separierte Liste von erlaubten Verzeichnissen (z.B. /var:/usr).
>-Description[en]=By default is is restricted to create shares in most directories for security reasons. These variables should contain a colon separated list of allowed directories (e.g. /var:/usr).
>+Description[de]=StandardmäÃig wird die Erstellung von Freigaben für einige Systemverzeichnisse verhindert. Diese Variablen ermöglichen das Freigeben von Verzeichnissen, die sonst auf der Standard-Blackist stehen. Die Werte der Variablen können eine durch Doppelpunkte separierte Liste von erlaubten Verzeichnissen enthalten (z.B. /var:/usr). Die Variable listener/shares/whitelist/default liefert eine empfohlene Standardliste für UCS.
>+Description[en]=For security reasons creating shares for some system directories is denied by default. This family of variables allows overriding the default blacklist. The values may contain a colon separated list of allowed directories (e.g. /var:/usr). The variable listener/shares/whitelist/default specifies the UCS recommended default whitelist.
> Type=str
> Categories=service-misc
> 
>diff --git a/base/univention-lib/python/listenerSharePath.py b/base/univention-lib/python/listenerSharePath.py
>index 5c28386c74..61f6845b45 100644
>--- a/base/univention-lib/python/listenerSharePath.py 
>+++ b/base/univention-lib/python/listenerSharePath.py
>@@ -37,24 +37,24 @@ import shutil
> 
> DEFAULT_FS = "ext2/ext3:ext2:ext3:ext4:xfs:btrfs"
> DIR_BLACKLIST = []
>+DIR_BLACKLIST.append("/bin")
> DIR_BLACKLIST.append("/boot")
>-DIR_BLACKLIST.append("/sys")
>-DIR_BLACKLIST.append("/proc")
>-DIR_BLACKLIST.append("/etc")
> DIR_BLACKLIST.append("/dev")
>-DIR_BLACKLIST.append("/tmp")
>+DIR_BLACKLIST.append("/etc")
>+DIR_BLACKLIST.append("/lib")
>+DIR_BLACKLIST.append("/lib64")
>+DIR_BLACKLIST.append("/proc")
> DIR_BLACKLIST.append("/root")
>-DIR_BLACKLIST.append("/usr")
>-DIR_BLACKLIST.append("/bin")
> DIR_BLACKLIST.append("/sbin")
>+DIR_BLACKLIST.append("/sys")
>+DIR_BLACKLIST.append("/tmp")
>+DIR_BLACKLIST.append("/usr")
> DIR_BLACKLIST.append("/var")
>-DIR_BLACKLIST.append("/lib")
>-DIR_BLACKLIST.append("/lib64")
>-# later on whitelisted:
>+# whitelisted via UCR by default
> DIR_BLACKLIST.append("/home")
>-DIR_BLACKLIST.append("/opt")
> DIR_BLACKLIST.append("/media")
> DIR_BLACKLIST.append("/mnt")
>+DIR_BLACKLIST.append("/opt")
> DIR_BLACKLIST.append("/run")
> DIR_BLACKLIST.append("/srv")
> 
>diff --git a/services/univention-samba/samba-shares.py b/services/univention-samba/samba-shares.py
>index 1f5f172ca7..33fed405d2 100644
>--- a/services/univention-samba/samba-shares.py
>+++ b/services/univention-samba/samba-shares.py
>@@ -55,7 +55,7 @@ tmpFile = '/var/cache/univention-directory-listener/samba-shares.oldObject'
> 
> 
> def _validate_smb_share_name(name):
>- if len(name) > 80:
>+ if not name or len(name) > 80:
> return False
> illegal_chars = set('\\/[]:|<>+=;,*?"' + ''.join(map(chr, range(0x1F + 1))))
> if set(str(name)) & illegal_chars: 
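Review bot: `/` itself is not in DIR_BLACKLIST; the code that consumes the list is outside this hunk, so if it rejects share paths by prefix against these entries, a share object with path `/` would match none of them and expose every blacklisted directory at once — worth confirming against the caller. The new comment `# whitelisted via UCR by default` places `/run` among the directories the default whitelist re-allows; `/run` holds runtime sockets and pid files, so I would double-check that listener/shares/whitelist/default (not visible here) really includes it. Stylistically, the twenty-one `DIR_BLACKLIST.append(...)` calls would read better as a single list literal, `DIR_BLACKLIST = ["/bin", "/boot", ..., "/srv"]`, with the same two groups separated by the existing comment.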
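Review bot: `_validate_smb_share_name` still accepts `.`, `..` and `global`, none of which is safe as a share name in this listener. `.` and `..` contain no character from `illegal_chars` and survive `urllib.quote(..., safe='')` unchanged, so `filename` in handler() becomes `/etc/samba/shares.conf.d/..` and the later `open(filename, 'w')` in the same file is pointed at a directory; and `global` (Samba section names are case-insensitive) would make the share object emit a `[global]` section, which — if shares.conf.d is included into smb.conf, as the path suggests — lets a share object's mapped options override server-wide settings. I would extend the guard to `if not name or len(name) > 80 or name in ('.', '..') or name.lower() == 'global':` and keep the `return False`. The rest of the function is outside the hunk.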
>@@ -128,7 +128,8 @@ def handler(dn, new, old, command):
> listener.unsetuid()
> 
> if old:
>- share_name_mapped = urllib.quote(old.get('univentionShareSambaName', [''])[0], safe='')
>+ share_name = old.get('univentionShareSambaName', [''])[0]
>+ share_name_mapped = urllib.quote(share_name, safe='')
> filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
> listener.setuid(0)
> try:
>@@ -146,16 +147,16 @@ def handler(dn, new, old, command):
> return (_quote(arg) for arg in args)
> 
> if new:
>- share_name = new['univentionShareSambaName'][0]
>- share_name_mapped = urllib.quote(share_name, safe='')
>- filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
>+ share_name = new.get('univentionShareSambaName', [''])[0]
> if not _validate_smb_share_name(share_name):
> univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, "invalid samba share name: %r" % (share_name,))
> return
>+ share_name_mapped = urllib.quote(share_name, safe='')
>+ filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
> 
> # important!: createOrRename() checks if the share path is allowed. this must be done prior to writing any files.
> # try to create directory to share
>- if new['univentionShareSambaName'][0] != 'homes':
>+ if share_name != 'homes':
> # object was renamed
> if not old and oldObject and command == "a":
> old = oldObject
>@@ -173,7 +174,7 @@ def handler(dn, new, old, command):
> fp = open(filename, 'w')
> 
> print >>fp, '[%s]' % (share_name,)
>- if new['univentionShareSambaName'][0] != 'homes':
>+ if share_name != 'homes':
> print >>fp, 'path = %s' % _quote(new['univentionSharePath'][0])
> mapping = [
> ('description', 'comment'),
>diff --git a/services/univention-samba4/samba-shares.py b/services/univention-samba4/samba-shares.py
>index 622dfbdfb5..7a50f09551 100644
>--- a/services/univention-samba4/samba-shares.py
>+++ b/services/univention-samba4/samba-shares.py 
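Review bot: The `if old:` branch now names `share_name` from the old object but still builds `filename` from it without calling `_validate_smb_share_name`, while the `if new:` branch below validates before touching anything under /etc/samba. An object whose name failed validation on creation is rejected with an early `return` but still exists in LDAP, so its later modification or deletion reaches this branch with the never-validated name; `urllib.quote(..., safe='')` escapes `/`, so there is no traversal, but a name such as `..` passes through quoting unchanged and the resulting path names the parent directory, and what the `try:` block (outside the hunk) does with it is what decides the impact. I would mirror the new branch here: `if not _validate_smb_share_name(share_name):` log the same `"invalid samba share name: %r"` error and skip the file removal instead of building `filename`. handler() starts and ends outside this hunk.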
>@@ -55,7 +55,7 @@ tmpFile = '/var/cache/univention-directory-listener/samba-shares.oldObject'
> 
> 
> def _validate_smb_share_name(name):
>- if len(name) > 80:
>+ if not name or len(name) > 80:
> return False
> illegal_chars = set('\\/[]:|<>+=;,*?"' + ''.join(map(chr, range(0x1F + 1))))
> if set(str(name)) & illegal_chars:
>@@ -128,7 +128,8 @@ def handler(dn, new, old, command):
> listener.unsetuid()
> 
> if old:
>- share_name_mapped = urllib.quote(old.get('univentionShareSambaName', [''])[0], safe='')
>+ share_name = old.get('univentionShareSambaName', [''])[0]
>+ share_name_mapped = urllib.quote(share_name, safe='')
> filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
> listener.setuid(0)
> try:
>@@ -147,15 +148,15 @@ def handler(dn, new, old, command):
> 
> if new:
> share_name = new['univentionShareSambaName'][0]
>- share_name_mapped = urllib.quote(share_name, safe='')
>- filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
> if not _validate_smb_share_name(share_name):
> univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, "invalid samba share name: %r" % (share_name,))
> return
>+ share_name_mapped = urllib.quote(share_name, safe='')
>+ filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
> 
> # important!: createOrRename() checks if the share path is allowed. this must be done prior to writing any files.
> # try to create directory to share
>- if new['univentionShareSambaName'][0] != 'homes':
>+ if share_name != 'homes':
> # object was renamed
> if not old and oldObject and command == "a":
> old = oldObject
>@@ -173,7 +174,7 @@ def handler(dn, new, old, command):
> fp = open(filename, 'w')
> 
> print >>fp, '[%s]' % (share_name,)
>- if new['univentionShareSambaName'][0] != 'homes':
>+ if share_name != 'homes':
> print >>fp, 'path = %s' % _quote(new['univentionSharePath'][0])
> mapping = [
> ('description', 'comment'),
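Review bot: In the `if new:` branch of the samba4 listener the context line keeps `share_name = new['univentionShareSambaName'][0]`, whereas the corresponding hunk in services/univention-samba/samba-shares.py switches to `new.get('univentionShareSambaName', [''])[0]`. With the subscript form an object that lacks the attribute raises KeyError out of handler() before the new `if not name` check in `_validate_smb_share_name` ever sees an empty name, so the two listeners diverge on the same LDAP object and this one dies with a traceback instead of the logged "invalid samba share name" error. Use `share_name = new.get('univentionShareSambaName', [''])[0]` here too so both listeners take the validated path. handler() starts and ends outside this hunk.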