Attachment 9820 Details for Bug 46643 – mask_PAI_flags.patch

[patch] mask_PAI_flags.patch

mask_PAI_flags.patch (text/plain), 5.36 KB, created by Arvid Requate on 2019-01-24 22:18:52 CET

(hide)

Description:

Filename:

MIME Type:

Creator: Arvid Requate

Created: 2019-01-24 22:18:52 CET

Size: 5.36 KB

patch

obsolete

>--- __init__.py.basic	2019-01-23 16:48:07.324848486 +0100
>+++ __init__.py	2019-01-23 16:53:23.676809834 +0100
>@@ -1662,8 +1662,28 @@
> def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
>     fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>     fsacl_sddl = fsacl.as_sddl(domainsid)
>-    if fsacl_sddl != acl:
>-        raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>+    
>+    ## Sanitize "domainsid" to be a security.dom_sid
>+    if isinstance(domainsid, str):
>+        domainsid = security.dom_sid(domainsid)
>+    sd = security.descriptor.from_sddl(acl, domainsid)
>+    ## Mask AI and P in DACL flags for comparison
>+    sd.type &= ~ (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED)
>+    acl_sddl_masked = sd.as_sddl(domainsid)
>+    
>+    ## Mask AI and P in DACL flags for comparison
>+    fsacl_inheritance_flags = fsacl.type & (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED)
>+    ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)
>+    if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):
>+        fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))
>+
>+    ## Mask AI and P in DACL flags for comparison
>+    fsacl.type &= ~ (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED)
>+    fsacl_sddl_mapped_and_masked = fsacl.as_sddl(domainsid) 
>+
>+
>+    if fsacl_sddl_mapped_and_masked != acl_sddl_masked:
>+        raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> 
>     for root, dirs, files in os.walk(path, topdown=False):
>         for name in files:
>@@ -1672,18 +1692,38 @@
>             if fsacl is None:
>                 raise ProvisioningError('%s ACL on GPO file %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
>             fsacl_sddl = fsacl.as_sddl(domainsid)
>-            if fsacl_sddl != acl:
>-                raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
> 
>+            ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)
>+            if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):
>+                fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))
>+
>+            ## Mask AI and P in DACL flags for comparison
>+            fsacl.type &= ~ (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED)
>+            fsacl_sddl_mapped_and_masked = fsacl.as_sddl(domainsid) 
>+
>+            print "%s" % fsacl_sddl_mapped_and_masked
>+            print "%s" % acl_sddl_masked
>+
>+            if fsacl_sddl_mapped_and_masked != acl_sddl_masked:
>+                raise ProvisioningError('%s NTACL of GPO file %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
>+            
>         for name in dirs:
>             fsacl = getntacl(lp, os.path.join(root, name),
>                              direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>             if fsacl is None:
>                 raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
>             fsacl_sddl = fsacl.as_sddl(domainsid)
>-            if fsacl_sddl != acl:
>-                raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
> 
>+            ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)
>+            if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):
>+                fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))
>+
>+            ## Mask AI and P in DACL flags for comparison
>+            fsacl.type &= ~ (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED)
>+            fsacl_sddl_mapped_and_masked = fsacl.as_sddl(domainsid) 
>+
>+            if fsacl_sddl_mapped_and_masked != acl_sddl_masked:
>+                raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
> 
> def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>         direct_db_access):
>@@ -1715,8 +1755,12 @@
>         acl = ndr_unpack(security.descriptor,
>                          str(policy["nTSecurityDescriptor"])).as_sddl()
>         policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
>-        check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>+        try:
>+            check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>                       domainsid, direct_db_access)
>+        except Exception as e:
>+            print e
>+            continue
> 
> 
> def checksysvolacl(samdb, netlogon, sysvol, domainsid, dnsdomain, domaindn,

Actions: View | Diff

Attachments on bug 46643: 9818 | 9819 | 9820 | 9933 | 9935 | 9936