Univention Bugzilla – Attachment 9933 Details for
Bug 46643
sysvolcheck inconsistencies after modifying / creating GPOs in UCS@school 4.3
[patch]
0001-Bug-46643-A-brute-force-hack.patch
0001-Bug-46643-A-brute-force-hack.patch (text/plain), 7.69 KB, created by
Arvid Requate
on 2019-03-18 20:59:28 CET
Description:
0001-Bug-46643-A-brute-force-hack.patch
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2019-03-18 20:59:28 CET
Size:
7.69 KB
patch
obsolete
>From 3abfefd1d7f09aeaa3f7c846577977de6407652d Mon Sep 17 00:00:00 2001
>From: Arvid Requate <requate@univention.de>
>Date: Mon, 18 Mar 2019 20:49:40 +0100
>Subject: [PATCH] Bug #46643: A brute force hack
>
>---
> __init__.py | 119 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++----
> 1 file changed, 112 insertions(+), 7 deletions(-)
>
>diff --git a/__init__.py b/__init__.py
>index af83d1e..a54f725 100644
>--- a/__init__.py
>+++ b/__init__.py
>@@ -1691,11 +1691,79 @@ def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
> ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)
> if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):
> fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))
>+
>+ LA = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR))
>+ DA = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))
>+ CO = security.dom_sid(security.SID_CREATOR_OWNER)
>+
>+ PAI_filter = False
>+ PAI = (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED)
>+
>+ if fsacl.type & PAI == PAI:
>+ PAI_filter = True
>+
>+ sd = security.descriptor.from_sddl(acl, domainsid)
>+ sd.type |= security.SEC_DESC_DACL_AUTO_INHERITED
>+ acl = sd.as_sddl(domainsid)
>+
>+ sd3 = security.descriptor()
>+ sd3.owner_sid = sd.owner_sid
>+ sd3.group_sid = sd.group_sid
>+ sd3.type = sd.type
>+ sd3.type &= ~ security.SEC_DESC_DACL_PROTECTED
>+ sd3.revision = sd.revision
>+
>+ sd2 = security.descriptor()
>+ sd2.owner_sid = sd.owner_sid
>+ sd2.group_sid = sd.group_sid
>+ sd2.type = sd.type
>+ sd2.type &= ~ security.SEC_DESC_DACL_PROTECTED
>+ sd2.revision = sd.revision
>+ skip_other_da_aces = False
>+ for i in range(0, len(sd.dacl.aces)):
>+ if skip_other_da_aces and sd.dacl.aces[i].trustee in (DA, LA):
>+ continue
>+ if sd.dacl.aces[i].trustee == DA:
>+ skip_other_da_aces = True
>+ if str(sd.dacl.aces[i].trustee) == security.SID_CREATOR_OWNER:
>+ continue
>+ #sd.dacl.aces[i].flags &= ~ security.SEC_ACE_FLAG_INHERITED_ACE
>+ sd3.dacl_add(sd.dacl.aces[i])
>+ sd.dacl.aces[i].flags |= security.SEC_ACE_FLAG_INHERITED_ACE
>+ sd.dacl.aces[i].flags &= ~ (security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT)
>+ sd2.dacl_add(sd.dacl.aces[i])
>+ acl2 = sd2.as_sddl(domainsid)
>+ acl3 = sd3.as_sddl(domainsid)
>+ #print "ACL1: %s" % acl
>+ #print "ACL2: %s" % acl2
>+ #print "ACL3: %s" % acl3
>+ else:
>+ sd = security.descriptor.from_sddl(acl, domainsid)
>+
>+ sd3 = security.descriptor()
>+ sd3.owner_sid = sd.owner_sid
>+ sd3.group_sid = sd.group_sid
>+ sd3.type = sd.type
>+ sd3.revision = sd.revision
>+
>+ skip_other_da_aces = False
>+ for i in range(0, len(sd.dacl.aces)):
>+ if skip_other_da_aces and sd.dacl.aces[i].trustee in (DA, LA):
>+ continue
>+ if sd.dacl.aces[i].trustee == DA:
>+ skip_other_da_aces = True
>+ if str(sd.dacl.aces[i].trustee) == security.SID_CREATOR_OWNER:
>+ continue
>+ sd3.dacl_add(sd.dacl.aces[i])
>+ acl3 = sd3.as_sddl(domainsid)
>+ acl2 = acl3
>+ #print "ACL1: %s" % acl
>+ #print "ACL3: %s" % acl3
> fsacl_sddl_mapped = fsacl.as_sddl(domainsid)
>
>
> if fsacl_sddl_mapped != acl:
>- raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl_mapped, acl))
>+ raise ProvisioningError('%s NTACL of GPO directory %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), path, fsacl_sddl_mapped, acl))
>
> for root, dirs, files in os.walk(path, topdown=False):
> for name in files:
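Review bot: The `skip_other_da_aces` loop drops every Domain Admins / Administrator ACE after the first DA ACE from the expected descriptor without looking at `ace.type` or `ace.access_mask`, so once the filesystem side is filtered the same way (later hunks) a second Administrators ACE — a deny ACE, or one with a different mask — is never compared at all, which is exactly the class of tampering a sysvol ACL check exists to catch. At minimum the skip should never swallow deny entries: `if skip_other_da_aces and sd.dacl.aces[i].trustee in (DA, LA) and sd.dacl.aces[i].type == security.SEC_ACE_TYPE_ACCESS_ALLOWED:` (with the matching condition in the two filesystem-side loops so both sides keep lining up). `PAI_filter` is assigned but never read, and the commented-out `#print`/`#sd.dacl.aces[i].flags` lines look like debugging leftovers. The in-place `sd.dacl.aces[i].flags` edits after `sd3.dacl_add(...)` also assume `dacl_add` copies the ACE rather than keeping a reference — if it does not, `sd3` ends up with the inherited-flag variant too, so a one-line comment confirming that assumption would help. check_dir_acl begins before this hunk.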
>@@ -1708,10 +1776,28 @@ def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
> ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)
> if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):
> fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))
>- fsacl_sddl_mapped = fsacl.as_sddl(domainsid)
>
>- if fsacl_sddl_mapped != acl:
>- raise ProvisioningError('%s NTACL of GPO file %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl))
>+ fsacl2 = security.descriptor()
>+ fsacl2.owner_sid = fsacl.owner_sid
>+ fsacl2.group_sid = fsacl.group_sid
>+ fsacl2.type = fsacl.type
>+ fsacl2.revision = fsacl.revision
>+ skip_other_da_aces = False
>+ for i in range(0, len(fsacl.dacl.aces)):
>+ if skip_other_da_aces and fsacl.dacl.aces[i].trustee in (DA, LA):
>+ continue
>+ if fsacl.dacl.aces[i].trustee == DA:
>+ skip_other_da_aces = True
>+ fsacl2.dacl_add(fsacl.dacl.aces[i])
>+ try:
>+ fsacl2.dacl_del(CO)
>+ except:
>+ pass
>+
>+ fsacl_sddl_mapped = fsacl2.as_sddl(domainsid)
>+
>+ if fsacl_sddl_mapped != acl2:
>+ raise ProvisioningError('%s NTACL of GPO file %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl2))
>
> for name in dirs:
> fsacl = getntacl(lp, os.path.join(root, name),
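Review bot: The bare `except: pass` around `fsacl2.dacl_del(CO)` swallows every exception — including KeyboardInterrupt and any programming error inside the binding — to handle the one expected case of "no CREATOR OWNER ACE present", whereas the expected-side loop in the first hunk drops CREATOR OWNER with a plain `continue`. Filtering the same way here, `if fsacl.dacl.aces[i].trustee == CO: continue` before the `dacl_add`, removes the need for `dacl_del` and the try/except and keeps both sides of the comparison governed by one rule. Because this comparison is what sysvolcheck relies on to flag tampered GPO ACLs, the relaxation deserves a visible comment, e.g. `# NOTE: CREATOR OWNER and repeated DA/LA ACEs are intentionally excluded from the comparison (Bug #46643)`. check_dir_acl continues outside this hunk on both sides.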
>@@ -1723,10 +1809,29 @@ def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
> ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did)
> if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)):
> fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS))
>- fsacl_sddl_mapped = fsacl.as_sddl(domainsid)
>
>- if fsacl_sddl_mapped != acl:
>- raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl))
>+ fsacl2 = security.descriptor()
>+ fsacl2.owner_sid = fsacl.owner_sid
>+ fsacl2.group_sid = fsacl.group_sid
>+ fsacl2.type = fsacl.type
>+ fsacl2.revision = fsacl.revision
>+ skip_other_da_aces = False
>+ for i in range(0, len(fsacl.dacl.aces)):
>+ if skip_other_da_aces and fsacl.dacl.aces[i].trustee in (DA, LA):
>+ continue
>+ fsacl.dacl.aces[i].flags &= ~ security.SEC_ACE_FLAG_INHERITED_ACE
>+ if fsacl.dacl.aces[i].trustee == DA:
>+ skip_other_da_aces = True
>+ fsacl2.dacl_add(fsacl.dacl.aces[i])
>+ try:
>+ fsacl2.dacl_del(CO)
>+ except:
>+ pass
>+
>+ fsacl_sddl_mapped = fsacl2.as_sddl(domainsid)
>+
>+ if fsacl_sddl_mapped != acl3:
>+ raise ProvisioningError('%s XNTACL of GPO directory %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl3))
>
> def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
> direct_db_access):
>--
>2.11.0
>
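Review bot: The new subdirectory error message reads `'%s XNTACL of GPO directory %s ...'` — the leading `X` looks like a debugging marker left in user-facing text and makes the message differ from the otherwise identical directory/file messages in the other hunks; it should be `'%s NTACL of GPO directory %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s'`. The same bare `except: pass` around `fsacl2.dacl_del(CO)` as in the file loop should go, by skipping the CO trustee inside the loop (`if fsacl.dacl.aces[i].trustee == CO: continue`) rather than deleting it afterwards. `fsacl.dacl.aces[i].flags &= ~ security.SEC_ACE_FLAG_INHERITED_ACE` mutates the ACEs of the descriptor read from the filesystem before they are copied into `fsacl2`; that is harmless only if `fsacl` is not used after this comparison, which is worth stating in a comment such as `# clear INHERITED on the fs copy only; fsacl is discarded after the compare`. The `def check_gpos_acl(...)` line at the end is context only — its body lies outside the hunk.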