diff --git a/base/univention-lib/debian/python-univention-lib.univention-config-registry-variables b/base/univention-lib/debian/python-univention-lib.univention-config-registry-variables index 55bbbf791b..6b0857cc02 100644 --- a/base/univention-lib/debian/python-univention-lib.univention-config-registry-variables +++ b/base/univention-lib/debian/python-univention-lib.univention-config-registry-variables @@ -12,8 +12,8 @@ Type=str Categories=service-misc [listener/shares/whitelist/.*] -Description[de]=Standardmäßig, wird die Erstellung von Freigaben in den meisten Verzeichnissen verhindert. Diese Variablen definieren eine Doppelpunkt-separierte Liste von erlaubten Verzeichnissen (z.B. /var:/usr). -Description[en]=By default is is restricted to create shares in most directories for security reasons. These variables should contain a colon separated list of allowed directories (e.g. /var:/usr). +Description[de]=Standardmäßig wird die Erstellung von Freigaben für einige Systemverzeichnisse verhindert. Diese Variablen ermöglichen das Freigeben von Verzeichnissen, die sonst auf der Standard-Blackist stehen. Die Werte der Variablen können eine durch Doppelpunkte separierte Liste von erlaubten Verzeichnissen enthalten (z.B. /var:/usr). Die Variable listener/shares/whitelist/default liefert eine empfohlene Standardliste für UCS. +Description[en]=For security reasons creating shares for some system directories is denied by default. This family of variables allows overriding the default blacklist. The values may contain a colon separated list of allowed directories (e.g. /var:/usr). The variable listener/shares/whitelist/default specifies the UCS recommended default whitelist. Type=str Categories=service-misc diff --git a/base/univention-lib/python/listenerSharePath.py b/base/univention-lib/python/listenerSharePath.py index 5c28386c74..61f6845b45 100644 --- a/base/univention-lib/python/listenerSharePath.py +++ b/base/univention-lib/python/listenerSharePath.py 
@@ -37,24 +37,24 @@ import shutil DEFAULT_FS = "ext2/ext3:ext2:ext3:ext4:xfs:btrfs" DIR_BLACKLIST = [] +DIR_BLACKLIST.append("/bin") DIR_BLACKLIST.append("/boot") -DIR_BLACKLIST.append("/sys") -DIR_BLACKLIST.append("/proc") -DIR_BLACKLIST.append("/etc") DIR_BLACKLIST.append("/dev") -DIR_BLACKLIST.append("/tmp") +DIR_BLACKLIST.append("/etc") +DIR_BLACKLIST.append("/lib") +DIR_BLACKLIST.append("/lib64") +DIR_BLACKLIST.append("/proc") DIR_BLACKLIST.append("/root") -DIR_BLACKLIST.append("/usr") -DIR_BLACKLIST.append("/bin") DIR_BLACKLIST.append("/sbin") +DIR_BLACKLIST.append("/sys") +DIR_BLACKLIST.append("/tmp") +DIR_BLACKLIST.append("/usr") DIR_BLACKLIST.append("/var") -DIR_BLACKLIST.append("/lib") -DIR_BLACKLIST.append("/lib64") -# later on whitelisted: +# whitelisted via UCR by default DIR_BLACKLIST.append("/home") -DIR_BLACKLIST.append("/opt") DIR_BLACKLIST.append("/media") DIR_BLACKLIST.append("/mnt") +DIR_BLACKLIST.append("/opt") DIR_BLACKLIST.append("/run") DIR_BLACKLIST.append("/srv") diff --git a/services/univention-samba/samba-shares.py b/services/univention-samba/samba-shares.py index 1f5f172ca7..33fed405d2 100644 --- a/services/univention-samba/samba-shares.py +++ b/services/univention-samba/samba-shares.py @@ -55,7 +55,7 @@ tmpFile = '/var/cache/univention-directory-listener/samba-shares.oldObject' def _validate_smb_share_name(name): - if len(name) > 80: + if not name or len(name) > 80: return False illegal_chars = set('\\/[]:|<>+=;,*?"' + ''.join(map(chr, range(0x1F + 1)))) if set(str(name)) & illegal_chars: @@ -128,7 +128,8 @@ def handler(dn, new, old, command): listener.unsetuid() if old: - share_name_mapped = urllib.quote(old.get('univentionShareSambaName', [''])[0], safe='') + share_name = old.get('univentionShareSambaName', [''])[0] + share_name_mapped = urllib.quote(share_name, safe='') filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,) listener.setuid(0) try: 
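Review bot: The root directory itself is absent from DIR_BLACKLIST on the new side although every top-level system directory beneath it is listed; if the code that evaluates this list (outside the hunk) does a prefix or ancestor comparison, a share path of `/` would match none of these entries and expose everything, so either `/` needs to be refused where the list is consulted or the reason that is safe should be stated beside the list. The comment `# whitelisted via UCR by default` would help more if it named the variable the description file points at, e.g. `# denied here, but re-allowed by listener/shares/whitelist/default (UCR)`. As a point of style, twenty `DIR_BLACKLIST.append(...)` statements are a list literal in disguise; two literals keep the comment attached to the group it describes. The hunk sits in a module-level statement run whose neighbours are outside the hunk.
```python
DIR_BLACKLIST = [
    "/bin", "/boot", "/dev", "/etc", "/lib", "/lib64", "/proc",
    "/root", "/sbin", "/sys", "/tmp", "/usr", "/var",
]
# denied here, but re-allowed by listener/shares/whitelist/default (UCR)
DIR_BLACKLIST += ["/home", "/media", "/mnt", "/opt", "/run", "/srv"]
```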
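Review bot: `_validate_smb_share_name` still accepts the names `.` and `..`: neither contains a character from `illegal_chars`, and `urllib.quote(name, safe='')` (used by the caller to build the file name) leaves dots untouched, so the derived path `/etc/samba/shares.conf.d/..` is the directory `/etc/samba` itself rather than a file in the shares directory. Extend the new guard to `if not name or name in ('.', '..') or len(name) > 80: return False`. The DEL character (0x7F) is also outside `range(0x1F + 1)` and passes the control-character filter. The function body continues past the end of the hunk.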
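Review bot: In the `if old:` branch the share name read from the old object is turned into `filename` without passing through `_validate_smb_share_name`, unlike the `new` branch, so a stale object with an empty or otherwise invalid name yields `/etc/samba/shares.conf.d/` or a path outside that directory before whatever the `try:` block does (outside this hunk) acts on it. Wrapping the removal in `if _validate_smb_share_name(share_name):` and logging and skipping it otherwise keeps the cleanup confined to the shares directory. handler's body starts before and continues after this hunk.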
@@ -146,16 +147,16 @@ def handler(dn, new, old, command): return (_quote(arg) for arg in args) if new: - share_name = new['univentionShareSambaName'][0] - share_name_mapped = urllib.quote(share_name, safe='') - filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,) + share_name = new.get('univentionShareSambaName', [''])[0] if not _validate_smb_share_name(share_name): univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, "invalid samba share name: %r" % (share_name,)) return + share_name_mapped = urllib.quote(share_name, safe='') + filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,) # important!: createOrRename() checks if the share path is allowed. this must be done prior to writing any files. # try to create directory to share - if new['univentionShareSambaName'][0] != 'homes': + if share_name != 'homes': # object was renamed if not old and oldObject and command == "a": old = oldObject @@ -173,7 +174,7 @@ def handler(dn, new, old, command): fp = open(filename, 'w') print >>fp, '[%s]' % (share_name,) - if new['univentionShareSambaName'][0] != 'homes': + if share_name != 'homes': print >>fp, 'path = %s' % _quote(new['univentionSharePath'][0]) mapping = [ ('description', 'comment'), diff --git a/services/univention-samba4/samba-shares.py b/services/univention-samba4/samba-shares.py index 622dfbdfb5..7a50f09551 100644 --- a/services/univention-samba4/samba-shares.py +++ b/services/univention-samba4/samba-shares.py @@ -55,7 +55,7 @@ tmpFile = '/var/cache/univention-directory-listener/samba-shares.oldObject' def _validate_smb_share_name(name): - if len(name) > 80: + if not name or len(name) > 80: return False illegal_chars = set('\\/[]:|<>+=;,*?"' + ''.join(map(chr, range(0x1F + 1)))) if set(str(name)) & illegal_chars: 
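Review bot: The `share_name != 'homes'` test is case-sensitive, but Samba matches section names case-insensitively, so — if the special `[homes]` section is recognised the same way, which I believe it is — a share named `Homes` would pass this test and be written with an explicit `path =` line while Samba still treats it as the homes share. Comparing `share_name.lower() != 'homes'` here and in the later write-out avoids the ambiguity. handler continues outside the hunk.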
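Review bot: The new `if not name or len(name) > 80` guard does not cover the names `.` and `..`, which survive both the illegal-character set and `urllib.quote(..., safe='')`, so the caller's `/etc/samba/shares.conf.d/%s` resolves to the shares directory itself or to `/etc/samba`. Use `if not name or name in ('.', '..') or len(name) > 80: return False`, and apply the same change to the identical validator in services/univention-samba/samba-shares.py so the two modules agree. The rest of the function lies outside the hunk.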
@@ -128,7 +128,8 @@ def handler(dn, new, old, command): listener.unsetuid() if old: - share_name_mapped = urllib.quote(old.get('univentionShareSambaName', [''])[0], safe='') + share_name = old.get('univentionShareSambaName', [''])[0] + share_name_mapped = urllib.quote(share_name, safe='') filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,) listener.setuid(0) try: @@ -147,15 +148,15 @@ def handler(dn, new, old, command): if new: share_name = new['univentionShareSambaName'][0] - share_name_mapped = urllib.quote(share_name, safe='') - filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,) if not _validate_smb_share_name(share_name): univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, "invalid samba share name: %r" % (share_name,)) return + share_name_mapped = urllib.quote(share_name, safe='') + filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,) # important!: createOrRename() checks if the share path is allowed. this must be done prior to writing any files. # try to create directory to share - if new['univentionShareSambaName'][0] != 'homes': + if share_name != 'homes': # object was renamed if not old and oldObject and command == "a": old = oldObject @@ -173,7 +174,7 @@ def handler(dn, new, old, command): fp = open(filename, 'w') print >>fp, '[%s]' % (share_name,) - if new['univentionShareSambaName'][0] != 'homes': + if share_name != 'homes': print >>fp, 'path = %s' % _quote(new['univentionSharePath'][0]) mapping = [ ('description', 'comment'),
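Review bot: The `if old:` branch builds `filename` from the old object's share name without validating it, so an object whose stored name is empty (the `['']` default) or contains `..` produces a path at or outside `/etc/samba/shares.conf.d/` before the `try:` block, which is outside this hunk, operates on it. Guarding the removal with `if _validate_smb_share_name(share_name):` mirrors the `new` branch. handler's body extends beyond the hunk on both sides.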
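Review bot: The new side still reads `share_name = new['univentionShareSambaName'][0]` by direct indexing, whereas the parallel hunk in services/univention-samba/samba-shares.py switched to `new.get('univentionShareSambaName', [''])[0]` so that an object lacking the attribute becomes an empty name that `_validate_smb_share_name` (which now rejects `not name`) logs and refuses; here the same object raises KeyError inside the listener module instead. Use `share_name = new.get('univentionShareSambaName', [''])[0]` to keep the two modules in step. handler's body continues outside the hunk.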