Attachment #10034 for bug #44054

(-)a/base/univention-lib/debian/python-univention-lib.univention-config-registry-variables (-2 / +2 lines)

Lines 12-19 Type=str	Link Here

Categories=service-misc

Categories=service-misc

[listener/shares/whitelist/.*]

[listener/shares/whitelist/.*]

Description[de]=Standardmäßig, wird die Erstellung von Freigaben in den meisten Verzeichnissen verhindert. Diese Variablen definieren eine Doppelpunkt-separierte Liste von erlaubten Verzeichnissen (z.B. /var:/usr).

Description[de]=Standardmäßig wird die Erstellung von Freigaben für einige Systemverzeichnisse verhindert. Diese Variablen ermöglichen das Freigeben von Verzeichnissen, die sonst auf der Standard-Blackist stehen. Die Werte der Variablen können eine durch Doppelpunkte separierte Liste von erlaubten Verzeichnissen enthalten (z.B. /var:/usr). Die Variable listener/shares/whitelist/default liefert eine empfohlene Standardliste für UCS.

Description[en]=By default is is restricted to create shares in most directories for security reasons. These variables should contain a colon separated list of allowed directories (e.g. /var:/usr).

Description[en]=For security reasons creating shares for some system directories is denied by default. This family of variables allows overriding the default blacklist. The values may contain a colon separated list of allowed directories (e.g. /var:/usr). The variable listener/shares/whitelist/default specifies the UCS recommended default whitelist.

Type=str

Type=str

Categories=service-misc

Categories=service-misc





DEFAULT_FS = "ext2/ext3:ext2:ext3:ext4:xfs:btrfs"
DIR_BLACKLIST = []
DIR_BLACKLIST.append("/bin")
DIR_BLACKLIST.append("/boot")
DIR_BLACKLIST.append("/sys")
DIR_BLACKLIST.append("/proc")
DIR_BLACKLIST.append("/etc")
DIR_BLACKLIST.append("/dev")
DIR_BLACKLIST.append("/etc")
DIR_BLACKLIST.append("/lib")
DIR_BLACKLIST.append("/lib64")
DIR_BLACKLIST.append("/proc")
DIR_BLACKLIST.append("/root")
DIR_BLACKLIST.append("/usr")
DIR_BLACKLIST.append("/bin")
DIR_BLACKLIST.append("/sbin")
DIR_BLACKLIST.append("/sys")
DIR_BLACKLIST.append("/tmp")
DIR_BLACKLIST.append("/usr")
DIR_BLACKLIST.append("/var")
# whitelisted via UCR by default
DIR_BLACKLIST.append("/lib64")
# later on whitelisted:
DIR_BLACKLIST.append("/home")
DIR_BLACKLIST.append("/opt")
DIR_BLACKLIST.append("/media")
DIR_BLACKLIST.append("/mnt")
DIR_BLACKLIST.append("/opt")
DIR_BLACKLIST.append("/run")
DIR_BLACKLIST.append("/srv")







def _validate_smb_share_name(name):
	if not name or len(name) > 80:
		return False
	illegal_chars = set('\\/[]:|<>+=;,*?"' + ''.join(map(chr, range(0x1F + 1))))
	if set(str(name)) & illegal_chars:

		listener.unsetuid()

	if old:
		share_name = old.get('univentionShareSambaName', [''])[0]
		share_name_mapped = urllib.quote(share_name, safe='')
		filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
		listener.setuid(0)
		try:

		return (_quote(arg) for arg in args)

	if new:
		share_name = new.get('univentionShareSambaName', [''])[0]
		share_name_mapped = urllib.quote(share_name, safe='')
		filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
		if not _validate_smb_share_name(share_name):
			univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, "invalid samba share name: %r" % (share_name,))
			return
		share_name_mapped = urllib.quote(share_name, safe='')
		filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)

		# important!: createOrRename() checks if the share path is allowed. this must be done prior to writing any files.
		# try to create directory to share
		if share_name != 'homes':
			# object was renamed
			if not old and oldObject and command == "a":
				old = oldObject

			fp = open(filename, 'w')

			print >>fp, '[%s]' % (share_name,)
			if share_name != 'homes':
				print >>fp, 'path = %s' % _quote(new['univentionSharePath'][0])
			mapping = [
				('description', 'comment'),






def _validate_smb_share_name(name):
	if not name or len(name) > 80:
		return False
	illegal_chars = set('\\/[]:|<>+=;,*?"' + ''.join(map(chr, range(0x1F + 1))))
	if set(str(name)) & illegal_chars:

		listener.unsetuid()

	if old:
		share_name = old.get('univentionShareSambaName', [''])[0]
		share_name_mapped = urllib.quote(share_name, safe='')
		filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
		listener.setuid(0)
		try:


	if new:
		share_name = new['univentionShareSambaName'][0]
		share_name_mapped = urllib.quote(share_name, safe='')
		filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)
		if not _validate_smb_share_name(share_name):
			univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, "invalid samba share name: %r" % (share_name,))
			return
		share_name_mapped = urllib.quote(share_name, safe='')
		filename = '/etc/samba/shares.conf.d/%s' % (share_name_mapped,)

		# important!: createOrRename() checks if the share path is allowed. this must be done prior to writing any files.
		# try to create directory to share
		if share_name != 'homes':
			# object was renamed
			if not old and oldObject and command == "a":
				old = oldObject

			fp = open(filename, 'w')

			print >>fp, '[%s]' % (share_name,)
			if share_name != 'homes':
				print >>fp, 'path = %s' % _quote(new['univentionSharePath'][0])
			mapping = [
				('description', 'comment'),

Return to bug 44054