代码拉取完成,页面将自动刷新
同步操作将从 src-openEuler/samba 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
From bfe8e10bf3b5dafecd0b19ef8ea163327f73a531 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 1 Aug 2023 12:30:00 +0200
Subject: [PATCH 04/28] CVE-2023-4091: smbtorture: test overwrite dispositions
on read-only file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow@samba.org>
Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.18.8-security-2023-10-10.patch
[PATCH 04/28] CVE-2023-4091: smbtorture: test overwrite dispositions
on read-only file
---
selftest/knownfail.d/samba3.smb2.acls | 1 +
source4/torture/smb2/acls.c | 143 ++++++++++++++++++++++++++
2 files changed, 144 insertions(+)
create mode 100644 selftest/knownfail.d/samba3.smb2.acls
diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
new file mode 100644
index 00000000000..18df260c0e5
--- /dev/null
+++ b/selftest/knownfail.d/samba3.smb2.acls
@@ -0,0 +1 @@
+^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c
index a27d4e079e6..5a892d004ea 100644
--- a/source4/torture/smb2/acls.c
+++ b/source4/torture/smb2/acls.c
@@ -2989,6 +2989,148 @@ done:
return ret;
}
+static bool test_overwrite_read_only_file(struct torture_context *tctx,
+ struct smb2_tree *tree)
+{
+ NTSTATUS status;
+ struct smb2_create c;
+ const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt";
+ struct smb2_handle handle = {{0}};
+ union smb_fileinfo q;
+ union smb_setfileinfo set;
+ struct security_descriptor *sd = NULL, *sd_orig = NULL;
+ const char *owner_sid = NULL;
+ int i;
+ bool ret = true;
+
+ struct tcase {
+ int disposition;
+ const char *disposition_string;
+ NTSTATUS expected_status;
+ } tcases[] = {
+#define TCASE(d, s) { \
+ .disposition = d, \
+ .disposition_string = #d, \
+ .expected_status = s, \
+ }
+ TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK),
+ TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED),
+ TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED),
+ TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED),
+ };
+#undef TCASE
+
+ ret = smb2_util_setup_dir(tctx, tree, BASEDIR);
+ torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok");
+
+ c = (struct smb2_create) {
+ .in.desired_access = SEC_STD_READ_CONTROL |
+ SEC_STD_WRITE_DAC |
+ SEC_STD_WRITE_OWNER,
+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+ .in.share_access = NTCREATEX_SHARE_ACCESS_READ |
+ NTCREATEX_SHARE_ACCESS_WRITE,
+ .in.create_disposition = NTCREATEX_DISP_OPEN_IF,
+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+ .in.fname = fname,
+ };
+
+ status = smb2_create(tree, tctx, &c);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_create failed\n");
+ handle = c.out.file.handle;
+
+ torture_comment(tctx, "get the original sd\n");
+
+ ZERO_STRUCT(q);
+ q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
+ q.query_secdesc.in.file.handle = handle;
+ q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
+
+ status = smb2_getinfo_file(tree, tctx, &q);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_getinfo_file failed\n");
+ sd_orig = q.query_secdesc.out.sd;
+
+ owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
+
+ sd = security_descriptor_dacl_create(tctx,
+ 0, NULL, NULL,
+ owner_sid,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ SEC_FILE_READ_DATA,
+ 0,
+ NULL);
+
+ ZERO_STRUCT(set);
+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+ set.set_secdesc.in.file.handle = handle;
+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+ set.set_secdesc.in.sd = sd;
+
+ status = smb2_setinfo_file(tree, &set);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_setinfo_file failed\n");
+
+ smb2_util_close(tree, handle);
+ ZERO_STRUCT(handle);
+
+ for (i = 0; i < ARRAY_SIZE(tcases); i++) {
+ torture_comment(tctx, "Verify open with %s dispostion\n",
+ tcases[i].disposition_string);
+
+ c = (struct smb2_create) {
+ .in.create_disposition = tcases[i].disposition,
+ .in.desired_access = SEC_FILE_READ_DATA,
+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+ .in.fname = fname,
+ };
+
+ status = smb2_create(tree, tctx, &c);
+ smb2_util_close(tree, c.out.file.handle);
+ torture_assert_ntstatus_equal_goto(
+ tctx, status, tcases[i].expected_status, ret, done,
+ "smb2_create failed\n");
+ };
+
+ torture_comment(tctx, "put back original sd\n");
+
+ c = (struct smb2_create) {
+ .in.desired_access = SEC_STD_WRITE_DAC,
+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
+ .in.create_disposition = NTCREATEX_DISP_OPEN_IF,
+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+ .in.fname = fname,
+ };
+
+ status = smb2_create(tree, tctx, &c);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_create failed\n");
+ handle = c.out.file.handle;
+
+ ZERO_STRUCT(set);
+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+ set.set_secdesc.in.file.handle = handle;
+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+ set.set_secdesc.in.sd = sd_orig;
+
+ status = smb2_setinfo_file(tree, &set);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_setinfo_file failed\n");
+
+ smb2_util_close(tree, handle);
+ ZERO_STRUCT(handle);
+
+done:
+ smb2_util_close(tree, handle);
+ smb2_util_unlink(tree, fname);
+ smb2_deltree(tree, BASEDIR);
+ return ret;
+}
+
/*
basic testing of SMB2 ACLs
*/
@@ -3017,6 +3159,7 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx)
test_deny1);
torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED",
test_mxac_not_granted);
+ torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", test_overwrite_read_only_file);
suite->description = talloc_strdup(suite, "SMB2-ACLS tests");
--
2.34.1
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。