samba/CVE-2019-3870-2.patch

From b9ccfe0452524d8fdd5751944662856425599af2 Mon Sep 17 00:00:00 2001
From: Tim Beale <timbeale@catalyst.net.nz>
Date: Fri, 15 Mar 2019 13:52:50 +1300
Subject: [PATCH 2/5] CVE-2019-3870 tests: Add test to check file-permissions
 are correct after provision

This provisions a new DC and checks there are no world-writable
files in the new DC's private directory.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---
 selftest/knownfail.d/provision_fileperms   |  1 +
 source4/selftest/tests.py                  |  1 +
 source4/setup/tests/provision_fileperms.sh | 71 ++++++++++++++++++++++++++++++
 3 files changed, 73 insertions(+)
 create mode 100644 selftest/knownfail.d/provision_fileperms
 create mode 100755 source4/setup/tests/provision_fileperms.sh

diff --git a/selftest/knownfail.d/provision_fileperms b/selftest/knownfail.d/provision_fileperms
new file mode 100644
index 00000000000..88b1585fd19
--- /dev/null
+++ b/selftest/knownfail.d/provision_fileperms
@@ -0,0 +1 @@
+samba4.blackbox.provision_fileperms.provision-fileperms\(none\)
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 18b2c1162b0..d6fb388dc33 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -904,6 +904,7 @@ plantestsuite_loadlist("samba4.deletetest.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [
 plantestsuite("samba4.blackbox.samba3dump", "none", [os.path.join(samba4srcdir, "selftest/test_samba3dump.sh")])
 plantestsuite("samba4.blackbox.upgrade", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_s3upgrade.sh"), '$PREFIX/provision'])
 plantestsuite("samba4.blackbox.provision.py", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_provision.sh"), '$PREFIX/provision'])
+plantestsuite("samba4.blackbox.provision_fileperms", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/provision_fileperms.sh"), '$PREFIX/provision'])
 plantestsuite("samba4.blackbox.supported_features", "none",
               ["PYTHON=%s" % python,
                os.path.join(samba4srcdir,
diff --git a/source4/setup/tests/provision_fileperms.sh b/source4/setup/tests/provision_fileperms.sh
new file mode 100755
index 00000000000..0b3ef0321fb
--- /dev/null
+++ b/source4/setup/tests/provision_fileperms.sh
@@ -0,0 +1,71 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+cat <<EOF
+Usage: $0 PREFIX
+EOF
+exit 1;
+fi
+
+PREFIX="$1"
+shift 1
+
+. `dirname $0`/../../../testprogs/blackbox/subunit.sh
+
+# selftest sets the umask to zero. Explicitly set it to 022 here,
+# which should mean files should never be writable for anyone else
+ORIG_UMASK=`umask`
+umask 0022
+
+# checks that the files in the 'private' directory created are not
+# world-writable
+check_private_file_perms()
+{
+    target_dir="$1/private"
+    result=0
+
+    for file in `ls $target_dir/`
+    do
+        filepath="$target_dir/$file"
+
+        # skip directories/sockets for now
+        if [ ! -f $filepath ] ; then
+            continue;
+        fi
+
+        # use stat to get the file permissions, i.e. -rw-------
+        file_perm=`stat -c "%A" $filepath`
+
+        # then use cut to drop the first 4 chars containing the file type
+        # and owner permissions. What's left is the group and other users
+        global_perm=`echo $file_perm | cut -c4-`
+
+        # check the remainder doesn't have write permissions set
+        if [ -z "${global_perm##*w*}" ] ; then
+            echo "Error: $file has $file_perm permissions"
+            result=1
+        fi
+    done
+    return $result
+}
+
+TARGET_DIR=$PREFIX/basic-dc
+rm -rf $TARGET_DIR
+
+# create a dummy smb.conf - we need to use fake ACLs for the file system here
+# (but passing --option args with spaces in it proved too difficult in bash)
+SMB_CONF=$TARGET_DIR/tmp/smb.conf
+mkdir -p `dirname $SMB_CONF`
+echo "vfs objects = fake_acls xattr_tdb" > $SMB_CONF
+
+# provision a basic DC
+testit "basic-provision" $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=FOO --realm=foo.example.com --targetdir=$TARGET_DIR --configfile=$SMB_CONF
+
+# check the file permissions in the 'private' directory really are private
+testit "provision-fileperms" check_private_file_perms $TARGET_DIR
+
+rm -rf $TARGET_DIR
+
+umask $ORIG_UMASK
+
+exit $failed
-- 
2.11.0
Package init 2019-09-30 11:16:38 -04:00			`From b9ccfe0452524d8fdd5751944662856425599af2 Mon Sep 17 00:00:00 2001`
			`From: Tim Beale <timbeale@catalyst.net.nz>`
			`Date: Fri, 15 Mar 2019 13:52:50 +1300`
			`Subject: [PATCH 2/5] CVE-2019-3870 tests: Add test to check file-permissions`
			`are correct after provision`

			`This provisions a new DC and checks there are no world-writable`
			`files in the new DC's private directory.`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834`

			`Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>`
			`Reviewed-by: Andrew Bartlett <abartlet@samba.org>`
			`Reviewed-by: Jeremy Allison <jra@samba.org>`
			`---`
			`selftest/knownfail.d/provision_fileperms \| 1 +`
			`source4/selftest/tests.py \| 1 +`
			`source4/setup/tests/provision_fileperms.sh \| 71 ++++++++++++++++++++++++++++++`
			`3 files changed, 73 insertions(+)`
			`create mode 100644 selftest/knownfail.d/provision_fileperms`
			`create mode 100755 source4/setup/tests/provision_fileperms.sh`

			`diff --git a/selftest/knownfail.d/provision_fileperms b/selftest/knownfail.d/provision_fileperms`
			`new file mode 100644`
			`index 00000000000..88b1585fd19`
			`--- /dev/null`
			`+++ b/selftest/knownfail.d/provision_fileperms`
			`@@ -0,0 +1 @@`
			`+samba4.blackbox.provision_fileperms.provision-fileperms\(none\)`
			`diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py`
			`index 18b2c1162b0..d6fb388dc33 100755`
			`--- a/source4/selftest/tests.py`
			`+++ b/source4/selftest/tests.py`
			`@@ -904,6 +904,7 @@ plantestsuite_loadlist("samba4.deletetest.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [`
			`plantestsuite("samba4.blackbox.samba3dump", "none", [os.path.join(samba4srcdir, "selftest/test_samba3dump.sh")])`
			`plantestsuite("samba4.blackbox.upgrade", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_s3upgrade.sh"), '$PREFIX/provision'])`
			`plantestsuite("samba4.blackbox.provision.py", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_provision.sh"), '$PREFIX/provision'])`
			`+plantestsuite("samba4.blackbox.provision_fileperms", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/provision_fileperms.sh"), '$PREFIX/provision'])`
			`plantestsuite("samba4.blackbox.supported_features", "none",`
			`["PYTHON=%s" % python,`
			`os.path.join(samba4srcdir,`
			`diff --git a/source4/setup/tests/provision_fileperms.sh b/source4/setup/tests/provision_fileperms.sh`
			`new file mode 100755`
			`index 00000000000..0b3ef0321fb`
			`--- /dev/null`
			`+++ b/source4/setup/tests/provision_fileperms.sh`
			`@@ -0,0 +1,71 @@`
			`+#!/bin/sh`
			`+`
			`+if [ $# -lt 1 ]; then`
			`+cat <<EOF`
			`+Usage: $0 PREFIX`
			`+EOF`
			`+exit 1;`
			`+fi`
			`+`
			`+PREFIX="$1"`
			`+shift 1`
			`+`
			+. `dirname $0`/../../../testprogs/blackbox/subunit.sh
			`+`
			`+# selftest sets the umask to zero. Explicitly set it to 022 here,`
			`+# which should mean files should never be writable for anyone else`
			+ORIG_UMASK=`umask`
			`+umask 0022`
			`+`
			`+# checks that the files in the 'private' directory created are not`
			`+# world-writable`
			`+check_private_file_perms()`
			`+{`
			`+ target_dir="$1/private"`
			`+ result=0`
			`+`
			+ for file in `ls $target_dir/`
			`+ do`
			`+ filepath="$target_dir/$file"`
			`+`
			`+ # skip directories/sockets for now`
			`+ if [ ! -f $filepath ] ; then`
			`+ continue;`
			`+ fi`
			`+`
			`+ # use stat to get the file permissions, i.e. -rw-------`
			+ file_perm=`stat -c "%A" $filepath`
			`+`
			`+ # then use cut to drop the first 4 chars containing the file type`
			`+ # and owner permissions. What's left is the group and other users`
			+ global_perm=`echo $file_perm \| cut -c4-`
			`+`
			`+ # check the remainder doesn't have write permissions set`
			`+ if [ -z "${global_perm##w}" ] ; then`
			`+ echo "Error: $file has $file_perm permissions"`
			`+ result=1`
			`+ fi`
			`+ done`
			`+ return $result`
			`+}`
			`+`
			`+TARGET_DIR=$PREFIX/basic-dc`
			`+rm -rf $TARGET_DIR`
			`+`
			`+# create a dummy smb.conf - we need to use fake ACLs for the file system here`
			`+# (but passing --option args with spaces in it proved too difficult in bash)`
			`+SMB_CONF=$TARGET_DIR/tmp/smb.conf`
			+mkdir -p `dirname $SMB_CONF`
			`+echo "vfs objects = fake_acls xattr_tdb" > $SMB_CONF`
			`+`
			`+# provision a basic DC`
			`+testit "basic-provision" $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=FOO --realm=foo.example.com --targetdir=$TARGET_DIR --configfile=$SMB_CONF`
			`+`
			`+# check the file permissions in the 'private' directory really are private`
			`+testit "provision-fileperms" check_private_file_perms $TARGET_DIR`
			`+`
			`+rm -rf $TARGET_DIR`
			`+`
			`+umask $ORIG_UMASK`
			`+`
			`+exit $failed`
			`--`
			`2.11.0`