git.samba.org - bbaumbach/samba-autobuild/.git/commit

author	Tim Beale <timbeale@catalyst.net.nz>
	Mon, 2 Oct 2017 01:33:47 +0000 (14:33 +1300)
committer	Andrew Bartlett <abartlet@samba.org>
	Sat, 14 Oct 2017 05:28:18 +0000 (07:28 +0200)
commit	4c9b380527ac091fa496675e8b887d2437a47d2c
tree	96aa01c52fa73536c88f34d4f9d6081928094d90	tree
parent	7abf0acef48cb585fa8e5666fd4c27692b9c8ae3	commit \| diff

selftest: Add sanity-check RODC can't use cache to reveal secrets

Bug 12977 highlighted that Samba only checks exop GetNcChanges requests
once, when they're first received. This makes sense because valid exop
requests should only ever involve a single request. For regular
(non-exop) GetNcChanges requests, the server stores a cache of the
object GUIDs to return.

What we don't want to happen is for a malicious/compromised RODC to use
this cache to circumvent privilege checks, and receive secrets that it's
normally not permitted to access (e.g. the administrator's password).

The specific scenario we're concerned about is:
- The RODC sends a regular GetNcChanges request for all objects (without
secrets). (This causes the server to build its GUID array cache).
- The RODC then sends a follow-on request for the next chunk, but sets
the REPL_SECRET exop this time.

The only thing inadvertently preventing Samba from leaking secrets in
this case is updating msDS-RevealedUsers for auditing. It's possible
that a future code change may alter the codepath and open up a
security-hole without realizing. This patch adds a test case so if that
ever did happen, the selftests would detect the problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12977

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>