def rsop(self, gpo):
output = {}
xml = 'MACHINE/VGP/VTLA/Unix/Scripts/Startup/manifest.xml'
if gpo.file_sys_path:
path = os.path.join(gpo.file_sys_path, xml)
xml_conf = self.parse(path)
if not xml_conf:
return output
policy = xml_conf.find('policysetting')
data = policy.find('data')
for listelement in data.findall('listelement'):
local_path = self.lp.cache_path('gpo_cache')
script = listelement.find('script').text
script_file = os.path.join(
local_path,
os.path.dirname(check_safe_path(path)).upper(),
script.upper())
parameters = listelement.find('parameters').text
run_as = listelement.find('run_as')
if run_as is not None:
run_as = run_as.text
else:
run_as = 'root'
run_once = listelement.find('run_once') is not None
if run_once:
entry = 'Run once as: %s `%s %s`' % (run_as, script_file,
parameters)
else:
entry = '@reboot %s %s %s' % (run_as, script_file,
parameters)
if str(self) not in output.keys():
output[str(self)] = []
output[str(self)].append(entry)
return output
def test_check_refresh_gpo_list_malicious_paths(self):
# the path cannot contain ..
path = '/usr/local/samba/var/locks/sysvol/../../../../../../root/'
self.assertRaises(OSError, check_safe_path, path)
self.assertEqual(check_safe_path('/etc/passwd'), 'etc/passwd')
self.assertEqual(check_safe_path('\\\\etc/\\passwd'), 'etc/passwd')
# there should be no backslashes used to delineate paths
before = 'sysvol/addom.samba.example.com\\Policies/' \
'{31B2F340-016D-11D2-945F-00C04FB984F9}\\GPT.INI'
after = 'addom.samba.example.com/Policies/' \
'{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI'
result = check_safe_path(before)
self.assertEquals(result, after, 'check_safe_path() didn\'t'
' correctly convert \\ to /')
def _get_gpts(self, username, sid):
gpts = list()
log('D45')
# util.windows.smbcreds
gpos = self.sambacreds.update_gpos(username)
log('D46')
for gpo in gpos:
if self._check_sysvol_present(gpo):
path = check_safe_path(gpo.file_sys_path).upper()
slogdata = dict({
'sysvol_path': gpo.file_sys_path,
'gpo_name': gpo.display_name,
'gpo_path': path
})
log('D30', slogdata)
gpt_abspath = os.path.join(self.cache_dir, 'gpo_cache', path)
obj = gpt(gpt_abspath, sid)
obj.set_name(gpo.display_name)
gpts.append(obj)
else:
if 'Local Policy' == gpo.name:
gpts.append(get_local_gpt(sid))
return gpts
def process_group_policy(self,
deleted_gpo_list,
changed_gpo_list,
cdir='/etc/cron.d'):
for guid, settings in deleted_gpo_list:
self.gp_db.set_guid(guid)
if str(self) in settings:
for attribute, script in settings[str(self)].items():
if script and os.path.exists(script):
os.unlink(script)
self.gp_db.delete(str(self), attribute)
self.gp_db.commit()
for gpo in changed_gpo_list:
if gpo.file_sys_path:
self.gp_db.set_guid(gpo.name)
xml = 'MACHINE/VGP/VTLA/Unix/Scripts/Startup/manifest.xml'
path = os.path.join(gpo.file_sys_path, xml)
xml_conf = self.parse(path)
if not xml_conf:
continue
policy = xml_conf.find('policysetting')
data = policy.find('data')
for listelement in data.findall('listelement'):
local_path = self.lp.cache_path('gpo_cache')
script = listelement.find('script').text
script_file = os.path.join(
local_path,
os.path.dirname(check_safe_path(path)).upper(),
script.upper())
parameters = listelement.find('parameters').text
hash = listelement.find('hash').text
attribute = '%s:%s:%s' % (script, hash, parameters)
old_val = self.gp_db.retrieve(str(self), attribute)
if old_val is not None:
continue
run_as = listelement.find('run_as')
if run_as is not None:
run_as = run_as.text
else:
run_as = 'root'
run_once = listelement.find('run_once') is not None
if run_once:
Popen(['/bin/sh %s %s' % (script_file, parameters)],
shell=True).wait()
self.gp_db.store(str(self), attribute, '')
else:
entry = '@reboot %s %s %s' % (run_as, script_file,
parameters)
with NamedTemporaryFile(prefix='gp_',
dir=cdir,
delete=False) as f:
f.write(intro)
f.write(get_bytes(entry))
os.chmod(f.name, 0o700)
self.gp_db.store(str(self), attribute, f.name)
self.gp_db.commit()
def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
for guid, settings in deleted_gpo_list:
self.gp_db.set_guid(guid)
if str(self) in settings:
for attribute, _ in settings[str(self)].items():
if os.path.exists(attribute):
os.unlink(attribute)
self.gp_db.delete(str(self), attribute)
self.gp_db.commit()
for gpo in changed_gpo_list:
if gpo.file_sys_path:
self.gp_db.set_guid(gpo.name)
xml = 'MACHINE/VGP/VTLA/Unix/Files/manifest.xml'
path = os.path.join(gpo.file_sys_path, xml)
xml_conf = self.parse(path)
if not xml_conf:
continue
policy = xml_conf.find('policysetting')
data = policy.find('data')
for entry in data.findall('file_properties'):
local_path = self.lp.cache_path('gpo_cache')
source = entry.find('source').text
source_file = os.path.join(
local_path,
os.path.dirname(check_safe_path(path)).upper(),
source.upper())
if not os.path.exists(source_file):
self.logger.warn('Source file "%s" does not exist' %
source_file)
continue
source_hash = \
blake2b(open(source_file, 'rb').read()).hexdigest()
target = entry.find('target').text
user = entry.find('user').text
group = entry.find('group').text
mode = calc_mode(entry)
value = '%s:%s:%s:%d' % (source_hash, user, group, mode)
old_val = self.gp_db.retrieve(str(self), target)
if old_val == value:
continue
if os.path.exists(target):
self.logger.warn('Target file "%s" already exists' %
target)
continue
with NamedTemporaryFile(dir=os.path.dirname(target),
delete=False) as f:
copyfile(source_file, f.name)
os.chown(f.name,
pwd.getpwnam(user).pw_uid,
grp.getgrnam(group).gr_gid)
os.chmod(f.name, mode)
move(f.name, target)
self.gp_db.store(str(self), target, value)
self.gp_db.commit()
def _get_gpts(self, username, sid):
gpts = list()
gpos = self.sambacreds.update_gpos(username)
for gpo in gpos:
if self._check_sysvol_present(gpo):
logging.debug(
slogm('Found SYSVOL entry "{}" for GPO "{}"'.format(
gpo.file_sys_path, gpo.display_name)))
path = check_safe_path(gpo.file_sys_path).upper()
logging.debug(slogm('Path: {}'.format(path)))
gpt_abspath = os.path.join(self.cache_dir, 'gpo_cache', path)
obj = gpt(gpt_abspath, sid)
obj.set_name(gpo.display_name)
gpts.append(obj)
else:
if 'Local Policy' == gpo.name:
gpts.append(get_local_gpt(sid))
return gpts
