samba - Jul 2017 - [PATCH] samba-tool: Easily edit a users object in AD V2 with test

On Tue, 4 Jul 2017 14:11:23 +0300
Alexander Bokovoy <ab at samba.org> wrote:
> On ti, 04 heinä 2017, Rowland Penny via samba-technical wrote:
> > On Tue, 4 Jul 2017 12:39:00 +0300
> > Alexander Bokovoy <ab at samba.org> wrote:
> > 
> > > On ti, 04 heinä 2017, Rowland Penny via samba-technical wrote:
> > > > On Mon, 3 Jul 2017 18:07:49 +0300
> > > > Alexander Bokovoy <ab at samba.org> wrote:
> > > > 
> > > > > Looks like it works! Great!
> > > > 
> > > > OK, one step forward, three steps back ;-)
> > > > 
> > > > How do you create a new file ?
> > > > 
> > > > I have created the edit.sh file in my local git, but when I
run:
> > > > 
> > > > git commit -s -a
> > > > 
> > > > I get:
> > > > 
> > > > On branch master
> > > > Your branch is ahead of 'origin/master' by 1 commit.
> > > >   (use "git push" to publish your local commits)
> > > > Untracked files:
> > > > 	python/samba/tests/samba_tool/edit.sh
> > > > 
> > > > nothing added to commit but untracked files present
> > > > 
> > > > I don't think I should run 'git push' as, from
reading the
> > > > manpage, it looks like this will try to create
'edit.sh' in the
> > > > Samba git.
> > > git add <file>
> > > https://www.atlassian.com/git/tutorials/saving-changes
> > 
> > I did wonder about that, but 'man git commit' said this:
> > 
> >        The command git commit -a first looks at your working tree,
> > notices that you have modified hello.c and removed goodbye.c, and
> > performs necessary git add and git rm for you.
> > 
> > Looks like the manpage lies, because I was using '-a' and it
didn't
> > add the file ;-)
> > 
> > I followed the suggestion and it worked, so I have attached my new
> > patches for editing users and the test for this.
> Ok, I have only one comment I'd like to be addressed before we accept
> this changeset:
> 
> +# create editor.sh
> +echo "#!/usr/bin/env bash" > /tmp/editor.sh
> +echo "user_ldif=\"\$1\"" >> /tmp/editor.sh
> +echo "SED=\$(which sed)" >> /tmp/editor.sh
> +echo "\$SED -i -e 's/userAccountControl: 512/userAccountControl:
> 514/' \$user_ldif" >> /tmp/editor.sh +
> +chmod +x /tmp/editor.sh
> +
> 
> Please don't use a static path here. It would prevent multiple
> parallel 'make test' runs on the same machine by different users.
And
> also would allow an attacker (whoever that be) to rewrite your
> editor.sh and inject an execution into your 'make test' run.
> 
> Instead, create a temporary file:
> 
> tmpeditor=$(mktemp --suffix .sh samba-tool-editor-XXXXXXXX)
> 
> And put the content into it:
> 
> cat >$tmpeditor <<-'EOF'
> 	#!/usr/bin/env bash
> 	user_ldif="$1"
> 	SED=$(which sed)
> 	$SED -i -e 's/userAccountControl: 512/userAccountControl:
> 514/' $user_ldif EOF
> 
> chmod +x $tmpeditor
> 
> <<-'EOF' means to start here document which ends with EOF,
strip
> leading tabs, do not perform interpolation within the document. This
> allows you to keep the content of the script clean from shell
> expansion protection.
> 
> 
OK, I will try this.

Rowland