From 37fe3658a04f200732651ae997ff408efd7a92f6 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 6 Jan 2021 14:38:03 +0000
Subject: [PATCH] samba: Add helper script to pipe password

It is complicated to set the password in the C helper binary. Therefore it is being set by a helper script. This is still not an optimal solution since the password might be exposed to the shell environment, but has the advantage that shell command injection is no longer possible.

Fixes: #12562
Reported-by: Albert Schwarzkopf
Signed-off-by: Michael Tremer
---
 config/rootfiles/packages/aarch64/samba | 1 +
 config/rootfiles/packages/armv5tel/samba | 1 +
 config/rootfiles/packages/i586/samba | 1 +
 config/rootfiles/packages/x86_64/samba | 1 +
 config/samba/samba-change-password | 37 ++++++++++++++++++++++++
 lfs/samba | 3 ++
 src/misc-progs/sambactrl.c | 12 ++------
 7 files changed, 46 insertions(+), 10 deletions(-)
 create mode 100644 config/samba/samba-change-password

diff --git a/config/rootfiles/packages/aarch64/samba b/config/rootfiles/packages/aarch64/samba
index 9d88cbacf9..c49d544e61 100644
--- a/config/rootfiles/packages/aarch64/samba
+++ b/config/rootfiles/packages/aarch64/samba
@@ -788,6 +788,7 @@ usr/lib/security/pam_winbind.so
 usr/libexec/samba/smbspool_krb5_wrapper
 usr/sbin/eventlogadm
 usr/sbin/nmbd
+usr/sbin/samba-change-password
 usr/sbin/samba-gpupdate
 usr/sbin/smbd
 usr/sbin/winbindd
diff --git a/config/rootfiles/packages/armv5tel/samba b/config/rootfiles/packages/armv5tel/samba
index fa039f6045..5f208b03ea 100644
--- a/config/rootfiles/packages/armv5tel/samba
+++ b/config/rootfiles/packages/armv5tel/samba
@@ -788,6 +788,7 @@ usr/lib/security/pam_winbind.so
 usr/libexec/samba/smbspool_krb5_wrapper
 usr/sbin/eventlogadm
 usr/sbin/nmbd
+usr/sbin/samba-change-password
 usr/sbin/samba-gpupdate
 usr/sbin/smbd
 usr/sbin/winbindd
diff --git a/config/rootfiles/packages/i586/samba b/config/rootfiles/packages/i586/samba
index 1f406cc71a..56ec3822b5 100644
--- a/config/rootfiles/packages/i586/samba
+++ b/config/rootfiles/packages/i586/samba
@@ -788,6 +788,7 @@ usr/lib/security/pam_winbind.so
 usr/libexec/samba/smbspool_krb5_wrapper
 usr/sbin/eventlogadm
 usr/sbin/nmbd
+usr/sbin/samba-change-password
 usr/sbin/samba-gpupdate
 usr/sbin/smbd
 usr/sbin/winbindd
diff --git a/config/rootfiles/packages/x86_64/samba b/config/rootfiles/packages/x86_64/samba
index 2df36e438e..37b1ff1379 100644
--- a/config/rootfiles/packages/x86_64/samba
+++ b/config/rootfiles/packages/x86_64/samba
@@ -788,6 +788,7 @@ usr/lib/security/pam_winbind.so
 usr/libexec/samba/smbspool_krb5_wrapper
 usr/sbin/eventlogadm
 usr/sbin/nmbd
+usr/sbin/samba-change-password
 usr/sbin/samba-gpupdate
 usr/sbin/smbd
 usr/sbin/winbindd
diff --git a/config/samba/samba-change-password b/config/samba/samba-change-password
new file mode 100644
index 0000000000..06f783e529
--- /dev/null
+++ b/config/samba/samba-change-password
@@ -0,0 +1,37 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2021 IPFire Team #
+# #
+############################################################################
+
+main() {
+ local username="${1}"
+ local password="${2}"
+
+ # Change password UNIX account
+ printf -- "${username}:${password}\n" | chpasswd
+
+ # Change SMB password
+ printf -- "${password}\n${password}\n" | smbpasswd -as "${username}"
+
+ return 0
+}
+
+main "$@" || exit "$?"
diff --git a/lfs/samba b/lfs/samba
index f57a04737e..07e0c601be 100644
--- a/lfs/samba
+++ b/lfs/samba
@@ -114,6 +114,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 mkdir -p /var/spool/samba
 chmod -v 1777 /var/spool/samba/
+ # Install password change helper script
+ install -m 755 $(DIR_SRC)/config/samba/samba-change-password /usr/sbin/samba-change-password
+
 #install initscripts
 $(call INSTALL_INITSCRIPT,samba)
diff --git a/src/misc-progs/sambactrl.c b/src/misc-progs/sambactrl.c
index 92ebef13a9..9753492f6e 100644
--- a/src/misc-progs/sambactrl.c
+++ b/src/misc-progs/sambactrl.c
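Review bot: Both `printf` calls in `main()` expand the password into the *format* string rather than passing it as an argument, so a password containing `%` is parsed as a printf conversion (`%s` silently becomes an empty string, an invalid conversion makes printf fail) and `\` sequences are expanded before chpasswd/smbpasswd ever see the value — the account ends up with a different password than the one the user typed. Pass the values as arguments instead: `printf -- '%s:%s\n' "${username}" "${password}" | chpasswd` and `printf -- '%s\n%s\n' "${password}" "${password}" | smbpasswd -as "${username}"`. The unconditional `return 0` also swallows the status of both pipelines, so the `|| exit "$?"` on the last line can never fire; propagate the failure (e.g. `... | chpasswd || return 1` on each pipeline and drop the `return 0`) so sambactrl can see that the password was not set. `main` does not check its argument count either, so a missing `$2` feeds `user:` to chpasswd, which may be accepted as an empty password; a guard such as `[ $# -eq 2 ] || return 1` would be cheap. The password still arrives in this script's argv, which is readable by any local user in `/proc/<pid>/cmdline` while it runs — the commit message acknowledges that, but reading the secret from stdin would avoid it without reintroducing shell interpolation.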
@@ -82,11 +82,7 @@ int main(int argc, char *argv[]) {
 snprintf(command, BUFFER_SIZE-1, "/usr/sbin/useradd -c 'Samba User' -m -g sambauser -s /bin/false %s >/dev/null", argv[2]);
 safe_system(command);
- snprintf(command, BUFFER_SIZE-1, "echo %s:%s | chpasswd", argv[2], argv[3]);
- safe_system(command);
-
- snprintf(command, BUFFER_SIZE-1, "/usr/bin/printf '%s\n%s\n' | /usr/bin/smbpasswd -as %s >/dev/null", argv[3], argv[3], argv[2]);
- safe_system(command);
+ run("/usr/sbin/samba-change-password", argv + 1);
 } else if (strcmp(argv[1], "smbchangepw") == 0) {
 if (!is_valid_argument_alnum(argv[2])) {
@@ -94,11 +90,7 @@ int main(int argc, char *argv[]) {
 exit(2);
 }
- snprintf(command, BUFFER_SIZE-1, "echo %s:%s | chpasswd", argv[2], argv[3]);
- safe_system(command);
-
- snprintf(command, BUFFER_SIZE-1, "/usr/bin/printf '%s\n%s\n' | /usr/bin/smbpasswd -as %s >/dev/null", argv[3], argv[3], argv[2]);
- safe_system(command);
+ run("/usr/sbin/samba-change-password", argv + 1);
 } else if (strcmp(argv[1], "readsmbpasswd") == 0) {
 safe_system("/bin/chown root:nobody /var/ipfire/samba/private >/dev/null");
-- 
2.39.5
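Review bot: The result of `run()` on the new line is discarded, so if samba-change-password fails (chpasswd or smbpasswd erroring out) after `useradd` has already created the account, the caller never learns that the account exists without the requested password. If `run()` returns the child's exit status — it is not part of this diff, so please confirm — check it: `if (run("/usr/sbin/samba-change-password", argv + 1)) { fprintf(stderr, "samba-change-password failed\n"); exit(1); }`. Note also that `argv + 1` hands the subcommand name `smbuseradd` as element 0 of the array; the script reads the username and password from `$1` and `$2`, which is only right if `run()` passes the array straight to `execv` so that element becomes `$0` — worth a one-line comment on the call, `/* argv[1] becomes $0; username and password follow as $1/$2 */`. The enclosing `main()` starts and ends outside the hunk.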
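Review bot: Only `argv[2]` is validated before the new `run()` call in the smbchangepw branch; no argc guard is visible in this hunk, so with only three arguments `argv[3]` is NULL, the helper receives no `$2`, and chpasswd is fed `user:`, which it may accept as an empty password. A guard next to the username check, `if (argc < 4 || !argv[3][0]) { fprintf(stderr, "missing password\n"); exit(1); }`, would close that (if an argc check already exists earlier in `main()`, outside the hunk, a comment saying so here would help the next reader). Because the password is now an argv element of the helper, it is readable by every local user via `ps` or `/proc/<pid>/cmdline` for as long as the script runs — the commit message acknowledges the exposure, but writing it to the child's stdin through a pipe would remove it without reintroducing the shell interpolation this change fixes. `main()` continues outside the hunk.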