[people/pmueller/ipfire-2.x.git] / src / patches / samba / samba-3.6.99-fix_security_server_share_access.patch

From 56bfca66b8597afe731f4624bb9f862bb45f81ba Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com>
Date: Mon, 12 Oct 2015 14:46:18 +0200
Subject: [PATCH] PATCHSET33: s3-auch: Fix secuirty = server share access

Resolve user groups in non-winbind path of passwd_to_SamInfo3(), fixing
group memberships with server security.

Signed-off-by: Matt Rogers <mrogers@redhat.com>
---
 source3/auth/server_info.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 1fd9317..91724cc 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -571,7 +571,9 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
 	enum lsa_SidType type;
 	uint32_t num_sids = 0;
 	struct dom_sid *user_sids = NULL;
+	gid_t *gids = NULL;
 	bool ok;
+	int i;
 
 	tmp_ctx = talloc_stackframe();
 
@@ -629,6 +631,29 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
 				    get_global_sam_sid(),
 				    DOMAIN_RID_USERS);
 		}
+
+		if (!getgroups_unix_user(tmp_ctx,
+					 unix_username,
+					 pwd->pw_gid,
+					 &gids,
+					 &num_sids)) {
+			DEBUG(1, ("Failed to get unix user groups.\n"));
+			goto done;
+		}
+
+		if (num_sids == 0) {
+			smb_panic("primary group missing");
+		}
+
+		user_sids = TALLOC_ARRAY(tmp_ctx, struct dom_sid, num_sids);
+
+		if (user_sids == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		for (i = 0; i < num_sids; i++) {
+			gid_to_sid(&user_sids[i], gids[i]);
+		}
 	}
 
 	/* Make sure we have a valid group sid */
@@ -696,6 +721,9 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
 
 	status = NT_STATUS_OK;
 done:
+	if (gids != NULL) {
+		talloc_free(gids);
+	}
 	talloc_free(tmp_ctx);
 
 	return status;
-- 
2.5.0
Commit	Line	Data
1d13e637 AF	1	From 56bfca66b8597afe731f4624bb9f862bb45f81ba Mon Sep 17 00:00:00 2001
	2	From: Matt Rogers <mrogers@redhat.com>
	3	Date: Mon, 12 Oct 2015 14:46:18 +0200
	4	Subject: [PATCH] PATCHSET33: s3-auch: Fix secuirty = server share access
	5
	6	Resolve user groups in non-winbind path of passwd_to_SamInfo3(), fixing
	7	group memberships with server security.
	8
	9	Signed-off-by: Matt Rogers <mrogers@redhat.com>
	10	---
	11	source3/auth/server_info.c \| 28 ++++++++++++++++++++++++++++
	12	1 file changed, 28 insertions(+)
	13
	14	diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
	15	index 1fd9317..91724cc 100644
	16	--- a/source3/auth/server_info.c
	17	+++ b/source3/auth/server_info.c
	18	@@ -571,7 +571,9 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
	19	enum lsa_SidType type;
	20	uint32_t num_sids = 0;
	21	struct dom_sid *user_sids = NULL;
	22	+ gid_t *gids = NULL;
	23	bool ok;
	24	+ int i;
	25
	26	tmp_ctx = talloc_stackframe();
	27
	28	@@ -629,6 +631,29 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
	29	get_global_sam_sid(),
	30	DOMAIN_RID_USERS);
	31	}
	32	+
	33	+ if (!getgroups_unix_user(tmp_ctx,
	34	+ unix_username,
	35	+ pwd->pw_gid,
	36	+ &gids,
	37	+ &num_sids)) {
	38	+ DEBUG(1, ("Failed to get unix user groups.\n"));
	39	+ goto done;
	40	+ }
	41	+
	42	+ if (num_sids == 0) {
	43	+ smb_panic("primary group missing");
	44	+ }
	45	+
	46	+ user_sids = TALLOC_ARRAY(tmp_ctx, struct dom_sid, num_sids);
	47	+
	48	+ if (user_sids == NULL) {
	49	+ return NT_STATUS_NO_MEMORY;
	50	+ }
	51	+
	52	+ for (i = 0; i < num_sids; i++) {
	53	+ gid_to_sid(&user_sids[i], gids[i]);
	54	+ }
	55	}
	56
	57	/* Make sure we have a valid group sid */
	58	@@ -696,6 +721,9 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
	59
	60	status = NT_STATUS_OK;
	61	done:
	62	+ if (gids != NULL) {
	63	+ talloc_free(gids);
	64	+ }
65	talloc_free(tmp_ctx);
66
67	return status;
68	--
69	2.5.0
70