CVE-2020-25717: loadparm: Add new parameter "min domain uid"
authorSamuel Cabrero <scabrero@samba.org>
Tue, 28 Sep 2021 08:43:40 +0000 (10:43 +0200)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:10 +0000 (10:52 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org Backported from master/4.15 due to
 conflicts with other new parameters]

docs-xml/smbdotconf/security/mindomainuid.xml [new file with mode: 0644]
docs-xml/smbdotconf/winbind/idmapconfig.xml
lib/param/loadparm.c
source3/param/loadparm.c

diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml b/docs-xml/smbdotconf/security/mindomainuid.xml
new file mode 100644 (file)
index 0000000..46ae795
--- /dev/null
@@ -0,0 +1,17 @@
+<samba:parameter name="min domain uid"
+                 type="integer"
+                 context="G"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+  <para>
+    The integer parameter specifies the minimum uid allowed when mapping a
+    local account to a domain account.
+  </para>
+
+  <para>
+    Note that this option interacts with the configured <emphasis>idmap ranges</emphasis>!
+  </para>
+</description>
+
+<value type="default">1000</value>
+</samba:parameter>
index 1374040fb29db1fca1f7cff9f44c8c62d8ba235a..f70f11df75714c9add86bb9679cc1bb0e3e74fe5 100644 (file)
@@ -80,6 +80,9 @@
                authoritative for a unix ID to SID mapping, so it must be set
                for each individually configured domain and for the default
                configuration. The configured ranges must be mutually disjoint.
+               </para>
+               <para>
+               Note that the low value interacts with the <smbconfoption name="min domain uid"/> option!
                </para></listitem>
                </varlistentry>
 
        </programlisting>
        
 </description>
+<related>min domain uid</related>
 </samba:parameter>
index 006caabc092afc634683fd8c5daf06248119dd7e..d2f6e6241adaaa6f2ca375c73237d01584caf50d 100644 (file)
@@ -3079,6 +3079,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
        lpcfg_do_global_parameter(
                lp_ctx, "ldap max search request size", "256000");
 
+       lpcfg_do_global_parameter(lp_ctx,
+                                 "min domain uid",
+                                 "1000");
+
        for (i = 0; parm_table[i].label; i++) {
                if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
                        lp_ctx->flags[i] |= FLAG_DEFAULT;
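Review bot: The default of 1000 is now written out independently in three places — the `<value type="default">` in docs-xml/smbdotconf/security/mindomainuid.xml, the `"1000"` string passed to lpcfg_do_global_parameter() in this hunk, and `Globals.min_domain_uid = 1000;` in the source3/param/loadparm.c hunk — so a later change to one of them can silently leave the others stale and the generated documentation disagreeing with the compiled-in default. A short comment at this call would at least make the coupling visible, e.g. `/* default must match mindomainuid.xml and init_globals() in source3/param/loadparm.c */`. Nothing in either C hunk relates the new value to the configured idmap ranges, although the XML text states that the two interact; if that enforcement lives in a later commit of this series, naming it in the commit message would make the backport easier to review. loadparm_init() starts and ends outside the hunk.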
index a3abaa2ec6732ca2cdcacf1d48efa1f3049953e4..301e3622ed47402be3c89213fbaa8b49505d7575 100644 (file)
@@ -960,6 +960,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        Globals.ldap_max_authenticated_request_size = 16777216;
        Globals.ldap_max_search_request_size = 256000;
 
+       Globals.min_domain_uid = 1000;
+
        /* Now put back the settings that were set with lp_set_cmdline() */
        apply_lp_set_cmdline();
 }