CVE-2020-25717: s3:auth: Check minimum domain uid
authorSamuel Cabrero <scabrero@samba.org>
Tue, 28 Sep 2021 08:45:11 +0000 (10:45 +0200)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:10 +0000 (10:52 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Removed knownfail on advice from metze]

selftest/knownfail.d/min_domain_uid [deleted file]
source3/auth/auth_util.c

diff --git a/selftest/knownfail.d/min_domain_uid b/selftest/knownfail.d/min_domain_uid
deleted file mode 100644 (file)
index 00bf75c..0000000
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.krb5.test_min_domain_uid.samba.*.SmbMinDomainUid.test_min_domain_uid_.*\(ad_member_no_nss_wb:local\)
index 4686b29111e8a38ffc08c6dcf8059b1eb2c38830..4de4bc74374bbb0441e648b9826c42c5b3dc59a6 100644 (file)
@@ -2103,6 +2103,22 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
                        }
                }
                goto out;
+       } else if ((lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) &&
+                  !is_myname(domain) && pwd->pw_uid < lp_min_domain_uid()) {
+               /*
+                * !is_myname(domain) because when smbd starts tries to setup
+                * the guest user info, calling this function with nobody
+                * username. Nobody is usually uid 65535 but it can be changed
+                * to a regular user with 'guest account' parameter
+                */
+               nt_status = NT_STATUS_INVALID_TOKEN;
+               DBG_NOTICE("Username '%s%s%s' is invalid on this system, "
+                          "it does not meet 'min domain uid' "
+                          "restriction (%u < %u): %s\n",
+                          nt_domain, lp_winbind_separator(), nt_username,
+                          pwd->pw_uid, lp_min_domain_uid(),
+                          nt_errstr(nt_status));
+               goto out;
        }
 
        result = make_server_info(tmp_ctx);
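Review bot: The `!is_myname(domain)` exemption on L32 is broader than the problem it solves: the comment says it exists only so the guest-account setup (the `nobody` mapping) is not rejected, yet it switches the whole 'min domain uid' check off for any principal whose `domain` equals the local host name. `domain` is set outside this hunk; if it can derive from the client- or DC-supplied logon domain rather than a fixed local value, a name that collides with the member's host name would skip the restriction entirely, which is the class of mapping confusion CVE-2020-25717 is about. A narrower guard would exempt only the configured guest account, for example `!strequal(pwd->pw_name, lp_guest_account()) && pwd->pw_uid < lp_min_domain_uid()` (assuming `strequal` is in scope here), keeping `is_myname()` only if a local-domain exemption is genuinely required. The comment on L36 also states nobody "is usually uid 65535"; on most Linux systems it is 65534, so `/* nobody is commonly uid 65534 (platform-dependent) */` would be safer wording. Note `pwd->pw_uid` is `uid_t` while `lp_min_domain_uid()` is likely an `int`-typed parameter accessor, so a negative configured value would promote to a huge unsigned bound and reject every domain user; clamping at parse time or casting explicitly before the comparison and the `%u` format would avoid that. make_server_info_info3 starts before and continues after this hunk.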