Jeff Layton [Tue, 26 Jan 2010 13:45:58 +0000 (08:45 -0500)]
mount.cifs: don't allow it to be run as setuid root program
mount.cifs has been the subject of several "security" fire drills due to
distributions installing it as a setuid root program. This program has
not been properly audited for security and the Samba team highly
recommends that it not be installed as a setuid root program at this
time.
To make that abundantly clear, this patch forcibly disables the ability
for mount.cifs to run as a setuid root program. People are welcome to
trivially patch this out, but they do so at their own peril.
A security audit and redesign of this program is in progress and we hope
that we'll be able to remove this in the near future.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
The last 5 patches address bug #6853 (mount.cifs race that allows user to
replace mountpoint with a symlink).
Jeff Layton [Tue, 26 Jan 2010 13:45:58 +0000 (08:45 -0500)]
mount.cifs: check for invalid characters in device name and mountpoint
It's apparently possible to corrupt the mtab if you pass embedded
newlines to addmntent. Apparently tabs are also a problem with certain
earlier glibc versions. Backslashes are also a minor issue apparently,
but we can't reasonably filter those.
Make sure that neither the devname or mountpoint contain any problematic
characters before allowing the mount to proceed.
Jeff Layton [Tue, 26 Jan 2010 13:45:58 +0000 (08:45 -0500)]
mount.cifs: take extra care that mountpoint isn't changed during mount
It's possible to trick mount.cifs into mounting onto the wrong directory
by replacing the mountpoint with a symlink to a directory. mount.cifs
attempts to check the validity of the mountpoint, but there's still a
possible race between those checks and the mount(2) syscall.
To guard against this, chdir to the mountpoint very early, and only deal
with it as "." from then on out.
Jeff Layton [Tue, 26 Jan 2010 13:45:57 +0000 (08:45 -0500)]
mount.cifs: properly check for mount being in fstab when running setuid root (try#3)
This is the third attempt to clean up the checks when a setuid
mount.cifs is run by an unprivileged user. The main difference in this
patch from the last one is that it fixes a bug where the mount might
have failed if unnecessarily if CIFS_LEGACY_SETUID_CHECK was set.
When mount.cifs is installed setuid root and run as an unprivileged
user, it does some checks to limit how the mount is used. It checks that
the mountpoint is owned by the user doing the mount.
These checks however do not match those that /bin/mount does when it is
called by an unprivileged user. When /bin/mount is called by an
unprivileged user to do a mount, it checks that the mount in question is
in /etc/fstab, that it has the "user" option set, etc.
This means that it's currently not possible to set up user mounts the
standard way (by the admin, in /etc/fstab) and simultaneously protect
from an unprivileged user calling mount.cifs directly to mount a share
on any directory that that user owns.
Fix this by making the checks in mount.cifs match those of /bin/mount
itself. This is a necessary step to make mount.cifs safe to be installed
as a setuid binary, but not sufficient. For that, we'd need to give
mount.cifs a proper security audit.
Since some users may be depending on the legacy behavior, this patch
also adds the ability to build mount.cifs with the older behavior.
Jeff Layton [Tue, 26 Jan 2010 13:45:53 +0000 (08:45 -0500)]
mount.cifs: directly include sys/stat.h in mtab.c
This file is mysteriously getting included when built via the makefile,
but when you try to build mtab.o by hand it fails to build. Directly
include it to remove any ambiguity.
Jeremy Allison [Thu, 18 Feb 2010 20:21:10 +0000 (12:21 -0800)]
Fix bug #7155 - valgrind Conditional jump or move depends on uninitialised value(s) error when "mangling method = hash"
The charset array allocated in init_chartest() is allocated
by MALLOC, but only some elements of it being set after allocation. Fix is to
memset to zero after allocation.
Jeremy Allison [Wed, 17 Feb 2010 18:46:42 +0000 (10:46 -0800)]
Fix bug #6557 - Do not work VFS full_audit
Re-arrange the operations order so SMB_VFS_CONNECT is done
first as root (to allow modules to correctly initialize themselves).
Reviewed modules to check if they needed CONNECT invoked as
a user (which we previously did) and it turns out any of them
that cared needed root permissions anyway.
Jeff Layton [Tue, 16 Feb 2010 14:16:42 +0000 (09:16 -0500)]
cifs.upcall: allocate a talloc context for smb_krb5_unparse_name
cifs.upcall calls smb_krb5_unparse_name with a NULL talloc context.
Older versions of this function though will conditionally use
SMB_REALLOC instead of TALLOC_REALLOC when a NULL context is passed
in. To make it more consistent, just spawn a talloc context that
we can pass into this function.
Jeremy Allison [Fri, 12 Feb 2010 00:03:02 +0000 (16:03 -0800)]
Fixes issue with preexec scripts creating a share directory, and problems if a smb.conf reload turns wide links back on after a connection is establised.
Günther Deschner [Wed, 10 Feb 2010 23:44:06 +0000 (00:44 +0100)]
s3-spoolss: implement spoolss_EnumJobs level 3.
Level 3 has been added with NT 4.0 and Windows 7 (at least 64bit version) makes
use of it in order to display queued jobs. Windows 7 will *not* fall back to
level 2 if we just return WERR_UNKNOWN_LEVEL, instead there will be no printjobs
displayed at all.
s3: shortcut gid_to_sid when "ldapsam:trusted = yes"
The normal gid_to_sid behaviour is to call sys_getgrgid()
to get the name for the given gid and then call the
getsamgrnam passdb method for the resulting name.
In the ldapsam:trusted case we can reduce the gid_to_sid
operation to one simple search for the gidNumber attribute
and only get the sambaSID attribute from the correspoinding
LDAP object. This reduces the number of ldap roundtrips
for this operation.
Michael Adam [Mon, 16 Nov 2009 10:37:18 +0000 (11:37 +0100)]
s3: shortcut uid_to_sid when "ldapsam:trusted = yes"
The normal uid_to_sid behaviour is to call sys_getpwuid()
to get the name for the given uid and then call the
getsampwnam passdb method for the resulting name.
In the ldapsam:trusted case we can reduce the uid_to_sid
operation to one simple search for the uidNumber attribute
and only get the sambaSID attribute from the correspoinding
LDAP object. This reduces the number of ldap roundtrips
for this operation.
Michael Adam [Fri, 13 Nov 2009 14:51:33 +0000 (15:51 +0100)]
s3:smbd: make idmap cache persistent for "ldapsam:trusted".
This stores the mappings found in the idmap cache (which lives
inside gencache). This cache is already read in sid_to_Xid()
and Xid_to_sid() for ldapsam:trusted, this fills the opposite
direction, massively reducing the number of ldap roundtrips
across smbd restarts.
Jeremy Allison [Tue, 9 Feb 2010 23:14:38 +0000 (15:14 -0800)]
Fix bug #7122 - Reading a large browselist fails (server returns invalid values in subsequent SMBtrans replies)
There are two problems:
1). The server is off-by-one in the end of buffer space test.
2). The server returns 0 in the totaldata (smb_vwv1) and totalparams (smb_vwv0)
fields in the second and subsequent SMBtrans replies.
Andrew Tridgell [Thu, 10 Dec 2009 03:35:24 +0000 (14:35 +1100)]
util: added binsearch.h for binary array searches
This was moved from the schema_query code. It will now be used in more
than one place, so best to make it a library macro. I think there are
quite a few places that could benefit from this.
(cherry picked from commit 71943e8858943718affb6a3c0ded2127f07057f0)
Jeremy Allison [Tue, 9 Feb 2010 22:48:15 +0000 (14:48 -0800)]
Second part of fix for bug 7063 - Samba 3.4.5 on ubuntu 8.04 64 bit - Core dumps.
Ensure we have no naked memcpy calls. This isn't a crash bug (it's
already checked in the data_blob_talloc_zero() above, but I want to
get into the pattern of having all memcpy's covered by safety checks.
Jeremy Allison [Sat, 6 Feb 2010 00:22:27 +0000 (16:22 -0800)]
Fix bug 7104 - "wide links" and "unix extensions" are incompatible.
Change parameter "wide links" to default to "no".
Ensure "wide links = no" if "unix extensions = yes" on a share.
Fix man pages to refect this.
Remove "within share" checks for a UNIX symlink set - even if
widelinks = no. The server will not follow that link anyway.
Correct DEBUG message in check_reduced_name() to add missing "\n"
so it's really clear when a path is being denied as it's outside
the enclosing share path.
Lars Müller [Fri, 5 Feb 2010 16:38:04 +0000 (17:38 +0100)]
s3: normalize "Changing password for" msg IDs and STRs
An additional space at the end of the "Changing password for" msgid lead
to untranslated pam_winnind messages.
(cherry picked from commit f9f1db18834648da73b7b1f6d9472523941e8277)
The destname malloc size was not taking into account the 1 extra byte
needed if a string without a leading '/' was passed in and that slash
was added.
This would cause the '\0' byte to be written past the end of the
malloced destname string and corrupt whatever heap memory was there.
This problem would be hit if a share name was given in smb.conf without
a leading '/' and if it was the exact size of the allocated STRDUP memory
which in some implementations of malloc is a power of 2.
(cherry picked from commit f42971c520360e69c4cdd64bebb02a5f5ba49b94)
Jeremy Allison [Thu, 28 Jan 2010 00:55:47 +0000 (16:55 -0800)]
Fix bug #7072 - Accounts can't be unlocked from ldap.
Fix suggested by Andy Hanton <andyhanton@gmail.com>. The LOGIN_CACHE
struct contains two time_t entries, but was being written to and
read from via tdb_pack/tdb_unpack functions using explicit 32-bit int specifiers.
This would break on machines with a 64-bit time_t. Use correct int
sizes for tdb_pack/tdb_unpack.
Volker Lendecke [Sat, 16 Jan 2010 12:31:44 +0000 (13:31 +0100)]
s3: Fix a crash in libsmbclient used against the OpenSolaris CIFS server
A user has sent me a sniff where the OpenSolaris CIFS server returns "32" in
totalentries, but the array in ctr only contains 15 entries. Look at the right
delimiter for walking the array.
Fix bug #7046 (libsmbclient crash against OpenSolaris CIFS server).
Jeremy Allison [Sat, 16 Jan 2010 01:49:56 +0000 (17:49 -0800)]
Fix bug 7045 - Bad (non memory copying) interfaces in smbc_setXXXX calls.
In smbc_free_context libsmbclient just called free() on the string options
so it assumes the callers have malloced them before setting them via smbc_set
calls.
Change to correctly malloc/free string options to the library.
Protect against SMB_STRDUP of null.
projects / thirdparty / samba.git / log
