===========================================================
== Subject: Misconfigured /etc/passwd file may share folders unexpectedly
==
== CVE ID#: CVE-2009-2813
==
== Versions: All versions of Samba later than 3.0.11
==
== Summary: If a user in /etc/passwd is misconfigured to have
== an empty home directory then connecting to the home
== share of this user will use the root of the filesystem
== as the home directory.
===========================================================
Jeff Layton [Fri, 25 Sep 2009 11:05:00 +0000 (07:05 -0400)]
mount.cifs: don't leak passwords with verbose option
When running mount.cifs with the --verbose option, it'll print out the
option string that it passes to the kernel...including the mount
password if there is one. Print a placeholder string instead to help
ensure that this info can't be used for nefarious purposes.
Also, the --verbose option printed the option string before it was
completely assembled anyway. This patch should also make sure that
the complete option string is printed out.
Finally, strndup passwords passed in on the command line to ensure that
they aren't shown by --verbose as well. Passwords used this way can
never be truly kept private from other users on the machine of course,
but it's simple enough to do it this way for completeness sake.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
Part 2/2 of a fix for CVE-2009-2948.
Jeff Layton [Fri, 25 Sep 2009 11:05:00 +0000 (07:05 -0400)]
mount.cifs: check access of credential files before opening
It's possible for an unprivileged user to pass a setuid mount.cifs a
credential or password file to which he does not have access. This can cause
mount.cifs to open the file on his behalf and possibly leak the info in the
first few lines of the file.
Check the access permissions of the file before opening it.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
Part 1/2 of a fix for CVE-2009-2948.
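The two CVE-2009-2948 fixes above, as an added example that is not mount.cifs's own code: a credential file is opened only if the real (invoking) user could read it, and the fully assembled option string is masked before any verbose output. Function names are assumptions; the helper is assumed to run setuid-root on Linux.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open a credential or password file only if the invoking (real) user may read
 * it. access(2) checks against the real uid/gid, not the effective root uid of
 * a setuid helper. The check-then-open pair leaves a TOCTOU window; this mirrors
 * the approach the commit describes. Returns a descriptor, or -1 if refused. */
int open_cred_file_checked(const char *path)
{
    if (access(path, R_OK) != 0)
        return -1;
    return open(path, O_RDONLY);
}

/* Return a heap copy of a comma-separated mount option string in which the
 * value of any "pass=" or "password=" option is replaced by a placeholder, so
 * a verbose dump of the fully assembled options never shows the password. */
char *mask_password_in_options(const char *opts)
{
    static const char mask[] = "********";
    size_t n = strlen(opts);
    /* worst case every token is a password option and grows by the mask */
    char *out = malloc(n + 1 + (n / 2 + 1) * (sizeof(mask) - 1));
    if (out == NULL)
        return NULL;
    char *w = out;
    const char *p = opts;
    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        size_t key = 0;                    /* length of "pass=" / "password=" */
        if (len >= 5 && strncmp(p, "pass=", 5) == 0)
            key = 5;
        else if (len >= 9 && strncmp(p, "password=", 9) == 0)
            key = 9;
        if (key) {
            memcpy(w, p, key);              w += key;
            memcpy(w, mask, sizeof(mask) - 1); w += sizeof(mask) - 1;
        } else {
            memcpy(w, p, len);              w += len;
        }
        p += len;
        if (*p == ',')
            *w++ = *p++;
    }
    *w = '\0';
    return out;
}
```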
Jeremy Allison [Wed, 22 Apr 2009 09:55:47 +0000 (02:55 -0700)]
Fix bug #6279 - winbindd crash. Cope with LDAP libraries returning LDAP_SUCCESS but not returning a result.
Jeremy
(cherry picked from commit 448d6cd32c793d04c3c509200bfaa75f466a0ee5)
prevent segmentation fault on joining a very long domain name in samba-3.0.32
For a detailed explanation, see
http://lists.samba.org/archive/samba-technical/2009-March/063626.html
(cherry picked from commit a92280537071b5a9a9bc56fbeead14c6874d5a55)
Jeremy Allison [Fri, 6 Mar 2009 04:59:48 +0000 (20:59 -0800)]
Now we're allowing a lower bound for auth_len, ensure we
also check for an upper one (integer wrap).
Jeremy.
(cherry picked from commit f03bacbf695f877d27186a39755ae726a22a61c8)
Volker Lendecke [Thu, 5 Mar 2009 23:14:27 +0000 (15:14 -0800)]
Complete the fix for bug 6100
According to [MS-RPCE].pdf, section 2.2.2.11:
----
A client or a server that (during composing of a PDU) has allocated more space
for the authentication token than the security provider fills in SHOULD fill in
the rest of the allocated space with zero octets. These zero octets are still
considered to belong to the authentication token part of the PDU.<36>
----
RPC implementations are allowed to send padding bytes at the end of an auth
footer. Windows 7 makes use of this.
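The auth_len lower/upper bound commit and the bug 6100 padding commit above, as one added example that is not Samba's own code: a wrap-safe check that a DCERPC auth trailer fits inside its fragment while still allowing the zero-padded token that [MS-RPCE] 2.2.2.11 permits. Function names, the constant names and the sample tokens are constructed; the 16-byte header and 8-byte sec_trailer sizes are from the DCERPC PDU layout.

```c
#include <stdbool.h>
#include <stdint.h>

#define RPC_HDR_LEN 16U         /* DCERPC common PDU header */
#define RPC_SEC_TRAILER_LEN 8U  /* auth_type, level, pad_length, reserved, context_id */

/* The check the "upper bound" commit warns about: in uint32_t arithmetic
 * auth_len + 24 wraps past zero, so auth_len = 0xFFFFFFF0 is accepted.
 * Shown only for contrast with the safe version below. */
bool auth_trailer_fits_naive(uint32_t frag_len, uint32_t auth_len)
{
    return auth_len + RPC_HDR_LEN + RPC_SEC_TRAILER_LEN <= frag_len;
}

/* Wrap-safe version: true when the trailer fits in the fragment and the token
 * is at least min_token_len bytes (what the security provider needs). Longer
 * is allowed, because [MS-RPCE] 2.2.2.11 lets the sender zero-pad the token.
 * Each bound is checked by subtracting from a value already known to be big
 * enough, so no sum can wrap. */
bool auth_trailer_fits(uint32_t frag_len, uint32_t auth_len,
                       uint8_t auth_pad_len, uint32_t min_token_len)
{
    if (auth_len == 0)
        return true;                               /* no auth trailer */
    if (auth_len < min_token_len)
        return false;                              /* lower bound */
    if (frag_len < RPC_HDR_LEN + RPC_SEC_TRAILER_LEN)
        return false;
    uint32_t avail = frag_len - RPC_HDR_LEN - RPC_SEC_TRAILER_LEN;
    if (auth_len > avail)
        return false;                              /* upper bound */
    return auth_pad_len <= avail - auth_len;       /* stub padding fits */
}

/* Per 2.2.2.11 the bytes beyond what the provider filled in (used_len) must
 * be zero; a receiver can enforce that before trusting the token. */
bool auth_token_padding_is_zero(const uint8_t *token, uint32_t auth_len,
                                uint32_t used_len)
{
    if (used_len > auth_len)
        return false;
    for (uint32_t i = used_len; i < auth_len; i++)
        if (token[i] != 0)
            return false;
    return true;
}

/* Constructed sample tokens: 6 bytes allocated, 3 filled by the provider. */
const uint8_t sample_token_ok[6]  = {0x01, 0x02, 0x03, 0x00, 0x00, 0x00};
const uint8_t sample_token_bad[6] = {0x01, 0x02, 0x03, 0x00, 0x09, 0x00};
```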
Jeremy Allison [Wed, 25 Feb 2009 21:01:04 +0000 (13:01 -0800)]
Fix bug in processing of open modes in POSIX open.
Was missing case of "If file exists open. If file doesn't exist error."
Damn damn damn. CIFSFS client will have to have fallback cases
for this error for a long time.
Make test for open modes more robust against other bits.
Steve French [Tue, 24 Feb 2009 23:11:55 +0000 (17:11 -0600)]
Fix guest mounts
guest session setup, login (user id) as anonymous.
This patch is for samba bugzilla bug 4640.
Signed-off-by: Shirish Pargaonkar <shirishp@us.ibm.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@samba.org>
(cherry picked from commit a8f10f4469b31565e33669560657c2b3df68c13b)
Jeremy Allison [Mon, 16 Feb 2009 02:23:09 +0000 (18:23 -0800)]
Attempt to fix bug #6099. According to Microsoft
Windows 7 looks at the negotiate_flags
returned in this structure *even if the
call fails with access denied ! So in order
to allow Win7 to connect to a Samba NT style
PDC we set the flags before we know if it's
an error or not.
Jeremy.
(cherry picked from commit 194fdee65f91e8ea88196d2cff1c678f868bb3df)
Yasuma Takeda [Wed, 11 Feb 2009 22:10:21 +0000 (14:10 -0800)]
Fix bug #6098 - When the DNS server is invalid, the ads_find_dc() does not work correctly with "security = domain"
1. If DNS server is invalid, the get_sorted_dc_list() is called with
realm(FQDN) and it fails.
2. On the next step, the get_sorted_dc_list() is called with realm(FQDN) again.
I think "again" is the wrong place.
On the 2nd step, get_sorted_dc_list() should be called with realm(WORKGROUP).
(cherry picked from commit 58331a118dd6a7fb56e70afe6cf93ef7cfff7e81)
Jeremy Allison [Wed, 11 Feb 2009 19:35:51 +0000 (11:35 -0800)]
Fix bug #5906 - Winbindd crash on 'getent group' (INTERNAL ERROR: Signal 11).
Was missed in the last maintenance release.
Jeremy.
(cherry picked from commit db4a435d235bedf48d668a0f4418dd46f38044ed)
Ted Percival [Tue, 3 Feb 2009 22:10:20 +0000 (14:10 -0800)]
Probably fixes a crash during name resolution when log level >= 10
and libc segfaults if printf is passed NULL for a "%s" arg
(eg. Solaris).
(cherry picked from commit d3220d9d58477f2a6ef7a78c3cf05cb232b57aff)
Jeremy Allison [Fri, 23 Jan 2009 00:29:46 +0000 (16:29 -0800)]
Apply same logic fix for #4308 Excel save operation corrupts file ACLs
to NFSv4 ACL code as this uses the same flawed logic as posix_acls.c.
Jeremy.
(cherry picked from commit 11fbc11e396a300aed04a37d44411d287d4c17d3)
Jeremy Allison [Fri, 23 Jan 2009 00:04:36 +0000 (16:04 -0800)]
Fix logic error in try_chown - we shouldn't arbitrarily chown
to ourselves unless that was passed in.
Jeremy.
(cherry picked from commit 60289187a91e23787be581b824076651230245b2)
Jeremy Allison [Thu, 22 Jan 2009 22:31:27 +0000 (14:31 -0800)]
Second part of the attempt to fix #4308 - Excel save operation corrupts file ACLs.
If the chown succeeds then the ACL set should also. Ensure this is the case
(refactor some of this code to make it simpler to read also).
Jeremy.
(cherry picked from commit 08836722e63cfd6cfd88059dd3f10d98474f49cb)
Jeremy Allison [Thu, 22 Jan 2009 18:58:38 +0000 (10:58 -0800)]
Another attempt to fix bug #4308 - Excel save operation corrupts file ACLs.
Simo is completely correct. We should be doing the chown *first*, and fail the
ACL set if this fails. The long standing assumption I made when writing the
initial POSIX ACL code was that Windows didn't control who could chown a file
in the same way as POSIX. In POSIX only root can do this whereas I wasn't sure
who could do this in Windows at the time (I didn't understand the privilege
model). So the assumption was that setting the ACL was more important (early
tests showed many failed ACL sets due to inability to chown). But now we have
privileges in smbd, and we must always fail an ACL set when we can't chown
first. The key that Simo noticed is that the CREATOR_OWNER bits in the ACL
incoming are relative to the *new* owner, not the old one. This is why the old
user owner disappears on ACL set - their access was set via the USER_OBJ in the
creator POSIX ACL and when the ownership changes they lose their access.
Patch is simple - just ensure we do the chown first before evaluating the
incoming ACL and re-read the owners. We already have code to do this, it just wasn't
rigorously being applied.
Jeremy.
(cherry picked from commit 9a95b6cac2dea88cb9e9b428292dfca9d1e3e801)
s3:libsmb: handle the smb signing states the same in the krb5 and ntlmssp cases
SMB signing works the same regardless of the used auth mech.
We need to start with the temp signing ("BSRSPYL ")
and the session setup response with NT_STATUS_OK
is the first signed packet.
Now we set the krb5 session key if we got the NT_STATUS_OK
from the server and then recheck the packet.
All this is needed to make the fallback from krb5 to
ntlmssp possible. This commit also resets the cli->vuid
value to 0, if the krb5 auth didn't succeed. Otherwise
the server handles NTLMSSP packets as krb5 packets.
The restructuring of the SMB signing code is needed to
make sure the krb5 code only starts the signing engine
on success. Otherwise the NTLMSSP fallback could not initialize
the signing engine (again).
Jeremy Allison [Sun, 11 Jan 2009 04:04:27 +0000 (20:04 -0800)]
Fix logic bug introduced in backport of ccache_regain_all_now, sync with
3.3 implementation.
Jeremy.
(cherry picked from commit ab29d6c6d349352db017d3046aeaee59e33745f4)
Jeremy Allison [Thu, 8 Jan 2009 18:56:36 +0000 (10:56 -0800)]
Fix race condition in alarm lock processing noticed by Richard Sharpe <realrichardsharpe@gmail.com>.
"It seems to me that if the lock is already held by another process when we
enter this code, there is a race between the timeout and the granting. If
the lock is subsequently granted, the process releasing the lock will signal
the wait variable (or whatever) and our process will be scheduled. However,
if the timeout occurs before we are scheduled, the timeout will be delivered
first.
Karolin Seeger [Wed, 17 Dec 2008 14:53:51 +0000 (15:53 +0100)]
s3/loadparm.c: Change default value for "ldap ssl".
LDAP_SSL_ON is not defined at all. That's why the actual default value
was "" for a long time. Set a more sensible default value without chnging the
default behaviour.