From: Stefan Metzmacher
Date: Wed, 30 Nov 2022 15:16:05 +0000 (+0100)
Subject: CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
X-Git-Tag: talloc-2.4.0~342
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1fdf1d55a5dd550bdb16d037b5dc995c33c1a67a;p=thirdparty%2Fsamba.git

CVE-2022-38023 s3:net: add and use net_warn_member_options() helper

This makes sure domain member related 'net' commands print warnings about unsecure smb.conf options.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
Reviewed-by: Ralph Boehme
---

diff --git a/source3/utils/net.c b/source3/utils/net.c
index 2e8a00f47c7..679f04db22b 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -85,6 +85,8 @@ enum netr_SchannelType get_sec_channel_type(const char *param)
 static int net_changetrustpw(struct net_context *c, int argc, const char **argv)
 {
+ net_warn_member_options();
+
 if (net_ads_check_our_domain(c) == 0)
 return net_ads_changetrustpw(c, argc, argv);
@@ -112,6 +114,8 @@ static int net_primarytrust_dumpinfo(struct net_context *c, int argc,
 return 1;
 }
+ net_warn_member_options();
+
 if (c->opt_stdin) {
 set_line_buffering(stdin);
 set_line_buffering(stdout);
@@ -193,6 +197,8 @@ static int net_changesecretpw(struct net_context *c, int argc,
 return 1;
 }
+ net_warn_member_options();
+
 if(c->opt_force) {
 struct secrets_domain_info1 *info = NULL;
 struct secrets_domain_info1_change *prev = NULL;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 693ece17d8f..19995f17562 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1414,6 +1414,8 @@ static int net_ads_status(struct net_context *c, int argc, const char **argv)
 return -1;
 }
+ net_warn_member_options();
+
 status = ads_startup(c, true, tmp_ctx, &ads);
 if (!ADS_ERR_OK(status)) {
 goto out;
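Review bot: The net_changetrustpw() hunk calls net_warn_member_options() and then dispatches to net_ads_changetrustpw(), which receives the same call in its own hunk (net_ads.c @@ -2659), so a single `net changetrustpw` run goes through the warning path twice unless netlogon_creds_cli_warn_options() suppresses repeats internally, which this diff does not show. The same dispatcher-plus-callee pattern is visible for net_join() → net_ads_join() (net_join.c @@ -39 and net_ads.c @@ -1685) and net_ads_testjoin() → net_ads_join_ok() (net_ads.c @@ -1588 and @@ -1556), and presumably for net_rpc_join() → net_rpc_join_newstyle() (net_rpc.c @@ -685 and @@ -564). If the callee does not de-duplicate, either drop the call from the dispatching functions or make the helper itself idempotent, e.g. a file-scope `static bool warned = false;` in net_util.c checked and set at the top of net_warn_member_options(). Each of these functions continues outside its hunk, so the double call cannot be fully traced here.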
@@ -1556,6 +1558,8 @@ static ADS_STATUS net_ads_join_ok(struct net_context *c)
 return ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED);
 }
+ net_warn_member_options();
+
 net_use_krb_machine_account(c);
 get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
@@ -1588,6 +1592,8 @@ int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
 return -1;
 }
+ net_warn_member_options();
+
 /* Display success or failure */
 status = net_ads_join_ok(c);
 if (!ADS_ERR_OK(status)) {
@@ -1685,6 +1691,8 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
 return net_ads_join_usage(c, argc, argv);
 }
+ net_warn_member_options();
+
 if (!modify_config) {
 werr = check_ads_config();
 if (!W_ERROR_IS_OK(werr)) {
@@ -2659,6 +2667,8 @@ int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
 goto out;
 }
+ net_warn_member_options();
+
 net_use_krb_machine_account(c);
 use_in_memory_ccache();
@@ -2961,6 +2971,8 @@ static int net_ads_keytab_add(struct net_context *c,
 return -1;
 }
+ net_warn_member_options();
+
 d_printf(_("Processing principals to add...\n"));
 if (!c->opt_user_specified && c->opt_password == NULL) {
@@ -3053,6 +3065,8 @@ static int net_ads_keytab_create(struct net_context *c, int argc, const char **a
 return -1;
 }
+ net_warn_member_options();
+
 if (!c->opt_user_specified && c->opt_password == NULL) {
 net_use_krb_machine_account(c);
 }
diff --git a/source3/utils/net_dom.c b/source3/utils/net_dom.c
index 13e65a93314..4b48e1566bc 100644
--- a/source3/utils/net_dom.c
+++ b/source3/utils/net_dom.c
@@ -154,6 +154,8 @@ static int net_dom_join(struct net_context *c, int argc, const char **argv)
 return net_dom_usage(c, argc, argv);
 }
+ net_warn_member_options();
+
 if (c->opt_host) {
 server_name = c->opt_host;
 }
diff --git a/source3/utils/net_join.c b/source3/utils/net_join.c
index 1493dff74d7..f67f08f79a8 100644
--- a/source3/utils/net_join.c
+++ b/source3/utils/net_join.c
@@ -39,6 +39,8 @@ int net_join(struct net_context *c, int argc, const char **argv)
 return 0;
 }
+ net_warn_member_options();
+
 if (net_ads_check_our_domain(c) == 0) {
 if (net_ads_join(c, argc, argv) == 0)
 return 0;
diff --git a/source3/utils/net_offlinejoin.c b/source3/utils/net_offlinejoin.c
index 03e5df0eace..0cfd5fdfe23 100644
--- a/source3/utils/net_offlinejoin.c
+++ b/source3/utils/net_offlinejoin.c
@@ -49,6 +49,8 @@ int net_offlinejoin(struct net_context *c, int argc, const char **argv)
 return -1;
 }
+ net_warn_member_options();
+
 status = libnetapi_net_init(&c->netapi_ctx);
 if (status != 0) {
 return -1;
diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
index 1cc8fdf35af..fe6b5dd9b84 100644
--- a/source3/utils/net_proto.h
+++ b/source3/utils/net_proto.h
@@ -448,6 +448,8 @@ int net_run_function(struct net_context *c, int argc, const char **argv,
 const char *whoami, struct functable *table);
 void net_display_usage_from_functable(struct functable *table);
+void net_warn_member_options(void);
+
 const char *net_share_type_str(int num_type);
 NTSTATUS net_scan_dc(struct net_context *c,
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index e1a0c491dd4..1405f773838 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -371,6 +371,8 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
 return 0;
 }
+ net_warn_member_options();
+
 mem_ctx = talloc_init("net_rpc_oldjoin");
 if (!mem_ctx) {
 return -1;
@@ -490,6 +492,8 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
 return 0;
 }
+ net_warn_member_options();
+
 mem_ctx = talloc_init("net_rpc_testjoin");
 if (!mem_ctx) {
 return -1;
@@ -564,6 +568,8 @@ static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **a
 return 0;
 }
+ net_warn_member_options();
+
 mem_ctx = talloc_init("net_rpc_join_newstyle");
 if (!mem_ctx) {
 return -1;
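Review bot: The new prototype `void net_warn_member_options(void);` in the net_proto.h hunk is undocumented, although it is the one symbol every other hunk of this commit depends on and it is called before any network activity in each caller. A one-line comment above the declaration would tell the next person adding a domain-member subcommand when to call it: `/* Print warnings about insecure smb.conf domain-member options (delegates to netlogon_creds_cli_warn_options()); call early in every member-related subcommand. */`. Whether the warnings are printed once per process or on every call is not visible in this diff, so I would not state that in the comment without checking the callee.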
@@ -685,6 +691,8 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
 return -1;
 }
+ net_warn_member_options();
+
 if (strlen(lp_netbios_name()) > 15) {
 d_printf(_("Our netbios name can be at most 15 chars long, " "\"%s\" is %u chars long\n"),
@@ -815,6 +823,8 @@ int net_rpc_info(struct net_context *c, int argc, const char **argv)
 return 0;
 }
+ net_warn_member_options();
+
 return run_rpc_command(c, NULL, &ndr_table_samr, NET_FLAGS_PDC, rpc_info_internals, argc, argv);
diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
index 298d9a64dc0..f3b7755063b 100644
--- a/source3/utils/net_util.c
+++ b/source3/utils/net_util.c
@@ -31,6 +31,7 @@
 #include "libsmb/libsmb.h"
 #include "lib/param/param.h"
 #include "auth/gensec/gensec.h"
+#include "libcli/auth/netlogon_creds_cli.h"
 #include "lib/cmdline/cmdline.h"
 NTSTATUS net_rpc_lookup_name(struct net_context *c,
@@ -478,6 +479,19 @@ void net_display_usage_from_functable(struct functable *table)
 }
 }
+void net_warn_member_options(void)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct loadparm_context *lp_ctx = NULL;
+
+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+ if (lp_ctx != NULL) {
+ netlogon_creds_cli_warn_options(lp_ctx);
+ }
+
+ TALLOC_FREE(frame);
+}
+
 const char *net_share_type_str(int num_type)
 {
 switch(num_type) {
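Review bot: In the new net_warn_member_options() (net_util.c @@ -478) a NULL return from loadparm_init_s3() is silently skipped, so the very warning this CVE fix exists to print disappears without any trace exactly when configuration loading is broken. Since the whole point of the helper is operator visibility, the failure branch should at least log: `} else { DBG_WARNING("loadparm_init_s3() failed, cannot check smb.conf member options\n"); }`. The function also deserves a short header comment stating that it only builds a temporary loadparm context on a talloc stackframe and delegates the actual checks to netlogon_creds_cli_warn_options(), and that it performs no network I/O, which is what the visible body shows.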