Jeremy Allison [Mon, 28 Sep 2009 11:52:57 +0000 (13:52 +0200)]
Fix for CVE-2009-2813.
===========================================================
== Subject: Misconfigured /etc/passwd file may share folders unexpectedly
==
== CVE ID#: CVE-2009-2813
==
== Versions: All versions of Samba later than 3.0.11
==
== Summary: If a user in /etc/passwd is misconfigured to have
== an empty home directory then connecting to the home
== share of this user will use the root of the filesystem
== as the home directory.
===========================================================
Jeff Layton [Fri, 25 Sep 2009 11:03:44 +0000 (07:03 -0400)]
mount.cifs: don't leak passwords with verbose option
When running mount.cifs with the --verbose option, it'll print out the
option string that it passes to the kernel...including the mount
password if there is one. Print a placeholder string instead to help
ensure that this info can't be used for nefarious purposes.
Also, the --verbose option printed the option string before it was
completely assembled anyway. This patch should also make sure that
the complete option string is printed out.
Finally, strndup passwords passed in on the command line to ensure that
they aren't shown by --verbose as well. Passwords used this way can
never be truly kept private from other users on the machine of course,
but it's simple enough to do it this way for completeness sake.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl> Signed-off-by: Jeff Layton <jlayton@redhat.com> Acked-by: Steve French <sfrench@us.ibm.com>
Part 2/2 of a fix for CVE-2009-2948.
Jeff Layton [Fri, 25 Sep 2009 11:03:44 +0000 (07:03 -0400)]
mount.cifs: check access of credential files before opening
It's possible for an unprivileged user to pass a setuid mount.cifs a
credential or password file to which he does not have access. This can cause
mount.cifs to open the file on his behalf and possibly leak the info in the
first few lines of the file.
Check the access permissions of the file before opening it.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl> Signed-off-by: Jeff Layton <jlayton@redhat.com> Acked-by: Steve French <sfrench@us.ibm.com>
Part 1/2 of a fix for CVE-2009-2948.
Simo Sorce [Sun, 13 Jul 2008 02:44:15 +0000 (22:44 -0400)]
Fix bug #6628 - "smbpassdb -a" using rid algorithm with tdbsam passdb
samu_set_unix() does not use the rid allocator, but forces to use the
algoritmic allocator unconditionally, this is wrong and inconsistent.
Use samu_alloc_rid_unix() instead.
(If we create a new user we should do it in a way consistent with all
other commands like pdbedit -a and net rpc user add.)
(cherry picked from commit e1d4db8f55b25c7e9c408cb334fb89ccfd4c6565)
Michael Adam [Fri, 22 May 2009 09:58:00 +0000 (11:58 +0200)]
s3:winbind:idmap_ldap: fix a crash bug in idmap_ldap_unixids_to_sids (#6387)
This fixes a crash bug hit when multiple mappings were found by
the ldap search. This crash was caused by an ldap asssertion
in ldap_next_entry because was set to NULL in each iteration.
There is a logic part, too:
The problem currently only occurs when multiple mappings are found
for one given unixid. Now winbindd does not crash any more but
it does not correctly handle this situation. It just returns the
last mapping from the ldap search results.
This needs fixing.
Jeremy Allison [Sat, 30 May 2009 20:28:03 +0000 (13:28 -0700)]
Fix bug #6421 - POSIX read-only open fails on read-only shares. The change to smbd/trans2.c opens up SETFILEINFO calls to POSIX_OPEN only. The change to first smbd/open.c closes 2 holes that would have been exposed by allowing POSIX_OPENS on readonly shares, and their ability to set arbitrary flags permutations. The O_CREAT -> O_CREAT|O_EXCL change removes an illegal combination (O_EXCL without O_CREAT) that previously was being passed down to the open syscall. Jeremy.
(cherry picked from commit 79f26472b4ae561ec00c30f31dd63ccab6dfc0c4)
(cherry picked from commit fedc34b47664439b0d066c087d9bfa5a34c81fff)
Jeremy Allison [Thu, 2 Jul 2009 06:37:59 +0000 (08:37 +0200)]
Fix bug #6520 time stamps.
E.g. last mod time is not preserved when "unix extensions=yes" are set - and u
Cancel out any pending "sticky" writes or "last write" changes when
doing a UNIX info level set.
Jim McDonough [Mon, 29 Jun 2009 14:06:14 +0000 (10:06 -0400)]
Don't require "Modify property" perms to unjoin (bug #6481) "net ads leave" stopped working when "modify properties" permissions were not granted (meaning you had to be allowed to disable the account that you were about to delete).
Libnetapi should not delete machine accounts, as this does not
happen on win32. The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag
really means "disable" (both in practice and docs).
However, to keep the functionality in "net ads leave", we
will still try to do the delete. If this fails, we try
to do the disable.
Additionally, it is possible in windows to not disable or
delete the account, but just tell the local machine that it
is no longer in the account. libnet can now do this as well.
Jeremy Allison [Fri, 12 Jun 2009 08:27:07 +0000 (10:27 +0200)]
Revert the extra SAMR and LSA checks.
These were added between 3.2.4 and 3.2.5 that have caused users problems.
This fixes among others bug #6089 and #6112.
(cherry picked from commit f2a29585123e6072a75eb9abdd202f99f5a01e1e)
Karolin Seeger [Sat, 6 Jun 2009 13:56:47 +0000 (15:56 +0200)]
s3/docs: Fix example.
The 'ldap suffix' is not added automatically to the 'ldap admin dn'.
This fixes bug #5584.
Thanks to Stefan Bauer <stefan.bauer [at] plzk.de> for reporting!
Volker Lendecke [Sun, 24 May 2009 16:57:13 +0000 (18:57 +0200)]
Fix a race condition in winbind leading to a panic
In winbind, we do multiple events in one select round. This needs fixing, but
as long as we're still using it, for efficiency reasons we need to do that.
What can happen is the following: We have outgoing data pending for a client,
thus
state->fd_event.flags == EVENT_FD_WRITE
Now a new client comes in, we go through the list of clients to find an idle
one. The detection for idle clients in remove_idle_client does not take the
pending data into account. We close the socket that has pending outgoing data,
the accept(2) one syscall later gives us the same socket.
In new_connection(), we do a setup_async_read, setting up a read fde. The
select from before however had found the socket (that we had already closed!!)
to be writable. In rw_callback we only want to see a readable flag, and we
panic in the SMB_ASSERT(flags == EVENT_FD_READ).
Simo Sorce [Fri, 22 May 2009 01:32:17 +0000 (21:32 -0400)]
Insure we always return NULL on error.
It is not technically an ldb bug, but apparently some callers try to access
res before checking the ldb_search() return code.
So make their attempt very evident (a NULL dereference will make it cristal
clear where the bug is).
(cherry picked from commit c60539f31f63bd65e5b0e3ee16365f036bef3d5b)
Jeremy Allison [Mon, 11 May 2009 18:17:56 +0000 (11:17 -0700)]
After getting confirmation from Guenther, add 3 changes we'll ultimately need to fix bug #6099 Samba returns incurrate capabilities list. 1). Add a comment to point out that r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags. 2). Ensure we return NETLOGON_NEG_STRONG_KEYS in our flags return if the client requested it. 3). Clean up the error exits so we always return the same way. Signed off by Guenther. Jeremy.
(cherry picked from commit 59ee131464636d3363bc7ee398ba6390a6333558)
Jeremy, with 9a5d5cc1db0ee60486f932e34cd7961b90c70a56 you alter the in negotiate flags (which are a pointer to the out negotiate flags assigned in the generated netlogon server code). So, while you wanted to just set the *out* negflags, you did in fact reset the *in* negflags, effectively eliminating the NETLOGON_NEG_STRONG_KEYS bit (formerly known as NETLOGON_NEG_128BIT) which then caused creds_server_init() to generate 64bit creds instead of 128bit, causing the whole chain to break. *Please* check.
s3:smbd: fix posix acls when setting an ACL without explicit ACE for the owner (bug#2346)
The problem of bug #2346 remains for users exported by
winbindd, because create_token_from_username() just fakes
the token when the user is not in the local sam domain. This causes
user_in_group_sid() to give totally wrong results.
In uid_entry_in_group() we need to check if we already
have the full unix token in the current_user struct.
If so we should use the current_user unix token,
instead of doing a very complex user_in_group_sid()
which doesn't give reliable results anyway.
Simo Sorce [Wed, 22 Apr 2009 13:12:58 +0000 (09:12 -0400)]
Fix profile acls in some corner cases
Always add back the real original owner of the directory in the ACE List after
we steal its ACE for the Administrators group.
(cherry picked from commit 8e438431a1447fd482c107fbe0aee3af49afe068)
Simo Sorce [Wed, 22 Apr 2009 10:15:21 +0000 (06:15 -0400)]
Avoid duplicate aces
When adding arbitrary aces to an nt_ace_list we need to make sure we
are not actually adding a duplicate.
add_or_replace_ace() takes care of doing the right thing.
(cherry picked from commit 958207e321f330426536bf7e936b30fa2efffddc)
Jeremy Allison [Wed, 22 Apr 2009 09:24:27 +0000 (02:24 -0700)]
Fix bug #6279 - winbindd crash. Cope with LDAP libraries returning LDAP_SUCCESS but not returning a result.
Jeremy
(cherry picked from commit e7687dd9ca244a53fdf2312a78cdb028dd8971d5)
projects / thirdparty / samba.git / log
