[SCM] Samba Shared Repository - branch v3-3-stable updated - release-3-3-0pre2-67-g271d77c

Karolin Seeger kseeger at samba.org
Mon Oct 20 20:19:47 GMT 2008


The branch, v3-3-stable has been updated
       via  271d77cc9d3543276ab88da140392b1bcbdc855d (commit)
       via  bbc0986c55d93a9de2373e089c88582c5e647dde (commit)
       via  38ce3cf984c1b9c9049a85f76fa7475a8fa80564 (commit)
       via  c861ff737ecd99a7a31313a2d32015e4a6018a91 (commit)
       via  76c3fd0e4e371f3535ca96163ec2c27798e3e6e7 (commit)
       via  2eef66be888241b7d28363a18505c2a83e0649e0 (commit)
       via  7cf64e7fd648fe88da807a82a9419a9b19c3c40f (commit)
       via  a788dd5e99c559fbbdae8c15de006b39c6ef2404 (commit)
       via  73640ebc8eeaf29f7cdd903c38079528ba3a5472 (commit)
      from  70027b247431194fe4a777aa0861bce65eead73c (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-stable


- Log -----------------------------------------------------------------
commit 271d77cc9d3543276ab88da140392b1bcbdc855d
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Oct 20 21:56:57 2008 +0200

    WHATSNEW: Update changes since 3.3.0pre2.
    
    Karolin
    (cherry picked from commit 2d9353eff15397b8971c9813312a9b6fe8dff930)

commit bbc0986c55d93a9de2373e089c88582c5e647dde
Author: Günther Deschner <gd at samba.org>
Date:   Mon Oct 20 20:16:03 2008 +0200

    s3-samr-server: be consistent when reporting we do password complexity.
    
    Guenther
    (cherry picked from commit 52d22121fa2ea646535806103d86afe8d52001c9)

commit 38ce3cf984c1b9c9049a85f76fa7475a8fa80564
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Oct 20 11:05:45 2008 -0700

    "fn_new"->"fn" in smb_messages[], we got beyond that :-)
    (cherry picked from commit f1c0d56e8230bb4a8c085ad885cf05cbcc8297ec)

commit c861ff737ecd99a7a31313a2d32015e4a6018a91
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Oct 20 11:05:31 2008 -0700

    Use a direct compare instead of calling strncmp in valid_smb_header
    (cherry picked from commit b6ce6dd1d82314ce3194dc450e67dec948e1a6b2)

commit 76c3fd0e4e371f3535ca96163ec2c27798e3e6e7
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Oct 20 11:05:13 2008 -0700

    Move the global hosts_allow() check out of the processing loop:
    (cherry picked from commit 3c609efe12ee941dc0474e39b5e90ad39a075ff2)

commit 2eef66be888241b7d28363a18505c2a83e0649e0
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Oct 20 18:25:13 2008 +0200

    Fix a valgrind error in idmap_ad_sids_to_unixids()
    
    We need to initialize all mappings in case we don't find anything.
    
    Simo, please check!
    
    Volker
    (cherry picked from commit e3550c235e6a59749c1e57b469289069f7e541d4)

commit 7cf64e7fd648fe88da807a82a9419a9b19c3c40f
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Oct 17 15:24:51 2008 -0700

    Unify access checks for lsa server functions.
    Jeremy.
    (cherry picked from commit 4833f678ba194665e9c0554f9da37ddca269714e)

commit a788dd5e99c559fbbdae8c15de006b39c6ef2404
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Oct 16 21:03:19 2008 -0700

    Cope with bad trans2mkdir requests from System i QNTC IBM SMB client.
    If total_data == 4 Windows doesn't care what values
    are placed in that field, it just ignores them.
    The System i QNTC IBM SMB client puts bad values here,
    so ignore them.
    Jeremy.
    (cherry picked from commit 218879cb9069046df2b7e49627aa48cb487098c8)

commit 73640ebc8eeaf29f7cdd903c38079528ba3a5472
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Oct 16 15:39:17 2008 -0700

    Fix bug 5826 - Directory/Filenames get truncated when 3.2.0 client accesses old server.
    There was some code in pull_ucs2_base_talloc() to cope with this case which
    hadn't been added to pull_ascii_base_talloc(). The older Samba returns non
    unicode names which is why you are seeing this codepath being executed.
    
    Unify the logic in pull_ascii_base_talloc() and pull_ucs2_base_talloc().
    Jeremy.
    (cherry picked from commit ca430d4730c1454cf003dab376bde8baf904d77d)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                    |    7 +++++
 source/include/rpc_lsa.h        |    1 +
 source/lib/charcnv.c            |   58 ++++++++++++++++++++++++++++++---------
 source/rpc_server/srv_lsa_nt.c  |   21 +++++++++++---
 source/rpc_server/srv_samr_nt.c |    4 +++
 source/smbd/process.c           |   53 ++++++++++++++++++++---------------
 source/smbd/trans2.c            |    7 +++--
 source/winbindd/idmap_ad.c      |    2 +
 8 files changed, 110 insertions(+), 43 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 52e0e5b..cd64f6d 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -176,8 +176,10 @@ o   Jeremy Allison <jra at samba.org>
     * BUG 5080: Fix access to cups-printers with cups 1.3.4.
     * BUG 5814: Fix Winbind crash bug while doing "rescan_trusted_domain".
     * BUG 5818: Sort ACEs in smbcacl output properly and honor inheritance.
+    * BUG 5826: Fix truncated filenames when accessing old servers.
     * Correctly fix smbclient to terminate on eof from server.
     * Fix client timeout when searching for a large number of cups printers.
+    * Unify access checks for lsa server functions.
 
 
 o   Gerald (Jerry) Carter <jerry at samba.org>
@@ -185,6 +187,10 @@ o   Gerald (Jerry) Carter <jerry at samba.org>
     * Make "lwinet ads dns register" honor the "interfaces" parameter.
 
 
+o   Günther Deschner <gd at samba.org>
+    * Ensure consistency when reporting password complexity.
+
+
 o   Jeff Layton <jlayton at redhat.com>
     * Have uppercase_string return success on NULL pointer in mount.cifs.
     * Make mount.cifs return codes match the return codes for /bin/mount.
@@ -198,6 +204,7 @@ o   Volker Lendecke <vl at samba.org>
     * Fix some missing error handlings.
     * Add workaround for domain joins using a netbios name which is different
       from the hostname.
+    * Fix a valgrind error in idmap_ad_sids_to_unixids().
 
 
 o   Derrell Lipman <derrell.lipman at unwireduniverse.com>
diff --git a/source/include/rpc_lsa.h b/source/include/rpc_lsa.h
index b4021af..1dc5ba4 100644
--- a/source/include/rpc_lsa.h
+++ b/source/include/rpc_lsa.h
@@ -39,6 +39,7 @@
 
 
 #define LSA_POLICY_READ       ( STANDARD_RIGHTS_READ_ACCESS      |\
+                            LSA_POLICY_VIEW_LOCAL_INFORMATION    |\
                             LSA_POLICY_VIEW_AUDIT_INFORMATION    |\
                             LSA_POLICY_GET_PRIVATE_INFORMATION)
 
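Review bot: the widened LSA_POLICY_READ mask is undocumented; adding LSA_POLICY_VIEW_LOCAL_INFORMATION changes what every policy handle opened for read is granted, and neither the header nor the commit message says why. Since the srv_lsa_nt.c hunks in this same changeset start returning NT_STATUS_ACCESS_DENIED for handles without that bit, put a one-line comment above the define stating that read handles must carry VIEW_LOCAL_INFORMATION for the account query calls to succeed, and say in the commit message that widening the read mask is deliberate rather than cosmetic.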
diff --git a/source/lib/charcnv.c b/source/lib/charcnv.c
index 485212b..3ec3220 100644
--- a/source/lib/charcnv.c
+++ b/source/lib/charcnv.c
@@ -1166,7 +1166,7 @@ static size_t pull_ascii_base_talloc(TALLOC_CTX *ctx,
 					int flags)
 {
 	char *dest = NULL;
-	size_t converted_size;
+	size_t dest_len;
 
 #ifdef DEVELOPER
 	/* Ensure we never use the braindead "malloc" varient. */
@@ -1177,6 +1177,10 @@ static size_t pull_ascii_base_talloc(TALLOC_CTX *ctx,
 
 	*ppdest = NULL;
 
+	if (!src_len) {
+		return 0;
+	}
+
 	if (flags & STR_TERMINATE) {
 		if (src_len == (size_t)-1) {
 			src_len = strlen((const char *)src) + 1;
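Review bot: the new `if (!src_len) return 0;` early-out returns without setting errno, so an empty input becomes indistinguishable from the EINVAL failure path added further down in the same function, which also does `return 0`. Callers that test the return value for conversion failure will now treat a legitimately empty string as an error, and callers that expect `*ppdest` to point at an empty talloc'd string get NULL (it was set to NULL just above). Either make the empty case allocate "" and return 1, consistent with the terminating-zero handling below, or state in the function's comment that 0 means both "empty" and "failed" and that errno decides which.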
@@ -1194,18 +1198,41 @@ static size_t pull_ascii_base_talloc(TALLOC_CTX *ctx,
 					(unsigned int)src_len);
 			smb_panic(msg);
 		}
+	} else {
+		/* Can't have an unlimited length
+ 		 * non STR_TERMINATE'd.
+ 		 */
+		if (src_len == (size_t)-1) {
+			errno = EINVAL;
+			return 0;
+		}
 	}
 
+	/* src_len != -1 here. */
+
 	if (!convert_string_allocate(ctx, CH_DOS, CH_UNIX, src, src_len, &dest,
-				     &converted_size, True))
-	{
-		converted_size = 0;
+				     &dest_len, True)) {
+		dest_len = 0;
 	}
 
-	if (converted_size && dest) {
+	if (dest_len && dest) {
 		/* Did we already process the terminating zero ? */
-		if (dest[converted_size - 1] != 0) {
-			dest[converted_size - 1] = 0;
+		if (dest[dest_len-1] != 0) {
+			size_t size = talloc_get_size(dest);
+			/* Have we got space to append the '\0' ? */
+			if (size <= dest_len) {
+				/* No, realloc. */
+				dest = TALLOC_REALLOC_ARRAY(ctx, dest, char,
+						dest_len+1);
+				if (!dest) {
+					/* talloc fail. */
+					dest_len = (size_t)-1;
+					return 0;
+				}
+			}
+			/* Yay - space ! */
+			dest[dest_len] = '\0';
+			dest_len++;
 		}
 	} else if (dest) {
 		dest[0] = 0;
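Review bot: the `dest_len = (size_t)-1;` before `return 0;` on realloc failure is dead code: dest_len is a local (`size_t dest_len;` at the top of the function) and is not visible to the caller, so either drop it or replace it with `errno = ENOMEM;` so the caller can tell this failure from the EINVAL path above. In the same branch the original `dest`, still owned by ctx, is neither freed nor returned; a TALLOC_FREE(dest) before returning keeps it from lingering until ctx goes away. Style nit: the continuation lines of the `/* Can't have an unlimited length` comment have a space before the tab, unlike the equivalent comment in pull_ucs2_base_talloc.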
@@ -1562,21 +1589,26 @@ size_t pull_ucs2_base_talloc(TALLOC_CTX *ctx,
 		if (src_len >= 1024*1024) {
 			smb_panic("Bad src length in pull_ucs2_base_talloc\n");
 		}
+	} else {
+		/* Can't have an unlimited length
+		 * non STR_TERMINATE'd.
+		 */
+		if (src_len == (size_t)-1) {
+			errno = EINVAL;
+			return 0;
+		}
 	}
 
+	/* src_len != -1 here. */
+
 	/* ucs2 is always a multiple of 2 bytes */
-	if (src_len != (size_t)-1) {
-		src_len &= ~1;
-	}
+	src_len &= ~1;
 
 	if (!convert_string_talloc(ctx, CH_UTF16LE, CH_UNIX, src, src_len,
 				   (void *)&dest, &dest_len, True)) {
 		dest_len = 0;
 	}
 
-	if (src_len == (size_t)-1)
-		src_len = dest_len*2;
-
 	if (dest_len) {
 		/* Did we already process the terminating zero ? */
 		if (dest[dest_len-1] != 0) {
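Review bot: the commit message says the logic of the two functions was unified, but this hunk shows no counterpart to the `if (!src_len) return 0;` early return that pull_ascii_base_talloc received above; if src_len == 0 reaches `src_len &= ~1` and convert_string_talloc here, confirm the result matches what the ascii variant now does on empty input, otherwise the two still differ. The EINVAL branch itself is correct and makes the removed `if (src_len == (size_t)-1) src_len = dest_len*2;` unreachable, so dropping that is right.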
diff --git a/source/rpc_server/srv_lsa_nt.c b/source/rpc_server/srv_lsa_nt.c
index 0e9d121..910b302 100644
--- a/source/rpc_server/srv_lsa_nt.c
+++ b/source/rpc_server/srv_lsa_nt.c
@@ -430,7 +430,7 @@ NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
 	lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
 
 	if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
-		if (geteuid() != 0) {
+		if (p->pipe_user.ut.uid != sec_initial_uid()) {
 			return status;
 		}
 		DEBUG(4,("ACCESS should be DENIED (granted: %#010x;  required: %#010x)\n",
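Review bot: replacing `geteuid() != 0` with `p->pipe_user.ut.uid != sec_initial_uid()` changes who may ignore a failed se_access_check, and a commit message reading "Unify access checks" does not convey that. The old test depended on the daemon's effective uid at the moment of the call (which varies with whether the request is being handled inside a become_root() section), while the new one keys on the authenticated pipe user's unix uid; that is the intended tightening and should be stated. Since the "ACCESS should be DENIED" message now fires only for root-mapped users, consider logging it below level 4 so an operator actually sees the override.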
@@ -1522,7 +1522,8 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p,
 	/* check to see if the pipe_user is a Domain Admin since
 	   account_pol.tdb was already opened as root, this is all we have */
 
-	if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+	if ( p->pipe_user.ut.uid != sec_initial_uid()
+		&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
 		return NT_STATUS_ACCESS_DENIED;
 
 	if ( is_privileged_sid( r->in.sid ) )
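Review bot: the added `p->pipe_user.ut.uid != sec_initial_uid() &&` clause lets any pipe user whose unix uid is the initial (root) uid create LSA accounts without holding the Domain Admins RID, yet the comment directly above still describes the Domain Admin token as the only gate. Update that comment to say root-mapped users are accepted as well, so the policy is visible at the site, and keep it in step with the identical clause added to _lsa_SetSystemAccessAccount below.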
@@ -1608,6 +1609,9 @@ NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
 	if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
+	if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+		return NT_STATUS_ACCESS_DENIED;
+
 	if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) )
 		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
 
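Review bot: the new check tests `info->access` against a policy-object right, but the handle resolved here is an account handle (it carries `info->sid`); confirm that the path which opens account handles stores LSA_POLICY_VIEW_LOCAL_INFORMATION in `access` when the caller asked for read access, otherwise every _lsa_EnumPrivsAccount call now fails with NT_STATUS_ACCESS_DENIED. The same three-line block is added to _lsa_GetSystemAccessAccount, _lsa_EnumAccountRights and _lsa_LookupPrivValue below; a small static helper taking the handle and the required bit would keep the four copies from drifting.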
@@ -1668,6 +1672,9 @@ NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
 	if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
+	if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+		return NT_STATUS_ACCESS_DENIED;
+
 	if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL))
 		return NT_STATUS_ACCESS_DENIED;
 
@@ -1702,7 +1709,8 @@ NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
 	/* check to see if the pipe_user is a Domain Admin since
 	   account_pol.tdb was already opened as root, this is all we have */
 
-	if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+	if ( p->pipe_user.ut.uid != sec_initial_uid()
+		&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
 		return NT_STATUS_ACCESS_DENIED;
 
 	if (!pdb_getgrsid(&map, info->sid))
@@ -1812,7 +1820,6 @@ NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
 	if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
 		return NT_STATUS_ACCESS_DENIED;
 
-
 	switch (r->in.sec_info) {
 	case 1:
 		/* SD contains only the owner */
@@ -2070,6 +2077,9 @@ NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
 	if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
+	if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+		return NT_STATUS_ACCESS_DENIED;
+
 	/* according to an NT4 PDC, you can add privileges to SIDs even without
 	   call_lsa_create_account() first.  And you can use any arbitrary SID. */
 
@@ -2112,6 +2122,9 @@ NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
 	if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
+	if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+		return NT_STATUS_ACCESS_DENIED;
+
 	name = r->in.name->string;
 
 	DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c
index 6455f02..59728c6 100644
--- a/source/rpc_server/srv_samr_nt.c
+++ b/source/rpc_server/srv_samr_nt.c
@@ -2909,6 +2909,10 @@ static NTSTATUS samr_QueryDomainInfo_internal(const char *fn_name,
 			unix_to_nt_time_abs(&nt_expire, u_expire);
 			unix_to_nt_time_abs(&nt_min_age, u_min_age);
 
+			if (lp_check_password_script() && *lp_check_password_script()) {
+				password_properties |= DOMAIN_PASSWORD_COMPLEX;
+			}
+
 			init_samr_DomInfo1(&dom_info->info1,
 					   (uint16)min_pass_len,
 					   (uint16)pass_hist,
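Review bot: setting DOMAIN_PASSWORD_COMPLEX whenever `check password script` is non-empty advertises complexity enforcement based only on a script being configured, not on what that script checks, so a script that rejects only trivial cases still makes the server report complexity to clients. That is probably an acceptable approximation, but say so in a comment at the site, and call lp_check_password_script() once into a local instead of twice. Also confirm `password_properties` is initialised before this `|=` in the enclosing function, since the hunk does not show it.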
diff --git a/source/smbd/process.c b/source/smbd/process.c
index 0b8ff4f..338f606 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -105,7 +105,11 @@ static bool valid_smb_header(const uint8_t *inbuf)
 	if (is_encrypted_packet(inbuf)) {
 		return true;
 	}
-	return (strncmp(smb_base(inbuf),"\377SMB",4) == 0);
+	/*
+	 * This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
+	 * but it just looks weird to call strncmp for this one.
+	 */
+	return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
 }
 
 /* Socket functions for smbd packet processing. */
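Review bot: the comment says why strncmp was replaced but not how `0x424D53FF` relates to "\377SMB"; it is the bytes 0xFF 'S' 'M' 'B' read low byte first, which is what IVAL does. Spell the byte layout out in the comment or give the constant a name, and note that the compare is portable only because IVAL is defined as a little-endian load regardless of host byte order, which is the property the reader needs to trust this line.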
@@ -973,7 +977,7 @@ force write permissions on print services.
 */
 static const struct smb_message_struct {
 	const char *name;
-	void (*fn_new)(struct smb_request *req);
+	void (*fn)(struct smb_request *req);
 	int flags;
 } smb_messages[256] = {
 
@@ -1349,7 +1353,7 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in
 		exit_server_cleanly("Non-SMB packet");
 	}
 
-	if (smb_messages[type].fn_new == NULL) {
+	if (smb_messages[type].fn == NULL) {
 		DEBUG(0,("Unknown message type %d!\n",type));
 		smb_dump("Unknown", 1, (char *)req->inbuf, size);
 		reply_unknown_new(req, type);
@@ -1471,7 +1475,7 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in
 		return conn;
 	}
 
-	smb_messages[type].fn_new(req);
+	smb_messages[type].fn(req);
 	return req->conn;
 }
 
@@ -1535,25 +1539,6 @@ static void process_smb(char *inbuf, size_t nread, size_t unread_bytes, bool enc
 
 	DO_PROFILE_INC(smb_count);
 
-	if (trans_num == 0) {
-		char addr[INET6_ADDRSTRLEN];
-
-		/* on the first packet, check the global hosts allow/ hosts
-		deny parameters before doing any parsing of the packet
-		passed to us by the client.  This prevents attacks on our
-		parsing code from hosts not in the hosts allow list */
-
-		if (!check_access(smbd_server_fd(), lp_hostsallow(-1),
-				  lp_hostsdeny(-1))) {
-			/* send a negative session response "not listening on calling name" */
-			static unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
-			DEBUG( 1, ( "Connection denied from %s\n",
-				client_addr(get_client_fd(),addr,sizeof(addr)) ) );
-			(void)srv_send_smb(smbd_server_fd(),(char *)buf,false);
-			exit_server_cleanly("connection denied");
-		}
-	}
-
 	DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
 		    smb_len(inbuf) ) );
 	DEBUG( 3, ( "Transaction %d of length %d (%u toread)\n", trans_num,
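Review bot: removing the `trans_num == 0` hosts allow/deny check from process_smb is only safe if every path that delivers packets to process_smb first runs through the top of smbd_process, where the next hunk re-adds it; please confirm there is no other caller of process_smb, or code path that re-enters the receive loop for a fresh connection, that relied on the first-packet check here. The new placement is strictly earlier than the old one (before any read rather than on the first packet), which is the actual hardening and deserves a sentence in the commit message.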
@@ -1893,6 +1878,28 @@ void smbd_process(void)
 	unsigned int num_smbs = 0;
 	size_t unread_bytes = 0;
 
+	char addr[INET6_ADDRSTRLEN];
+
+	/*
+	 * Before the first packet, check the global hosts allow/ hosts deny
+	 * parameters before doing any parsing of packets passed to us by the
+	 * client. This prevents attacks on our parsing code from hosts not in
+	 * the hosts allow list.
+	 */
+
+	if (!check_access(smbd_server_fd(), lp_hostsallow(-1),
+			  lp_hostsdeny(-1))) {
+		/*
+		 * send a negative session response "not listening on calling
+		 * name"
+		 */
+		unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
+		DEBUG( 1, ("Connection denied from %s\n",
+			   client_addr(get_client_fd(),addr,sizeof(addr)) ) );
+		(void)srv_send_smb(smbd_server_fd(),(char *)buf,false);
+		exit_server_cleanly("connection denied");
+	}
+
 	max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
 
 	while (True) {
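Review bot: `char addr[INET6_ADDRSTRLEN]` is declared at function scope but used only inside the denied branch; move it into the `if` block next to `buf` so the denial path is self-contained and the function's top-level locals stay tidy (dropping `static` from `buf` is fine since it is no longer needed). The check itself is sound: check_access now runs before the first receive, so nothing from an unlisted host reaches the SMB parser, which is the property the comment claims.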
diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index 1e2095a..146746b 100644
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -7065,10 +7065,11 @@ static void call_trans2mkdir(connection_struct *conn, struct smb_request *req,
 			reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 			return;
 		}
-	} else if (IVAL(pdata,0) != 4) {
-		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-		return;
 	}
+	/* If total_data == 4 Windows doesn't care what values
+	 * are placed in that field, it just ignores them.
+	 * The System i QNTC IBM SMB client puts bad values here,
+	 * so ignore them. */
 
 	status = create_directory(conn, req, directory);
 
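Review bot: dropping the `IVAL(pdata,0) != 4` branch removes the only validation of the 4-byte data field when total_data == 4, and the replacement comment sits after the closing brace rather than where the check was, so a reader sees the tolerance without seeing what was relaxed. Keep the comment but add a DEBUG(10, ...) line logging the unexpected value so the System i QNTC quirk shows up in a debug trace, and confirm the branch visible at the top of the hunk (the one returning NT_STATUS_INVALID_PARAMETER) still rejects total_data values other than 4 so the field is never read past the buffer.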
diff --git a/source/winbindd/idmap_ad.c b/source/winbindd/idmap_ad.c
index 8144d87..60a2d86 100644
--- a/source/winbindd/idmap_ad.c
+++ b/source/winbindd/idmap_ad.c
@@ -517,6 +517,8 @@ again:
 	bidx = idx;
 	for (i = 0; (i < IDMAP_AD_MAX_IDS) && ids[idx]; i++, idx++) {
 
+		ids[idx]->status = ID_UNKNOWN;
+
 		sidstr = sid_binstring(ids[idx]->sid);
 		filter = talloc_asprintf_append_buffer(filter, "(objectSid=%s)", sidstr);
 			
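Review bot: `ids[idx]->status = ID_UNKNOWN;` is set as each batch's filter is built, so entries the function never reaches (an early error return between batches) keep whatever the caller passed in, and a SID that the LDAP search does not return stays at ID_UNKNOWN after a successful call; confirm that ID_UNKNOWN, rather than ID_UNMAPPED, is what callers expect for a SID the search did not return. If the goal is only to silence the valgrind complaint about uninitialised memory, initialising every entry in one pass before the `again:` label is clearer than doing it inside the batching loop.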


-- 
Samba Shared Repository

