[SCM] Samba Shared Repository - branch v4-0-stable updated
Karolin Seeger
kseeger at samba.org
Tue Jan 15 01:23:25 MST 2013
The branch, v4-0-stable has been updated
via d2e9007 VERSION: Bump version number up to 4.0.1. (CVE-2013-0172)
via 0c02492 WHATSNEW: Update release notes for Samba 4.0.1. (CVE-2013-0172)
via 8bafe08 dsdb: Add test for modification of two attributes, one permitted, one denied (bug #9554 - CVE-2013-0172)
via d776fd8 dsdb-acl: Run sec_access_check_ds on each attribute proposed to modify (bug #9554 - CVE-2013-0172)
via a758054 libcli/security: Ensure to fill in remaining_access for the initial case (bug #9554 - CVE-2013-0172)
from df33344 VERSION: Bump version number up to 4.0.0.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-stable
- Log -----------------------------------------------------------------
commit d2e900757d8e8e2a82cb14e79814ed3cbc8d93c1
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 10 12:55:51 2013 +0100
VERSION: Bump version number up to 4.0.1. (CVE-2013-0172)
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 0c02492c204eacecf2107ee0dd2060cfb53f4c37
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 10 12:55:14 2013 +0100
WHATSNEW: Update release notes for Samba 4.0.1. (CVE-2013-0172)
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 8bafe0871526cd5d5e7fdbe123ab661379f64cb1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jan 10 09:30:38 2013 +1100
dsdb: Add test for modification of two attributes, one permitted, one denied (bug #9554 - CVE-2013-0172)
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d776fd807e0c9a62f428ce666ff812655f98bc47
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jan 9 16:59:18 2013 +1100
dsdb-acl: Run sec_access_check_ds on each attribute proposed to modify (bug #9554 - CVE-2013-0172)
This seems inefficient, but is needed for correctness. The
alternative might be to have the sec_access_check_ds code confirm that
*all* of the nodes in the object tree have been cleared to
node->remaining_bits == 0.
Otherwise, I fear that write access to one attribute will become write
access to all attributes.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit a75805490d96a85786287f5d0522dd7671d6816e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jan 3 20:39:23 2013 +1100
libcli/security: Ensure to fill in remaining_access for the initial case (bug #9554 - CVE-2013-0172)
It is critically important that we initialise this element as otherwise
all access is permitted.
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 56 ++++++++++++++++++++++++++++++++++
libcli/security/object_tree.c | 1 +
source4/dsdb/samdb/ldb_modules/acl.c | 55 ++++++++++++++++-----------------
source4/dsdb/tests/python/acl.py | 15 +++++++++
5 files changed, 100 insertions(+), 29 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 8aa0bfb..d7d5459 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=0
+SAMBA_VERSION_RELEASE=1
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 520075f..5c69ca9 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,60 @@
=============================
+ Release Notes for Samba 4.0.1
+ January 15, 2013
+ =============================
+
+
+This is a security release in order to address CVE-2013-0172.
+
+o CVE-2013-0172:
+ Samba 4.0.0 as an AD DC may provide authenticated users with write access
+ to LDAP directory objects.
+
+ In AD, Access Control Entries can be assigned based on the objectClass
+ of the object. If a user or a group the user is a member of has any
+ access based on the objectClass, then that user has write access to that
+ object.
+
+ Additionally, if a user has write access to any attribute on the object,
+ they may have access to write to all attributes.
+
+ An important mitigation is that anonymous access is totally disabled by
+ default. The second important mitigation is that normal users are
+ typically only given the problematic per-objectClass right via the
+ "pre-windows 2000 compatible access" group, and Samba 4.0.0 incorrectly
+ does not make "authenticated users" part of this group.
+
+Changes since 4.0.0:
+====================
+
+o Andrew Bartlett <abartlet at samba.org>
+ * Bug 9554 - CVE-2013-0172 - Samba 4.0 as an AD DC may provide authenticated
+ users with write access to LDAP directory objects.
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.0 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 4.0.0
December 11, 2012
=============================
diff --git a/libcli/security/object_tree.c b/libcli/security/object_tree.c
index 6809c8e..dcbd310 100644
--- a/libcli/security/object_tree.c
+++ b/libcli/security/object_tree.c
@@ -53,6 +53,7 @@ bool insert_in_object_tree(TALLOC_CTX *mem_ctx,
return false;
}
(*root)->guid = *guid;
+ (*root)->remaining_access = init_access;
*new_node = *root;
return true;
}
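Review bot: the root node created in this branch never had `remaining_access` set before this change, so the tree began with no remaining bits and, as the commit message puts it, all access was permitted. The one-line assignment of `init_access` is the right fix, but only the root-creation path is visible in this hunk; please confirm the child-insertion path in the same function already initialises `remaining_access` the same way, and consider a small libcli/security unit test that builds a one-node tree and checks that `sec_access_check_ds` denies when the descriptor grants nothing, so the invariant is covered independently of the dsdb Python test.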
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 9bf2612..3f09760 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -977,8 +977,6 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
unsigned int i;
const struct GUID *guid;
uint32_t access_granted;
- struct object_tree *root = NULL;
- struct object_tree *new_node = NULL;
NTSTATUS status;
struct ldb_result *acl_res;
struct security_descriptor *sd;
@@ -1043,12 +1041,6 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
"acl_modify: Error retrieving object class GUID.");
}
sid = samdb_result_dom_sid(req, acl_res->msgs[0], "objectSid");
- if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
- &root, &new_node)) {
- talloc_free(tmp_ctx);
- return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
- "acl_modify: Error adding new node in object tree.");
- }
for (i=0; i < req->op.mod.message->num_elements; i++){
const struct dsdb_attribute *attr;
attr = dsdb_attribute_by_lDAPDisplayName(schema,
@@ -1129,6 +1121,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
goto fail;
}
} else {
+ struct object_tree *root = NULL;
+ struct object_tree *new_node = NULL;
/* This basic attribute existence check with the right errorcode
* is needed since this module is the first one which requests
@@ -1143,6 +1137,14 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
ret = LDB_ERR_NO_SUCH_ATTRIBUTE;
goto fail;
}
+
+ if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
+ &root, &new_node)) {
+ talloc_free(tmp_ctx);
+ return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+ "acl_modify: Error adding new node in object tree.");
+ }
+
if (!insert_in_object_tree(tmp_ctx,
&attr->attributeSecurityGUID, SEC_ADS_WRITE_PROP,
&new_node, &new_node)) {
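Review bot: the error path added here, `talloc_free(tmp_ctx); return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, ...)`, returns straight out of the loop, while the neighbouring failure in the following hunk uses `ret = LDB_ERR_OPERATIONS_ERROR; goto fail;`. The direct return is carried over from the removed function-scope call, but now that it sits inside the per-element loop it should use the same `ret = ...; goto fail;` idiom so cleanup stays in one place. Also worth a comment before this block: a fresh object tree is now allocated on `tmp_ctx` for every element of the modify and not released until the function returns, which is what the commit message calls inefficient; a one-line note explaining why the per-attribute tree is required for correctness will stop someone from "optimising" it back.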
@@ -1159,27 +1161,24 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
ret = LDB_ERR_OPERATIONS_ERROR;
goto fail;
}
- }
- }
-
- if (root->num_of_children > 0) {
- status = sec_access_check_ds(sd, acl_user_token(module),
- SEC_ADS_WRITE_PROP,
- &access_granted,
- root,
- sid);
- if (!NT_STATUS_IS_OK(status)) {
- ldb_asprintf_errstring(ldb_module_get_ctx(module),
- "Object %s has no write property access\n",
- ldb_dn_get_linearized(req->op.mod.message->dn));
- dsdb_acl_debug(sd,
- acl_user_token(module),
- req->op.mod.message->dn,
- true,
- 10);
- ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
- goto fail;
+ status = sec_access_check_ds(sd, acl_user_token(module),
+ SEC_ADS_WRITE_PROP,
+ &access_granted,
+ root,
+ sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Object %s has no write property access\n",
+ ldb_dn_get_linearized(req->op.mod.message->dn));
+ dsdb_acl_debug(sd,
+ acl_user_token(module),
+ req->op.mod.message->dn,
+ true,
+ 10);
+ ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ goto fail;
+ }
}
}
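Review bot: dropping the `root->num_of_children > 0` guard is correct now that each tree is built with exactly one objectClass root and one attribute child before the check runs, so the condition could never be false. Since `sec_access_check_ds` now runs once per element, the error string `"Object %s has no write property access\n"` no longer identifies which attribute was denied; include `attr->lDAPDisplayName` (resolved at the top of the loop) in the message so an administrator reading the log can tell which attribute of a multi-attribute modify failed. Behaviourally this hunk is the substance of the fix: one denied attribute now fails the whole modify with LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS instead of letting a permitted attribute clear the shared tree, which is the case the commit message describes.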
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index 94bc504..ecda3c5 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -389,6 +389,21 @@ url: www.samba.org"""
else:
# This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
self.fail()
+ # Modify on attribute you do not have rights for granted while also modifying something you do have rights for
+ ldif = """
+dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
+changetype: modify
+replace: url
+url: www.samba.org
+replace: displayName
+displayName: test_changed"""
+ try:
+ self.ldb_user.modify_ldif(ldif)
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+ else:
+ # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
+ self.fail()
# Second test object -- Organizational Unit
print "Testing modify on OU object"
self.ldb_admin.create_ou("OU=test_modify_ou1," + self.base_dn)
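Review bot: the new LDIF fixture lists two `replace:` mod-specs (`replace: url` and `replace: displayName`) without the `-` separator line that RFC 2849 requires between them; ldb's reader accepts it, but adding the `-` keeps the fixture valid for other LDIF tools and makes the two operations visually distinct. The test also only covers the order permitted-then-denied (url before displayName); because `acl_modify` now checks elements in message order, add the reverse order as well, and after the expected ERR_INSUFFICIENT_ACCESS_RIGHTS re-read CN=test_modify_group1 to assert that neither url nor displayName changed, which is the property this fix is meant to guarantee.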
--
Samba Shared Repository