[SCM] Samba Shared Repository - branch v4-0-test updated
Karolin Seeger
kseeger at samba.org
Wed Mar 20 05:18:27 MDT 2013
The branch, v4-0-test has been updated
via 50c476e VERSION: Bump version number up to 4.0.5.
via 730b822 Merge tag 'samba-4.0.4' into v4-0-test
via b341371 VERSION: Bump version number up to 4.0.4.
via 51ed8a8 WHATSNEW: Prepare release notes for Samba 4.0.4
via ee3ac64 Revert "Ensure the masks don't conflict with the ACL checks."
via fc19aaf smbd:posix_acls Remove incorrectly added lp_create_mask() and lp_dir_mask() calls
via 053dfa2 param: Remove incorrectly added defaults in AD DC allowing WORLD WRITABLE files
from e5288a2 Correct the name of the nss_winbind module for FreeBSD by creating a symlink from the FreeBSD required name to the built module.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit 50c476e4de9ce041b8fb8a9ce4e41f89893fcd0e
Author: Karolin Seeger <kseeger at samba.org>
Date: Wed Mar 20 12:23:14 2013 +0100
VERSION: Bump version number up to 4.0.5.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit 730b822549fd5ec96322e1b62af24476eeb92b76
Merge: e5288a2d228a68483fd1bc0dc679b44b327dc0fe b3413711e12c1357cb63cdbdaa250786f9119032
Author: Karolin Seeger <kseeger at samba.org>
Date: Wed Mar 20 12:19:35 2013 +0100
Merge tag 'samba-4.0.4' into v4-0-test
samba: tag release samba-4.0.4
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 52 +++++++++++++++++++++-
selftest/target/Samba3.pm | 3 +-
selftest/target/Samba4.pm | 3 +-
source3/param/loadparm.c | 2 -
source3/smbd/posix_acls.c | 17 -------
source4/scripting/python/samba/tests/posixacl.py | 2 +-
7 files changed, 54 insertions(+), 27 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 2bf84a1..a999766 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=4
+SAMBA_VERSION_RELEASE=5
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5464717..d623330 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,51 @@
=============================
+ Release Notes for Samba 4.0.4
+ March 19, 2013
+ =============================
+
+
+This is a security release in order to address CVE-2013-1863
+(World-writeable files may be created in additional shares on a
+Samba 4.0 AD DC).
+
+o CVE-2013-1863:
+ Administrators of the Samba 4.0 Active Directory Domain
+ Controller might unexpectedly find files created world-writeable
+ if additional CIFS file shares are created on the AD DC.
+ Samba versions 4.0.0rc6 - 4.0.3 (inclusive) are affected by this
+ defect.
+
+
+Changes since 4.0.3:
+--------------------
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 9709: CVE-2013-1863: Remove forced set of 'create mask' to 0777.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.6 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 4.0.3
February 05, 2013
=============================
@@ -172,8 +219,9 @@ database (https://bugzilla.samba.org/).
== The Samba Team
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.0.2
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 6c63413..70304fe 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -897,8 +897,7 @@ sub provision($$$$$$)
map system = no
map readonly = no
store dos attributes = yes
- create mask = 0777
- directory mask = 0777
+ create mask = 755
dos filemode = yes
vfs objects = $vfs_modulesdir_abs/acl_xattr.so $vfs_modulesdir_abs/fake_acls.so $vfs_modulesdir_abs/xattr_tdb.so $vfs_modulesdir_abs/streams_depot.so
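Review bot: The replacement line `create mask = 755` drops `directory mask` entirely, so directories in this test share now get whatever the compiled-in default is rather than a value the test environment pins. If the tests depend on a particular directory mode, state it explicitly with `directory mask = 0755`, and keep the leading zero on both values to match the lines being replaced. The same applies to the identical change in selftest/target/Samba4.pm, and in both files the enclosing sub starts and ends outside the hunk. Going by the diffstat, the commit also adds no test asserting that a file newly created on a share is not world-writable, which is the behaviour CVE-2013-1863 describes. A regression check for that would be worth adding alongside the config change.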
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 5f1c907..d17a37c 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1387,8 +1387,7 @@ sub provision_plugin_s4_dc($$)
smbd:sharedelay = 100000
smbd:writetimeupdatedelay = 500000
- create mask = 0777
- directory mask = 0777
+ create mask = 755
dos filemode = yes
dcerpc endpoint servers = -winreg -srvsvc
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index cbcab78..e09c2bf 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -3502,8 +3502,6 @@ static void init_locals(void)
lp_do_parameter(-1, "map readonly", "no");
lp_do_parameter(-1, "map archive", "no");
lp_do_parameter(-1, "store dos attributes", "yes");
- lp_do_parameter(-1, "create mask", "0777");
- lp_do_parameter(-1, "directory mask", "0777");
}
}
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index bbc1eed..3ff34fc 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -3083,14 +3083,11 @@ SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl)
static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms)
{
- int snum = SNUM(fsp->conn);
size_t ace_count = count_canon_ace_list(file_ace_list);
canon_ace *ace_p;
canon_ace *owner_ace = NULL;
canon_ace *group_ace = NULL;
canon_ace *other_ace = NULL;
- mode_t and_bits;
- mode_t or_bits;
if (ace_count != 3) {
DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE "
@@ -3130,20 +3127,6 @@ static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file
if (fsp->is_directory)
*posix_perms |= (S_IWUSR|S_IXUSR);
- /* If requested apply the masks. */
-
- /* Get the initial bits to apply. */
-
- if (fsp->is_directory) {
- and_bits = lp_dir_mask(snum);
- or_bits = lp_force_dir_mode(snum);
- } else {
- and_bits = lp_create_mask(snum);
- or_bits = lp_force_create_mode(snum);
- }
-
- *posix_perms = (((*posix_perms) & and_bits)|or_bits);
-
DEBUG(10,("convert_canon_ace_to_posix_perms: converted u=%o,g=%o,w=%o "
"to perm=0%o for file %s.\n", (int)owner_ace->perms,
(int)group_ace->perms, (int)other_ace->perms,
diff --git a/source4/scripting/python/samba/tests/posixacl.py b/source4/scripting/python/samba/tests/posixacl.py
index 652721f..6a234e4 100644
--- a/source4/scripting/python/samba/tests/posixacl.py
+++ b/source4/scripting/python/samba/tests/posixacl.py
@@ -210,7 +210,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
smbd.chown(self.tempdir, BA_id, SO_id)
smbd.set_simple_acl(self.tempdir, 0750)
facl = getntacl(self.lp, self.tempdir, direct_db_access=False)
- acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001f01ff;;;CG)(A;OICIIO;0x001f01ff;;;WD)"
+ acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)"
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(acl, facl.as_sddl(anysid))
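Review bot: The expected SDDL literal is opaque: nothing next to it explains why the inherit-only CG and WD ACEs are now `0x001200a9` instead of `0x001f01ff`. Presumably this follows from the selftest smb.conf changing to `create mask = 755` in this same commit, but the test does not say so. A comment above the `acl =` line, such as `# inherit-only CG/WD ACEs are read/execute only; depends on the selftest share's create mask`, would tie the expectation to that setting, so a later mask change is not mistaken for an unrelated ACL-mapping failure. The test method begins outside the hunk.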
--
Samba Shared Repository