[SCM] Samba Shared Repository - branch v4-9-test updated
Stefan Metzmacher
metze at samba.org
Tue Aug 14 18:50:02 UTC 2018
The branch, v4-9-test has been updated
via bf3bb82 libsmb: Fix CID 1438243 Unchecked return value
via 601eb6b libsmb: Fix CID 1438244 Unsigned compared against 0
via 33c7d3c smbd: Fix CID 1438245 Dereference before null check
via 0eaef7e smbd: Fix CID 1438246 Unchecked return value
via e30cf1a smbd: Align integer types
via 2d5c574 ctdb: add expiry test for ctdb_mutex_ceph_rados_helper
via 37b4e0b ctdb_mutex_ceph_rados_helper: fix deadlock via lock renewals
via 2849d57 ctdb_mutex_ceph_rados_helper: rename timer_ev to ppid_timer_ev
via 5f3548b ctdb_mutex_ceph_rados_helper: use talloc destructor for cleanup
via eae828b ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler
via 609109d ctdb/build: link ctdb_mutex_ceph_rados_helper against ceph-common
via b09fdd0 s3: tests: smbclient. Regression test to ensure we get NT_STATUS_DIRECTORY_NOT_EMPTY on rmdir.
via 921a5bb s4/torture: Add new test for DELETE_ON_CLOSE on non-empty directories
via 81b0d5c s3/libsmb: Explicitly set delete_on_close token for rmdir
via 7ed470b cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user
via 4a2880b libsmb: Harden smbc_readdir_internal() against returns from malicious servers.
via 61e34a2 libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer.
via 4897bf3 CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-case
via 52b5ed8 CVE-2018-10919 acl_read: Fix unauthorized attribute access via searches
via a5cd47d CVE-2018-10919 acl_read: Flip the logic in the dirsync check
via 4c201d0 CVE-2018-10919 acl_read: Small refactor to aclread_callback()
via 0395055 CVE-2018-10919 acl_read: Split access_mask logic out into helper function
via 605a7f3 CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights
via 9c9f50b CVE-2018-10919 tests: test ldap searches for non-existent attributes.
via e2574d0 CVE-2018-10919 tests: Add test case for object visibility with limited rights
via 10a2c8d CVE-2018-10919 tests: Add tests for guessing confidential attributes
via 17b7206 CVE-2018-10919 security: Add more comments to the object-specific access checks
via 5bcbf5a CVE-2018-10919 security: Move object-specific access checks into separate function
via 164766b CVE-2018-1140 dns: Add a test to trigger the LDB casefolding issue on invalid chars
via e2d6ad5 Release LDB 1.4.2 for CVE-2018-1140
via bf988ac CVE-2018-1140 ldb: Add tests for search add and rename with a bad dn= DN
via dc2898f CVE-2018-1140 ldb_tdb: Check for DN validity in add, rename and search
via 8fed2cc CVE-2018-1140 ldb_tdb: Ensure the dn in distinguishedName= is valid before use
via 504cff7 CVE-2018-1140 ldb: Check for ldb_dn_get_casefold() failure in ldb_sqlite
via 31a001f CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr()
via 3e89172 CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth".
via e2b2c00 CVE-2018-1139 selftest: verify whether ntlmv1 can be used via SMB1 when it is disabled.
via 48f5dbd CVE-2018-1139 s3-utils: use enum ntlm_auth_level in ntlm_password_check().
via d171f8d CVE-2018-1139 libcli/auth: fix debug messages in hash_password_check()
via 3579ac4 CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check()
from 7751937 s3/smbd: Ensure quota code is only called when quota support detected
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-test
- Log -----------------------------------------------------------------
commit bf3bb82d8a7e31950f01a3508787a8e6951ea9a4
Author: Volker Lendecke <vl at samba.org>
Date: Wed Aug 8 10:14:26 2018 +0200
libsmb: Fix CID 1438243 Unchecked return value
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13553
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Aug 8 23:10:22 CEST 2018 on sn-devel-144
Autobuild-User(v4-9-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-9-test): Tue Aug 14 20:49:09 CEST 2018 on sn-devel-144
commit 601eb6bc3fa5b44841bdbc31f31c42f21feb0982
Author: Volker Lendecke <vl at samba.org>
Date: Wed Aug 8 10:08:38 2018 +0200
libsmb: Fix CID 1438244 Unsigned compared against 0
ndr_size_dom_sid returns a size_t, so that can't be <0. Also, the only
case that ndr_size_dom_sid returns 0 is a NULL sid
pointer. ndr_size_dom_sid can reasonably be assumed to not overflow, the
number of sub-auths is a uint8. That times 4 plus 8 always fits into a
size_t.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13553
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 33c7d3ceff929a55a27b28d0ce5a31e7ef8b89e7
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 7 22:50:52 2018 +0200
smbd: Fix CID 1438245 Dereference before null check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13553
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0eaef7eeb0f7eef67ce80955deafc9da23bf153e
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 7 22:49:16 2018 +0200
smbd: Fix CID 1438246 Unchecked return value
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13553
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit e30cf1a253ddde90d3d305799f544312872ae03f
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 7 22:48:58 2018 +0200
smbd: Align integer types
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13553
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 2d5c574f459769ea11d1f26b2b2c5f45ce5f6bd7
Author: David Disseldorp <ddiss at samba.org>
Date: Fri Jul 20 17:20:08 2018 +0200
ctdb: add expiry test for ctdb_mutex_ceph_rados_helper
Kill the ctdb_mutex_ceph_rados_helper with SIGKILL and then confirm
that the lock is automatically released following expiry.
Signed-off-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at suse.de>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
Autobuild-User(master): David Disseldorp <ddiss at samba.org>
Autobuild-Date(master): Thu Aug 9 16:26:36 CEST 2018 on sn-devel-144
(cherry picked from commit 4abf348ec4cbb78d3216d5e8c5f3020d4499f10a)
commit 37b4e0bcebfa9741b2862f09d20e363eaad611db
Author: David Disseldorp <ddiss at samba.org>
Date: Thu Jul 19 11:55:23 2018 +0200
ctdb_mutex_ceph_rados_helper: fix deadlock via lock renewals
RADOS locks without expiry persist indefinitely. This results in CTDB
deadlock during failover if the recovery master dies unexpectedly, as
subsequently elected recovery master nodes can't obtain the recovery
lock.
Avoid deadlock by using a lock expiration time (10s by default), and
renewing it periodically.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13540
Signed-off-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at suse.de>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit ce289e89e5c469cf2c5626dc7f2666b945dba3bd)
commit 2849d5778561b70bb01c03f1978c5f4e8ba419d6
Author: David Disseldorp <ddiss at samba.org>
Date: Tue Jul 17 23:36:36 2018 +0200
ctdb_mutex_ceph_rados_helper: rename timer_ev to ppid_timer_ev
In preparation for adding a lock refresh timer.
Signed-off-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at suse.de>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 91a89c146453ca203a83dc2ba555bb93276c4d7f)
commit 5f3548bc33f5044b91217b1bcdc674029d2e3ecb
Author: David Disseldorp <ddiss at samba.org>
Date: Thu Jul 19 18:46:27 2018 +0200
ctdb_mutex_ceph_rados_helper: use talloc destructor for cleanup
Signed-off-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at suse.de>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 8d30fd591600ac17c742cd78c7bc4056bba6b877)
commit eae828b3dd75c8fb699a0da4cc3c15808775afdd
Author: Samuel Cabrero <scabrero at suse.de>
Date: Fri Jun 15 18:15:53 2018 +0200
ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler
Set a handler for SIGINT to release the lock.
Signed-off-by: Samuel Cabrero <scabrero at suse.de>
Reviewed-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 85706bd27535eaa4ec653f99b1910fbd8f2aab88)
commit 609109ddfbea8cccd058f7bfed525ae7ea4cb155
Author: David Disseldorp <ddiss at samba.org>
Date: Mon Jul 9 14:53:00 2018 +0200
ctdb/build: link ctdb_mutex_ceph_rados_helper against ceph-common
ceph-common linkage is needed with new versions of Ceph.
Also respect the --libcephfs_dir=<path> parameter when provided.
Signed-off-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit bd64af6b8861f892e6ae2840a493f037d1e0a06c)
commit b09fdd039b6608c9c8de877e6ce1300b8cae55f3
Author: Jeremy Allison <jra at samba.org>
Date: Thu Aug 9 10:02:26 2018 -0700
s3: tests: smbclient. Regression test to ensure we get NT_STATUS_DIRECTORY_NOT_EMPTY on rmdir.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13204
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Aug 10 21:08:14 CEST 2018 on sn-devel-144
(cherry picked from commit bca400847f2fcc3dd1398e166c1964cb88822071)
commit 921a5bbd3c70ab16ad47fda94f054e113f49bc7c
Author: Anoop C S <anoopcs at redhat.com>
Date: Thu Aug 9 20:02:05 2018 +0530
s4/torture: Add new test for DELETE_ON_CLOSE on non-empty directories
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13204
Signed-off-by: Anoop C S <anoopcs at redhat.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 6a7f11746c9cc3cdc5307e540bdd1f3f10fed05b)
commit 81b0d5cda82eb5ef284bd9083fa4f9e83e188e5a
Author: Anoop C S <anoopcs at redhat.com>
Date: Thu Aug 9 12:28:41 2018 +0530
s3/libsmb: Explicitly set delete_on_close token for rmdir
The current implementation of `rmdir` hopes to get the directory deleted
on closing last open handle when FILE_DELETE_ON_CLOSE is set on it. But
for non-empty directories Windows doesn't error out during an open call.
Following that we internally refuse to set initial delete_on_close while
opening a non-empty directory. This prevents us from trying to delete
the directory when last open handle is closed.
Instead of relying on FILE_DELETE_ON_CLOSE during an open we explicitly
set delete_on_close token on directory handle once it is available. This
ensures that NT_STATUS_DIRECTORY_NOT_EMPTY is returned for `rmdir` on
non-empty directories while closing open directory handle.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13204
Signed-off-by: Anoop C S <anoopcs at redhat.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 6b68e3eca631c04d6d57c489daf60f64732fc86d)
commit 7ed470b1ad90174166ab561ab95751ffc6e240d9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 30 14:00:18 2018 +1200
cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user
This regression was introduced in Samba 4.7 by bug 12842 and in
master git commit eb2e77970e41c1cb62c041877565e939c78ff52d.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13552
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 4a2880b670b261ca9fbc70b4665aa86ee2a2c07a
Author: Jeremy Allison <jra at samba.org>
Date: Fri Jun 15 15:08:17 2018 -0700
libsmb: Harden smbc_readdir_internal() against returns from malicious servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 61e34a2002e069527011e254434e044d2e12cda4
Author: Jeremy Allison <jra at samba.org>
Date: Fri Jun 15 15:07:17 2018 -0700
libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 4897bf3de3a9ad467658f2af26a3b6eb489509fc
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Wed Aug 1 13:51:42 2018 +1200
CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-case
The acl_read.c code contains a special case to allow dirsync to
work-around having insufficient access rights. We had a concern that
the dirsync module could leak sensitive information for deleted objects.
This patch adds a test-case to prove whether or not this is happening.
The new test case is similar to the existing dirsync test except:
- We make the confidential attribute also preserve-on-delete, so it
  hangs around for deleted objects. Because the attributes now persist
  across test case runs, I've used a different attribute to normal.
  (Technically, the dirsync search expressions are now specific enough
  that the regular attribute could be used, but it would make things
  quite fragile if someone tried to add a new test case).
- To handle searching for deleted objects, the search expressions are
  now more complicated. Currently dirsync adds an extra-filter to the
  '!' searches to exclude deleted objects, i.e. samaccountname matches
  the test-objects AND the object is not deleted. We now extend this to
  include deleted objects with lastKnownParent equal to the test OU.
  The search expression matches either case so that we can use the same
  expression throughout the test (regardless of whether the object is
  deleted yet or not).
This test proves that the dirsync corner-case does not actually leak
sensitive information on Samba. This is due to a bug in the dirsync
code - when the buggy line is removed, this new test promptly fails.
Test also passes against Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 52b5ed820c874eadadb88fd0db2103718cb8ebc0
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 20 15:42:36 2018 +1200
CVE-2018-10919 acl_read: Fix unauthorized attribute access via searches
A user that doesn't have access to view an attribute can still guess the
attribute's value via repeated LDAP searches. This affects confidential
attributes, as well as ACLs applied to an object/attribute to deny
access.
Currently the code will hide objects if the attribute filter contains an
attribute they are not authorized to see. However, the code still
returns objects as results if a confidential attribute is in the search
expression itself, but not in the attribute filter.
To fix this problem we have to check the access rights on the attributes
in the search-tree, as well as the attributes returned in the message.
Points of note:
- I've preserved the existing dirsync logic (the dirsync module code
  suppresses the result as long as the replPropertyMetaData attribute is
  removed). However, there doesn't appear to be any test that highlights
  that this functionality is required for dirsync.
- To avoid this fix breaking the acl.py tests, we need to still permit
  searches like 'objectClass=*', even though we don't have Read Property
  access rights for the objectClass attribute. The logic that Windows
  uses does not appear to be clearly documented, so I've made a best
  guess that seems to mirror Windows behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit a5cd47d85c77a095ec99412dd6538929b7c39248
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Mon Jul 30 16:00:15 2018 +1200
CVE-2018-10919 acl_read: Flip the logic in the dirsync check
This better reflects the special case we're making for dirsync, and gets
rid of a 'if-else' clause.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 4c201d0a09a082f47ddfdcb021ac4d82a9a3dc77
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Thu Jul 26 12:20:49 2018 +1200
CVE-2018-10919 acl_read: Small refactor to aclread_callback()
Flip the dirsync check (to avoid a double negative), and use a helper
boolean variable.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 03950558a4566c4044e374d37f2b8f5a80005bf6
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 20 13:52:24 2018 +1200
CVE-2018-10919 acl_read: Split access_mask logic out into helper function
So we can re-use the same logic later for checking the search-ops.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 605a7f3b3c03e2f1efb49f5dea400a38a03339f9
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 20 13:01:00 2018 +1200
CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights
An 'Object Access Allowed' ACE that assigned 'Control Access' (CR)
rights to a specific attribute would not actually grant access.
What was happening was the remaining_access mask for the object_tree
nodes would be Read Property (RP) + Control Access (CR). The ACE mapped
to the schemaIDGUID for a given attribute, which would end up being a
child node in the tree. So the CR bit was cleared for a child node, but
not the rest of the tree. We would then check the user had the RP access
right, which it did. However, the RP right was cleared for another node
in the tree, which still had the CR bit set in its remaining_access
bitmap, so Samba would not grant access.
Generally, the remaining_access only ever has one bit set, which means
this isn't a problem normally. However, in the Control Access case there
are 2 separate bits being checked, i.e. RP + CR.
One option to fix this problem would be to clear the remaining_access
for the tree instead of just the node. However, the Windows spec is
actually pretty clear on this: if the ACE has a CR right present, then
you can stop any further access checks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 9c9f50b362f28869e374378baa8362218de11a48
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Aug 3 15:51:28 2018 +1200
CVE-2018-10919 tests: test ldap searches for non-existent attributes.
It is perfectly legal to search LDAP for an attribute that is not part
of the schema. That part of the query should simply not match.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e2574d092dc91ee1ba7ee04938c63b3ee811c5af
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Wed Jul 25 10:08:34 2018 +1200
CVE-2018-10919 tests: Add test case for object visibility with limited rights
Currently Samba is a bit disclosive with LDB_OP_PRESENT (i.e.
attribute=*) searches compared to Windows.
All the acl.py tests are based on objectClass=* searches, where Windows
will happily tell a user about objects they have List Contents rights,
but not Read Property rights for. However, if you change the attribute
being searched for, suddenly the objects are no longer visible on
Windows (whereas they are on Samba).
This is a problem, because Samba can tell you about which objects have
confidential attributes, which in itself could be disclosive.
This patch adds an acl.py test-case that highlights this behaviour. The
test passes against Windows but fails against Samba.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 10a2c8da54adc85a9d567e8b805a2cce16893d9e
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Mon Jul 9 15:57:59 2018 +1200
CVE-2018-10919 tests: Add tests for guessing confidential attributes
Adds tests that assert that a confidential attribute cannot be guessed
by an unprivileged user through wildcard DB searches.
The tests basically consist of a set of DB searches/assertions that
get run for:
- basic searches against a confidential attribute
- confidential attributes that get overridden by giving access to the
  user via an ACE (run against a variety of ACEs)
- protecting a non-confidential attribute via an ACL that denies
  read-access (run against a variety of ACEs)
- querying confidential attributes via the dirsync controls
These tests all pass when run against a Windows DC and all fail against
a Samba DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 17b7206a6d1399185a3b1d90aba5f2e26a9e7236
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 20 13:13:50 2018 +1200
CVE-2018-10919 security: Add more comments to the object-specific access checks
Reading the spec and then reading the code makes sense, but we could
comment the code more so it makes sense on its own.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 5bcbf5a308cb5e516b257bf1769728d22e9b6f36
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Thu Jul 19 16:03:36 2018 +1200
CVE-2018-10919 security: Move object-specific access checks into separate function
Object-specific access checks refer to a specific section of the
MS-ADTS, and the code closely matches the spec. We need to extend this
logic to properly handle the Control-Access Right (CR), so it makes
sense to split the logic out into its own function.
This patch just moves the code, and should not alter the logic (apart
from adding in the boolean grant_access return variable).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 164766b8800c59a3f981aeb3ea1b3ab4e2e31a54
Author: Kai Blin <kai at samba.org>
Date: Fri Jun 8 18:20:16 2018 +0200
CVE-2018-1140 dns: Add a test to trigger the LDB casefolding issue on invalid chars
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13466
Signed-off-by: Kai Blin <kai at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit e2d6ad5147e0bf5869e94eb60c49c385e91eba5d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 14 13:59:45 2018 +1200
Release LDB 1.4.2 for CVE-2018-1140
* Security fix for CVE-2018-1140 (NULL pointer de-reference, bug 13374)
* Fix memory leaks and missing error checks (bug 13459, 13471, 13475)
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit bf988acd2e7e79fd6c53954bbcb9472db422c9cb
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon May 21 15:25:58 2018 +1200
CVE-2018-1140 ldb: Add tests for search add and rename with a bad dn= DN
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
commit dc2898f114dbd7bdff7f29c758819500a6238136
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon May 21 15:23:53 2018 +1200
CVE-2018-1140 ldb_tdb: Check for DN validity in add, rename and search
This ensures we fail with a good error code before an eventual ldb_dn_get_casefold() which
would otherwise fail.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
commit 8fed2cc0a96a2ccde675a8f72bb5db31174189e2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon May 21 15:20:26 2018 +1200
CVE-2018-1140 ldb_tdb: Ensure the dn in distinguishedName= is valid before use
ldb_dn_from_ldb_val() does not validate this untrusted input, so a later
call to ldb_dn_get_casefold() can fail if the input is not valid.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
commit 504cff7aa875df67385fb4fcd4f7f1f461d377b4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon May 21 14:50:50 2018 +1200
CVE-2018-1140 ldb: Check for ldb_dn_get_casefold() failure in ldb_sqlite
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
commit 31a001f2e2f8eadd3e652984e30b7c0cccfe4f1c
Author: Andrej Gessel <Andrej.Gessel at janztec.com>
Date: Fri Apr 6 18:18:33 2018 +0200
CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr()
Signed-off-by: Andrej Gessel <Andrej.Gessel at janztec.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
commit 3e89172fc75d5b2f5d5ec2b7b7efdf3be5c174eb
Author: Günther Deschner <gd at samba.org>
Date: Tue Mar 13 16:56:20 2018 +0100
CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth".
This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.
Found by Vivek Das <vdas at redhat.com> (Red Hat QE).
In order to demonstrate simply run:
  smbclient //server/share -U user%password -mNT1 -c quit \
    --option="client ntlmv2 auth"=no \
    --option="client use spnego"=no
against a server that uses "ntlm auth = ntlmv2-only" (our default
setting).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit e2b2c00626ff677c430d49c0454bc70be5f40d28
Author: Günther Deschner <gd at samba.org>
Date: Fri Mar 16 17:25:12 2018 +0100
CVE-2018-1139 selftest: verify whether ntlmv1 can be used via SMB1 when it is disabled.
Right now, this test will succeed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 48f5dbd7dbc397c16056e1466998b31ed75b5bad
Author: Günther Deschner <gd at samba.org>
Date: Wed Mar 14 15:35:01 2018 +0100
CVE-2018-1139 s3-utils: use enum ntlm_auth_level in ntlm_password_check().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit d171f8d1938393982b6645afc095a06a30ef8420
Author: Günther Deschner <gd at samba.org>
Date: Wed Mar 14 15:36:05 2018 +0100
CVE-2018-1139 libcli/auth: fix debug messages in hash_password_check()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 3579ac445ab25c319dc520f01b516b103b140c07
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 27 08:44:24 2018 +1200
CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
-----------------------------------------------------------------------
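The check described in commit 52b5ed8 above, as an added C example that is not Samba's code: the same search is run with and without an access check on the attributes named in the search tree. The `node`/`entry` types, the attribute `secretAttr`, the sample entry and the `objectClass=*` exemption as written here are constructed assumptions for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical miniature filter tree; NOT Samba's ldb_parse_tree. */
enum op { OP_AND, OP_OR, OP_NOT, OP_EQUALITY, OP_PRESENT };
struct node {
	enum op op;
	const char *attr;           /* leaf nodes only */
	const char *value;          /* OP_EQUALITY only */
	const struct node *kids[2]; /* AND/OR use both, NOT uses kids[0] */
};
struct attr { const char *name, *value; };
struct entry { const struct attr *attrs; size_t n; };

/* Case-insensitive string equality (attribute names ignore case). */
static bool ieq(const char *a, const char *b)
{
	while (*a && *b) {
		if (tolower((unsigned char)*a++) != tolower((unsigned char)*b++))
			return false;
	}
	return *a == *b;
}

static const char *entry_get(const struct entry *e, const char *name)
{
	for (size_t i = 0; i < e->n; i++)
		if (ieq(e->attrs[i].name, name))
			return e->attrs[i].value;
	return NULL;
}

/* Plain filter evaluation, as the database does it with no ACL knowledge. */
static bool filter_matches(const struct entry *e, const struct node *t)
{
	const char *v;
	switch (t->op) {
	case OP_AND: return filter_matches(e, t->kids[0]) && filter_matches(e, t->kids[1]);
	case OP_OR:  return filter_matches(e, t->kids[0]) || filter_matches(e, t->kids[1]);
	case OP_NOT: return !filter_matches(e, t->kids[0]);
	case OP_PRESENT: return entry_get(e, t->attr) != NULL;
	case OP_EQUALITY:
		v = entry_get(e, t->attr);
		return v != NULL && ieq(v, t->value);
	}
	return false;
}

/* Constructed ACL: the caller may read only the attributes in this list. */
static bool may_read(const char *const *readable, const char *attr)
{
	for (size_t i = 0; readable[i] != NULL; i++)
		if (ieq(readable[i], attr))
			return true;
	return false;
}

/* True if any leaf of the filter tests an attribute the caller cannot read. */
static bool tree_touches_unreadable(const struct node *t, const char *const *readable)
{
	switch (t->op) {
	case OP_AND:
	case OP_OR:
		return tree_touches_unreadable(t->kids[0], readable) ||
		       tree_touches_unreadable(t->kids[1], readable);
	case OP_NOT:
		return tree_touches_unreadable(t->kids[0], readable);
	case OP_PRESENT:
		/* Assumption: 'objectClass=*' stays permitted without Read Property. */
		if (ieq(t->attr, "objectClass"))
			return false;
		return !may_read(readable, t->attr);
	case OP_EQUALITY:
		return !may_read(readable, t->attr);
	}
	return true; /* unknown node type: fail closed */
}

/* Is the entry returned? check_tree=false models the behaviour before the fix. */
static bool search_returns(const struct entry *e, const struct node *filter,
			   const char *const *requested,
			   const char *const *readable, bool check_tree)
{
	if (!filter_matches(e, filter))
		return false;
	for (size_t i = 0; requested[i] != NULL; i++)
		if (!may_read(readable, requested[i]))
			return false; /* existing check on the requested attributes */
	if (check_tree && tree_touches_unreadable(filter, readable))
		return false; /* added check on the search expression itself */
	return true;
}

/* Constructed sample data: one entry, a caller who may read only 'cn'. */
static const struct attr sample_attrs[] = {
	{ "objectClass", "user" }, { "cn", "alice" }, { "secretAttr", "blue" },
};
static const struct entry sample = { sample_attrs, 3 };
static const char *const readable[] = { "cn", NULL };
static const char *const requested[] = { "cn", NULL };

static bool probe_equal(const char *guess, bool check_tree)
{
	struct node leaf = { OP_EQUALITY, "secretAttr", guess, { NULL, NULL } };
	return search_returns(&sample, &leaf, requested, readable, check_tree);
}

static bool probe_present(const char *attr, bool check_tree)
{
	struct node leaf = { OP_PRESENT, attr, NULL, { NULL, NULL } };
	return search_returns(&sample, &leaf, requested, readable, check_tree);
}

int main(void)
{
	printf("no tree check: right=%d wrong=%d\n", probe_equal("blue", false), probe_equal("red", false));
	printf("tree check:    right=%d wrong=%d\n", probe_equal("blue", true), probe_equal("red", true));
	printf("objectClass=* with tree check: %d\n", probe_present("objectClass", true));
	return 0;
}
```

Without the tree check the result set differs between a matching and a non-matching value of the unreadable attribute; with it, both searches return nothing, while `objectClass=*` still lists the object.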
Summary of changes:
ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c | 200 +++-
ctdb/utils/ceph/test_ceph_rados_reclock.sh | 57 +-
ctdb/wscript | 14 +-
lib/ldb/ABI/{ldb-1.4.1.sigs => ldb-1.4.2.sigs} | 0
...b-util.py3-1.4.1.sigs => pyldb-util-1.4.2.sigs} | 0
...il.py3-1.4.1.sigs => pyldb-util.py3-1.4.2.sigs} | 0
lib/ldb/ldb_sqlite3/ldb_sqlite3.c | 3 +
lib/ldb/ldb_tdb/ldb_index.c | 18 +
lib/ldb/ldb_tdb/ldb_search.c | 16 +
lib/ldb/ldb_tdb/ldb_tdb.c | 27 +-
lib/ldb/tests/python/api.py | 156 +++
lib/ldb/wscript | 2 +-
libcli/auth/ntlm_check.c | 10 +-
libcli/auth/tests/ntlm_check.c | 413 ++++++++
libcli/auth/wscript_build | 13 +
libcli/security/access_check.c | 110 ++-
python/samba/tests/dns_invalid.py | 87 ++
selftest/knownfail | 3 +-
selftest/tests.py | 2 +
source3/libsmb/cli_smb2_fnum.c | 13 +-
source3/libsmb/cliquota.c | 9 +-
source3/libsmb/libsmb_dir.c | 57 +-
source3/libsmb/libsmb_path.c | 9 +-
source3/script/tests/test_smbclient_s3.sh | 42 +
source3/selftest/tests.py | 2 +-
source3/smbd/nttrans.c | 15 +-
source3/utils/ntlm_auth.c | 6 +-
source4/dsdb/samdb/cracknames.c | 8 +-
source4/dsdb/samdb/ldb_modules/acl_read.c | 331 ++++++-
source4/dsdb/tests/python/acl.py | 68 ++
source4/dsdb/tests/python/confidential_attr.py | 1016 ++++++++++++++++++++
source4/dsdb/tests/python/ldap.py | 9 +
source4/selftest/tests.py | 6 +
source4/torture/basic/delete.c | 87 ++
source4/torture/drs/python/cracknames.py | 38 +
35 files changed, 2703 insertions(+), 144 deletions(-)
copy lib/ldb/ABI/{ldb-1.4.1.sigs => ldb-1.4.2.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util.py3-1.4.1.sigs => pyldb-util-1.4.2.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util.py3-1.4.1.sigs => pyldb-util.py3-1.4.2.sigs} (100%)
create mode 100644 libcli/auth/tests/ntlm_check.c
create mode 100644 python/samba/tests/dns_invalid.py
create mode 100755 source4/dsdb/tests/python/confidential_attr.py
Changeset truncated at 500 lines:
diff --git a/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c b/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c
index 326a0b0..7ef76c2 100644
--- a/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c
+++ b/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c
@@ -1,7 +1,7 @@
/*
CTDB mutex helper using Ceph librados locks
- Copyright (C) David Disseldorp 2016
+ Copyright (C) David Disseldorp 2016-2018
Based on ctdb_mutex_fcntl_helper.c, which is:
Copyright (C) Martin Schwenke 2015
@@ -29,6 +29,11 @@
#define CTDB_MUTEX_CEPH_LOCK_NAME "ctdb_reclock_mutex"
#define CTDB_MUTEX_CEPH_LOCK_COOKIE CTDB_MUTEX_CEPH_LOCK_NAME
#define CTDB_MUTEX_CEPH_LOCK_DESC "CTDB recovery lock"
+/*
+ * During failover it may take up to <lock duration> seconds before the
+ * newly elected recovery master can obtain the lock.
+ */
+#define CTDB_MUTEX_CEPH_LOCK_DURATION_SECS_DEFAULT 10
#define CTDB_MUTEX_STATUS_HOLDING "0"
#define CTDB_MUTEX_STATUS_CONTENDED "1"
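Review bot: the comment above CTDB_MUTEX_CEPH_LOCK_DURATION_SECS_DEFAULT explains the failover delay but not the other half of the contract: the holder has to renew well inside this window, and a duration of 0 is treated as "no expiry" by ctdb_mutex_rados_lock(). Please state both next to the define so that nobody tuning the value reintroduces the indefinite lock this series removes.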
@@ -88,24 +93,20 @@ static int ctdb_mutex_rados_ctx_create(const char *ceph_cluster_name,
return 0;
}
-static void ctdb_mutex_rados_ctx_destroy(rados_t ceph_cluster,
- rados_ioctx_t ioctx)
-{
- rados_ioctx_destroy(ioctx);
- rados_shutdown(ceph_cluster);
-}
-
static int ctdb_mutex_rados_lock(rados_ioctx_t *ioctx,
- const char *oid)
+ const char *oid,
+ uint64_t lock_duration_s,
+ uint8_t flags)
{
int ret;
+ struct timeval tv = { lock_duration_s, 0 };
ret = rados_lock_exclusive(ioctx, oid,
- CTDB_MUTEX_CEPH_LOCK_NAME,
+ CTDB_MUTEX_CEPH_LOCK_NAME,
CTDB_MUTEX_CEPH_LOCK_COOKIE,
CTDB_MUTEX_CEPH_LOCK_DESC,
- NULL, /* infinite duration */
- 0);
+ lock_duration_s == 0 ? NULL : &tv,
+ flags);
if ((ret == -EEXIST) || (ret == -EBUSY)) {
/* lock contention */
return ret;
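Review bot: In ctdb_mutex_rados_lock(), `struct timeval tv = { lock_duration_s, 0 };` initialises tv_sec from a uint64_t without any range check, so a very large duration is implicitly narrowed to time_t. Bound lock_duration_s where it is parsed, or reject values that do not fit before building tv. Separately, the removed and added CTDB_MUTEX_CEPH_LOCK_NAME lines appear to differ only in whitespace, which adds noise to a functional change.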
@@ -145,10 +146,13 @@ struct ctdb_mutex_rados_state {
const char *ceph_auth_name;
const char *pool_name;
const char *object;
+ uint64_t lock_duration_s;
int ppid;
struct tevent_context *ev;
- struct tevent_signal *sig_ev;
- struct tevent_timer *timer_ev;
+ struct tevent_signal *sigterm_ev;
+ struct tevent_signal *sigint_ev;
+ struct tevent_timer *ppid_timer_ev;
+ struct tevent_timer *renew_timer_ev;
rados_t ceph_cluster;
rados_ioctx_t ioctx;
};
@@ -161,29 +165,24 @@ static void ctdb_mutex_rados_sigterm_cb(struct tevent_context *ev,
void *private_data)
{
struct ctdb_mutex_rados_state *cmr_state = private_data;
- int ret;
+ int ret = 0;
if (!cmr_state->holding_mutex) {
fprintf(stderr, "Sigterm callback invoked without mutex!\n");
ret = -EINVAL;
- goto err_ctx_cleanup;
}
- ret = ctdb_mutex_rados_unlock(cmr_state->ioctx, cmr_state->object);
-err_ctx_cleanup:
- ctdb_mutex_rados_ctx_destroy(cmr_state->ceph_cluster,
- cmr_state->ioctx);
talloc_free(cmr_state);
exit(ret ? 1 : 0);
}
-static void ctdb_mutex_rados_timer_cb(struct tevent_context *ev,
- struct tevent_timer *te,
- struct timeval current_time,
- void *private_data)
+static void ctdb_mutex_rados_ppid_timer_cb(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval current_time,
+ void *private_data)
{
struct ctdb_mutex_rados_state *cmr_state = private_data;
- int ret;
+ int ret = 0;
if (!cmr_state->holding_mutex) {
fprintf(stderr, "Timer callback invoked without mutex!\n");
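Review bot: ctdb_mutex_rados_sigterm_cb() no longer records the result of ctdb_mutex_rados_unlock(): the call is removed here and the unlock moves to the talloc destructor, which discards the return value. `exit(ret ? 1 : 0)` therefore reports success even when the unlock fails, where it previously reported the failure. If that is intended, state it in a comment; otherwise log the unlock failure in the destructor so it is not lost.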
@@ -193,26 +192,81 @@ static void ctdb_mutex_rados_timer_cb(struct tevent_context *ev,
if ((kill(cmr_state->ppid, 0) == 0) || (errno != ESRCH)) {
/* parent still around, keep waiting */
- cmr_state->timer_ev = tevent_add_timer(cmr_state->ev, cmr_state,
+ cmr_state->ppid_timer_ev = tevent_add_timer(cmr_state->ev,
+ cmr_state,
tevent_timeval_current_ofs(5, 0),
- ctdb_mutex_rados_timer_cb,
- cmr_state);
- if (cmr_state->timer_ev == NULL) {
+ ctdb_mutex_rados_ppid_timer_cb,
+ cmr_state);
+ if (cmr_state->ppid_timer_ev == NULL) {
fprintf(stderr, "Failed to create timer event\n");
/* rely on signal cb */
}
return;
}
- /* parent ended, drop lock and exit */
- ret = ctdb_mutex_rados_unlock(cmr_state->ioctx, cmr_state->object);
+ /* parent ended, drop lock (via destructor) and exit */
err_ctx_cleanup:
- ctdb_mutex_rados_ctx_destroy(cmr_state->ceph_cluster,
- cmr_state->ioctx);
talloc_free(cmr_state);
exit(ret ? 1 : 0);
}
+#define USECS_IN_SEC 1000000
+
+static void ctdb_mutex_rados_lock_renew_timer_cb(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval current_time,
+ void *private_data)
+{
+ struct ctdb_mutex_rados_state *cmr_state = private_data;
+ struct timeval tv;
+ int ret;
+
+ ret = ctdb_mutex_rados_lock(cmr_state->ioctx, cmr_state->object,
+ cmr_state->lock_duration_s,
+ LIBRADOS_LOCK_FLAG_RENEW);
+ if (ret == -EBUSY) {
+ /* should never get -EEXIST on renewal */
+ fprintf(stderr, "Lock contention during renew: %d\n", ret);
+ goto err_ctx_cleanup;
+ } else if (ret < 0) {
+ fprintf(stderr, "Lock renew failed\n");
+ goto err_ctx_cleanup;
+ }
+
+ tv = tevent_timeval_current_ofs(0,
+ cmr_state->lock_duration_s * (USECS_IN_SEC / 2));
+ cmr_state->renew_timer_ev = tevent_add_timer(cmr_state->ev,
+ cmr_state,
+ tv,
+ ctdb_mutex_rados_lock_renew_timer_cb,
+ cmr_state);
+ if (cmr_state->renew_timer_ev == NULL) {
+ fprintf(stderr, "Failed to create timer event\n");
+ goto err_ctx_cleanup;
+ }
+
+ return;
+
+err_ctx_cleanup:
+ /* drop lock (via destructor) and exit */
+ talloc_free(cmr_state);
+ exit(1);
+}
+
+static int ctdb_mutex_rados_state_destroy(struct ctdb_mutex_rados_state *cmr_state)
+{
+ if (cmr_state->holding_mutex) {
+ ctdb_mutex_rados_unlock(cmr_state->ioctx, cmr_state->object);
+ }
+ if (cmr_state->ioctx != NULL) {
+ rados_ioctx_destroy(cmr_state->ioctx);
+ }
+ if (cmr_state->ceph_cluster != NULL) {
+ rados_shutdown(cmr_state->ceph_cluster);
+ }
+ return 0;
+}
+
int main(int argc, char *argv[])
{
int ret;
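Review bot: In ctdb_mutex_rados_lock_renew_timer_cb(), `cmr_state->lock_duration_s * (USECS_IN_SEC / 2)` is a uint64_t product passed as the microseconds argument of tevent_timeval_current_ofs(), which takes a uint32_t, so a duration above roughly 8589 seconds wraps and the renewal timer fires at the wrong interval. Split the value into whole seconds and a microsecond remainder (lock_duration_s / 2 and (lock_duration_s % 2) * 500000), or cap the duration when it is parsed.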
@@ -220,9 +274,10 @@ int main(int argc, char *argv[])
progname = argv[0];
- if (argc != 5) {
+ if ((argc != 5) && (argc != 6)) {
fprintf(stderr, "Usage: %s <Ceph Cluster> <Ceph user> "
- "<RADOS pool> <RADOS object>\n",
+ "<RADOS pool> <RADOS object> "
+ "[lock duration secs]\n",
progname);
ret = -EINVAL;
goto err_out;
@@ -240,10 +295,24 @@ int main(int argc, char *argv[])
goto err_out;
}
+ talloc_set_destructor(cmr_state, ctdb_mutex_rados_state_destroy);
cmr_state->ceph_cluster_name = argv[1];
cmr_state->ceph_auth_name = argv[2];
cmr_state->pool_name = argv[3];
cmr_state->object = argv[4];
+ if (argc == 6) {
+ /* optional lock duration provided */
+ char *endptr = NULL;
+ cmr_state->lock_duration_s = strtoull(argv[5], &endptr, 0);
+ if ((endptr == argv[5]) || (*endptr != '\0')) {
+ fprintf(stdout, CTDB_MUTEX_STATUS_ERROR);
+ ret = -EINVAL;
+ goto err_ctx_cleanup;
+ }
+ } else {
+ cmr_state->lock_duration_s
+ = CTDB_MUTEX_CEPH_LOCK_DURATION_SECS_DEFAULT;
+ }
cmr_state->ppid = getppid();
if (cmr_state->ppid == 1) {
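Review bot: The strtoull() parse of argv[5] validates only endptr, so an out-of-range value (ERANGE) and a leading minus sign, which strtoull() accepts and wraps, both produce a huge lock_duration_s, and base 0 means a value such as 010 is read as octal. Clear errno before the call, reject ERANGE and a leading '-', parse with base 10, and apply an upper bound. This error path also writes only the status code to stdout with nothing on stderr, so a bad argument fails without any diagnostic for the operator.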
@@ -257,7 +326,7 @@ int main(int argc, char *argv[])
*/
fprintf(stderr, "%s: PPID == 1\n", progname);
ret = -EPIPE;
- goto err_state_free;
+ goto err_ctx_cleanup;
}
cmr_state->ev = tevent_context_init(cmr_state);
@@ -265,30 +334,40 @@ int main(int argc, char *argv[])
fprintf(stderr, "tevent_context_init failed\n");
fprintf(stdout, CTDB_MUTEX_STATUS_ERROR);
ret = -ENOMEM;
- goto err_state_free;
+ goto err_ctx_cleanup;
}
/* wait for sigterm */
- cmr_state->sig_ev = tevent_add_signal(cmr_state->ev, cmr_state, SIGTERM, 0,
+ cmr_state->sigterm_ev = tevent_add_signal(cmr_state->ev, cmr_state, SIGTERM, 0,
ctdb_mutex_rados_sigterm_cb,
cmr_state);
- if (cmr_state->sig_ev == NULL) {
- fprintf(stderr, "Failed to create signal event\n");
+ if (cmr_state->sigterm_ev == NULL) {
+ fprintf(stderr, "Failed to create term signal event\n");
fprintf(stdout, CTDB_MUTEX_STATUS_ERROR);
ret = -ENOMEM;
- goto err_state_free;
+ goto err_ctx_cleanup;
+ }
+
+ cmr_state->sigint_ev = tevent_add_signal(cmr_state->ev, cmr_state, SIGINT, 0,
+ ctdb_mutex_rados_sigterm_cb,
+ cmr_state);
+ if (cmr_state->sigint_ev == NULL) {
+ fprintf(stderr, "Failed to create int signal event\n");
+ fprintf(stdout, CTDB_MUTEX_STATUS_ERROR);
+ ret = -ENOMEM;
+ goto err_ctx_cleanup;
}
/* periodically check parent */
- cmr_state->timer_ev = tevent_add_timer(cmr_state->ev, cmr_state,
+ cmr_state->ppid_timer_ev = tevent_add_timer(cmr_state->ev, cmr_state,
tevent_timeval_current_ofs(5, 0),
- ctdb_mutex_rados_timer_cb,
+ ctdb_mutex_rados_ppid_timer_cb,
cmr_state);
- if (cmr_state->timer_ev == NULL) {
+ if (cmr_state->ppid_timer_ev == NULL) {
fprintf(stderr, "Failed to create timer event\n");
fprintf(stdout, CTDB_MUTEX_STATUS_ERROR);
ret = -ENOMEM;
- goto err_state_free;
+ goto err_ctx_cleanup;
}
ret = ctdb_mutex_rados_ctx_create(cmr_state->ceph_cluster_name,
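Review bot: The new SIGINT event is registered with ctdb_mutex_rados_sigterm_cb, whose diagnostic reads "Sigterm callback invoked without mutex!", so a SIGINT that arrives before the lock is taken is logged as a SIGTERM. Give the callback a signal-neutral name and message, or print the signal number the handler receives.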
@@ -298,10 +377,12 @@ int main(int argc, char *argv[])
&cmr_state->ioctx);
if (ret < 0) {
fprintf(stdout, CTDB_MUTEX_STATUS_ERROR);
- goto err_state_free;
+ goto err_ctx_cleanup;
}
- ret = ctdb_mutex_rados_lock(cmr_state->ioctx, cmr_state->object);
+ ret = ctdb_mutex_rados_lock(cmr_state->ioctx, cmr_state->object,
+ cmr_state->lock_duration_s,
+ 0);
if ((ret == -EEXIST) || (ret == -EBUSY)) {
fprintf(stdout, CTDB_MUTEX_STATUS_CONTENDED);
goto err_ctx_cleanup;
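Review bot: With `goto err_ctx_cleanup` on ctdb_mutex_rados_ctx_create() failure, talloc_free() now runs ctdb_mutex_rados_state_destroy(), which decides what to tear down from `ioctx != NULL` and `ceph_cluster != NULL`. That is only safe if cmr_state is zero-initialised and ctx_create leaves both handles either NULL or fully valid on every error path. Neither is visible in this diff, so please confirm it or reset the handles in ctx_create's own error handling.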
@@ -309,8 +390,28 @@ int main(int argc, char *argv[])
fprintf(stdout, CTDB_MUTEX_STATUS_ERROR);
goto err_ctx_cleanup;
}
-
cmr_state->holding_mutex = true;
+
+ if (cmr_state->lock_duration_s != 0) {
+ /*
+ * renew (reobtain) the lock, using a period of half the lock
+ * duration. Convert to usecs to avoid rounding.
+ */
+ struct timeval tv = tevent_timeval_current_ofs(0,
+ cmr_state->lock_duration_s * (USECS_IN_SEC / 2));
+ cmr_state->renew_timer_ev = tevent_add_timer(cmr_state->ev,
+ cmr_state,
+ tv,
+ ctdb_mutex_rados_lock_renew_timer_cb,
+ cmr_state);
+ if (cmr_state->renew_timer_ev == NULL) {
+ fprintf(stderr, "Failed to create timer event\n");
+ fprintf(stdout, CTDB_MUTEX_STATUS_ERROR);
+ ret = -ENOMEM;
+ goto err_ctx_cleanup;
+ }
+ }
+
fprintf(stdout, CTDB_MUTEX_STATUS_HOLDING);
/* wait for the signal / timer events to do their work */
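Review bot: The block in main() that computes tv and calls tevent_add_timer() for renew_timer_ev repeats the re-arm code in ctdb_mutex_rados_lock_renew_timer_cb() almost line for line. Move it into one helper that returns the timer (or an error), so the interval calculation and its failure handling live in a single place.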
@@ -319,9 +420,6 @@ int main(int argc, char *argv[])
goto err_ctx_cleanup;
}
err_ctx_cleanup:
- ctdb_mutex_rados_ctx_destroy(cmr_state->ceph_cluster,
- cmr_state->ioctx);
-err_state_free:
talloc_free(cmr_state);
err_out:
return ret ? 1 : 0;
diff --git a/ctdb/utils/ceph/test_ceph_rados_reclock.sh b/ctdb/utils/ceph/test_ceph_rados_reclock.sh
index 1adacf6..68b44ff 100755
--- a/ctdb/utils/ceph/test_ceph_rados_reclock.sh
+++ b/ctdb/utils/ceph/test_ceph_rados_reclock.sh
@@ -46,7 +46,9 @@ which ctdb_mutex_ceph_rados_helper || exit 1
TMP_DIR="$(mktemp --directory)" || exit 1
rados -p "$POOL" rm "$OBJECT"
-(ctdb_mutex_ceph_rados_helper "$CLUSTER" "$USER" "$POOL" "$OBJECT" \
+# explicitly disable lock expiry (duration=0), to ensure that we don't get
+# intermittent failures (due to renewal) from the lock state diff further down
+(ctdb_mutex_ceph_rados_helper "$CLUSTER" "$USER" "$POOL" "$OBJECT" 0 \
> ${TMP_DIR}/first) &
locker_pid=$!
@@ -78,6 +80,9 @@ LOCKER_COOKIE="$(jq -r '.lockers[0].cookie' ${TMP_DIR}/lock_state_first)"
LOCKER_DESC="$(jq -r '.lockers[0].description' ${TMP_DIR}/lock_state_first)"
[ "$LOCKER_DESC" == "CTDB recovery lock" ] \
|| _fail "unexpected locker description: $LOCKER_DESC"
+LOCKER_EXP="$(jq -r '.lockers[0].expiration' ${TMP_DIR}/lock_state_first)"
+[ "$LOCKER_EXP" == "0.000000" ] \
+ || _fail "unexpected locker expiration: $LOCKER_EXP"
# second attempt while first is still holding the lock - expect failure
ctdb_mutex_ceph_rados_helper "$CLUSTER" "$USER" "$POOL" "$OBJECT" \
@@ -145,6 +150,56 @@ third_out=$(cat ${TMP_DIR}/third)
[ "$third_out" == "0" ] \
|| _fail "expected lock acquisition (0), but got $third_out"
+# test renew / expire behaviour using a 1s expiry (update period = 500ms)
+exec >${TMP_DIR}/forth -- ctdb_mutex_ceph_rados_helper "$CLUSTER" "$USER" \
+ "$POOL" "$OBJECT" 1 &
+locker_pid=$!
+
+sleep 1
+
+rados -p "$POOL" lock info "$OBJECT" ctdb_reclock_mutex \
+ > ${TMP_DIR}/lock_state_fifth_a
+#echo "with lock fifth: `cat ${TMP_DIR}/lock_state_fifth_a`"
+
+LOCK_NAME="$(jq -r '.name' ${TMP_DIR}/lock_state_fifth_a)"
+[ "$LOCK_NAME" == "ctdb_reclock_mutex" ] \
+ || _fail "unexpected lock name: $LOCK_NAME"
+LOCK_TYPE="$(jq -r '.type' ${TMP_DIR}/lock_state_fifth_a)"
+[ "$LOCK_TYPE" == "exclusive" ] \
+ || _fail "unexpected lock type: $LOCK_TYPE"
+LOCK_COUNT="$(jq -r '.lockers | length' ${TMP_DIR}/lock_state_fifth_a)"
+[ $LOCK_COUNT -eq 1 ] || _fail "expected 1 lock in rados state, got $LOCK_COUNT"
+LOCKER_EXP_A="$(jq -r '.lockers[0].expiration' ${TMP_DIR}/lock_state_fifth_a)"
+[ "$LOCKER_EXP_A" != "0.000000" ] \
+ || _fail "unexpected locker expiration: $LOCKER_EXP_A"
+sleep 1 # sleep until renewal
+rados -p "$POOL" lock info "$OBJECT" ctdb_reclock_mutex \
+ > ${TMP_DIR}/lock_state_fifth_b
+LOCKER_EXP_B="$(jq -r '.lockers[0].expiration' ${TMP_DIR}/lock_state_fifth_b)"
+[ "$LOCKER_EXP_B" != "0.000000" ] \
+ || _fail "unexpected locker expiration: $LOCKER_EXP_B"
+#echo "lock expiration before renewal $LOCKER_EXP_A, after renewal $LOCKER_EXP_B"
+[ "$LOCKER_EXP_B" != "$LOCKER_EXP_A" ] \
+ || _fail "locker expiration matches: $LOCKER_EXP_B"
+
+# no chance to drop the lock, rely on expiry
+kill -KILL $locker_pid || exit 1
+wait $locker_pid &> /dev/null
+sleep 1 # sleep until lock expiry
+
+rados -p "$POOL" lock info "$OBJECT" ctdb_reclock_mutex \
+ > ${TMP_DIR}/lock_state_sixth
+#echo "lock expiry sixth: `cat ${TMP_DIR}/lock_state_sixth`"
+
+LOCK_NAME="$(jq -r '.name' ${TMP_DIR}/lock_state_sixth)"
+[ "$LOCK_NAME" == "ctdb_reclock_mutex" ] \
+ || _fail "unexpected lock name: $LOCK_NAME"
+LOCK_TYPE="$(jq -r '.type' ${TMP_DIR}/lock_state_sixth)"
+[ "$LOCK_TYPE" == "exclusive" ] \
+ || _fail "unexpected lock type: $LOCK_TYPE"
+LOCK_COUNT="$(jq -r '.lockers | length' ${TMP_DIR}/lock_state_sixth)"
+[ $LOCK_COUNT -eq 0 ] || _fail "expected 0 locks in rados state, got $LOCK_COUNT"
+
rm ${TMP_DIR}/*
rmdir $TMP_DIR
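Review bot: The expiry check at the end of the new test is timing-sensitive: with a 1s duration the helper may have renewed just before `kill -KILL $locker_pid`, so the lock can remain valid for up to a full second afterwards, and `sleep 1 # sleep until lock expiry` leaves no margin before `lock info` is read. Sleep for longer than the lock duration or poll until the locker count reaches 0. The helper's output file is also named `forth` while its state files are `lock_state_fifth_a` and `lock_state_fifth_b`, and its content is never compared against the expected "0" status before the lock state is inspected.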
diff --git a/ctdb/wscript b/ctdb/wscript
index 05044ce..addf8ec 100644
--- a/ctdb/wscript
+++ b/ctdb/wscript
@@ -85,6 +85,10 @@ def set_options(opt):
opt.add_option('--enable-etcd-reclock',
help=("Enable etcd recovery lock helper (default=no)"),
action="store_true", dest='ctdb_etcd_reclock', default=False)
+
+ opt.add_option('--with-libcephfs',
+ help=("Directory under which libcephfs is installed"),
+ action="store", dest='libcephfs_dir', default=None)
opt.add_option('--enable-ceph-reclock',
help=("Enable Ceph CTDB recovery lock helper (default=no)"),
action="store_true", dest='ctdb_ceph_reclock', default=False)
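Review bot: The new `--with-libcephfs` option is documented as the directory under which libcephfs is installed, but configure() uses it only to set CPPPATH_RADOS, LIBPATH_RADOS and LIBPATH_CEPH-COMMON. Reword the help text to say it locates the librados and ceph-common headers and libraries, so the option's effect on the reclock helper build is clear.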
@@ -237,8 +241,16 @@ def configure(conf):
conf.env.etcd_reclock = have_etcd_reclock
if Options.options.ctdb_ceph_reclock:
+ # Use custom libcephfs library path if provided. XXX The top level build
+ # explicitly sets LIBPATH_CEPH-COMMON when libcephfs_dir isn't provided.
+ if Options.options.libcephfs_dir:
+ conf.env['CPPPATH_RADOS'] = Options.options.libcephfs_dir + '/include'
+ conf.env['LIBPATH_RADOS'] = Options.options.libcephfs_dir + '/lib'
+ conf.env['LIBPATH_CEPH-COMMON'] = conf.env['LIBPATH_RADOS'] + '/ceph'
+
if (conf.CHECK_HEADERS('rados/librados.h', False, False, 'rados') and
conf.CHECK_LIB('rados', shlib=True)):
+ conf.CHECK_LIB('ceph-common', shlib=True)
Logs.info('Building with Ceph librados recovery lock support')
conf.define('HAVE_LIBRADOS', 1)
else:
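Review bot: The result of `conf.CHECK_LIB('ceph-common', shlib=True)` is ignored, yet HAVE_LIBRADOS is still defined and the build rule adds ceph-common to deps unconditionally. If the library is missing, the failure surfaces at link time instead of at configure time. Include the check in the surrounding condition, or fail configure with an explicit message. The libcephfs_dir paths are also built by string concatenation; os.path.join would handle a trailing slash in the option value.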
@@ -665,7 +677,7 @@ def build(bld):
if bld.env.HAVE_LIBRADOS:
bld.SAMBA_BINARY('ctdb_mutex_ceph_rados_helper',
source='utils/ceph/ctdb_mutex_ceph_rados_helper.c',
- deps='talloc tevent rados',
+ deps='talloc tevent rados ceph-common',
includes='include',
install_path='${CTDB_HELPER_BINDIR}')
diff --git a/lib/ldb/ABI/ldb-1.4.1.sigs b/lib/ldb/ABI/ldb-1.4.2.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-1.4.1.sigs
copy to lib/ldb/ABI/ldb-1.4.2.sigs
diff --git a/lib/ldb/ABI/pyldb-util.py3-1.4.1.sigs b/lib/ldb/ABI/pyldb-util-1.4.2.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util.py3-1.4.1.sigs
copy to lib/ldb/ABI/pyldb-util-1.4.2.sigs
diff --git a/lib/ldb/ABI/pyldb-util.py3-1.4.1.sigs b/lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util.py3-1.4.1.sigs
copy to lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs
diff --git a/lib/ldb/ldb_sqlite3/ldb_sqlite3.c b/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
index f94dc99..0f5abf8 100644
--- a/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
+++ b/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
@@ -323,6 +323,9 @@ static char *parsetree_to_sql(struct ldb_module *module,
const char *cdn = ldb_dn_get_casefold(
ldb_dn_new(mem_ctx, ldb,
(const char *)value.data));
+ if (cdn == NULL) {
+ return NULL;
+ }
return lsqlite3_tprintf(mem_ctx,
"SELECT eid FROM ldb_entry "
--
Samba Shared Repository