[SCM] Samba Shared Repository - branch master updated

David Disseldorp ddiss at samba.org
Thu Feb 7 20:34:02 UTC 2019


The branch, master has been updated
       via  eaf63f0b845 docs-xml: "cluster addresses" dns registration
       via  3e25d4d55f8 docs-xml: Update documentation for 'restrict anonymous' option
       via  f132c3767ef s3/lib/popt_common: use stack buffer in set_logfile()
       via  901ca24e43a s3/lib/popt_common: don't assume stackframe presence
       via  c824240cd48 lib/debug: retain full string in state.prog_name global
      from  61670169d52 Clean up reference used with PyDict_Setxxx

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit eaf63f0b845fb766ff243b1a7d0587c9507ab31e
Author: David Disseldorp <ddiss at samba.org>
Date:   Tue Jan 29 12:49:28 2019 +0100

    docs-xml: "cluster addresses" dns registration
    
    Bug 7871 added functionality to register smb.conf "cluster addresses"
    when net ads dns register is called with clustering=yes, but the man
    page was not updated. Add documentation for this behaviour.
    
    Signed-off-by: David Disseldorp <ddiss at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): David Disseldorp <ddiss at samba.org>
    Autobuild-Date(master): Thu Feb  7 21:33:15 CET 2019 on sn-devel-144

commit 3e25d4d55f85be3323861b9a2f59626246b57182
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Feb 5 16:08:46 2019 +0100

    docs-xml: Update documentation for 'restrict anonymous' option
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Rowland Penny <rpenny at samba.org>
    Reviewed-by: David Disseldorp <ddiss at samba.org>

commit f132c3767efd4197ae32a7114a7b91b55759adb4
Author: David Disseldorp <ddiss at samba.org>
Date:   Wed Feb 6 12:01:12 2019 +0100

    s3/lib/popt_common: use stack buffer in set_logfile()
    
    Signed-off-by: David Disseldorp <ddiss at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 901ca24e43a1b2b441f070e5dc40a6c7ddcba883
Author: David Disseldorp <ddiss at samba.org>
Date:   Wed Feb 6 00:58:17 2019 +0100

    s3/lib/popt_common: don't assume stackframe presence
    
    popt_common_callback() should be leak-safe if a talloc stackframe isn't
    available, as it's invoked early on.
    
    Signed-off-by: David Disseldorp <ddiss at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit c824240cd48aea9e0655287c98c8de7c3ffd5f94
Author: David Disseldorp <ddiss at samba.org>
Date:   Wed Feb 6 12:39:03 2019 +0100

    lib/debug: retain full string in state.prog_name global
    
    setup_logging() retains a global pointer to the provided const string in
    state.prog_name, which is later used in the debug_backend->reload()
    callback.
    Some setup_logging() callers, such as popt_common_callback(),
    incorrectly assume that a dynamic buffer is safe to provide as a
    prog_name parameter. Fix this by copying the entire string in
    setup_logging().
    
    Signed-off-by: David Disseldorp <ddiss at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/misc/clusteraddresses.xml      | 12 +++---
 docs-xml/smbdotconf/security/restrictanonymous.xml | 45 +++++++++++-----------
 lib/util/debug.c                                   | 12 ++++--
 source3/lib/popt_common.c                          | 42 ++++++++++++++------
 4 files changed, 67 insertions(+), 44 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/misc/clusteraddresses.xml b/docs-xml/smbdotconf/misc/clusteraddresses.xml
index d01a4f9004b..66878cdb642 100644
--- a/docs-xml/smbdotconf/misc/clusteraddresses.xml
+++ b/docs-xml/smbdotconf/misc/clusteraddresses.xml
@@ -3,12 +3,12 @@
                  type="cmdlist"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-	<para>With this parameter you can add additional addresses
-	nmbd will register with a WINS server. These addresses are not
-	necessarily present on all nodes simultaneously, but they will
-	be registered with the WINS server so that clients can contact
-	any of the nodes.
-	</para>
+	<para>With this parameter you can add additional addresses that
+	nmbd will register with a WINS server. Similarly, these
+	addresses will be registered by default when
+	<emphasis>net ads dns register</emphasis> is called with
+	<smbconfoption name="clustering">yes</smbconfoption>
+	configured.</para>
 </description>
 
 <value type="default"></value>
diff --git a/docs-xml/smbdotconf/security/restrictanonymous.xml b/docs-xml/smbdotconf/security/restrictanonymous.xml
index 78cafd21d55..06abe7b2bf7 100644
--- a/docs-xml/smbdotconf/security/restrictanonymous.xml
+++ b/docs-xml/smbdotconf/security/restrictanonymous.xml
@@ -3,34 +3,35 @@
                  context="G"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-    <para>The setting of this parameter determines whether user and
-    group list information is returned for an anonymous connection.
-    and mirrors the effects of the
-<programlisting>
-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
-           Control\LSA\RestrictAnonymous
-</programlisting>
-	registry key in Windows 2000 and Windows NT.  When set to 0, user
-	and group list information is returned to anyone who asks.  When set
-    to 1, only an authenticated user can retrieve user and
-    group list information.  For the value 2, supported by
-    Windows 2000/XP and Samba, no anonymous connections are allowed at
-    all.  This can break third party and Microsoft
-    applications which expect to be allowed to perform
-	operations anonymously.</para>
+	<para>
+		The setting of this parameter determines whether SAMR and LSA
+		DCERPC services can be accessed anonymously. This corresponds
+		to the following Windows Server registry options:
+	</para>
+
+	<programlisting>
+		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous
+	</programlisting>
+
+	<para>
+		The option also affects the browse option which is required by
+		legacy clients which rely on Netbios browsing. While modern
+		Windows version should be fine with restricting the access
+		there could still be applications relying on anonymous access.
+	</para>
 
 	<para>
-    The security advantage of using restrict anonymous = 1 is dubious,
-    as user and group list information can be obtained using other
-	means.
+		Setting <smbconfoption name="restrict anonymous">1</smbconfoption>
+		will disable anonymous SAMR access.
 	</para>
 
-	<note>
 	<para>
-    The security advantage of using restrict anonymous = 2 is removed
-    by setting <smbconfoption name="guest ok">yes</smbconfoption> on any share.
+		Setting <smbconfoption name="restrict anonymous">2</smbconfoption>
+		will, in addition to restricting SAMR access, disallow anonymous
+		connections to the IPC$ share in general.
+		Setting <smbconfoption name="guest ok">yes</smbconfoption> on any share
+		will remove the security advantage.
 	</para>
-	</note>
 </description>
 
 <value type="default">0</value>
diff --git a/lib/util/debug.c b/lib/util/debug.c
index 30e5a28a233..e6a1ba4f96f 100644
--- a/lib/util/debug.c
+++ b/lib/util/debug.c
@@ -87,7 +87,7 @@
 static struct {
 	bool initialized;
 	enum debug_logtype logtype; /* The type of logging we are doing: eg stdout, file, stderr */
-	const char *prog_name;
+	char prog_name[255];
 	bool reopening_logs;
 	bool schedule_reopen_logs;
 
@@ -227,11 +227,15 @@ static void debug_syslog_reload(bool enabled, bool previously_enabled,
 				const char *prog_name, char *option)
 {
 	if (enabled && !previously_enabled) {
+		const char *ident = NULL;
+		if ((prog_name != NULL) && (prog_name[0] != '\0')) {
+			ident = prog_name;
+		}
 #ifdef LOG_DAEMON
-		openlog(prog_name, LOG_PID, SYSLOG_FACILITY);
+		openlog(ident, LOG_PID, SYSLOG_FACILITY);
 #else
 		/* for old systems that have no facility codes. */
-		openlog(prog_name, LOG_PID );
+		openlog(ident, LOG_PID);
 #endif
 		return;
 	}
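Review bot: The new `ident` selection in debug_syslog_reload() needs a comment saying why an empty name is mapped to NULL and what lifetime the pointer must have. openlog() may keep the ident pointer rather than copy it (glibc does), so the value passed here has to stay valid for as long as syslog is in use. That holds only if the reload callback is handed the static `state.prog_name` array, which this hunk does not show. I would add above the declaration: `/* openlog() may retain ident; pass NULL for an unset name so syslog falls back to the program name */`. The function body continues past the end of the hunk.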
@@ -1001,7 +1005,7 @@ void setup_logging(const char *prog_name, enum debug_logtype new_logtype)
 			prog_name = p + 1;
 		}
 
-		state.prog_name = prog_name;
+		strlcpy(state.prog_name, prog_name, sizeof(state.prog_name));
 	}
 	reopen_logs_internal();
 }
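Review bot: The `strlcpy()` into `state.prog_name` ignores its return value, so a name longer than 254 bytes is truncated silently and the stored ident no longer matches what the caller passed. The commit message says popt_common_callback() passes a dynamic buffer here, so long inputs are plausible even after the basename strip. Checking the result would make truncation visible, e.g. `if (strlcpy(state.prog_name, prog_name, sizeof(state.prog_name)) >= sizeof(state.prog_name)) { /* report truncation */ }`. The bare `255` in the struct hunk above would also read better as a named constant. The start of setup_logging() is outside the hunk, so I am assuming prog_name is checked for NULL before this line.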
diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
index 6379135a267..fa21668000e 100644
--- a/source3/lib/popt_common.c
+++ b/source3/lib/popt_common.c
@@ -42,22 +42,23 @@ extern bool override_logfile;
 static void set_logfile(poptContext con, const char * arg)
 {
 
-	char *lfile = NULL;
+	char lfile[PATH_MAX];
 	const char *pname;
+	int ret;
 
 	/* Find out basename of current program */
-	pname = strrchr_m(poptGetInvocationName(con),'/');
-
-	if (!pname)
+	pname = strrchr_m(poptGetInvocationName(con), '/');
+	if (pname == NULL) {
 		pname = poptGetInvocationName(con);
-	else
+	} else {
 		pname++;
+	}
 
-	if (asprintf(&lfile, "%s/log.%s", arg, pname) < 0) {
+	ret = snprintf(lfile, sizeof(lfile), "%s/log.%s", arg, pname);
+	if (ret >= sizeof(lfile)) {
 		return;
 	}
 	lp_set_logfile(lfile);
-	SAFE_FREE(lfile);
 }
 
 static bool PrintSambaVersionString;
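Review bot: In set_logfile() the check `if (ret >= sizeof(lfile))` compares an `int` with a `size_t`, so a negative snprintf() result is caught only because it converts to a large unsigned value, and the line trips -Wsign-compare. Spelling out both cases is clearer: `if (ret < 0 || (size_t)ret >= sizeof(lfile)) {`. The early return also leaves the log file unset without any message when the path does not fit in PATH_MAX. A comment or an stderr diagnostic there would stop an over-long log directory from failing quietly.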
@@ -72,11 +73,16 @@ static void popt_common_callback(poptContext con,
 			   const struct poptOption *opt,
 			   const char *arg, const void *data)
 {
+	TALLOC_CTX *mem_ctx = talloc_new(NULL);
+	if (mem_ctx == NULL) {
+		exit(1);
+	}
 
 	if (reason == POPT_CALLBACK_REASON_PRE) {
 		set_logfile(con, get_dyn_LOGFILEBASE());
 		talloc_set_log_fn(popt_s3_talloc_log_fn);
 		talloc_set_abort_fn(smb_panic);
+		talloc_free(mem_ctx);
 		return;
 	}
 
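Review bot: `talloc_new(NULL)` now runs at the top of popt_common_callback() on every invocation, including the POPT_CALLBACK_REASON_PRE branch, which never uses mem_ctx and only frees it again. Allocating the context where it is first needed (the POST branch and the OPT_OPTION case in the later hunks) would remove that allocate/free pair and most of the `talloc_free(mem_ctx)` calls repeated before each return. The `exit(1)` on allocation failure is also silent, unlike the loadparm_init_s3() failure path further down; `fprintf(stderr, "talloc_new() failed!\n");` before it would match. The function continues beyond this hunk, and any `return` inside switch cases not shown in the diff would skip the final free.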
@@ -84,20 +90,27 @@ static void popt_common_callback(poptContext con,
 
 		if (PrintSambaVersionString) {
 			printf( "Version %s\n", samba_version_string());
+			talloc_free(mem_ctx);
 			exit(0);
 		}
 
 		if (is_default_dyn_CONFIGFILE()) {
-			if(getenv("SMB_CONF_PATH")) {
+			if (getenv("SMB_CONF_PATH")) {
 				set_dyn_CONFIGFILE(getenv("SMB_CONF_PATH"));
 			}
 		}
 
 		if (override_logfile) {
-			setup_logging(lp_logfile(talloc_tos()), DEBUG_FILE );
+			char *logfile = lp_logfile(mem_ctx);
+			if (logfile == NULL) {
+				talloc_free(mem_ctx);
+				exit(1);
+			}
+			setup_logging(logfile, DEBUG_FILE);
 		}
 
 		/* Further 'every Samba program must do this' hooks here. */
+		talloc_free(mem_ctx);
 		return;
 	}
 
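Review bot: Freeing mem_ctx right after `setup_logging(logfile, DEBUG_FILE)` is safe only because setup_logging() now copies the string (commit c824240cd48 in this push). Before that change it kept the pointer, and this free would have left state.prog_name dangling. That dependency deserves a comment at the call, e.g. `/* setup_logging() copies the name, so logfile can be released with mem_ctx */`, so the two changes are not separated in a backport. The new `exit(1)` for a NULL lp_logfile() result also prints nothing; a short stderr message would match the other failure paths in this function.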
@@ -105,18 +118,21 @@ static void popt_common_callback(poptContext con,
 	case OPT_OPTION:
 	{
 		struct loadparm_context *lp_ctx;
+		bool ok;
 
-		lp_ctx = loadparm_init_s3(talloc_tos(), loadparm_s3_helpers());
+		lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers());
 		if (lp_ctx == NULL) {
 			fprintf(stderr, "loadparm_init_s3() failed!\n");
+			talloc_free(mem_ctx);
 			exit(1);
 		}
 
-		if (!lpcfg_set_option(lp_ctx, arg)) {
+		ok = lpcfg_set_option(lp_ctx, arg);
+		if (!ok) {
 			fprintf(stderr, "Error setting option '%s'\n", arg);
+			talloc_free(mem_ctx);
 			exit(1);
 		}
-		TALLOC_FREE(lp_ctx);
 		break;
 	}
 	case 'd':
@@ -167,6 +183,8 @@ static void popt_common_callback(poptContext con,
 		}
 		break;
 	}
+
+	talloc_free(mem_ctx);
 }
 
 struct poptOption popt_common_connection[] = {


-- 
Samba Shared Repository


