[SCM] Samba Shared Repository - branch v4-11-test updated
Karolin Seeger
kseeger at samba.org
Tue Sep 3 11:14:53 UTC 2019
The branch, v4-11-test has been updated
via 96961348432 VERSION: Bump verison up to 4.11.0rc4...
via c1d9e02d06a VERSION: Disable GIT_SNAPSHOT for the 4.11.0rc3 release.
via f04985fe9b5 WHATSNEW: Add release notes for Samba 4.11.0rc3.
via efd6d670997 CVE-2019-10197: smbd: split change_to_user_impersonate() out of change_to_user_internal()
via a6ff560aa13 CVE-2019-10197: test_smbclient_s3.sh: add regression test for the no permission on share root problem
via 7b39df0f144 CVE-2019-10197: selftest: make fsrvp_share its own independent subdirectory
via d690f6f3c4d CVE-2019-10197: smbd: make sure we reset current_user.{need,done}_chdir in become_root()
via ae9bdef5c8a CVE-2019-10197: smbd: make sure that change_to_user_internal() always resets current_user.done_chdir
via bcfb7749869 CVE-2019-10197: smbd: separate out impersonation debug info into a new function.
from aa3ad5c451f WHATSNEW: BIND9_FLATFILE / rndc command deprecated
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-test
- Log -----------------------------------------------------------------
commit 96961348432cd1171b99ea2d8e64d4bc9d897f72
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Sep 3 13:13:47 2019 +0200
VERSION: Bump verison up to 4.11.0rc4...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit c1d9e02d06a158f637475ffeca7a6c3f2fb1d773
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Sep 3 13:12:53 2019 +0200
VERSION: Disable GIT_SNAPSHOT for the 4.11.0rc3 release.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit f04985fe9b54824fb61683c67065da2fdb8f2e1a
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Sep 3 13:12:16 2019 +0200
WHATSNEW: Add release notes for Samba 4.11.0rc3.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit efd6d670997eff81c94b1ece3814b1da2c3705cb
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 11 17:02:15 2019 +0200
CVE-2019-10197: smbd: split change_to_user_impersonate() out of change_to_user_internal()
This makes sure we always call chdir_current_service() even
when we still impersonated the user. Which is important
in order to run the SMB* request within the correct working directory
and only if the user has permissions to enter that directory.
It makes sure we always update conn->lastused_count
in chdir_current_service() for each request.
Note that vfs_ChDir() (called from chdir_current_service())
maintains its own cache and avoids calling SMB_VFS_CHDIR()
if possible.
It means we still avoid syscalls if we get a multiple requests
for the same session/tcon tuple.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit a6ff560aa134fb4fa5ceaba83d29aae0bc398f4d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 16 15:40:38 2019 +0200
CVE-2019-10197: test_smbclient_s3.sh: add regression test for the no permission on share root problem
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 7b39df0f1449024c8b9f2954a63f0b265c4269e8
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 30 17:16:59 2019 +0200
CVE-2019-10197: selftest: make fsrvp_share its own independent subdirectory
The next patch will otherwise break the fsrvp related tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit d690f6f3c4d82a5ff887df40e2a60a1828eb87eb
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 18 14:04:08 2019 +0200
CVE-2019-10197: smbd: make sure we reset current_user.{need,done}_chdir in become_root()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit ae9bdef5c8a2dea2efca6295799a42ba01c3b98d
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 11 17:01:29 2019 +0200
CVE-2019-10197: smbd: make sure that change_to_user_internal() always resets current_user.done_chdir
We should not leave current_user.done_chdir as true if we didn't call
chdir_current_service() with success.
This caused problems in when calling vfs_ChDir() in pop_conn_ctx() when
chdir_current_service() worked once on one share but later failed on another
share.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit bcfb7749869241a6a85fedca551ae6a4a4dec4fc
Author: Jeremy Allison <jra at samba.org>
Date: Fri Jul 12 12:10:35 2019 -0700
CVE-2019-10197: smbd: separate out impersonation debug info into a new function.
Will be called on elsewhere on successful impersonation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 47 ++++++++++++++++++++++-
selftest/target/Samba3.pm | 19 +++++++++-
source3/script/tests/test_smbclient_s3.sh | 30 +++++++++++++++
source3/smbd/uid.c | 62 ++++++++++++++++++++++---------
5 files changed, 138 insertions(+), 22 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 67ae2000ebf..ae98c26560f 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=3
+SAMBA_VERSION_RC_RELEASE=4
########################################################
# To mark SVN snapshots this should be set to 'yes' #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index c273117c72f..eece43fcd9e 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
Release Announcements
=====================
-This is the second release candidate of Samba 4.11. This is *not*
+This is the third release candidate of Samba 4.11. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
@@ -359,6 +359,51 @@ smb.conf changes
rndc command Deprecated
+CHANGES SINCE 4.11.0rc2
+=======================
+
+o Michael Adam <obnox at samba.org>
+ * BUG 13972: Different Device Id for GlusterFS FUSE mount is causing data
+ loss in CTDB cluster.
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape
+ from the share.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14059: ldb: Release ldb 2.0.6 (log database repack so users know what
+ is happening).
+ * BUG 14092: docs: Deprecate "rndc command" for Samba 4.11.
+
+o Tim Beale <timbeale at catalyst.net.nz>
+ * BUG 14059: ldb: Free memory when repacking database.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 14089: vfs_default: Use correct flag in vfswrap_fs_file_id.
+ * BUG 14090: vfs_glusterfs: Initialize st_ex_file_id, st_ex_itime and
+ st_ex_iflags.
+
+o Anoop C S <anoopcs at redhat.com>
+ * BUG 14093: vfs_glusterfs: Enable profiling for file system operations.
+
+o Aaron Haslett <aaronhaslett at catalyst.net.nz>
+ * BUG 14059: Backport sambadowngradedatabase for v4.11.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape
+ from the share.
+
+o Christof Schmitt <cs at samba.org>
+ * BUG 14032: vfs_gpfs: Implement special case for denying owner access to
+ ACL.
+
+o Martin Schwenke <martin at meltin.net>
+ * BUG 14084: Avoid marking a node as connected before it can receive packets.
+ * BUG 14086: Fix onnode test failure with ShellCheck >= 0.4.7.
+ * BUG 14087: ctdb-daemon: Stop "ctdb stop" from completing before freezing
+ databases.
+
+
KNOWN ISSUES
============
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 5c327cab543..9638bb44f08 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1425,6 +1425,9 @@ sub provision($$$$$$$$$)
my $ro_shrdir="$shrdir/root-tmp";
push(@dirs,$ro_shrdir);
+ my $noperm_shrdir="$shrdir/noperm-tmp";
+ push(@dirs,$noperm_shrdir);
+
my $msdfs_shrdir="$shrdir/msdfsshare";
push(@dirs,$msdfs_shrdir);
@@ -1449,6 +1452,9 @@ sub provision($$$$$$$$$)
my $widelinks_linkdir="$shrdir/widelinks_foo";
push(@dirs,$widelinks_linkdir);
+ my $fsrvp_shrdir="$shrdir/fsrvp";
+ push(@dirs,$fsrvp_shrdir);
+
my $shadow_tstdir="$shrdir/shadow";
push(@dirs,$shadow_tstdir);
my $shadow_mntdir="$shadow_tstdir/mount";
@@ -1492,6 +1498,11 @@ sub provision($$$$$$$$$)
chmod 0755, $piddir;
+ ##
+ ## Create a directory without permissions to enter
+ ##
+ chmod 0000, $noperm_shrdir;
+
##
## create ro and msdfs share layout
##
@@ -1815,6 +1826,10 @@ sub provision($$$$$$$$$)
[ro-tmp]
path = $ro_shrdir
guest ok = yes
+[noperm]
+ path = $noperm_shrdir
+ wide links = yes
+ guest ok = yes
[write-list-tmp]
path = $shrdir
read only = yes
@@ -2024,14 +2039,14 @@ sub provision($$$$$$$$$)
guest ok = yes
[fsrvp_share]
- path = $shrdir
+ path = $fsrvp_shrdir
comment = fake shapshots using rsync
vfs objects = shell_snap shadow_copy2
shell_snap:check path command = $fake_snap_pl --check
shell_snap:create command = $fake_snap_pl --create
shell_snap:delete command = $fake_snap_pl --delete
# a relative path here fails, the snapshot dir is no longer found
- shadow:snapdir = $shrdir/.snapshots
+ shadow:snapdir = $fsrvp_shrdir/.snapshots
[shadow1]
path = $shadow_shrdir
diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh
index bf033ccd2fb..0bae1d78fac 100755
--- a/source3/script/tests/test_smbclient_s3.sh
+++ b/source3/script/tests/test_smbclient_s3.sh
@@ -1329,6 +1329,32 @@ EOF
fi
}
+#
+# Regression test for CVE-2019-10197
+# we should always get ACCESS_DENIED
+#
+test_noperm_share_regression()
+{
+ cmd='$SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/noperm -I $SERVER_IP $LOCAL_ADDARGS -c "ls;ls" 2>&1'
+ eval echo "$cmd"
+ out=`eval $cmd`
+ ret=$?
+ if [ $ret -eq 0 ] ; then
+ echo "$out"
+ echo "failed accessing no perm share should not work"
+ return 1
+ fi
+
+ num=`echo "$out" | grep 'NT_STATUS_ACCESS_DENIED' | wc -l`
+ if [ "$num" -ne "2" ] ; then
+ echo "$out"
+ echo "failed num[$num] - two NT_STATUS_ACCESS_DENIED lines expected"
+ return 1
+ fi
+
+ return 0
+}
+
# Test smbclient deltree command
test_deltree()
{
@@ -1857,6 +1883,10 @@ testit "follow local symlinks" \
test_local_symlinks || \
failed=`expr $failed + 1`
+testit "noperm share regression" \
+ test_noperm_share_regression || \
+ failed=`expr $failed + 1`
+
testit "smbclient deltree command" \
test_deltree || \
failed=`expr $failed + 1`
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index a4bcb747d37..5c39baade5c 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -279,14 +279,36 @@ static bool check_user_ok(connection_struct *conn,
return(True);
}
+static void print_impersonation_info(connection_struct *conn)
+{
+ struct smb_filename *cwdfname = NULL;
+
+ if (!CHECK_DEBUGLVL(DBGLVL_INFO)) {
+ return;
+ }
+
+ cwdfname = vfs_GetWd(talloc_tos(), conn);
+ if (cwdfname == NULL) {
+ return;
+ }
+
+ DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n",
+ (int)getuid(),
+ (int)geteuid(),
+ (int)getgid(),
+ (int)getegid(),
+ cwdfname->base_name);
+ TALLOC_FREE(cwdfname);
+}
+
/****************************************************************************
Become the user of a connection number without changing the security context
stack, but modify the current_user entries.
****************************************************************************/
-static bool change_to_user_internal(connection_struct *conn,
- const struct auth_session_info *session_info,
- uint64_t vuid)
+static bool change_to_user_impersonate(connection_struct *conn,
+ const struct auth_session_info *session_info,
+ uint64_t vuid)
{
int snum;
gid_t gid;
@@ -299,7 +321,6 @@ static bool change_to_user_internal(connection_struct *conn,
if ((current_user.conn == conn) &&
(current_user.vuid == vuid) &&
- (current_user.need_chdir == conn->tcon_done) &&
(current_user.ut.uid == session_info->unix_token->uid))
{
DBG_INFO("Skipping user change - already user\n");
@@ -404,7 +425,22 @@ static bool change_to_user_internal(connection_struct *conn,
current_user.conn = conn;
current_user.vuid = vuid;
+ return true;
+}
+
+static bool change_to_user_internal(connection_struct *conn,
+ const struct auth_session_info *session_info,
+ uint64_t vuid)
+{
+ bool ok;
+
+ ok = change_to_user_impersonate(conn, session_info, vuid);
+ if (!ok) {
+ return false;
+ }
+
current_user.need_chdir = conn->tcon_done;
+ current_user.done_chdir = false;
if (current_user.need_chdir) {
ok = chdir_current_service(conn);
@@ -415,20 +451,7 @@ static bool change_to_user_internal(connection_struct *conn,
current_user.done_chdir = true;
}
- if (CHECK_DEBUGLVL(DBGLVL_INFO)) {
- struct smb_filename *cwdfname = vfs_GetWd(talloc_tos(), conn);
- if (cwdfname == NULL) {
- return false;
- }
- DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n",
- (int)getuid(),
- (int)geteuid(),
- (int)getgid(),
- (int)getegid(),
- cwdfname->base_name);
- TALLOC_FREE(cwdfname);
- }
-
+ print_impersonation_info(conn);
return true;
}
@@ -614,6 +637,9 @@ void smbd_become_root(void)
}
push_conn_ctx();
set_root_sec_ctx();
+
+ current_user.need_chdir = false;
+ current_user.done_chdir = false;
}
/* Unbecome the root user */
--
Samba Shared Repository
More information about the samba-cvs
mailing list