[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Fri Jun 11 19:29:01 UTC 2021


The branch, master has been updated
       via  0ec865d9795 Fix for https://bugzilla.samba.org/show_bug.cgi?id=9634
      from  4f20d310af2 s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0ec865d979540a63362a2014358c8bb27efc0081
Author: Julien ROPÉ <jrope at linagora.com>
Date:   Fri Nov 23 15:56:59 2018 +0100

    Fix for https://bugzilla.samba.org/show_bug.cgi?id=9634
    
    Add an option to smb.conf to list authorized zone transfer clients.
    Implement restriction in dlz_bind9 module to allow transfers only to selected IPs.
    Deny zone transfer by default in dlz_bind9.
    
    Adds a test for the restriction on DNS zone transfer clients.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9634
    
    Signed-off-by: Julien ROPÉ <jrope at linagora.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Fri Jun 11 19:28:10 UTC 2021 on sn-devel-184

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                       |  9 +++
 .../domain/dnszonetransferclientsallow.xml         | 26 ++++++++
 .../domain/dnszonetransferclientsdeny.xml          | 26 ++++++++
 source4/dns_server/dlz_bind9.c                     | 55 ++++++++++++++++-
 source4/torture/dns/dlz_bind9.c                    | 71 ++++++++++++++++++++++
 5 files changed, 185 insertions(+), 2 deletions(-)
 create mode 100644 docs-xml/smbdotconf/domain/dnszonetransferclientsallow.xml
 create mode 100644 docs-xml/smbdotconf/domain/dnszonetransferclientsdeny.xml


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 1e407da422e..b28722c6f92 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -36,6 +36,15 @@ See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
 
 NEW FEATURES/CHANGES
 ====================
+- bind DLZ: Added the ability to set allow/deny lists for zone
+  transfer clients.
+  Up to now, any client could use a DNS zone transfer request
+  to the bind server, and get an answer from Samba.
+  Now the default behaviour will be to deny those request.
+  Two new options have been added to manage the list of
+  authorized/denied clients for zone transfer requests.
+  In order to be accepted, the request must be issued by a client
+  that is in the allow list and NOT in the deny list.
 
 
 
diff --git a/docs-xml/smbdotconf/domain/dnszonetransferclientsallow.xml b/docs-xml/smbdotconf/domain/dnszonetransferclientsallow.xml
new file mode 100644
index 00000000000..902b6082379
--- /dev/null
+++ b/docs-xml/smbdotconf/domain/dnszonetransferclientsallow.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="dns zone transfer clients allow"
+                 context="G"
+                 type="cmdlist"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option specifies the list IPs authorized to ask for dns zone
+	    transfer from bind DLZ module.
+	</para>
+
+	<para>The IP list is comma and space separated and specified in the same
+	    syntax as used in <smbconfoption name="hosts allow"/>, specifically
+	    including IP address, IP prefixes and IP address masks.
+	</para>
+
+	<para>As this is a DNS server option, hostnames are naturally not permitted.
+	</para>
+
+	<para>The default behaviour is to deny any request.
+              A request will be authorized only if the emitting client is identified
+              in this list, and not in <smbconfoption name="dns zone transfer clients deny"/>
+	</para>
+</description>
+
+<value type="default"></value>
+<value type="example">192.168.0.1</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/domain/dnszonetransferclientsdeny.xml b/docs-xml/smbdotconf/domain/dnszonetransferclientsdeny.xml
new file mode 100644
index 00000000000..f88b15bf1ca
--- /dev/null
+++ b/docs-xml/smbdotconf/domain/dnszonetransferclientsdeny.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="dns zone transfer clients deny"
+                 context="G"
+                 type="cmdlist"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option specifies the list IPs denied to ask for dns zone
+	    transfer from bind DLZ module.
+	</para>
+
+	<para>The IP list is comma and space separated and specified in the same
+	    syntax as used in <smbconfoption name="hosts allow"/>, specifically
+	    including IP address, IP prefixes and IP address masks.
+	</para>
+
+	<para>As this is a DNS server option, hostnames are naturally not permitted.
+	</para>
+
+	<para>If a client identified in this list sends a zone transfer request, it will always
+              be denied, even if they are in <smbconfoption name="dns zone transfer clients allow"/>.
+	      This allows the definition of sepcific denied clients within an authorized subnet.
+	</para>
+</description>
+
+<value type="default"></value>
+<value type="example">192.168.0.1</value>
+</samba:parameter>
diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c
index 78f69a4d635..a9946041206 100644
--- a/source4/dns_server/dlz_bind9.c
+++ b/source4/dns_server/dlz_bind9.c
@@ -40,6 +40,7 @@
 #include "dlz_minimal.h"
 #include "dnsserver_common.h"
 #include "lib/util/smb_strtox.h"
+#include "lib/util/access.h"
 
 #undef strcasecmp
 
@@ -1085,10 +1086,60 @@ _PUBLIC_ isc_result_t dlz_lookup(const char *zone, const char *name,
  */
 _PUBLIC_ isc_result_t dlz_allowzonexfr(void *dbdata, const char *name, const char *client)
 {
-	/* just say yes for all our zones for now */
 	struct dlz_bind9_data *state = talloc_get_type(
 		dbdata, struct dlz_bind9_data);
-	return b9_find_zone_dn(state, name, NULL, NULL);
+	isc_result_t ret;
+	const char **authorized_clients, **denied_clients;
+	const char *cname="";
+
+	/* check that the zone is known */
+	ret = b9_find_zone_dn(state, name, NULL, NULL);
+	if (ret != ISC_R_SUCCESS) {
+		return ret;
+	}
+
+	/* default is to deny all transfers */
+
+	authorized_clients = lpcfg_dns_zone_transfer_clients_allow(state->lp);
+	denied_clients = lpcfg_dns_zone_transfer_clients_deny(state->lp);
+
+	/* The logic of allow_access() when both allow and deny lists are given
+	 * does not match our expectation here: it would allow clients thar are
+	 * neither allowed nor denied.
+	 * Here, we want to deny clients by default.
+	 * Using the allow_access() function is still useful as it takes care of
+	 * parsing IP adresses and subnets in a consistent way with other options
+	 * from smb.conf.
+	 *
+	 * We will then check the deny list first, then the allow list, so that
+	 * we accept only clients that are explicitely allowed AND not explicitely
+	 * denied.
+	 */
+	if ((authorized_clients == NULL) && (denied_clients == NULL)) {
+		/* No "allow" or "deny" lists given. Deny by default. */
+		return ISC_R_NOPERM;
+	}
+
+	if (denied_clients != NULL) {
+		bool ok = allow_access(denied_clients, NULL, cname, client);
+		if (!ok) {
+			/* client on deny list. Deny. */
+			return ISC_R_NOPERM;
+		}
+	}
+
+	if (authorized_clients != NULL) {
+		bool ok = allow_access(NULL, authorized_clients, cname, client);
+		if (ok) {
+			/*
+			 * client is not on deny list and is on allow list.
+			 * This is the only place we should return "allow".
+			 */
+			return ISC_R_SUCCESS;
+		}
+	}
+	/* We shouldn't get here, but deny by default. */
+	return ISC_R_NOPERM;
 }
 
 /*
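Review bot: The allow-list check at `allow_access(NULL, authorized_clients, cname, client)` does not restrict loopback: as far as I recall, allow_access() in lib/util/access.c returns true for a caddr of "127.0.0.1" unless that address is explicitly on the deny list, so once either list is configured a transfer request from 127.0.0.1 is accepted even when the allow list does not name it, and the new torture test does not notice because it puts 127.0.0.1 on its allow list. If the intent is "only explicitly listed clients", match the client against authorized_clients directly rather than through allow_access(), or document the loopback exemption in dnszonetransferclientsallow.xml. Related, the allow step should treat an empty list like a missing one so the default stays deny if the getter can ever return a non-NULL empty array: `if (authorized_clients != NULL && authorized_clients[0] != NULL) {`. The closing comment is also misleading, since this path is reached whenever the client is simply not on the allow list or only a deny list is configured; `/* Not on the allow list (or no allow list configured): deny. */` says what actually happens.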
diff --git a/source4/torture/dns/dlz_bind9.c b/source4/torture/dns/dlz_bind9.c
index 1e1f1e8bef9..9ec2702dc1d 100644
--- a/source4/torture/dns/dlz_bind9.c
+++ b/source4/torture/dns/dlz_bind9.c
@@ -1200,6 +1200,76 @@ cancel_version:
 	return ret;
 }
 
+/*
+ * Test zone transfer requests restrictions
+ *
+ * 1: test that zone transfer is denied by default
+ * 2: with an authorized list of IPs set in smb.conf, test that zone transfer
+ *    is accepted only for selected IPs.
+ */
+static bool test_dlz_bind9_allowzonexfr(struct torture_context *tctx)
+{
+	void *dbdata;
+	const char *argv[] = {
+		"samba_dlz",
+		"-H",
+		test_dlz_bind9_binddns_dir(tctx, "dns/sam.ldb"),
+		NULL
+	};
+	isc_result_t ret;
+	dns_dlzdb_t *dlzdb = NULL;
+	bool ok;
+
+	tctx_static = tctx;
+	torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, argv, &dbdata,
+						  "log", dlz_bind9_log_wrapper,
+						  "writeable_zone", dlz_bind9_writeable_zone_hook,
+						  "putrr", dlz_bind9_putrr_hook,
+						  "putnamedrr", dlz_bind9_putnamedrr_hook,
+						  NULL),
+				 ISC_R_SUCCESS,
+				 "Failed to create samba_dlz");
+
+	torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dlzdb, dbdata),
+						     ISC_R_SUCCESS,
+				             "Failed to configure samba_dlz");
+
+    /* Ask for zone transfer with no specific config => expect denied */
+    ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "127.0.0.1");
+    torture_assert_int_equal(tctx, ret, ISC_R_NOPERM,
+                            "Zone transfer accepted with default settings");
+
+    /* Ask for zone transfer with authorizations set */
+    ok = lpcfg_set_option(tctx->lp_ctx, "dns zone transfer clients allow=127.0.0.1,1234:5678::1,192.168.0.");
+    torture_assert(tctx, ok, "Failed to set dns zone transfer clients allow option.");
+
+    ok = lpcfg_set_option(tctx->lp_ctx, "dns zone transfer clients deny=192.168.0.2");
+    torture_assert(tctx, ok, "Failed to set dns zone transfer clients deny option.");
+
+    ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "127.0.0.1");
+    torture_assert_int_equal(tctx, ret, ISC_R_SUCCESS,
+                            "Zone transfer refused for authorized IPv4 address");
+
+    ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "1234:5678::1");
+    torture_assert_int_equal(tctx, ret, ISC_R_SUCCESS,
+                             "Zone transfer refused for authorized IPv6 address.");
+
+    ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "10.0.0.1");
+    torture_assert_int_equal(tctx, ret, ISC_R_NOPERM,
+                            "Zone transfer accepted for unauthorized IP");
+
+    ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "192.168.0.1");
+    torture_assert_int_equal(tctx, ret, ISC_R_SUCCESS,
+                             "Zone transfer refused for address in authorized IPv4 subnet.");
+
+    ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "192.168.0.2");
+    torture_assert_int_equal(tctx, ret, ISC_R_NOPERM,
+                            "Zone transfer allowed for denied client.");
+
+    dlz_destroy(dbdata);
+    return true;
+}
+
 static struct torture_suite *dlz_bind9_suite(TALLOC_CTX *ctx)
 {
 	struct torture_suite *suite = torture_suite_create(ctx, "dlz_bind9");
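Review bot: Indentation in test_dlz_bind9_allowzonexfr switches from tabs (the declarations and the dlz_create/dlz_configure calls) to four spaces from the first dlz_allowzonexfr call onward, which does not match the rest of this file; the new lines should use tabs like the surrounding tests. The cases covered also leave the default-deny claim partly untested: there is no check for a deny-only configuration and no check that a loopback client absent from the allow list is refused, both of which go through allow_access() special cases inside dlz_allowzonexfr. The options set via lpcfg_set_option() on tctx->lp_ctx are not reset before returning, so they presumably remain in effect for any test added after this one in the suite; resetting them, or stating this in the header comment, would keep later tests independent. dlz_bind9_suite continues outside the hunk.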
@@ -1221,6 +1291,7 @@ static struct torture_suite *dlz_bind9_suite(TALLOC_CTX *ctx)
 	torture_suite_add_simple_test(suite, "lookup", test_dlz_bind9_lookup);
 	torture_suite_add_simple_test(suite, "zonedump", test_dlz_bind9_zonedump);
 	torture_suite_add_simple_test(suite, "update01", test_dlz_bind9_update01);
+	torture_suite_add_simple_test(suite, "allowzonexfr", test_dlz_bind9_allowzonexfr);
 	return suite;
 }
 

