[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Thu Jun 9 22:41:01 UTC 2022
The branch, master has been updated
via ef1d04762af s3:smbd: Free allocated strings before leaving user_in_netgroup() function
via b3034f1209a Revert "lib:util: Remove NIS support from string_match()"
via 21796ef8f80 Revert "s3:smbd: Remove NIS support"
via f74e284a9d7 Revert "docs-xml: Update documentation for removal of NIS support"
via dbf3d217e34 Revert "s3:auth: Fix user_in_list() for UNIX groups"
from 174a76cc27f s3:smbd: Out-by-4 error in smbd read reply max_send clamp
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit ef1d04762afb6dd54ffb01020b7bf3236c86be0f
Author: Samuel Cabrero <scabrero at suse.de>
Date: Tue Jun 7 11:06:04 2022 +0200
s3:smbd: Free allocated strings before leaving user_in_netgroup() function
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Jun 9 22:40:43 UTC 2022 on sn-devel-184
commit b3034f1209a6c45873882415c4291dde7eee76db
Author: Samuel Cabrero <scabrero at samba.org>
Date: Fri Jun 3 17:48:21 2022 +0200
Revert "lib:util: Remove NIS support from string_match()"
This partly reverts commit 620de975f147ac9427b51ea0e1e3eabda443d4b6.
Drop chunk including system/nis.h, drop wscript_build modifications,
use getdomainname() from glibc instead of yp_get_default_domain() from
libnsl.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15087
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 21796ef8f807d88e01627dc993b757e251788980
Author: Samuel Cabrero <scabrero at samba.org>
Date: Fri Jun 3 15:07:18 2022 +0200
Revert "s3:smbd: Remove NIS support"
This partly reverts commit edda7a329e5bed442418de9782cec9f567092aae.
Revert the chunks related to netgroups and skip NIS support related ones.
Use getdomainname() from glibc instead of yp_get_default_domain() from
libnsl to get the NIS domain name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15087
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit f74e284a9d7fa8dc45f22b70dcea27f1aa8bd232
Author: Samuel Cabrero <scabrero at samba.org>
Date: Fri Jun 3 14:12:01 2022 +0200
Revert "docs-xml: Update documentation for removal of NIS support"
This partly reverts commit a72bc3e15d3ed62e9ad2c0a97ce5d6d653abb048.
Revert only the chunks related to netgroups and skip NIS related ones.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15087
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit dbf3d217e3424fae64d9bd00e4762dc4d2bda6c2
Author: Samuel Cabrero <scabrero at samba.org>
Date: Fri Jun 3 14:01:36 2022 +0200
Revert "s3:auth: Fix user_in_list() for UNIX groups"
This partly reverts commit 6dc463d3e2eb229df1c4f620cfcaf22ac71738d4.
Reverted to allow next revert commits to apply cleanly. Do not recreate
selftest/knownfail.d/usernamemap file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15087
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/smbdotconf/security/hostsallow.xml | 7 ++
docs-xml/smbdotconf/security/invalidusers.xml | 15 ++-
docs-xml/smbdotconf/security/usernamemap.xml | 5 +
docs-xml/smbdotconf/security/validusers.xml | 7 +-
docs-xml/smbdotconf/winbind/winbindseparator.xml | 4 +-
lib/util/access.c | 56 +++++++++
selftest/target/Samba3.pm | 4 +
source3/auth/user_util.c | 142 +++++++++++++++++++----
source3/script/tests/test_smbclient_s3.sh | 13 +++
source3/smbd/share_access.c | 21 ++--
source3/wscript | 4 +
11 files changed, 242 insertions(+), 36 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/security/hostsallow.xml b/docs-xml/smbdotconf/security/hostsallow.xml
index a052e7f79cd..8b4b62268a3 100644
--- a/docs-xml/smbdotconf/security/hostsallow.xml
+++ b/docs-xml/smbdotconf/security/hostsallow.xml
@@ -41,6 +41,13 @@
<para><command moreinfo="none">hosts allow = lapland, arvidsjaur</command></para>
+ <para>Example 4: allow only hosts in NIS netgroup "foonet", but
+ deny access from one particular host</para>
+
+ <para><command moreinfo="none">hosts allow = @foonet</command></para>
+
+ <para><command moreinfo="none">hosts deny = pirate</command></para>
+
<note><para>Note that access still requires suitable user-level passwords.</para></note>
<para>See <citerefentry><refentrytitle>testparm</refentrytitle>
diff --git a/docs-xml/smbdotconf/security/invalidusers.xml b/docs-xml/smbdotconf/security/invalidusers.xml
index 268cdfad560..b2fb2b9d293 100644
--- a/docs-xml/smbdotconf/security/invalidusers.xml
+++ b/docs-xml/smbdotconf/security/invalidusers.xml
@@ -7,8 +7,21 @@
to login to this service. This is really a <emphasis>paranoid</emphasis>
check to absolutely ensure an improper setting does not breach
your security.</para>
+
+ <para>A name starting with a '@' is interpreted as an NIS
+ netgroup first (if your system supports NIS), and then as a UNIX
+ group if the name was not found in the NIS netgroup database.</para>
- <para>A name starting with a '@' is interpreted UNIX group.</para>
+ <para>A name starting with '+' is interpreted only
+ by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with
+ '&' is interpreted only by looking in the NIS netgroup database
+ (this requires NIS to be working on your system). The characters
+ '+' and '&' may be used at the start of the name in either order
+ so the value <parameter moreinfo="none">+&group</parameter> means check the
+ UNIX group database, followed by the NIS netgroup database, and
+ the value <parameter moreinfo="none">&+group</parameter> means check the NIS
+ netgroup database, followed by the UNIX group database (the
+ same as the '@' prefix).</para>
<para>The current servicename is substituted for <parameter moreinfo="none">%S</parameter>.
This is useful in the [homes] section.</para>
diff --git a/docs-xml/smbdotconf/security/usernamemap.xml b/docs-xml/smbdotconf/security/usernamemap.xml
index eab72bb8672..809a54c1e2f 100644
--- a/docs-xml/smbdotconf/security/usernamemap.xml
+++ b/docs-xml/smbdotconf/security/usernamemap.xml
@@ -58,6 +58,11 @@
</para>
+ <para>
+ If your system supports the NIS NETGROUP option then the netgroup database is checked before the <filename
+ moreinfo="none">/etc/group </filename> database for matching groups.
+ </para>
+
<para>
You can map Windows usernames that have spaces in them by using double quotes around the name. For example:
<programlisting>
diff --git a/docs-xml/smbdotconf/security/validusers.xml b/docs-xml/smbdotconf/security/validusers.xml
index 6b0bacfd78a..0b681a1fef5 100644
--- a/docs-xml/smbdotconf/security/validusers.xml
+++ b/docs-xml/smbdotconf/security/validusers.xml
@@ -4,10 +4,9 @@
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
- This is a list of users that should be allowed to login to this service.
- Names starting with an '@' are interpreted using the same rules as
- described in the
- <parameter moreinfo="none">invalid users</parameter> parameter.
+ This is a list of users that should be allowed to login to this service. Names starting with
+ '@', '+' and '&' are interpreted using the same rules as described in the
+ <parameter moreinfo="none">invalid users</parameter> parameter.
</para>
<para>
diff --git a/docs-xml/smbdotconf/winbind/winbindseparator.xml b/docs-xml/smbdotconf/winbind/winbindseparator.xml
index 9be46109cd6..eda14f4e03a 100644
--- a/docs-xml/smbdotconf/winbind/winbindseparator.xml
+++ b/docs-xml/smbdotconf/winbind/winbindseparator.xml
@@ -10,9 +10,9 @@
and <filename moreinfo="none">nss_winbind.so</filename> modules for UNIX services.
</para>
- <para>Please note that setting this parameter to + can cause problems
+ <para>Please note that setting this parameter to + causes problems
with group membership at least on glibc systems, as the character +
- was used as a special character for NIS in /etc/group.</para>
+ is used as a special character for NIS in /etc/group.</para>
</description>
<value type="default">\</value>
diff --git a/lib/util/access.c b/lib/util/access.c
index 5b53894b2ce..b1b4bffaeaa 100644
--- a/lib/util/access.c
+++ b/lib/util/access.c
@@ -114,6 +114,62 @@ static bool string_match(const char *tok,const char *s)
&& strequal_m(tok, s + str_len - tok_len)) {
return true;
}
+ } else if (tok[0] == '@') { /* netgroup: look it up */
+#ifdef HAVE_NETGROUP
+ DATA_BLOB tmp;
+ char *mydomain = NULL;
+ char *hostname = NULL;
+ bool netgroup_ok = false;
+ char nis_domain_buf[256];
+
+ if (memcache_lookup(
+ NULL, SINGLETON_CACHE,
+ data_blob_string_const_null("yp_default_domain"),
+ &tmp)) {
+
+ SMB_ASSERT(tmp.length > 0);
+ mydomain = (tmp.data[0] == '\0')
+ ? NULL : (char *)tmp.data;
+ } else {
+ if (getdomainname(nis_domain_buf,
+ sizeof(nis_domain_buf)) == 0) {
+ mydomain = &nis_domain_buf[0];
+ memcache_add(NULL,
+ SINGLETON_CACHE,
+ data_blob_string_const_null(
+ "yp_default_domain"),
+ data_blob_string_const_null(
+ mydomain));
+ } else {
+ mydomain = NULL;
+ }
+ }
+
+ if (!mydomain) {
+ DEBUG(0,("Unable to get default yp domain. "
+ "Try without it.\n"));
+ }
+ if (!(hostname = smb_xstrdup(s))) {
+ DEBUG(1,("out of memory for strdup!\n"));
+ return false;
+ }
+
+ netgroup_ok = innetgr(tok + 1, hostname, (char *) 0, mydomain);
+
+ DBG_INFO("%s %s of domain %s in netgroup %s\n",
+ netgroup_ok ? "Found" : "Could not find",
+ hostname,
+ mydomain?mydomain:"(ANY)",
+ tok+1);
+
+ SAFE_FREE(hostname);
+
+ if (netgroup_ok)
+ return true;
+#else
+ DEBUG(0,("access: netgroup support is not configured\n"));
+ return false;
+#endif
} else if (strequal_m(tok, "ALL")) { /* all: match any */
return true;
} else if (strequal_m(tok, "FAIL")) { /* fail: match any */
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 042fe10470f..8c3e840eded 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -751,6 +751,10 @@ sub provision_ad_member
path = $share_dir
valid users = \"+$dcvars->{DOMAIN}/domain users\"
+[valid_users_nis_group]
+ path = $share_dir
+ valid users = \"&$dcvars->{DOMAIN}/domain users\"
+
[valid_users_unix_nis_group]
path = $share_dir
valid users = \"+&$dcvars->{DOMAIN}/domain users\"
diff --git a/source3/auth/user_util.c b/source3/auth/user_util.c
index aa765c2a692..805f3ada231 100644
--- a/source3/auth/user_util.c
+++ b/source3/auth/user_util.c
@@ -129,46 +129,144 @@ static void store_map_in_gencache(TALLOC_CTX *ctx, const char *from, const char
}
/****************************************************************************
- Check if a user is in a user list
+ Check if a user is in a netgroup user list. If at first we don't succeed,
+ try lower case.
+****************************************************************************/
+
+bool user_in_netgroup(TALLOC_CTX *ctx, const char *user, const char *ngname)
+{
+#ifdef HAVE_NETGROUP
+ char nis_domain_buf[256];
+ const char *nis_domain = NULL;
+ char *lowercase_user = NULL;
+
+ if (getdomainname(nis_domain_buf, sizeof(nis_domain_buf)) == 0) {
+ nis_domain = &nis_domain_buf[0];
+ } else {
+ DEBUG(5,("Unable to get default yp domain, "
+ "let's try without specifying it\n"));
+ nis_domain = NULL;
+ }
+
+ DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
+ user, nis_domain ? nis_domain : "(ANY)", ngname));
+
+ if (innetgr(ngname, NULL, user, nis_domain)) {
+ DEBUG(5,("user_in_netgroup: Found\n"));
+ return true;
+ }
+
+ /*
+ * Ok, innetgr is case sensitive. Try once more with lowercase
+ * just in case. Attempt to fix #703. JRA.
+ */
+ lowercase_user = talloc_strdup(ctx, user);
+ if (!lowercase_user) {
+ return false;
+ }
+ if (!strlower_m(lowercase_user)) {
+ TALLOC_FREE(lowercase_user);
+ return false;
+ }
+
+ if (strcmp(user,lowercase_user) == 0) {
+ /* user name was already lower case! */
+ TALLOC_FREE(lowercase_user);
+ return false;
+ }
- We removed NIS support in 2021, but need to keep configs working.
+ DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
+ lowercase_user, nis_domain ? nis_domain : "(ANY)", ngname));
- TOOD FIXME: Remove this funciton
+ if (innetgr(ngname, NULL, lowercase_user, nis_domain)) {
+ DEBUG(5,("user_in_netgroup: Found\n"));
+ TALLOC_FREE(lowercase_user);
+ return true;
+ }
+#endif /* HAVE_NETGROUP */
+ return false;
+}
+
+/****************************************************************************
+ Check if a user is in a user list - can check combinations of UNIX
+ and netgroup lists.
****************************************************************************/
bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list)
{
+ if (!list || !*list)
+ return False;
- if (list == NULL || *list == NULL) {
- return false;
- }
+ DEBUG(10,("user_in_list: checking user %s in list\n", user));
while (*list) {
- const char *p = *list;
- bool check_unix_group = false;
- DBG_DEBUG("Checking user '%s' in list '%s'.\n", user, *list);
+ DEBUG(10,("user_in_list: checking user |%s| against |%s|\n",
+ user, *list));
+
+ /*
+ * Check raw username.
+ */
+ if (strequal(user, *list))
+ return(True);
+
+ /*
+ * Now check to see if any combination
+ * of UNIX and netgroups has been specified.
+ */
+
+ if(**list == '@') {
+ /*
+ * Old behaviour. Check netgroup list
+ * followed by UNIX list.
+ */
+ if(user_in_netgroup(ctx, user, *list +1))
+ return True;
+ if(user_in_group(user, *list +1))
+ return True;
+ } else if (**list == '+') {
- /* Check raw username */
- if (strequal(user, p)) {
- return true;
- }
+ if((*(*list +1)) == '&') {
+ /*
+ * Search UNIX list followed by netgroup.
+ */
+ if(user_in_group(user, *list +2))
+ return True;
+ if(user_in_netgroup(ctx, user, *list +2))
+ return True;
+
+ } else {
+
+ /*
+ * Just search UNIX list.
+ */
- while (*p == '@' || *p == '&' || *p == '+') {
- if (*p == '@' || *p == '+') {
- check_unix_group = true;
+ if(user_in_group(user, *list +1))
+ return True;
}
- p++;
- }
- if (check_unix_group && user_in_group(user, p)) {
- return true;
+ } else if (**list == '&') {
+
+ if(*(*list +1) == '+') {
+ /*
+ * Search netgroup list followed by UNIX list.
+ */
+ if(user_in_netgroup(ctx, user, *list +2))
+ return True;
+ if(user_in_group(user, *list +2))
+ return True;
+ } else {
+ /*
+ * Just search netgroup list.
+ */
+ if(user_in_netgroup(ctx, user, *list +1))
+ return True;
+ }
}
list++;
}
-
- return false;
+ return(False);
}
bool map_username(TALLOC_CTX *ctx, const char *user_in, char **p_user_out)
diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh
index fc608bdfc9b..c23f8deecb8 100755
--- a/source3/script/tests/test_smbclient_s3.sh
+++ b/source3/script/tests/test_smbclient_s3.sh
@@ -1965,6 +1965,19 @@ EOF
return 1
fi
+ # User not in NIS group in "valid users" can't login to service
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_nis_group $ADDARGS < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=`eval $cmd`
+ echo "$out" | grep 'NT_STATUS_ACCESS_DENIED'
+ ret=$?
+
+ if [ $ret -ne 0 ] ; then
+ echo "$out"
+ echo "test_valid_users:valid_users_nis_group 'User not in NIS group in 'valid users' can't login to service' failed - $ret"
+ return 1
+ fi
+
# Check user in UNIX, then in NIS group in "valid users" can login to service
cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$DC_USERNAME%$DC_PASSWORD //$SERVER/valid_users_unix_nis_group $ADDARGS < $tmpfile 2>&1'
eval echo "$cmd"
diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c
index c44c4bd8c69..45928144693 100644
--- a/source3/smbd/share_access.c
+++ b/source3/smbd/share_access.c
@@ -26,21 +26,23 @@
#include "source3/lib/substitute.h"
/*
- * We dropped NIS support in 2021, but need to keep configs working.
- *
- * TODO FIXME: Remove me in future
+ * No prefix means direct username
+ * @name means netgroup first, then unix group
+ * &name means netgroup
+ * +name means unix group
+ * + and & may be combined
*/
static bool do_group_checks(const char **name, const char **pattern)
{
if ((*name)[0] == '@') {
- *pattern = "+";
+ *pattern = "&+";
*name += 1;
return True;
}
if (((*name)[0] == '+') && ((*name)[1] == '&')) {
- *pattern = "+";
+ *pattern = "+&";
*name += 2;
return True;
}
@@ -52,13 +54,13 @@ static bool do_group_checks(const char **name, const char **pattern)
}
if (((*name)[0] == '&') && ((*name)[1] == '+')) {
- *pattern = "+";
+ *pattern = "&+";
*name += 2;
return True;
}
if ((*name)[0] == '&') {
- *pattern = "+";
+ *pattern = "&";
*name += 1;
return True;
}
@@ -146,6 +148,11 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx,
continue;
}
if (*prefix == '&') {
+ if (username) {
+ if (user_in_netgroup(mem_ctx, username, name)) {
+ return True;
+ }
+ }
continue;
}
smb_panic("got invalid prefix from do_groups_check");
diff --git a/source3/wscript b/source3/wscript
index 412f315c662..2121b8b6510 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -139,6 +139,7 @@ def configure(conf):
conf.CHECK_FUNCS('lutimes utimensat futimens')
conf.CHECK_FUNCS('mlock munlock mlockall munlockall')
conf.CHECK_FUNCS('memalign posix_memalign hstrerror')
+ conf.CHECK_FUNCS('getdomainname')
conf.CHECK_FUNCS_IN('dn_expand _dn_expand __dn_expand', 'resolv')
conf.CHECK_FUNCS_IN('dn_expand', 'inet')
conf.CHECK_DECLS('readahead', reverse=True, headers='fcntl.h')
@@ -613,6 +614,9 @@ msg.msg_accrightslen = sizeof(fd);
headers='unistd.h sys/types.h dirent.h',
define='HAVE_DIRENT_D_OFF')
+ if (conf.CONFIG_SET('HAVE_GETDOMAINNAME')):
+ conf.DEFINE('HAVE_NETGROUP', '1')
+
# Look for CUPS
if Options.options.with_cups:
conf.find_program('cups-config', var='CUPS_CONFIG')
--
Samba Shared Repository
More information about the samba-cvs
mailing list