| Commit message | Author | Age | Files | Lines |
| |
Summary:
Specially crafted SMB requests on
authenticated SMB connections can send smbd
into a 100% CPU loop, causing a DoS on the
Samba server.
(cherry picked from commit e2dff319a6d5c0c54acdba3d4fec05477ca60f11)
| |
===========================================================
== Subject: Misconfigured /etc/passwd file may share folders unexpectedly
==
== CVE ID#: CVE-2009-2813
==
== Versions: All versions of Samba later than 3.0.11
==
== Summary: If a user in /etc/passwd is misconfigured to have
== an empty home directory then connecting to the home
== share of this user will use the root of the filesystem
== as the home directory.
===========================================================
(cherry picked from commit 6fd272875d27c6974a194d0cb2cde39a98ca4af2)
| |
When running mount.cifs with the --verbose option, it'll print out the
option string that it passes to the kernel...including the mount
password if there is one. Print a placeholder string instead to help
ensure that this info can't be used for nefarious purposes.
Also, the --verbose option printed the option string before it was
completely assembled anyway. This patch should also make sure that
the complete option string is printed out.
Finally, strndup passwords passed in on the command line to ensure that
they aren't shown by --verbose as well. Passwords used this way can
never be truly kept private from other users on the machine of course,
but it's simple enough to do it this way for completeness' sake.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
Part 2/2 of a fix for CVE-2009-2948.
(cherry picked from commit acfc9978afbde87dde3b70daccdbfd7e0a1d52e4)
| |
It's possible for an unprivileged user to pass a setuid mount.cifs a
credential or password file to which he does not have access. This can cause
mount.cifs to open the file on his behalf and possibly leak the info in the
first few lines of the file.
Check the access permissions of the file before opening it.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
Part 1/2 of a fix for CVE-2009-2948.
(cherry picked from commit b656deb5d7e97176c32b61b7659258846db16887)
| |
Karolin
(cherry picked from commit ab4af60c8311b0f60f18390b670f01e1296c5141)
| |
samu_set_unix() does not use the rid allocator, but forces to use the
algorithmic allocator unconditionally, this is wrong and inconsistent.
Use samu_alloc_rid_unix() instead.
(If we create a new user we should do it in a way consistent with all
other commands like pdbedit -a and net rpc user add.)
(cherry picked from commit e1d4db8f55b25c7e9c408cb334fb89ccfd4c6565)
Signed-off-by: Michael Adam <obnox@samba.org>
This fixes bug #6628.
| |
metze
(similar to commit 1e1445bc7672b17a1d689fa0f0732b05b6e04da5)
Fixes bug #6627.
| |
With the previous code, the cache can never have been hit at all.
Michael
| |
This fixes a crash bug hit when multiple mappings were found by
the ldap search. This crash was caused by an ldap assertion
in ldap_next_entry because was set to NULL in each iteration.
The corresponding fix was applied to the idmap_ldap_sids_to_unixids()
by Jerry in 2007 (b066668b74768d9ed547f16bf7b6ba6aea5df20a).
This fixes the crash part of bug #6387.
There is a logic part, too:
The problem currently only occurs when multiple mappings are found
for one given unixid. Now winbindd does not crash any more but
it does not correctly handle this situation. It just returns the
last mapping from the ldap search results.
This needs fixing.
Michael
(cherry picked from commit e9010fa366746ec1ae948dbcf3493d446e23b14c)
Signed-off-by: Michael Adam <obnox@samba.org>
| |
Karolin
| |
Karolin
(cherry picked from commit 54dffbea663ecf4542d6c5e30da6e346d5d60424)
(cherry picked from commit 2538df1ea3229ea6d8242b5ae6fdd3d453395609)
| |
to what we're giving Everyone. Jeremy.
Fixes bug #6504.
(cherry picked from commit 4e854cb52cfb4f3c25c92324c6e7505f1c8290b3)
| |
lookupname failed, cannot find domain when attempt
to change password.
This addresses bug #6560.
Signed-off-by: Bo Yang <boyang@samba.org>
| |
metze
(cherry picked from commit a14efbadd53ac9678d75e6029f947d63cfa0c4e5)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This addresses bug #6526.
| |
E.g. last mod time is not preserved when "unix extensions=yes" are set - and u
Cancel out any pending "sticky" writes or "last write" changes when
doing a UNIX info level set.
Jeremy.
(cherry picked from commit 5b03af33ad45368bea7cf6cabc91f62e2503de99)
| |
stopped working when "modify properties" permissions were not granted (meaning you had to be allowed to disable the account that you were about to delete).
Libnetapi should not delete machine accounts, as this does not
happen on win32. The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag
really means "disable" (both in practice and docs).
However, to keep the functionality in "net ads leave", we
will still try to do the delete. If this fails, we try
to do the disable.
Additionally, it is possible in windows to not disable or
delete the account, but just tell the local machine that it
is no longer in the account. libnet can now do this as well.
Don't use ads realm name for non-ads case. #6481
Also check that the connection to ads worked.
| |
Guenther
| |
Karolin
(cherry picked from commit 0239c6555dbf515935fed7b958cfcce24810f07f)
| |
This is the part of checkin cfee2025 that is relevant to this bug.
(cherry picked from commit 91ea0d3fa11fc209dc653dd09dfab6244fb80f0d)
| |
This addresses bug #6498.
(cherry picked from commit a702dea5a86f22e0b7857b67447152a06b3bbea2)
(cherry picked from commit aa769edfcef6937927201f765509c10b60764817)
| |
be retrieved.
Guenther
| |
uninitialized variable.
(cherry picked from commit f92195e3a1baaddda47a5d496f9488c8445b41ad)
| |
commit 1a0005e1c508cf3b170d1c7e43b94a47b2820506)
(cherry picked from commit 133cdb46be154eeceb080fa9db88a38d9f87c919)
| |
a NULL sid_array since 3.2.0.
Found by torture test.
This makes it possible to search for users while adding them to groups via
windows usermanager.
Fixes bug #6484.
Guenther
(cherry picked from commit 0cfe59f1b580371f445b50151ceae5aef02bf0c4)
| |
We weren't reaping children in the [x]inetd case.
Jeremy.
(cherry picked from commit 7e51314f2e18241876b049642fcb133df7e44c70)
| |
to smbd/trans2.c opens up SETFILEINFO calls to POSIX_OPEN only. The change to first smbd/open.c closes 2 holes that would have been exposed by allowing POSIX_OPENS on readonly shares, and their ability to set arbitrary flags permutations. The O_CREAT -> O_CREAT|O_EXCL change removes an illegal combination (O_EXCL without O_CREAT) that previously was being passed down to the open syscall. Jeremy.
(cherry picked from commit 79f26472b4ae561ec00c30f31dd63ccab6dfc0c4)
| |
Thanks to Herb Lewis <hlewis [at] panasas.com> for noticing!
Was commit 095f66b0 in master.
Karolin
| |
This fixes bug #5945.
| |
These were added between 3.2.4 and 3.2.5 that have caused users problems.
This fixes among others bug #6089 and #6112.
| |
It is totally valid to have an alias with no members.
This fixes bug #6465.
Tridge, please check.
Found by RPC-SAMR torture test.
Guenther
| |
This is aiming bug #6351.
Karolin
(cherry picked from commit c94d1cd7b1dc3ff99ae5a1eb9058ed6015fb9749)
(cherry picked from commit 11ed212591d612632fcb47f1eac10507b89ffdec)
| |
This is now also verified with the RPC-SAMR-LARGE-DC test.
Guenther
(cherry picked from commit fca7dce1a908570e463ddcbd663955fcafd1d843)
| |
Karolin
| |
Invalid pointers were being dereferenced in lookup_sids causing
occasional seg faults.
Signed-off-by: Tim Prouty <tprouty@samba.org>
(cherry picked from commit 34ca12c9396f7c8475cd1525bdbc40021b0e533f)
| |
In winbind, we do multiple events in one select round. This needs fixing, but
as long as we're still using it, for efficiency reasons we need to do that.
What can happen is the following: We have outgoing data pending for a client,
thus
state->fd_event.flags == EVENT_FD_WRITE
Now a new client comes in, we go through the list of clients to find an idle
one. The detection for idle clients in remove_idle_client does not take the
pending data into account. We close the socket that has pending outgoing data,
the accept(2) one syscall later gives us the same socket.
In new_connection(), we do a setup_async_read, setting up a read fde. The
select from before however had found the socket (that we had already closed!!)
to be writable. In rw_callback we only want to see a readable flag, and we
panic in the SMB_ASSERT(flags == EVENT_FD_READ).
Found using
bin/smbtorture //127.0.0.1/tmp -U% -N 500 -o 2 local-wbclient
Volker
(commit 68c5c6df in master)
| |
It is not technically an ldb bug, but apparently some callers try to access
res before checking the ldb_search() return code.
So make their attempt very evident (a NULL dereference will make it crystal
clear where the bug is).
| |
Jeremy.
(cherry picked from commit 8d178837f259757340a09a688ed194e3e4a92c36)
(cherry picked from commit 6631ca4a51d4b13d2edd2dc899f7b76c233825b5)
| |
Was missing case of "If file exists open. If file doesn't exist error."
Damn damn damn. CIFSFS client will have to have fallback cases
for this error for a long time.
Jeremy.
(cherry picked from commit b652082648c49b525d2b2ce619b575ee75bc242e)
(cherry picked from commit 12cf12f10c1c6adad568daf6c16144a99b0f822e)
| |
Patch from Jeremy.
With this patch, I was able to join Windows 7 RC to a Samba3 DC, and log in to a
Samba 3 Domain.
There are still two registry settings required:
HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0
Do *not* modify the other netlogon registry parameters that were passed around,
they weaken security.
Guenther / Jeremy.
| |
Found by SCHANNEL torture tests.
Guenther
| |
need to fix bug #6099 Samba returns inaccurate capabilities list.
1). Add a comment to point out that r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags.
2). Ensure we return NETLOGON_NEG_STRONG_KEYS in our flags return if the client requested it.
3). Clean up the error exits so we always return the same way.
Signed off by Guenther.
Jeremy.
| |
negotiate flags (which are a pointer to the out negotiate flags assigned in the generated netlogon server code). So, while you wanted to just set the *out* negflags, you did in fact reset the *in* negflags, effectively eliminating the NETLOGON_NEG_STRONG_KEYS bit (formerly known as NETLOGON_NEG_128BIT) which then caused creds_server_init() to generate 64bit creds instead of 128bit, causing the whole chain to break. *Please* check.
Guenther
| |
this is a backport of f238809d236443b8968e1b4b197a55935c7c7e85 from master
(cherry picked from commit 1b040289f14bb22d3b6ab07a452236549d6c9bf6)
| |
owner (bug#2346)
The problem of bug #2346 remains for users exported by
winbindd, because create_token_from_username() just fakes
the token when the user is not in the local sam domain. This causes
user_in_group_sid() to give totally wrong results.
In uid_entry_in_group() we need to check if we already
have the full unix token in the current_user struct.
If so we should use the current_user unix token,
instead of doing a very complex user_in_group_sid()
which doesn't give reliable results anyway.
metze
(cherry picked from commit b79eff843be392f3065e912edca1434081d93c44)
(cherry picked from commit cb5c72c0a05a78ff1b86eb02cf5ecd3d7d69623d)
| |
picked from 9097a67de
Volker
(cherry picked from commit 9ffb1e6f0ded2647efe567912873a1a63e2ffed1)
| |
that *uid is always initialized on return from create_token_from_username(). Restore it. Jeremy.
(cherry picked from commit 09b76c57098ed4d11855000ae31cd346cb9a765d)
| |
Port of 67ca76c288eb095ae to 3.2
Signed-off-by: Volker Lendecke <vl@samba.org>
| |
Guenther
(cherry picked from commit c3843c40b5c426910a184dcef3b17283e6e224e9)