The branch, master has been updated
       via  eaf63f0b845 docs-xml: "cluster addresses" dns registration
       via  3e25d4d55f8 docs-xml: Update documentation for 'restrict anonymous' option
       via  f132c3767ef s3/lib/popt_common: use stack buffer in set_logfile()
       via  901ca24e43a s3/lib/popt_common: don't assume stackframe presence
       via  c824240cd48 lib/debug: retain full string in state.prog_name global
      from  61670169d52 Clean up reference used with PyDict_Setxxx

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit eaf63f0b845fb766ff243b1a7d0587c9507ab31e
Author: David Disseldorp <dd...@samba.org>
Date:   Tue Jan 29 12:49:28 2019 +0100

    docs-xml: "cluster addresses" dns registration

    Bug 7871 added functionality to register smb.conf "cluster addresses"
    when net ads dns register is called with clustering=yes, but the man
    page was not updated. Add documentation for this behaviour.

    Signed-off-by: David Disseldorp <dd...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    Autobuild-User(master): David Disseldorp <dd...@samba.org>
    Autobuild-Date(master): Thu Feb 7 21:33:15 CET 2019 on sn-devel-144

commit 3e25d4d55f85be3323861b9a2f59626246b57182
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Feb 5 16:08:46 2019 +0100

    docs-xml: Update documentation for 'restrict anonymous' option

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Rowland Penny <rpe...@samba.org>
    Reviewed-by: David Disseldorp <dd...@samba.org>

commit f132c3767efd4197ae32a7114a7b91b55759adb4
Author: David Disseldorp <dd...@samba.org>
Date:   Wed Feb 6 12:01:12 2019 +0100

    s3/lib/popt_common: use stack buffer in set_logfile()

    Signed-off-by: David Disseldorp <dd...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 901ca24e43a1b2b441f070e5dc40a6c7ddcba883
Author: David Disseldorp <dd...@samba.org>
Date:   Wed Feb 6 00:58:17 2019 +0100

    s3/lib/popt_common: don't assume stackframe presence

    popt_common_callback() should be leak-safe if a talloc stackframe isn't
    available, as it's invoked early on.

    Signed-off-by: David Disseldorp <dd...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit c824240cd48aea9e0655287c98c8de7c3ffd5f94
Author: David Disseldorp <dd...@samba.org>
Date:   Wed Feb 6 12:39:03 2019 +0100

    lib/debug: retain full string in state.prog_name global

    setup_logging() retains a global pointer to the provided const string in
    state.prog_name, which is later used in the debug_backend->reload()
    callback. Some setup_logging() callers, such as popt_common_callback(),
    incorrectly assume that a dynamic buffer is safe to provide as a
    prog_name parameter. Fix this by copying the entire string in
    setup_logging().

    Signed-off-by: David Disseldorp <dd...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/misc/clusteraddresses.xml      | 12 +++---
 docs-xml/smbdotconf/security/restrictanonymous.xml | 45 +++++++++++-----------
 lib/util/debug.c                                   | 12 ++++--
 source3/lib/popt_common.c                          | 42 ++++++++++++++------
 4 files changed, 67 insertions(+), 44 deletions(-)

Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/misc/clusteraddresses.xml b/docs-xml/smbdotconf/misc/clusteraddresses.xml index d01a4f9004b..66878cdb642 100644 --- a/docs-xml/smbdotconf/misc/clusteraddresses.xml +++ b/docs-xml/smbdotconf/misc/clusteraddresses.xml 
@@ -3,12 +3,12 @@ type="cmdlist" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>With this parameter you can add additional addresses - nmbd will register with a WINS server. These addresses are not - necessarily present on all nodes simultaneously, but they will - be registered with the WINS server so that clients can contact - any of the nodes. - </para> + <para>With this parameter you can add additional addresses that + nmbd will register with a WINS server. Similarly, these + addresses will be registered by default when + <emphasis>net ads dns register</emphasis> is called with + <smbconfoption name="clustering">yes</smbconfoption> + configured.</para> </description> <value type="default"></value> diff --git a/docs-xml/smbdotconf/security/restrictanonymous.xml b/docs-xml/smbdotconf/security/restrictanonymous.xml index 78cafd21d55..06abe7b2bf7 100644 --- a/docs-xml/smbdotconf/security/restrictanonymous.xml +++ b/docs-xml/smbdotconf/security/restrictanonymous.xml 
@@ -3,34 +3,35 @@ context="G" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>The setting of this parameter determines whether user and - group list information is returned for an anonymous connection. - and mirrors the effects of the -<programlisting> -HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ - Control\LSA\RestrictAnonymous -</programlisting> - registry key in Windows 2000 and Windows NT. When set to 0, user - and group list information is returned to anyone who asks. When set - to 1, only an authenticated user can retrieve user and - group list information. For the value 2, supported by - Windows 2000/XP and Samba, no anonymous connections are allowed at - all. This can break third party and Microsoft - applications which expect to be allowed to perform - operations anonymously.</para> + <para> + The setting of this parameter determines whether SAMR and LSA + DCERPC services can be accessed anonymously. This corresponds + to the following Windows Server registry options: + </para> + + <programlisting> + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous + </programlisting> + + <para> + The option also affects the browse option which is required by + legacy clients which rely on Netbios browsing. While modern + Windows version should be fine with restricting the access + there could still be applications relying on anonymous access. + </para> <para> - The security advantage of using restrict anonymous = 1 is dubious, - as user and group list information can be obtained using other - means. + Setting <smbconfoption name="restrict anonymous">1</smbconfoption> + will disable anonymous SAMR access. </para> - <note> <para> - The security advantage of using restrict anonymous = 2 is removed - by setting <smbconfoption name="guest ok">yes</smbconfoption> on any share. 
+ Setting <smbconfoption name="restrict anonymous">2</smbconfoption> + will, in addition to restricting SAMR access, disallow anonymous + connections to the IPC$ share in general. + Setting <smbconfoption name="guest ok">yes</smbconfoption> on any share + will remove the security advantage. </para> - </note> </description> <value type="default">0</value> diff --git a/lib/util/debug.c b/lib/util/debug.c index 30e5a28a233..e6a1ba4f96f 100644 --- a/lib/util/debug.c +++ b/lib/util/debug.c @@ -87,7 +87,7 @@ static struct { bool initialized; enum debug_logtype logtype; /* The type of logging we are doing: eg stdout, file, stderr */ - const char *prog_name; + char prog_name[255]; bool reopening_logs; bool schedule_reopen_logs; @@ -227,11 +227,15 @@ static void debug_syslog_reload(bool enabled, bool previously_enabled, const char *prog_name, char *option) { if (enabled && !previously_enabled) { + const char *ident = NULL; + if ((prog_name != NULL) && (prog_name[0] != '\0')) { + ident = prog_name; + } #ifdef LOG_DAEMON - openlog(prog_name, LOG_PID, SYSLOG_FACILITY); + openlog(ident, LOG_PID, SYSLOG_FACILITY); #else /* for old systems that have no facility codes. */ - openlog(prog_name, LOG_PID ); + openlog(ident, LOG_PID); #endif return; } @@ -1001,7 +1005,7 @@ void setup_logging(const char *prog_name, enum debug_logtype new_logtype) prog_name = p + 1; } - state.prog_name = prog_name; + strlcpy(state.prog_name, prog_name, sizeof(state.prog_name)); } reopen_logs_internal(); } diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c index 6379135a267..fa21668000e 100644 --- a/source3/lib/popt_common.c +++ b/source3/lib/popt_common.c 
@@ -42,22 +42,23 @@ extern bool override_logfile; static void set_logfile(poptContext con, const char * arg) { - char *lfile = NULL; + char lfile[PATH_MAX]; const char *pname; + int ret; /* Find out basename of current program */ - pname = strrchr_m(poptGetInvocationName(con),'/'); - - if (!pname) + pname = strrchr_m(poptGetInvocationName(con), '/'); + if (pname == NULL) { pname = poptGetInvocationName(con); - else + } else { pname++; + } - if (asprintf(&lfile, "%s/log.%s", arg, pname) < 0) { + ret = snprintf(lfile, sizeof(lfile), "%s/log.%s", arg, pname); + if (ret >= sizeof(lfile)) { return; } lp_set_logfile(lfile); - SAFE_FREE(lfile); } static bool PrintSambaVersionString; @@ -72,11 +73,16 @@ static void popt_common_callback(poptContext con, const struct poptOption *opt, const char *arg, const void *data) { + TALLOC_CTX *mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + exit(1); + } if (reason == POPT_CALLBACK_REASON_PRE) { set_logfile(con, get_dyn_LOGFILEBASE()); talloc_set_log_fn(popt_s3_talloc_log_fn); talloc_set_abort_fn(smb_panic); + talloc_free(mem_ctx); return; } @@ -84,20 +90,27 @@ static void popt_common_callback(poptContext con, if (PrintSambaVersionString) { printf( "Version %s\n", samba_version_string()); + talloc_free(mem_ctx); exit(0); } if (is_default_dyn_CONFIGFILE()) { - if(getenv("SMB_CONF_PATH")) { + if (getenv("SMB_CONF_PATH")) { set_dyn_CONFIGFILE(getenv("SMB_CONF_PATH")); } } if (override_logfile) { - setup_logging(lp_logfile(talloc_tos()), DEBUG_FILE ); + char *logfile = lp_logfile(mem_ctx); + if (logfile == NULL) { + talloc_free(mem_ctx); + exit(1); + } + setup_logging(logfile, DEBUG_FILE); } /* Further 'every Samba program must do this' hooks here. */ + talloc_free(mem_ctx); return; } 
@@ -105,18 +118,21 @@ static void popt_common_callback(poptContext con, case OPT_OPTION: { struct loadparm_context *lp_ctx; + bool ok; - lp_ctx = loadparm_init_s3(talloc_tos(), loadparm_s3_helpers()); + lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers()); if (lp_ctx == NULL) { fprintf(stderr, "loadparm_init_s3() failed!\n"); + talloc_free(mem_ctx); exit(1); } - if (!lpcfg_set_option(lp_ctx, arg)) { + ok = lpcfg_set_option(lp_ctx, arg); + if (!ok) { fprintf(stderr, "Error setting option '%s'\n", arg); + talloc_free(mem_ctx); exit(1); } - TALLOC_FREE(lp_ctx); break; } case 'd': @@ -167,6 +183,8 @@ static void popt_common_callback(poptContext con, } break; } + + talloc_free(mem_ctx); } struct poptOption popt_common_connection[] = { -- Samba Shared Repository
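
Review bot: In docs-xml/smbdotconf/misc/clusteraddresses.xml the rewritten <para> drops the sentence saying these addresses are not necessarily present on all nodes simultaneously, which is what tells an administrator why the parameter exists; keep it next to the new DNS sentence. "registered by default" also suggests the registration can be switched off, so either say how or drop "by default".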
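
Review bot: In docs-xml/smbdotconf/security/restrictanonymous.xml the new description no longer says what value 0 does, although <value type="default">0</value> keeps it as the default; the removed text stated that 0 returns user and group list information to anyone who asks, and an equivalent sentence in SAMR/LSA terms should stay. The removed remark that the security advantage of restrict anonymous = 1 is dubious is gone without replacement, so if it still holds, readers hardening a server should keep seeing it. Smaller points: "registry options:" introduces a single key, "the browse option" does not name an smb.conf parameter, "Windows version should" needs "versions", and the guest ok caveat loses the emphasis it had inside <note>.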
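
Review bot: In setup_logging() in lib/util/debug.c the return value of strlcpy() into the new char prog_name[255] is ignored, so a name longer than 254 bytes is truncated silently and the truncated string is what the reload callback later hands to openlog(); compare the return value with sizeof(state.prog_name) and report the truncation. The 255 would read better as a named constant. In debug_syslog_reload() a one-line comment on why an empty prog_name is mapped to a NULL ident would help, since with the array member an unset name is now an empty string rather than a NULL pointer.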
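
Review bot: In set_logfile() in source3/lib/popt_common.c the check "if (ret >= sizeof(lfile))" compares an int with a size_t, so a negative snprintf() result is caught only because it converts to a large unsigned value; write it as "ret < 0 || (size_t)ret >= sizeof(lfile)" so the error case is explicit and the signed/unsigned warning goes away. The function also returns without any diagnostic, which means a log path longer than PATH_MAX now leaves the log file unset with nothing printed.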
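
Review bot: In popt_common_callback() the mem_ctx from talloc_new(NULL) is allocated on every invocation but only used in the override_logfile branch and in case OPT_OPTION, and it then has to be released by hand on each of the seven exit paths touched here; any return or exit in the switch cases that lie between the hunks would leak it, so those need checking as well. Allocating the context inside the two branches that use it would remove most of the talloc_free() calls. The new exit(1) paths for talloc_new() and lp_logfile() failure print nothing, unlike the loadparm_init_s3() failure further down, so add an fprintf(stderr, ...) before exiting.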