The branch, v4-18-stable has been updated
via 85475a0cb20 CVE-2023-42670 s3-rpc_server: Remove cross-check with
"samba" EPM lookup
via 614d9c22357 CVE-2023-42670 s3-rpc_server: Strictly refuse to start
RPC servers in conflict with AD DC
via 2e2a9feecff CVE-2023-42669 s3-rpc_server: Disable rpcecho for
consistency with the AD DC
via 808a46b1877 CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
default
via 23c5300d099 CVE-2023-4154: Unimplement the original DirSync
behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
via 6925e6b6051 CVE-2023-4154 dsdb/tests: Extend attribute read DirSync
tests
via 84dcfc3b40f CVE-2023-4154 dsdb/tests: Add test for
SEARCH_FLAG_RODC_ATTRIBUTE behaviour
via 9499526ba8e CVE-2023-4154 dsdb/tests: Speed up DirSync test by only
checking positive matches once
via 5dc5062ba28 CVE-2023-4154 dsdb/tests: Check that secret attributes
are not visible with DirSync ever.
via 029c47f2a40 CVE-2023-4154 dsdb/tests: Force the test attribute to
be not-confidential at the start
via ee3ac4fb9af CVE-2023-4154 dsdb/tests: Use self.addCleanup() and
delete_force()
via 2cff332edb5 CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests
twice
via 9dade2ab67f CVE-2023-4154 libcli/security: add
security_descriptor_[s|d]acl_insert() helpers
via 939f243222e CVE-2023-4154 libcli/security: prepare
security_descriptor_acl_add() to place the ace at a position
via c896afcaf2f CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper
via 571d3bf48ee CVE-2023-4154 python/samba/ndr: add ndr_deepcopy()
helper
via b56849aa64b CVE-2023-4154 py_security: allow idx argument to
descriptor.[s|d]acl_add()
via f29255affdf CVE-2023-4154 python:sd_utils: add
dacl_{prepend,append,delete}_aces() helpers
via 39707a06cc5 CVE-2023-4154 python:sd_utils: introduce
update_aces_in_dacl() helper
via 563b7a56672 CVE-2023-4154 s4-dsdb: Remove
DSDB_ACL_CHECKS_DIRSYNC_FLAG
via 13eac83bc6e CVE-2023-4154 s4:dsdb:tests: Fix code spelling
via d1e0ee0ba7f CVE-2023-4154 s4:dsdb:tests: Refactor confidential
attributes test
via fbc27662712 CVE-2023-4154 dsdb: Remove remaining references to
DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL
via 53c9e1c9d3b CVE-2023-4091: smbd: use open_access_mask for access
check in open_file()
via ae5c0e1914a CVE-2023-4091: smbtorture: test overwrite dispositions
on read-only file
via 682a9a808b4 CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that
crashes on bad pipenames.
via fbb9cf8d118 CVE-2023-3961:s3:torture: Add test
SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators
through to the UNIX domain socket code.
via 1688b6d3dd4 CVE-2023-3961:s3:smbd: Catch any incoming pipe path
that could exit socket_dir.
from 7ee4d12e5c3 VERSION: Disable GIT_SNAPSHOT for the 4.18.7 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-stable
- Log -----------------------------------------------------------------
commit 85475a0cb20c2714ec30d3ef8de9ec7dcf395b5f
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Sep 12 16:23:49 2023 +1200
CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
We now have ensured that no conflicting services attempt to start
so we do not need the runtime lookup and so avoid the risk that
the lookup may fail.
This means that any duplicates will be noticed early not just
in a race condition.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
Signed-off-by: Andrew Bartlett <abart...@samba.org>
commit 614d9c2235757510579e6d5122d6ec3c6be50105
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Sep 12 12:28:49 2023 +1200
CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in
conflict with AD DC
Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.
Most critically of course this applies to netlogon, lsa and samr.
This avoids the supression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
Signed-off-by: Andrew Bartlett <abart...@samba.org>
commit 2e2a9feecff6dda90ef27ee7534a69bc4c3ee960
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Sep 12 19:01:03 2023 +1200
CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
The rpcecho server in source3 does have samba the sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact. Hoever equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abart...@samba.org>
commit 808a46b1877dc67e131d9d1cbcac701964c75571
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Sep 12 18:59:44 2023 +1200
CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abart...@samba.org>
commit 23c5300d0990129edd29328bfbbd86b9e24deb86
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Aug 8 17:58:27 2023 +1200
CVE-2023-4154: Unimplement the original DirSync behaviour without
LDAP_DIRSYNC_OBJECT_SECURITY
This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.
Having a second access control system withing the LDAP stack is unsafe
and this layer is incomplete.
The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access. Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).
Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.
The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abart...@samba.org>
commit 6925e6b6051bc3e1bbac9f17fa3e29c66b956883
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Aug 22 15:08:17 2023 +1200
CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abart...@samba.org>
commit 84dcfc3b40fe9bdda61aea9942bffbd48b681643
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Aug 8 14:30:19 2023 +1200
CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication. Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abart...@samba.org>
commit 9499526ba8e3f96843bc378ba52d4adf18dbaf3a
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Aug 8 11:18:46 2023 +1200
CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive
matches once
When we (expect to) get back a result, do not waste time against a
potentially
slow server confirming we also get back results for all the other attribute
combinations.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abart...@samba.org>
commit 5dc5062ba28037a0a67de7887925da4726112b04
Author: Andrew Bartlett <abart...@samba.org>
Date: Mon Aug 7 11:56:56 2023 +1200
CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with
DirSync ever.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abart...@samba.org>
commit 029c47f2a4002a25a8a1f93698f3675f3d06df78
Author: Andrew Bartlett <abart...@samba.org>
Date: Mon Aug 7 14:44:28 2023 +1200
CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential
at the start
Rather than fail, if the last run failed to reset things, just force
the DC into the required state.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abart...@samba.org>
commit ee3ac4fb9af7fd9007a4bca30977a89fc2b6de45
Author: Andrew Bartlett <abart...@samba.org>
Date: Mon Aug 7 13:15:40 2023 +1200
CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
Thie helps ensure this test is reliable even in spite of errors while
running.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abart...@samba.org>
commit 2cff332edb5516656c047483245cc14e836c68ab
Author: Andrew Bartlett <abart...@samba.org>
Date: Mon Aug 7 11:55:55 2023 +1200
CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.
We rename tests that would otherwise have duplicate names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abart...@samba.org>
commit 9dade2ab67fedacf047047d2a7634945b8ee83d3
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Mar 16 10:03:44 2023 +0100
CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert()
helpers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
(cherry picked from commit 2c02378029fff6636b8f19e45af78b265f2210ed)
commit 939f243222e45f37f27db96bdd1502958b6e9c6c
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Mar 16 10:00:11 2023 +0100
CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to
place the ace at a position
Often it is important to insert an ace at a specific position in the
ACL. As a default we still append by default by using -1, which is the
generic version of passing the number of existing aces.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
(cherry picked from commit c3cb915a67aff6739b72b86d7d139609df309ada)
commit c896afcaf2f0027bc495155317666bd3bfe0a84d
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Mar 16 09:57:43 2023 +0100
CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
(cherry picked from commit 9d8ff0d1e0b2ba7c84af36e1931f5bc99902a44b)
commit 571d3bf48ee095dd3aca6dfd19d52854688827fc
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Mar 17 14:08:34 2023 +0100
CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper
This uses ndr_pack/unpack in order to create a deep copy
of the given object.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
(cherry picked from commit 4627997ddae44265ad35b3234232eb74458c6c34)
commit b56849aa64b64d1991a60ee50bae53e5569d1ceb
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Mar 16 10:11:05 2023 +0100
CVE-2023-4154 py_security: allow idx argument to descriptor.[s|d]acl_add()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
(cherry picked from commit 9ea06aaf9f57e3c7094553d9ac40fb73057a9b74)
commit f29255affdfed72916114da6200d0ab517d25bf2
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Mar 16 18:03:10 2023 +0100
CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces()
helpers
They better represent what they are doing, we keep dacl_add_ace()
as wrapper of dacl_prepend_aces() in order to let existing callers
work as before.
In future it would be good to have a dacl_insert_aces() that
would canonicalize the ace order before storing, but that a task
for another day.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
(cherry picked from commit a1109a9bf12e020636b8d66fc54984aac58bfe6b)
commit 39707a06cc562c154788328cdd60834a6920016f
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Mar 10 18:25:18 2023 +0100
CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper
This is a more generic api that can be re-used in other places
as well in future. It operates on a security descriptor object instead of
SDDL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
(cherry picked from commit 8411e6d302e25d10f1035ebbdcbde7308566e930)
commit 563b7a566721ba4a4355b4915133c1b042ae76dc
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Tue Feb 14 17:19:27 2023 +1300
CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG
It's no longer used anywhere.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
(cherry picked from commit 8b4e6f7b3fb8018cb64deef9b8e1cbc2e5ba12cf)
commit 13eac83bc6ef57172dc6fefbb89fafdb55791af4
Author: Andreas Schneider <a...@samba.org>
Date: Wed Aug 2 10:44:32 2023 +0200
CVE-2023-4154 s4:dsdb:tests: Fix code spelling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
(cherry picked from commit b29793ffdee5d9b9c1c05830622e80f7faec7670)
commit d1e0ee0ba7f4ab76d8a438f9fd862474f2c970c6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Fri Jan 27 07:43:40 2023 +1300
CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test
Use more specific unittest methods, and remove unused code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
(cherry picked from commit 2e5d08c908b3fa48b9b374279a331061cb77bce3)
commit fbc27662712aba02c8c99346f21d26df05d16232
Author: Andrew Bartlett <abart...@samba.org>
Date: Wed Mar 1 14:49:06 2023 +1300
CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and
DC_MODE_RETURN_ALL
The confidential_attrs test no longer uses DC_MODE_RETURN_NONE we can now
remove the complexity.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
(cherry picked from commit 82d2ec786f7e75ff6f34eb3357964345b10de091)
commit 53c9e1c9d3b660837d4517cfe0f3da2f0744660b
Author: Ralph Boehme <s...@samba.org>
Date: Tue Aug 1 13:04:36 2023 +0200
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <s...@samba.org>
commit ae5c0e1914a92a4cc73f37ff18a266b7d39d5b42
Author: Ralph Boehme <s...@samba.org>
Date: Tue Aug 1 12:30:00 2023 +0200
CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <s...@samba.org>
commit 682a9a808b4578fef2d984e47d227bc181603cbf
Author: Jeremy Allison <j...@samba.org>
Date: Tue Jul 25 17:54:41 2023 -0700
CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad
pipenames.
We correctly handle this and just return ENOENT
(NT_STATUS_OBJECT_NAME_NOT_FOUND).
Remove knowfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <j...@samba.org>
commit fbb9cf8d11840828cbb2ef2249f10fbf766d65ea
Author: Jeremy Allison <j...@samba.org>
Date: Tue Jul 25 17:49:21 2023 -0700
CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow
bad pipenames with unix separators through to the UNIX domain socket code.
The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.
Add the knownfail.
BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <j...@samba.org>
commit 1688b6d3dd4d6490e10c57d7431cb300f8286e73
Author: Jeremy Allison <j...@samba.org>
Date: Tue Jul 25 17:41:04 2023 -0700
CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit
socket_dir.
For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <j...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
.../smbdotconf/protocol/dcerpcendpointservers.xml | 2 +-
lib/param/loadparm.c | 2 +-
lib/replace/replace.h | 15 +
libcli/security/security_descriptor.c | 55 ++-
libcli/security/security_descriptor.h | 6 +
python/samba/ndr.py | 19 +
python/samba/sd_utils.py | 153 ++++++-
selftest/knownfail | 2 +-
selftest/knownfail.d/dirsync | 13 +
selftest/target/Samba4.pm | 2 +-
source3/param/loadparm.c | 2 +-
source3/rpc_client/local_np.c | 13 +
source3/rpc_server/rpc_host.c | 154 +------
source3/rpc_server/rpcd_classic.c | 45 +-
source3/rpc_server/rpcd_epmapper.c | 33 +-
source3/rpc_server/rpcd_lsad.c | 21 +
source3/rpc_server/rpcd_rpcecho.c | 33 +-
source3/rpc_server/wscript_build | 1 +
source3/selftest/tests.py | 14 +
source3/smbd/open.c | 4 +-
source3/torture/proto.h | 1 +
source3/torture/test_smb2.c | 107 +++++
source3/torture/torture.c | 4 +
source4/dsdb/samdb/ldb_modules/dirsync.c | 33 +-
source4/dsdb/samdb/samdb.h | 1 -
source4/dsdb/tests/python/acl.py | 12 +-
.../dsdb/tests/python/ad_dc_search_performance.py | 2 +-
source4/dsdb/tests/python/confidential_attr.py | 212 ++++-----
source4/dsdb/tests/python/dirsync.py | 473 ++++++++++++++++++---
source4/dsdb/tests/python/ldap.py | 14 +-
source4/dsdb/tests/python/ldap_modify_order.py | 4 +-
source4/dsdb/tests/python/ldap_syntaxes.py | 4 +-
source4/dsdb/tests/python/login_basics.py | 2 +-
source4/dsdb/tests/python/password_settings.py | 4 +-
source4/dsdb/tests/python/passwords.py | 4 +-
source4/dsdb/tests/python/sam.py | 2 +-
source4/dsdb/tests/python/sec_descriptor.py | 14 +-
source4/dsdb/tests/python/token_group.py | 4 +-
source4/dsdb/tests/python/user_account_control.py | 2 +-
source4/librpc/ndr/py_security.c | 10 +-
source4/rpc_server/wscript_build | 3 +-
source4/torture/smb2/acls.c | 143 +++++++
42 files changed, 1205 insertions(+), 439 deletions(-)
create mode 100644 selftest/knownfail.d/dirsync
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
index 8a217cc7f11..c6642b795fd 100644
--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
@@ -6,6 +6,6 @@
<para>Specifies which DCE/RPC endpoint servers should be run.</para>
</description>
-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc,
drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
+<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi,
dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
<value type="example">rpcecho</value>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 16cb0d47f31..83b05260e09 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2730,7 +2730,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX
*mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
- lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper
wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6
backupkey dnsserver");
+ lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper
wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6
backupkey dnsserver");
lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt
wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
/* the winbind method for domain controllers is for both RODC
diff --git a/lib/replace/replace.h b/lib/replace/replace.h
index b15f3d14c8a..25e6e145eeb 100644
--- a/lib/replace/replace.h
+++ b/lib/replace/replace.h
@@ -885,6 +885,21 @@ typedef unsigned long long ptrdiff_t ;
#define ARRAY_DEL_ELEMENT(a,i,n) \
if((i)<((n)-1)){memmove(&((a)[(i)]),&((a)[(i)+1]),(sizeof(*(a))*((n)-(i)-1)));}
+/**
+ * Insert an array element by moving the rest one up
+ *
+ */
+#define ARRAY_INSERT_ELEMENT(__array,__old_last_idx,__new_elem,__new_idx) do {
\
+ if ((__new_idx) < (__old_last_idx)) { \
+ const void *__src = &((__array)[(__new_idx)]); \
+ void *__dst = &((__array)[(__new_idx)+1]); \
+ size_t __num = (__old_last_idx)-(__new_idx); \
+ size_t __len = sizeof(*(__array)) * __num; \
+ memmove(__dst, __src, __len); \
+ } \
+ (__array)[(__new_idx)] = (__new_elem); \
+} while(0)
+
/**
* Pointer difference macro
*/
diff --git a/libcli/security/security_descriptor.c
b/libcli/security/security_descriptor.c
index 23d436dbaeb..db998bbf816 100644
--- a/libcli/security/security_descriptor.c
+++ b/libcli/security/security_descriptor.c
@@ -268,9 +268,11 @@ NTSTATUS security_descriptor_for_client(TALLOC_CTX
*mem_ctx,
static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
bool add_to_sacl,
- const struct security_ace *ace)
+ const struct security_ace *ace,
+ ssize_t _idx)
{
struct security_acl *acl = NULL;
+ ssize_t idx;
if (add_to_sacl) {
acl = sd->sacl;
@@ -289,15 +291,28 @@ static NTSTATUS security_descriptor_acl_add(struct
security_descriptor *sd,
acl->aces = NULL;
}
+ if (_idx < 0) {
+ idx = (acl->num_aces + 1) + _idx;
+ } else {
+ idx = _idx;
+ }
+
+ if (idx < 0) {
+ return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
+ } else if (idx > acl->num_aces) {
+ return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
+ }
+
acl->aces = talloc_realloc(acl, acl->aces,
struct security_ace, acl->num_aces+1);
if (acl->aces == NULL) {
return NT_STATUS_NO_MEMORY;
}
- acl->aces[acl->num_aces] = *ace;
+ ARRAY_INSERT_ELEMENT(acl->aces, acl->num_aces, *ace, idx);
+ acl->num_aces++;
- switch (acl->aces[acl->num_aces].type) {
+ switch (acl->aces[idx].type) {
case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
@@ -308,8 +323,6 @@ static NTSTATUS security_descriptor_acl_add(struct
security_descriptor *sd,
break;
}
- acl->num_aces++;
-
if (add_to_sacl) {
sd->sacl = acl;
sd->type |= SEC_DESC_SACL_PRESENT;
@@ -328,7 +341,21 @@ static NTSTATUS security_descriptor_acl_add(struct
security_descriptor *sd,
NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
const struct security_ace *ace)
{
- return security_descriptor_acl_add(sd, true, ace);
+ return security_descriptor_acl_add(sd, true, ace, -1);
+}
+
+/*
+ insert an ACE at a given index to the SACL of a security_descriptor
+
+ idx can be negative, which means it's related to the new size from the
+ end, so -1 means the ace is appended at the end.
+*/
+
+NTSTATUS security_descriptor_sacl_insert(struct security_descriptor *sd,
+ const struct security_ace *ace,
+ ssize_t idx)
+{
+ return security_descriptor_acl_add(sd, true, ace, idx);
}
/*
@@ -338,7 +365,21 @@ NTSTATUS security_descriptor_sacl_add(struct
security_descriptor *sd,
NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
const struct security_ace *ace)
{
- return security_descriptor_acl_add(sd, false, ace);
+ return security_descriptor_acl_add(sd, false, ace, -1);
+}
+
+/*
+ insert an ACE at a given index to the DACL of a security_descriptor
+
+ idx can be negative, which means it's related to the new size from the
+ end, so -1 means the ace is appended at the end.
+*/
+
+NTSTATUS security_descriptor_dacl_insert(struct security_descriptor *sd,
+ const struct security_ace *ace,
+ ssize_t idx)
+{
+ return security_descriptor_acl_add(sd, false, ace, idx);
}
/*
diff --git a/libcli/security/security_descriptor.h
b/libcli/security/security_descriptor.h
index 46545321d15..354bc17e925 100644
--- a/libcli/security/security_descriptor.h
+++ b/libcli/security/security_descriptor.h
@@ -33,8 +33,14 @@ NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
struct security_descriptor **_csd);
NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
const struct security_ace *ace);
+NTSTATUS security_descriptor_sacl_insert(struct security_descriptor *sd,
+ const struct security_ace *ace,
+ ssize_t idx);
NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
const struct security_ace *ace);
+NTSTATUS security_descriptor_dacl_insert(struct security_descriptor *sd,
+ const struct security_ace *ace,
+ ssize_t idx);
NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
const struct dom_sid *trustee);
NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
diff --git a/python/samba/ndr.py b/python/samba/ndr.py
index 35b2414e8ae..8369abfb2d0 100644
--- a/python/samba/ndr.py
+++ b/python/samba/ndr.py
@@ -56,6 +56,25 @@ def ndr_print(object):
return ndr_print()
+def ndr_deepcopy(object):
+ """Create a deep copy of a NDR object, using pack/unpack
+
+ :param object: Object to copy
+ :return: The object copy
+ """
+ ndr_pack = getattr(object, "__ndr_pack__", None)
+ if ndr_pack is None:
+ raise TypeError("%r is not a NDR object" % object)
+ data = ndr_pack()
+ cls = type(object)
+ copy = cls()
+ ndr_unpack = getattr(copy, "__ndr_unpack__", None)
+ if ndr_unpack is None:
+ raise TypeError("%r is not a NDR object" % copy)
+ ndr_unpack(data, allow_remaining=False)
+ return copy
+
+
def ndr_pack_in(object, bigendian=False, ndr64=False):
"""Pack the input of an NDR function object.
diff --git a/python/samba/sd_utils.py b/python/samba/sd_utils.py
index 26e80ee2f4a..462bbfbaf18 100644
--- a/python/samba/sd_utils.py
+++ b/python/samba/sd_utils.py
@@ -21,8 +21,11 @@
import samba
from ldb import Message, MessageElement, Dn
from ldb import FLAG_MOD_REPLACE, SCOPE_BASE
-from samba.ndr import ndr_pack, ndr_unpack
+from samba.ndr import ndr_pack, ndr_unpack, ndr_deepcopy
from samba.dcerpc import security
+from samba.ntstatus import (
+ NT_STATUS_OBJECT_NAME_NOT_FOUND,
+)
class SDUtils(object):
@@ -63,19 +66,145 @@ class SDUtils(object):
res = self.ldb.search(object_dn)
return ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
+ def update_aces_in_dacl(self, dn, del_aces=None, add_aces=None,
+ sddl_attr=None, controls=None):
+ if del_aces is None:
+ del_aces=[]
+ if add_aces is None:
+ add_aces=[]
+
+ def ace_from_sddl(ace_sddl):
+ ace_sd = security.descriptor.from_sddl("D:" + ace_sddl,
self.domain_sid)
+ assert(len(ace_sd.dacl.aces)==1)
+ return ace_sd.dacl.aces[0]
+
+ if sddl_attr is None:
+ if controls is None:
+ controls=["sd_flags:1:%d" % security.SECINFO_DACL]
+ sd = self.read_sd_on_dn(dn, controls=controls)
+ if not sd.type & security.SEC_DESC_DACL_PROTECTED:
+ # if the DACL is not protected remove all
+ # inherited aces, as they will be re-inherited
+ # on the server, we need a ndr_deepcopy in order
+ # to avoid reference problems while deleting
+ # the aces while looping over them
+ dacl_copy = ndr_deepcopy(sd.dacl)
+ for ace in dacl_copy.aces:
+ if ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE:
+ try:
+ sd.dacl_del_ace(ace)
+ except samba.NTSTATUSError as err:
+ if err.args[0] != NT_STATUS_OBJECT_NAME_NOT_FOUND:
+ raise err
+ # dacl_del_ace may remove more than
+ # one ace, so we may not find it anymore
+ pass
+ else:
+ if controls is None:
+ controls=[]
+ res = self.ldb.search(dn, SCOPE_BASE, None,
+ [sddl_attr], controls=controls)
+ old_sddl = str(res[0][sddl_attr][0])
+ sd = security.descriptor.from_sddl(old_sddl, self.domain_sid)
+
+ num_changes = 0
+ del_ignored = []
+ add_ignored = []
+ inherited_ignored = []
+
+ for ace in del_aces:
+ if isinstance(ace, str):
+ ace = ace_from_sddl(ace)
+ assert(isinstance(ace, security.ace))
+
+ if ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE:
+ inherited_ignored.append(ace)
+ continue
+
+ if ace not in sd.dacl.aces:
+ del_ignored.append(ace)
+ continue
+
+ sd.dacl_del_ace(ace)
+ num_changes += 1
+
+ for ace in add_aces:
+ add_idx = -1
+ if isinstance(ace, dict):
+ if "idx" in ace:
+ add_idx = ace["idx"]
+ ace = ace["ace"]
+ if isinstance(ace, str):
+ ace = ace_from_sddl(ace)
+ assert(isinstance(ace, security.ace))
+
+ if ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE:
+ inherited_ignored.append(ace)
+ continue
+
+ if ace in sd.dacl.aces:
+ add_ignored.append(ace)
+ continue
+
+ sd.dacl_add(ace, add_idx)
+ num_changes += 1
+
+ if num_changes == 0:
+ return del_ignored, add_ignored, inherited_ignored
+
+ if sddl_attr is None:
+ self.modify_sd_on_dn(dn, sd, controls=controls)
+ else:
+ new_sddl = sd.as_sddl(self.domain_sid)
+ m = Message()
+ m.dn = dn
+ m[sddl_attr] = MessageElement(new_sddl.encode('ascii'),
+ FLAG_MOD_REPLACE,
+ sddl_attr)
+ self.ldb.modify(m, controls=controls)
+
+ return del_ignored, add_ignored, inherited_ignored
+
+ def dacl_prepend_aces(self, object_dn, aces, controls=None):
+ """Prepend an ACE (or more) to an objects security descriptor
+ """
+ ace_sd = security.descriptor.from_sddl("D:" + aces, self.domain_sid)
+ add_aces = []
+ add_idx = 0
+ for ace in ace_sd.dacl.aces:
+ add_aces.append({"idx": add_idx, "ace": ace})
+ add_idx += 1
+ _,ai,ii = self.update_aces_in_dacl(object_dn, add_aces=add_aces,
+ controls=controls)
+ return ai, ii
+
def dacl_add_ace(self, object_dn, ace):
- """Add an ACE to an objects security descriptor
+ """Add an ACE (or more) to an objects security descriptor
"""
- desc = self.read_sd_on_dn(object_dn, ["show_deleted:1"])
- desc_sddl = desc.as_sddl(self.domain_sid)
- if ace in desc_sddl:
- return
- if desc_sddl.find("(") >= 0:
- desc_sddl = (desc_sddl[:desc_sddl.index("(")] + ace +
- desc_sddl[desc_sddl.index("("):])
- else:
- desc_sddl = desc_sddl + ace
- self.modify_sd_on_dn(object_dn, desc_sddl, ["show_deleted:1"])
+ _,_ = self.dacl_prepend_aces(object_dn, ace,
+ controls=["show_deleted:1"])
+
+ def dacl_append_aces(self, object_dn, aces, controls=None):
+ """Append an ACE (or more) to an objects security descriptor
+ """
+ ace_sd = security.descriptor.from_sddl("D:" + aces, self.domain_sid)
+ add_aces = []
+ for ace in ace_sd.dacl.aces:
+ add_aces.append(ace)
+ _,ai,ii = self.update_aces_in_dacl(object_dn, add_aces=add_aces,
+ controls=controls)
+ return ai, ii
+
+ def dacl_delete_aces(self, object_dn, aces, controls=None):
+ """Delete an ACE (or more) to an objects security descriptor
+ """
+ del_sd = security.descriptor.from_sddl("D:" + aces, self.domain_sid)
+ del_aces = []
+ for ace in del_sd.dacl.aces:
+ del_aces.append(ace)
+ di,_,ii = self.update_aces_in_dacl(object_dn, del_aces=del_aces,
+ controls=controls)
+ return di, ii
def get_sd_as_sddl(self, object_dn, controls=[]):
"""Return object nTSecutiryDescriptor in SDDL format
diff --git a/selftest/knownfail b/selftest/knownfail
index c6e0a242ecb..f1768a270b5 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -151,7 +151,7 @@
^samba4.smb2.acls.*.inheritflags
^samba4.smb2.acls.*.owner
^samba4.smb2.acls.*.ACCESSBASED
-^samba4.ldap.dirsync.python.ad_dc_ntvfs..__main__.ExtendedDirsyncTests.test_dirsync_deleted_items
+^samba4.ldap.dirsync.python.ad_dc_ntvfs..__main__.SimpleDirsyncTests.test_dirsync_deleted_items_OBJECT_SECURITY
#^samba4.ldap.dirsync.python.ad_dc_ntvfs..__main__.ExtendedDirsyncTests.*
^samba4.libsmbclient.opendir.(NT1|SMB3).opendir # This requires netbios
browsing
^samba4.rpc.drsuapi.*.drsuapi.DsGetDomainControllerInfo\(.*\)$
diff --git a/selftest/knownfail.d/dirsync b/selftest/knownfail.d/dirsync
new file mode 100644
index 00000000000..fcf4d469d6e
--- /dev/null
+++ b/selftest/knownfail.d/dirsync
@@ -0,0 +1,13 @@
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_OBJECT_SECURITY_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_unicodePwd_OBJ_SEC_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_unicodePwd_with_GET_CHANGES_OBJ_SEC_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_unicodePwd_with_GET_CHANGES_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_with_GET_CHANGES_OBJECT_SECURITY_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_with_GET_CHANGES\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialFilteredDirsyncTests.test_dirsync_OBJECT_SECURITY_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialFilteredDirsyncTests.test_dirsync_OBJECT_SECURITY_with_GET_CHANGES_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialFilteredDirsyncTests.test_dirsync_with_GET_CHANGES_attr\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialFilteredDirsyncTests.test_dirsync_with_GET_CHANGES_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.FilteredDirsyncTests.test_dirsync_with_GET_CHANGES\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.FilteredDirsyncTests.test_dirsync_with_GET_CHANGES_attr\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.FilteredDirsyncTests.test_dirsync_with_GET_CHANGES_insist_on_empty_element\(.*\)
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index d15156a538b..5687d2a8587 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -783,7 +783,7 @@ sub provision_raw_step1($$)
wins support = yes
server role = $ctx->{server_role}
server services = +echo $services
- dcerpc endpoint servers = +winreg +srvsvc
+ dcerpc endpoint servers = +winreg +srvsvc +rpcecho
notify:inotify = false
ldb:nosync = true
ldap server require strong auth = yes
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 12718ced9e7..e33751a27e3 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -883,7 +883,7 @@ static void init_globals(struct loadparm_context *lp_ctx,
bool reinit_globals)
Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt
wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
- Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL,
"epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser
eventlog6 backupkey dnsserver", NULL);
+ Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL,
"epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser
eventlog6 backupkey dnsserver", NULL);
Globals.tls_enabled = true;
Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c
index 0b323404f06..791ded99a47 100644
--- a/source3/rpc_client/local_np.c
+++ b/source3/rpc_client/local_np.c
@@ -542,6 +542,19 @@ struct tevent_req *local_np_connect_send(
return tevent_req_post(req, ev);
}
+ /*
+ * Ensure we cannot process a path that exits
+ * the socket_dir.
+ */
+ if (ISDOTDOT(lower_case_pipename) ||
+ (strchr(lower_case_pipename, '/')!=NULL))
+ {
+ DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n",
+ lower_case_pipename);
+ tevent_req_error(req, ENOENT);
+ return tevent_req_post(req, ev);
+ }
+
state->socketpath = talloc_asprintf(
state, "%s/np/%s", socket_dir, lower_case_pipename);
if (tevent_req_nomem(state->socketpath, req)) {
diff --git a/source3/rpc_server/rpc_host.c b/source3/rpc_server/rpc_host.c
index 1e27776d6fc..39ecd09f846 100644
--- a/source3/rpc_server/rpc_host.c
+++ b/source3/rpc_server/rpc_host.c
@@ -214,7 +214,6 @@ struct rpc_server_get_endpoints_state {
char **argl;
char *ncalrpc_endpoint;
enum dcerpc_transport_t only_transport;
- struct dcerpc_binding **existing_bindings;
struct rpc_host_iface_name *iface_names;
struct rpc_host_endpoint **endpoints;
@@ -235,7 +234,6 @@ static void rpc_server_get_endpoints_done(struct tevent_req
*subreq);
* @param[in] ev Event context to run this on
* @param[in] rpc_server_exe Binary to ask with --list-interfaces
* @param[in] only_transport Filter out anything but this
- * @param[in] existing_bindings Filter out endpoints served by "samba"
* @return The tevent_req representing this process
*/
@@ -243,8 +241,7 @@ static struct tevent_req *rpc_server_get_endpoints_send(
TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
const char *rpc_server_exe,
- enum dcerpc_transport_t only_transport,
- struct dcerpc_binding **existing_bindings)
+ enum dcerpc_transport_t only_transport)
{
struct tevent_req *req = NULL, *subreq = NULL;
struct rpc_server_get_endpoints_state *state = NULL;
@@ -256,7 +253,6 @@ static struct tevent_req *rpc_server_get_endpoints_send(
return NULL;
}
state->only_transport = only_transport;
- state->existing_bindings = existing_bindings;
progname = strrchr(rpc_server_exe, '/');
if (progname != NULL) {
@@ -417,37 +413,17 @@ static bool dcerpc_binding_same_endpoint(
* In member mode, we only serve named pipes. Indicated by NCACN_NP
* passed in via "only_transport".
--
Samba Shared Repository
