From 39366733c3fe943363566756e2e152c45a1b3cb2 Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Fri, 25 May 2018 23:29:36 +0000 Subject: Fri May 25 23:29:36 UTC 2018 patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.2.txz: Rebuilt. Handle removal of US/Pacific-New timezone. If we see that the machine is using this, it will be automatically switched to US/Pacific. --- patches/source/samba/doinst.sh | 42 + patches/source/samba/pytalloc-util.pc | 11 + patches/source/samba/rc.samba | 48 ++ .../source/samba/samba-4.4.16-CVE-2018-1057.patch | 903 +++++++++++++++++++++ .../samba/samba-4.5.14-security-2017-11-21.patch | 110 +++ patches/source/samba/samba.SlackBuild | 224 +++++ .../samba/samba.install.talloc.tevent.tdb.diff | 102 +++ patches/source/samba/samba.url | 2 + patches/source/samba/slack-desc | 19 + patches/source/samba/smb.conf.default | 223 +++++ patches/source/samba/smb.conf.default.orig | 223 +++++ patches/source/samba/smb.conf.diff | 29 + patches/source/samba/talloc.pc | 11 + 13 files changed, 1947 insertions(+) create mode 100644 patches/source/samba/doinst.sh create mode 100644 patches/source/samba/pytalloc-util.pc create mode 100644 patches/source/samba/rc.samba create mode 100644 patches/source/samba/samba-4.4.16-CVE-2018-1057.patch create mode 100644 patches/source/samba/samba-4.5.14-security-2017-11-21.patch create mode 100755 patches/source/samba/samba.SlackBuild create mode 100644 patches/source/samba/samba.install.talloc.tevent.tdb.diff create mode 100644 patches/source/samba/samba.url create mode 100644 patches/source/samba/slack-desc create mode 100644 patches/source/samba/smb.conf.default create mode 100644 patches/source/samba/smb.conf.default.orig create mode 100644 patches/source/samba/smb.conf.diff create mode 100644 patches/source/samba/talloc.pc (limited to 'patches/source/samba') diff --git a/patches/source/samba/doinst.sh b/patches/source/samba/doinst.sh new file mode 100644 index 000000000..ff09d3161 --- /dev/null 
+++ b/patches/source/samba/doinst.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+config() {
+NEW="$1"
+OLD="`dirname $NEW`/`basename $NEW .new`"
+# If there's no config file by that name, mv it over:
+if [ ! -r $OLD ]; then
+mv $NEW $OLD
+elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy
+rm $NEW
+fi
+# Otherwise, we leave the .new copy for the admin to consider...
+}
+preserve_perms() {
+NEW="$1"
+OLD="$(dirname ${NEW})/$(basename ${NEW} .new)"
+if [ -e ${OLD} ]; then
+cp -a ${OLD} ${NEW}.incoming
+cat ${NEW} > ${NEW}.incoming
+mv ${NEW}.incoming ${NEW}
+fi
+config ${NEW}
+}
+
+config etc/samba/lmhosts.new
+preserve_perms etc/rc.d/rc.samba.new
+
+# Commented out 2014-09-15 just in case we do need to change this.
+## This won't be needed. The point here is to preserve the permissions of the existing
+## file, if there is one. I don't see major new development happening in rc.samba... ;-)
+#rm -f etc/rc.d/rc.samba.new
+
+# Since /etc/samba/private/ has moved to /var/lib/samba/private, migrate any
+# important files if possible:
+if [ -d etc/samba/private -a -d var/lib/samba/private ]; then
+for file in etc/samba/private/* ; do
+if [ -r "$file" -a ! -r "var/lib/samba/private/$(basename $file)" ]; then
+mv "$file" var/lib/samba/private
+fi
+done
+# Might as well try to eliminate this directory, since it should be empty:
+rmdir etc/samba/private 1> /dev/null 2> /dev/null
+fi
diff --git a/patches/source/samba/pytalloc-util.pc b/patches/source/samba/pytalloc-util.pc
new file mode 100644
index 000000000..800a9a815
--- /dev/null
+++ b/patches/source/samba/pytalloc-util.pc
@@ -0,0 +1,11 @@
+prefix=/usr
+exec_prefix=${prefix}
+libdir=${prefix}/lib
+includedir=${prefix}/include
+
+Name: pytalloc-util
+Description: Utility functions for using talloc objects with Python
+Version: 2.0.8
+Libs: -L${libdir} -lpytalloc-util
+Cflags: -Wl,-rpath,/usr/lib -I${includedir}
+URL: http://talloc.samba.org/
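Review bot: config() and preserve_perms() expand $NEW and $OLD unquoted and build OLD with backtick substitution (`if [ ! -r $OLD ]; then`, `mv $NEW $OLD`, `cp -a ${OLD} ${NEW}.incoming`), while the migration loop at the bottom of the same hunk already quotes `"$file"` and uses `$(...)`, so the two halves of this script read as if written by different hands. The only call sites pass fixed paths (`etc/samba/lmhosts.new`, `etc/rc.d/rc.samba.new`), so this is a point of style rather than a defect, but the ShellCheck-clean spelling is `OLD="$(dirname "$NEW")/$(basename "$NEW" .new)"` and `if [ ! -r "$OLD" ]; then`. The md5sum comparison on the elif line can likewise drop the useless cat and become `"$(md5sum < "$OLD")"` with the same result and one process fewer.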
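Review bot: `Cflags: -Wl,-rpath,/usr/lib -I${includedir}` puts a linker option in the compiler-flags field and hard-codes `/usr/lib` instead of the `${libdir}` defined three lines above; a `-Wl,` option only reaches the linker when compile and link happen in one gcc invocation, so consumers that take `pkg-config --cflags` for a separate compile step get nothing useful from it. If the rpath is really wanted, the conventional place is the link line, `Libs: -L${libdir} -Wl,-rpath,${libdir} -lpytalloc-util`, and since /usr/lib is already on the default library search path the rpath may be droppable entirely. `Version: 2.0.8` is presumably meant to track the talloc built by samba.SlackBuild, which is outside this hunk and worth confirming.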
diff --git a/patches/source/samba/rc.samba b/patches/source/samba/rc.samba
new file mode 100644
index 000000000..5b98b879c
--- /dev/null
+++ b/patches/source/samba/rc.samba
@@ -0,0 +1,48 @@
+#!/bin/sh
+#
+# /etc/rc.d/rc.samba
+#
+# Start/stop/restart the Samba SMB file/print server.
+#
+# To make Samba start automatically at boot, make this
+# file executable: chmod 755 /etc/rc.d/rc.samba
+#
+
+samba_start() {
+if [ -x /usr/sbin/smbd -a -x /usr/sbin/nmbd -a -r /etc/samba/smb.conf ]; then
+mkdir -p /var/run/samba
+echo "Starting Samba: /usr/sbin/smbd -D"
+/usr/sbin/smbd -D
+echo " /usr/sbin/nmbd -D"
+/usr/sbin/nmbd -D
+elif [ ! -r /etc/samba/smb.conf ]; then
+echo "ERROR: cannot start Samba since /etc/samba/smb.conf does not exist"
+fi
+}
+
+samba_stop() {
+killall smbd nmbd
+}
+
+samba_restart() {
+samba_stop
+sleep 2
+samba_start
+}
+
+case "$1" in
+'start')
+samba_start
+;;
+'stop')
+samba_stop
+;;
+'restart')
+samba_restart
+;;
+*)
+# Default is "start", for backwards compatibility with previous
+# Slackware versions. This may change to a 'usage' error someday.
+samba_start
+esac
+
diff --git a/patches/source/samba/samba-4.4.16-CVE-2018-1057.patch b/patches/source/samba/samba-4.4.16-CVE-2018-1057.patch
new file mode 100644
index 000000000..8d4c0c0e0
--- /dev/null
+++ b/patches/source/samba/samba-4.4.16-CVE-2018-1057.patch
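Review bot: samba_start fails silently when /etc/samba/smb.conf is readable but /usr/sbin/smbd or /usr/sbin/nmbd is missing or not executable — the `elif` only reports the missing-config case, so the `-x ... -a -x ...` test fails, nothing is printed, and the if statement returns 0 as if the daemons were running. A third arm covering the remaining case, `else` / `echo "ERROR: cannot start Samba: /usr/sbin/smbd or /usr/sbin/nmbd is missing or not executable"` / `fi`, keeps the boot log honest. Separately, `killall smbd nmbd` in samba_stop signals every process carrying those names, not just the daemons this script started; if this build writes pid files under /var/run/samba (the directory samba_start creates), reading them would be a tighter target, though that location is not established by this hunk. `[ ... -a ... ]` is also the deprecated test form; `[ -x /usr/sbin/smbd ] && [ -x /usr/sbin/nmbd ] && [ -r /etc/samba/smb.conf ]` is the portable spelling.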
@@ -0,0 +1,903 @@ +From 6ff2935f6a1bb2bdfb45beea07d4cb7c69c66a74 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Thu, 15 Feb 2018 12:43:09 +0100 +Subject: [PATCH 01/13] CVE-2018-1057: s4:dsdb/tests: add a test for password + change with empty delete + +Note that the request using the clearTextPassword attribute for the +password change is already correctly rejected by the server. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + selftest/knownfail.d/samba4.ldap.passwords.python | 2 + + source4/dsdb/tests/python/passwords.py | 49 +++++++++++++++++++++++ + 2 files changed, 51 insertions(+) + create mode 100644 selftest/knownfail.d/samba4.ldap.passwords.python + +diff --git a/selftest/knownfail.d/samba4.ldap.passwords.python b/selftest/knownfail.d/samba4.ldap.passwords.python +new file mode 100644 +index 0000000..343c5a7 +--- /dev/null ++++ b/selftest/knownfail.d/samba4.ldap.passwords.python +@@ -0,0 +1,2 @@ ++samba4.ldap.passwords.python.*.__main__.PasswordTests.test_pw_change_delete_no_value_userPassword ++samba4.ldap.passwords.python.*.__main__.PasswordTests.test_pw_change_delete_no_value_unicodePwd +diff --git a/source4/dsdb/tests/python/passwords.py b/source4/dsdb/tests/python/passwords.py +index fb3eee5..c50f2b6 100755 +--- a/source4/dsdb/tests/python/passwords.py ++++ b/source4/dsdb/tests/python/passwords.py +@@ -931,6 +931,55 @@ userPassword: thatsAcomplPASS4 + # Reset the "minPwdLength" as it was before + self.ldb.set_minPwdLength(minPwdLength) + ++ def test_pw_change_delete_no_value_userPassword(self): ++ """Test password change with userPassword where the delete attribute doesn't have a value""" ++ ++ try: ++ self.ldb2.modify_ldif(""" ++dn: cn=testuser,cn=users,""" + self.base_dn + """ ++changetype: modify ++delete: userPassword ++add: userPassword ++userPassword: thatsAcomplPASS1 ++""") ++ except LdbError, (num, msg): ++ self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) ++ 
else: ++ self.fail() ++ ++ def test_pw_change_delete_no_value_clearTextPassword(self): ++ """Test password change with clearTextPassword where the delete attribute doesn't have a value""" ++ ++ try: ++ self.ldb2.modify_ldif(""" ++dn: cn=testuser,cn=users,""" + self.base_dn + """ ++changetype: modify ++delete: clearTextPassword ++add: clearTextPassword ++clearTextPassword: thatsAcomplPASS2 ++""") ++ except LdbError, (num, msg): ++ self.assertTrue(num == ERR_CONSTRAINT_VIOLATION or ++ num == ERR_NO_SUCH_ATTRIBUTE) # for Windows ++ else: ++ self.fail() ++ ++ def test_pw_change_delete_no_value_unicodePwd(self): ++ """Test password change with unicodePwd where the delete attribute doesn't have a value""" ++ ++ try: ++ self.ldb2.modify_ldif(""" ++dn: cn=testuser,cn=users,""" + self.base_dn + """ ++changetype: modify ++delete: unicodePwd ++add: unicodePwd ++unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS3\"".encode('utf-16-le')) + """ ++""") ++ except LdbError, (num, msg): ++ self.assertEquals(num, ERR_CONSTRAINT_VIOLATION) ++ else: ++ self.fail() ++ + def tearDown(self): + super(PasswordTests, self).tearDown() + delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn) +-- +1.9.1 + + +From 35f8367aa64955d9f34beac9a62f8336e5e6c510 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Thu, 15 Feb 2018 10:56:06 +0100 +Subject: [PATCH 02/13] CVE-2018-1057: s4:dsdb/password_hash: add a helper + variable for LDB_FLAG_MOD_TYPE + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source4/dsdb/samdb/ldb_modules/password_hash.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c +index 05b0854..aa3871d 100644 +--- a/source4/dsdb/samdb/ldb_modules/password_hash.c ++++ b/source4/dsdb/samdb/ldb_modules/password_hash.c +@@ -3152,17 +3152,20 @@ static int 
password_hash_modify(struct ldb_module *module, struct ldb_request *r + } + + while ((passwordAttr = ldb_msg_find_element(msg, *l)) != NULL) { +- if (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_DELETE) { ++ unsigned int mtype = LDB_FLAG_MOD_TYPE(passwordAttr->flags); ++ ++ if (mtype == LDB_FLAG_MOD_DELETE) { + ++del_attr_cnt; + } +- if (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_ADD) { ++ if (mtype == LDB_FLAG_MOD_ADD) { + ++add_attr_cnt; + } +- if (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_REPLACE) { ++ if (mtype == LDB_FLAG_MOD_REPLACE) { + ++rep_attr_cnt; + } + if ((passwordAttr->num_values != 1) && +- (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_ADD)) { ++ (mtype == LDB_FLAG_MOD_ADD)) ++ { + talloc_free(ac); + ldb_asprintf_errstring(ldb, + "'%s' attribute must have exactly one value on add operations!", +@@ -3170,7 +3173,8 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r + return LDB_ERR_CONSTRAINT_VIOLATION; + } + if ((passwordAttr->num_values > 1) && +- (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_DELETE)) { ++ (mtype == LDB_FLAG_MOD_DELETE)) ++ { + talloc_free(ac); + ldb_asprintf_errstring(ldb, + "'%s' attribute must have zero or one value(s) on delete operations!", +-- +1.9.1 + + +From 63c91916d15f355e7179292fac998056c0bd6a44 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Thu, 15 Feb 2018 14:40:59 +0100 +Subject: [PATCH 03/13] CVE-2018-1057: s4:dsdb/password_hash: add a helper + variable for passwordAttr->num_values + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source4/dsdb/samdb/ldb_modules/password_hash.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c +index aa3871d..690bb98 100644 +--- a/source4/dsdb/samdb/ldb_modules/password_hash.c ++++ 
b/source4/dsdb/samdb/ldb_modules/password_hash.c +@@ -3153,6 +3153,7 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r + + while ((passwordAttr = ldb_msg_find_element(msg, *l)) != NULL) { + unsigned int mtype = LDB_FLAG_MOD_TYPE(passwordAttr->flags); ++ unsigned int nvalues = passwordAttr->num_values; + + if (mtype == LDB_FLAG_MOD_DELETE) { + ++del_attr_cnt; +@@ -3163,18 +3164,14 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r + if (mtype == LDB_FLAG_MOD_REPLACE) { + ++rep_attr_cnt; + } +- if ((passwordAttr->num_values != 1) && +- (mtype == LDB_FLAG_MOD_ADD)) +- { ++ if ((nvalues != 1) && (mtype == LDB_FLAG_MOD_ADD)) { + talloc_free(ac); + ldb_asprintf_errstring(ldb, + "'%s' attribute must have exactly one value on add operations!", + *l); + return LDB_ERR_CONSTRAINT_VIOLATION; + } +- if ((passwordAttr->num_values > 1) && +- (mtype == LDB_FLAG_MOD_DELETE)) +- { ++ if ((nvalues > 1) && (mtype == LDB_FLAG_MOD_DELETE)) { + talloc_free(ac); + ldb_asprintf_errstring(ldb, + "'%s' attribute must have zero or one value(s) on delete operations!", +-- +1.9.1 + + +From 895b1d2c9cbbde96646146a3c7b93bd326aada55 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Thu, 15 Feb 2018 17:38:31 +0100 +Subject: [PATCH 04/13] CVE-2018-1057: s4:dsdb/acl: only call dsdb_acl_debug() + if we checked the acl in acl_check_password_rights() + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source4/dsdb/samdb/ldb_modules/acl.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c +index 62e560f..aa1660c 100644 +--- a/source4/dsdb/samdb/ldb_modules/acl.c ++++ b/source4/dsdb/samdb/ldb_modules/acl.c +@@ -989,12 +989,14 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + GUID_DRS_USER_CHANGE_PASSWORD, + SEC_ADS_CONTROL_ACCESS, + sid); ++ goto checked; + } + 
else if (rep_attr_cnt > 0 || (add_attr_cnt != del_attr_cnt)) { + ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module), + GUID_DRS_FORCE_CHANGE_PASSWORD, + SEC_ADS_CONTROL_ACCESS, + sid); ++ goto checked; + } + else if (add_attr_cnt == 1 && del_attr_cnt == 1) { + ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module), +@@ -1005,7 +1007,13 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { + ret = LDB_ERR_CONSTRAINT_VIOLATION; + } ++ goto checked; + } ++ ++ talloc_free(tmp_ctx); ++ return LDB_SUCCESS; ++ ++checked: + if (ret != LDB_SUCCESS) { + dsdb_acl_debug(sd, acl_user_token(module), + req->op.mod.message->dn, +-- +1.9.1 + + +From db056b588d40c4c6995ee882286042dbf383f502 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Thu, 15 Feb 2018 17:38:31 +0100 +Subject: [PATCH 05/13] CVE-2018-1057: s4:dsdb/acl: remove unused else branches + in acl_check_password_rights() + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source4/dsdb/samdb/ldb_modules/acl.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c +index aa1660c..5ec5fd3 100644 +--- a/source4/dsdb/samdb/ldb_modules/acl.c ++++ b/source4/dsdb/samdb/ldb_modules/acl.c +@@ -991,14 +991,24 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + sid); + goto checked; + } +- else if (rep_attr_cnt > 0 || (add_attr_cnt != del_attr_cnt)) { ++ ++ if (rep_attr_cnt > 0) { + ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module), + GUID_DRS_FORCE_CHANGE_PASSWORD, + SEC_ADS_CONTROL_ACCESS, + sid); + goto checked; + } +- else if (add_attr_cnt == 1 && del_attr_cnt == 1) { ++ ++ if (add_attr_cnt != del_attr_cnt) { ++ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module), ++ GUID_DRS_FORCE_CHANGE_PASSWORD, ++ 
SEC_ADS_CONTROL_ACCESS, ++ sid); ++ goto checked; ++ } ++ ++ if (add_attr_cnt == 1 && del_attr_cnt == 1) { + ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module), + GUID_DRS_USER_CHANGE_PASSWORD, + SEC_ADS_CONTROL_ACCESS, +-- +1.9.1 + + +From ff82d4c547476751f4506092517952ac682ec38c Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Thu, 15 Feb 2018 22:59:24 +0100 +Subject: [PATCH 06/13] CVE-2018-1057: s4:dsdb/acl: check for internal controls + before other checks + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source4/dsdb/samdb/ldb_modules/acl.c | 37 ++++++++++++++++++++++-------------- + 1 file changed, 23 insertions(+), 14 deletions(-) + +diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c +index 5ec5fd3..56ba988 100644 +--- a/source4/dsdb/samdb/ldb_modules/acl.c ++++ b/source4/dsdb/samdb/ldb_modules/acl.c +@@ -943,10 +943,33 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + unsigned int del_attr_cnt = 0, add_attr_cnt = 0, rep_attr_cnt = 0; + struct ldb_message_element *el; + struct ldb_message *msg; ++ struct ldb_control *c = NULL; + const char *passwordAttrs[] = { "userPassword", "clearTextPassword", + "unicodePwd", "dBCSPwd", NULL }, **l; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + ++ c = ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_CHANGE_OID); ++ if (c != NULL) { ++ /* ++ * The "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we ++ * have a user password change and not a set as the message ++ * looks like. In it's value blob it contains the NT and/or LM ++ * hash of the old password specified by the user. This control ++ * is used by the SAMR and "kpasswd" password change mechanisms. ++ * ++ * This control can't be used by real LDAP clients, ++ * the only caller is samdb_set_password_internal(), ++ * so we don't have to strict verification of the input. 
++ */ ++ ret = acl_check_extended_right(tmp_ctx, ++ sd, ++ acl_user_token(module), ++ GUID_DRS_USER_CHANGE_PASSWORD, ++ SEC_ADS_CONTROL_ACCESS, ++ sid); ++ goto checked; ++ } ++ + msg = ldb_msg_copy_shallow(tmp_ctx, req->op.mod.message); + if (msg == NULL) { + return ldb_module_oom(module); +@@ -977,20 +1000,6 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + return LDB_SUCCESS; + } + +- if (ldb_request_get_control(req, +- DSDB_CONTROL_PASSWORD_CHANGE_OID) != NULL) { +- /* The "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we +- * have a user password change and not a set as the message +- * looks like. In it's value blob it contains the NT and/or LM +- * hash of the old password specified by the user. +- * This control is used by the SAMR and "kpasswd" password +- * change mechanisms. */ +- ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module), +- GUID_DRS_USER_CHANGE_PASSWORD, +- SEC_ADS_CONTROL_ACCESS, +- sid); +- goto checked; +- } + + if (rep_attr_cnt > 0) { + ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module), +-- +1.9.1 + + +From 5c92da9918e2ccbcb39db2b060406f05973c0a24 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Thu, 15 Feb 2018 17:43:43 +0100 +Subject: [PATCH 07/13] CVE-2018-1057: s4:dsdb/acl: add check for + DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source4/dsdb/samdb/ldb_modules/acl.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c +index 56ba988..00d52fe 100644 +--- a/source4/dsdb/samdb/ldb_modules/acl.c ++++ b/source4/dsdb/samdb/ldb_modules/acl.c +@@ -970,6 +970,26 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + goto checked; + } + ++ c = ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_HASH_VALUES_OID); ++ if (c != NULL) { ++ /* ++ * The 
"DSDB_CONTROL_PASSWORD_HASH_VALUES_OID" control, without ++ * "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we ++ * have a force password set. ++ * This control is used by the SAMR/NETLOGON/LSA password ++ * reset mechanisms. ++ * ++ * This control can't be used by real LDAP clients, ++ * the only caller is samdb_set_password_internal(), ++ * so we don't have to strict verification of the input. ++ */ ++ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module), ++ GUID_DRS_FORCE_CHANGE_PASSWORD, ++ SEC_ADS_CONTROL_ACCESS, ++ sid); ++ goto checked; ++ } ++ + msg = ldb_msg_copy_shallow(tmp_ctx, req->op.mod.message); + if (msg == NULL) { + return ldb_module_oom(module); +-- +1.9.1 + + +From 6417b18bc767d471e3c88935073acdc19448dc54 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Fri, 16 Feb 2018 15:17:26 +0100 +Subject: [PATCH 08/13] CVE-2018-1057: s4:dsdb/acl: add a NULL check for + talloc_new() in acl_check_password_rights() + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source4/dsdb/samdb/ldb_modules/acl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c +index 00d52fe..4146cbc 100644 +--- a/source4/dsdb/samdb/ldb_modules/acl.c ++++ b/source4/dsdb/samdb/ldb_modules/acl.c +@@ -948,6 +948,10 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + "unicodePwd", "dBCSPwd", NULL }, **l; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + ++ if (tmp_ctx == NULL) { ++ return LDB_ERR_OPERATIONS_ERROR; ++ } ++ + c = ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_CHANGE_OID); + if (c != NULL) { + /* +-- +1.9.1 + + +From bf6c7e1b4510242750de64b0a7a112c2024b4372 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Thu, 22 Feb 2018 10:54:37 +0100 +Subject: [PATCH 09/13] CVE-2018-1057: s4/dsdb: correctly detect password + resets + +This change ensures we correctly treat the following LDIF + 
+ dn: cn=testuser,cn=users,... + changetype: modify + delete: userPassword + add: userPassword + userPassword: thatsAcomplPASS1 + +as a password reset. Because delete and add element counts are both +one, the ACL module wrongly treated this as a password change +request. + +For a password change we need at least one value to delete and one value +to add. This patch ensures we correctly check attributes and their +values. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + selftest/knownfail.d/samba4.ldap.passwords.python | 2 -- + source4/dsdb/samdb/ldb_modules/acl.c | 18 +++++++++++++++++- + 2 files changed, 17 insertions(+), 3 deletions(-) + delete mode 100644 selftest/knownfail.d/samba4.ldap.passwords.python + +diff --git a/selftest/knownfail.d/samba4.ldap.passwords.python b/selftest/knownfail.d/samba4.ldap.passwords.python +deleted file mode 100644 +index 343c5a7..0000000 +--- a/selftest/knownfail.d/samba4.ldap.passwords.python ++++ /dev/null +@@ -1,2 +0,0 @@ +-samba4.ldap.passwords.python.*.__main__.PasswordTests.test_pw_change_delete_no_value_userPassword +-samba4.ldap.passwords.python.*.__main__.PasswordTests.test_pw_change_delete_no_value_unicodePwd +diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c +index 4146cbc..7a003df 100644 +--- a/source4/dsdb/samdb/ldb_modules/acl.c ++++ b/source4/dsdb/samdb/ldb_modules/acl.c +@@ -941,6 +941,7 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + { + int ret = LDB_SUCCESS; + unsigned int del_attr_cnt = 0, add_attr_cnt = 0, rep_attr_cnt = 0; ++ unsigned int del_val_cnt = 0, add_val_cnt = 0, rep_val_cnt = 0; + struct ldb_message_element *el; + struct ldb_message *msg; + struct ldb_control *c = NULL; +@@ -1006,12 +1007,15 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + while ((el = ldb_msg_find_element(msg, *l)) != NULL) { + if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE) { + 
++del_attr_cnt; ++ del_val_cnt += el->num_values; + } + if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_ADD) { + ++add_attr_cnt; ++ add_val_cnt += el->num_values; + } + if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_REPLACE) { + ++rep_attr_cnt; ++ rep_val_cnt += el->num_values; + } + ldb_msg_remove_element(msg, el); + } +@@ -1041,7 +1045,7 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + goto checked; + } + +- if (add_attr_cnt == 1 && del_attr_cnt == 1) { ++ if (add_val_cnt == 1 && del_val_cnt == 1) { + ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module), + GUID_DRS_USER_CHANGE_PASSWORD, + SEC_ADS_CONTROL_ACCESS, +@@ -1053,6 +1057,18 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + goto checked; + } + ++ if (add_val_cnt == 1 && del_val_cnt == 0) { ++ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module), ++ GUID_DRS_FORCE_CHANGE_PASSWORD, ++ SEC_ADS_CONTROL_ACCESS, ++ sid); ++ /* Very strange, but we get constraint violation in this case */ ++ if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { ++ ret = LDB_ERR_CONSTRAINT_VIOLATION; ++ } ++ goto checked; ++ } ++ + talloc_free(tmp_ctx); + return LDB_SUCCESS; + +-- +1.9.1 + + +From fba762e9d7599e4e2f5022a1486f3ab777d18e6d Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Wed, 14 Feb 2018 19:15:49 +0100 +Subject: [PATCH 10/13] CVE-2018-1057: s4:dsdb/acl: run password checking only + once + +This is needed, because a later commit will let the acl module add a +control to the change request msg and we must ensure that this is only +done once. 
+ +Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source4/dsdb/samdb/ldb_modules/acl.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c +index 7a003df..c239c01 100644 +--- a/source4/dsdb/samdb/ldb_modules/acl.c ++++ b/source4/dsdb/samdb/ldb_modules/acl.c +@@ -1097,6 +1097,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) + struct ldb_control *as_system; + struct ldb_control *is_undelete; + bool userPassword; ++ bool password_rights_checked = false; + TALLOC_CTX *tmp_ctx; + const struct ldb_message *msg = req->op.mod.message; + static const char *acl_attrs[] = { +@@ -1242,6 +1243,9 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) + } else if (ldb_attr_cmp("unicodePwd", el->name) == 0 || + (userPassword && ldb_attr_cmp("userPassword", el->name) == 0) || + ldb_attr_cmp("clearTextPassword", el->name) == 0) { ++ if (password_rights_checked) { ++ continue; ++ } + ret = acl_check_password_rights(tmp_ctx, + module, + req, +@@ -1252,6 +1256,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req) + if (ret != LDB_SUCCESS) { + goto fail; + } ++ password_rights_checked = true; + } else if (ldb_attr_cmp("servicePrincipalName", el->name) == 0) { + ret = acl_check_spn(tmp_ctx, + module, +-- +1.9.1 + + +From bc733fce398658e2c280dae4ba5041113e7cd500 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Fri, 16 Feb 2018 15:30:13 +0100 +Subject: [PATCH 11/13] CVE-2018-1057: s4:dsdb/samdb: define + DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control + +Will be used to pass "user password change" vs "password reset" from the +ACL to the password_hash module, ensuring both modules treat the request +identical. 
+ +Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source4/dsdb/samdb/samdb.h | 9 +++++++++ + source4/libcli/ldap/ldap_controls.c | 1 + + source4/setup/schema_samba4.ldif | 2 ++ + 3 files changed, 12 insertions(+) + +diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h +index 0a1d90d..98faa4f 100644 +--- a/source4/dsdb/samdb/samdb.h ++++ b/source4/dsdb/samdb/samdb.h +@@ -158,6 +158,15 @@ struct dsdb_control_password_change { + */ + #define DSDB_CONTROL_CHANGEREPLMETADATA_RESORT_OID "1.3.6.1.4.1.7165.4.3.25" + ++/* ++ * Used to pass "user password change" vs "password reset" from the ACL to the ++ * password_hash module, ensuring both modules treat the request identical. ++ */ ++#define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID "1.3.6.1.4.1.7165.4.3.33" ++struct dsdb_control_password_acl_validation { ++ bool pwd_reset; ++}; ++ + #define DSDB_EXTENDED_REPLICATED_OBJECTS_OID "1.3.6.1.4.1.7165.4.4.1" + struct dsdb_extended_replicated_object { + struct ldb_message *msg; +diff --git a/source4/libcli/ldap/ldap_controls.c b/source4/libcli/ldap/ldap_controls.c +index 14a80af..7837e05 100644 +--- a/source4/libcli/ldap/ldap_controls.c ++++ b/source4/libcli/ldap/ldap_controls.c +@@ -1281,6 +1281,7 @@ static const struct ldap_control_handler ldap_known_controls[] = { + { DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID, NULL, NULL }, + { DSDB_CONTROL_PASSWORD_HASH_VALUES_OID, NULL, NULL }, + { DSDB_CONTROL_PASSWORD_CHANGE_OID, NULL, NULL }, ++ { DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID, NULL, NULL }, + { DSDB_CONTROL_APPLY_LINKS, NULL, NULL }, + { LDB_CONTROL_BYPASS_OPERATIONAL_OID, NULL, NULL }, + { DSDB_CONTROL_CHANGEREPLMETADATA_OID, NULL, NULL }, +diff --git a/source4/setup/schema_samba4.ldif b/source4/setup/schema_samba4.ldif +index 69aa363..6e184bc 100644 +--- a/source4/setup/schema_samba4.ldif ++++ b/source4/setup/schema_samba4.ldif +@@ -200,6 +200,8 @@ + #Allocated: 
DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID 1.3.6.1.4.1.7165.4.3.23 + #Allocated: DSDB_CONTROL_RESTORE_TOMBSTONE_OID 1.3.6.1.4.1.7165.4.3.24 + #Allocated: DSDB_CONTROL_CHANGEREPLMETADATA_RESORT_OID 1.3.6.1.4.1.7165.4.3.25 ++#Allocated: DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID 1.3.6.1.4.1.7165.4.3.33 ++ + + # Extended 1.3.6.1.4.1.7165.4.4.x + #Allocated: DSDB_EXTENDED_REPLICATED_OBJECTS_OID 1.3.6.1.4.1.7165.4.4.1 +-- +1.9.1 + + +From 7fc6a5ef5b1bad171dd6d2c019a4fe4c0ec00eb6 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Fri, 16 Feb 2018 15:38:19 +0100 +Subject: [PATCH 12/13] CVE-2018-1057: s4:dsdb: use + DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID + +This is used to pass information about which password change operation (change +or reset) the acl module validated, down to the password_hash module. + +It's very important that both modules treat the request identical. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source4/dsdb/samdb/ldb_modules/acl.c | 41 ++++++++++++++++++++++++-- + source4/dsdb/samdb/ldb_modules/password_hash.c | 30 ++++++++++++++++++- + 2 files changed, 67 insertions(+), 4 deletions(-) + +diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c +index c239c01..17e1e67 100644 +--- a/source4/dsdb/samdb/ldb_modules/acl.c ++++ b/source4/dsdb/samdb/ldb_modules/acl.c +@@ -948,13 +948,22 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + const char *passwordAttrs[] = { "userPassword", "clearTextPassword", + "unicodePwd", "dBCSPwd", NULL }, **l; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); ++ struct dsdb_control_password_acl_validation *pav = NULL; + + if (tmp_ctx == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + ++ pav = talloc_zero(req, struct dsdb_control_password_acl_validation); ++ if (pav == NULL) { ++ talloc_free(tmp_ctx); ++ return LDB_ERR_OPERATIONS_ERROR; ++ } ++ + c = ldb_request_get_control(req, 
DSDB_CONTROL_PASSWORD_CHANGE_OID); + if (c != NULL) { ++ pav->pwd_reset = false; ++ + /* + * The "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we + * have a user password change and not a set as the message +@@ -977,6 +986,8 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + + c = ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_HASH_VALUES_OID); + if (c != NULL) { ++ pav->pwd_reset = true; ++ + /* + * The "DSDB_CONTROL_PASSWORD_HASH_VALUES_OID" control, without + * "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we +@@ -1030,6 +1041,8 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + + + if (rep_attr_cnt > 0) { ++ pav->pwd_reset = true; ++ + ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module), + GUID_DRS_FORCE_CHANGE_PASSWORD, + SEC_ADS_CONTROL_ACCESS, +@@ -1038,6 +1051,8 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + } + + if (add_attr_cnt != del_attr_cnt) { ++ pav->pwd_reset = true; ++ + ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module), + GUID_DRS_FORCE_CHANGE_PASSWORD, + SEC_ADS_CONTROL_ACCESS, +@@ -1046,6 +1061,8 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + } + + if (add_val_cnt == 1 && del_val_cnt == 1) { ++ pav->pwd_reset = false; ++ + ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module), + GUID_DRS_USER_CHANGE_PASSWORD, + SEC_ADS_CONTROL_ACCESS, +@@ -1058,6 +1075,8 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + } + + if (add_val_cnt == 1 && del_val_cnt == 0) { ++ pav->pwd_reset = true; ++ + ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module), + GUID_DRS_FORCE_CHANGE_PASSWORD, + SEC_ADS_CONTROL_ACCESS, +@@ -1069,6 +1088,14 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + goto checked; + } + ++ /* ++ * Everything else is handled by the password_hash module where it will ++ * fail, but with the correct error code when the module is again ++ * checking the attributes. 
As the change request will lack the ++ * DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control, we can be sure that ++ * any modification attempt that went this way will be rejected. ++ */ ++ + talloc_free(tmp_ctx); + return LDB_SUCCESS; + +@@ -1078,11 +1105,19 @@ checked: + req->op.mod.message->dn, + true, + 10); ++ talloc_free(tmp_ctx); ++ return ret; + } +- talloc_free(tmp_ctx); +- return ret; +-} + ++ ret = ldb_request_add_control(req, ++ DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID, false, pav); ++ if (ret != LDB_SUCCESS) { ++ ldb_debug(ldb_module_get_ctx(module), LDB_DEBUG_ERROR, ++ "Unable to register ACL validation control!\n"); ++ return ret; ++ } ++ return LDB_SUCCESS; ++} + + static int acl_modify(struct ldb_module *module, struct ldb_request *req) + { +diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c +index 690bb98..de565bc 100644 +--- a/source4/dsdb/samdb/ldb_modules/password_hash.c ++++ b/source4/dsdb/samdb/ldb_modules/password_hash.c +@@ -2572,7 +2572,35 @@ static int setup_io(struct ph_context *ac, + /* On "add" we have only "password reset" */ + ac->pwd_reset = true; + } else if (ac->req->operation == LDB_MODIFY) { +- if (io->og.cleartext_utf8 || io->og.cleartext_utf16 ++ struct ldb_control *pav_ctrl = NULL; ++ struct dsdb_control_password_acl_validation *pav = NULL; ++ ++ pav_ctrl = ldb_request_get_control(ac->req, ++ DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID); ++ if (pav_ctrl != NULL) { ++ pav = talloc_get_type_abort(pav_ctrl->data, ++ struct dsdb_control_password_acl_validation); ++ } ++ ++ if (pav == NULL) { ++ bool ok; ++ ++ /* ++ * If the DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID ++ * control is missing, we require system access! ++ */ ++ ok = dsdb_module_am_system(ac->module); ++ if (!ok) { ++ return ldb_module_operr(ac->module); ++ } ++ } ++ ++ if (pav != NULL) { ++ /* ++ * We assume what the acl module has validated. 
++ */ ++ ac->pwd_reset = pav->pwd_reset; ++ } else if (io->og.cleartext_utf8 || io->og.cleartext_utf16 + || io->og.nt_hash || io->og.lm_hash) { + /* If we have an old password specified then for sure it + * is a user "password change" */ +-- +1.9.1 + + +From 0815e8653277383918530f8dd8afaeadfe8085d5 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Thu, 15 Feb 2018 23:11:38 +0100 +Subject: [PATCH 13/13] CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only + allowed with a control + +This is not strictly needed to fig bug 13272, but it makes sense to also +fix this while fixing the overall ACL checking logic. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source4/dsdb/samdb/ldb_modules/acl.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c +index 17e1e67..8d9b780 100644 +--- a/source4/dsdb/samdb/ldb_modules/acl.c ++++ b/source4/dsdb/samdb/ldb_modules/acl.c +@@ -946,7 +946,7 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + struct ldb_message *msg; + struct ldb_control *c = NULL; + const char *passwordAttrs[] = { "userPassword", "clearTextPassword", +- "unicodePwd", "dBCSPwd", NULL }, **l; ++ "unicodePwd", NULL }, **l; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + struct dsdb_control_password_acl_validation *pav = NULL; + +@@ -1006,6 +1006,15 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, + goto checked; + } + ++ el = ldb_msg_find_element(req->op.mod.message, "dBCSPwd"); ++ if (el != NULL) { ++ /* ++ * dBCSPwd is only allowed with a control. ++ */ ++ talloc_free(tmp_ctx); ++ return LDB_ERR_UNWILLING_TO_PERFORM; ++ } ++ + msg = ldb_msg_copy_shallow(tmp_ctx, req->op.mod.message); + if (msg == NULL) { + return ldb_module_oom(module); +-- +1.9.1 + 
diff --git a/patches/source/samba/samba-4.5.14-security-2017-11-21.patch b/patches/source/samba/samba-4.5.14-security-2017-11-21.patch new file mode 100644 index 000000000..40b9dd084 --- /dev/null +++ b/patches/source/samba/samba-4.5.14-security-2017-11-21.patch 
@@ -0,0 +1,110 @@ +From 007f5b54d76bf69f441cc277b7f41f478e258aab Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Tue, 19 Sep 2017 16:11:33 -0700 +Subject: [PATCH 1/2] s3: smbd: Fix SMB1 use-after-free crash bug. + CVE-2017-14746 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When setting up the chain, always use 'next->' variables +not the 'req->' one. + +Bug discovered by 连一汉 + +CVE-2017-14746 + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041 + +Signed-off-by: Jeremy Allison +--- + source3/smbd/process.c | 7 ++++--- + source3/smbd/reply.c | 5 +++++ + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/source3/smbd/process.c b/source3/smbd/process.c +index 656f1c0a667..2641894d1d7 100644 +--- a/source3/smbd/process.c ++++ b/source3/smbd/process.c +@@ -1854,12 +1854,13 @@ void smb_request_done(struct smb_request *req) + + next->vuid = SVAL(req->outbuf, smb_uid); + next->tid = SVAL(req->outbuf, smb_tid); +- status = smb1srv_tcon_lookup(req->xconn, req->tid, ++ status = smb1srv_tcon_lookup(req->xconn, next->tid, + now, &tcon); ++ + if (NT_STATUS_IS_OK(status)) { +- req->conn = tcon->compat; ++ next->conn = tcon->compat; + } else { +- req->conn = NULL; ++ next->conn = NULL; + } + next->chain_fsp = req->chain_fsp; + next->inbuf = req->inbuf; +diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c +index a40ff81b240..26918b6d9d5 100644 +--- a/source3/smbd/reply.c ++++ b/source3/smbd/reply.c +@@ -921,6 +921,11 @@ void reply_tcon_and_X(struct smb_request *req) + } + + TALLOC_FREE(tcon); ++ /* ++ * This tree id is gone. Make sure we can't re-use it ++ * by accident. 
++ */ ++ req->tid = 0; + } + + if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) { +-- +2.11.0 + + +From c1a22e59f87783d88dfbaeeb132b89be166b2754 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Wed, 20 Sep 2017 11:04:50 -0700 +Subject: [PATCH 2/2] s3: smbd: Chain code can return uninitialized memory when + talloc buffer is grown. + +Ensure we zero out unused grown area. + +CVE-2017-15275 + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077 + +Signed-off-by: Jeremy Allison +--- + source3/smbd/srvstr.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c +index 56dceba8c6c..c2d70b32c32 100644 +--- a/source3/smbd/srvstr.c ++++ b/source3/smbd/srvstr.c +@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags) + DEBUG(0, ("srvstr_push failed\n")); + return -1; + } ++ ++ /* ++ * Ensure we clear out the extra data we have ++ * grown the buffer by, but not written to. ++ */ ++ if (buf_size + result < buf_size) { ++ return -1; ++ } ++ if (grow_size < result) { ++ return -1; ++ } ++ ++ memset(tmp + buf_size + result, '\0', grow_size - result); ++ + set_message_bcc((char *)tmp, smb_buflen(tmp) + result); + + *outbuf = tmp; +-- +2.11.0 + diff --git a/patches/source/samba/samba.SlackBuild b/patches/source/samba/samba.SlackBuild new file mode 100755 index 000000000..de6bbf45e --- /dev/null +++ b/patches/source/samba/samba.SlackBuild 
@@ -0,0 +1,224 @@
+#!/bin/sh
+
+# Copyright 2008, 2009, 2010, 2012, 2013, 2015, 2016 Patrick J. Volkerding, Sebeka, Minnesota, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Modified 2012 by Eric Hameleers for ARM port.
+
+
+VERSION=${VERSION:-$(echo samba-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
+BUILD=${BUILD:-3_slack14.2}
+
+if [ -e $CWD/machine.conf ]; then
+ . $CWD/machine.conf ]
+elif [ -e /etc/slackbuild/machine.conf ]; then
+ . /etc/slackbuild/machine.conf ]
+else
+ # Automatically determine the architecture we're building on:
+ if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) export ARCH=i586 ;;
+ arm*) export ARCH=arm ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) export ARCH=$( uname -m ) ;;
+ esac
+ fi
+ # Set CFLAGS/CXXFLAGS and LIBDIRSUFFIX:
+ if [ "$ARCH" = "i586" ]; then
+ SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+ LIBDIRSUFFIX=""
+ elif [ "$ARCH" = "s390" ]; then
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+ elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+ else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+ fi
+fi
+
+case "$ARCH" in
+ arm*) TARGET=$ARCH-slackware-linux-gnueabi ;;
+ *) TARGET=$ARCH-slackware-linux ;;
+esac
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-samba
+rm -rf $PKG
+mkdir -p $TMP $PKG
+
+if [ -r /usr/lib${LIBDIRSUFFIX}/libtalloc.so.? -a ! -r /var/log/packages/talloc* ]; then
+ echo "The Samba package needs to be removed before building to ensure that"
+ echo "talloc (and possibly other bundled libraries) are included in the build."
+ echo
+ echo "Removing the Samba package in 15 seconds, and then continuing with the build."
+ sleep 15
+ removepkg samba
+fi
+
+cd $TMP
+rm -rf samba-$VERSION
+tar xvf $CWD/samba-$VERSION.tar.xz || exit 1
+cd samba-$VERSION || exit 1
+
+# Patch to install talloc/tevent/tdb libraries and includes:
+zcat $CWD/samba.install.talloc.tevent.tdb.diff.gz | patch -p1 --verbose || exit 1
+
+# Patch CVE-2017-14746 and CVE-2017-15275:
+zcat $CWD/samba-4.5.14-security-2017-11-21.patch.gz | patch -p1 --verbose || exit 1
+
+# Patch CVE-2018-1057:
+zcat $CWD/samba-4.4.16-CVE-2018-1057.patch.gz | patch -p1 --verbose || exit 1
+
+if [ ! -d source3/lib/cmdline ]; then
+ ( cd source3/lib
+ mkdir cmdline
+ cd cmdline
+ ln -sf ../../../source3/include/popt_common.h . )
+fi
+
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+# Some of these options could be auto-detected, but declaring them
+# here doesn't hurt and helps document what features we're trying to
+# build in.
+#
+# LDFLAGS are needed to avoid problems with missing symbols.
+LDFLAGS="-Wl,--no-as-needed" \
+CFLAGS="$SLKCFLAGS" \
+./configure \
+ --enable-fhs \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --includedir=/usr/include \
+ --bindir=/usr/bin \
+ --sbindir=/usr/sbin \
+ --mandir=/usr/man \
+ --sysconfdir=/etc \
+ --with-configdir=/etc/samba \
+ --with-piddir=/var/run \
+ --with-privatedir=/var/lib/samba/private \
+ --with-privatelibdir=/usr/lib${LIBDIRSUFFIX} \
+ --with-modulesdir=/usr/lib${LIBDIRSUFFIX} \
+ --with-lockdir=/var/cache/samba \
+ --with-logfilebase=/var/log/samba \
+ --localstatedir=/var \
+ --enable-cups \
+ --with-acl-support \
+ --with-automount \
+ --with-quotas \
+ --with-syslog \
+ --with-utmp \
+ --with-winbind \
+ --with-ldap \
+ --with-ads \
+ --without-pam \
+ --build=$TARGET
+ # Gives errors:
+ #--builtin-libraries=replace,ccan \
+ #--bundled-libraries=heimdal \
+
+# -j options don't seem to work... [Yes they do! At least try to use -j below...]
+JOBS=6
+MAXJOBS=6
+export JOBS MAXJOBS
+make -j $MAXJOBS || make || exit 1
+
+mkdir -p \
+ $PKG/usr/doc/samba-$VERSION \
+ $PKG/var/spool/samba \
+ $PKG/var/log/samba \
+ $PKG/var/lib/samba/private \
+ $PKG/var/cache/samba
+chmod 700 $PKG/var/lib/samba/private
+chmod 1777 $PKG/var/spool/samba
+
+make install DESTDIR=$PKG || exit 1
+
+# Install the smbprint script:
+install -m0744 packaging/printing/smbprint $PKG/usr/bin/smbprint
+
+# Add a sample config file:
+cat $CWD/smb.conf.default > $PKG/etc/samba/smb.conf-sample
+
+# Setup a default lmhosts file:
+echo "127.0.0.1 localhost" > $PKG/etc/samba/lmhosts.new
+
+if [ ! -r $PKG/usr/bin/smbget ]; then
+ rm -f $PKG/usr/share/man/man1/smbget.1
+fi
+
+# We'll add rc.samba to the init directory, but chmod 644 so that it doesn't
+# start by default:
+mkdir -p $PKG/etc/rc.d
+cat $CWD/rc.samba > $PKG/etc/rc.d/rc.samba.new
+chmod 644 $PKG/etc/rc.d/rc.samba.new
+
+mv $PKG/usr/share/man $PKG/usr
+gzip -9 $PKG/usr/man/man?/*.?
+
+find $PKG | xargs file | grep -e "executable" -e "shared object" \
+ | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+
+# PAM related stuff we don't use:
+rm -r $PKG/usr/share/locale
+rm -f $PKG/usr/man/man8/pam*
+
+cp -a \
+ COPYING* MAINTAINERS Manifest PFIF.txt README* \
+ Read-Manifest-Now Roadmap WHATSNEW.txt docs examples \
+ $PKG/usr/doc/samba-$VERSION
+# These are installed elsewhere:
+rm -rf $PKG/usr/doc/samba-$VERSION/docs/htmldocs \
+ $PKG/usr/doc/samba-$VERSION/docs/manpages
+# Empty now?
+rmdir $PKG/usr/doc/samba-$VERSION/docs 2> /dev/null
+# I'm sorry, but when all this info is included in HTML, adding 7MB worth of
+# PDF files just to have extra artwork is more fluff than I'll agree to.
+rm -f $PKG/usr/doc/samba-$VERSION/docs/*.pdf
+# Also redundant also:
+rm -rf $PKG/usr/doc/samba-$VERSION/docs/docbook
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
+
+cat << EOF
+
+*** Be sure the package contains:
+
+drwxr-xr-x 2 root root 4096 May 3 15:46 /var/cache/samba/
+drwx------ 2 root root 1024 Mar 12 13:21 /var/lib/samba/private
+drwxr-xr-x 2 root root 48 Aug 29 13:06 /var/log/samba/
+drwxrwxrwt 2 root root 1024 Mar 12 13:21 /var/spool/samba/
+
+EOF
+
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/samba-$VERSION-$ARCH-$BUILD.txz
+
diff --git a/patches/source/samba/samba.install.talloc.tevent.tdb.diff b/patches/source/samba/samba.install.talloc.tevent.tdb.diff
new file mode 100644
index 000000000..9410f2b71
--- /dev/null
+++ b/patches/source/samba/samba.install.talloc.tevent.tdb.diff
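Review bot: `$CWD` is read in the machine.conf test at the top of the script (`if [ -e $CWD/machine.conf ]; then`) before `CWD=$(pwd)` is assigned further down, so unless CWD happens to be inherited from the environment the check resolves to `/machine.conf` and the per-build override is silently skipped; both source lines also carry a stray trailing `]` (`. $CWD/machine.conf ]`) that is handed to the sourced file as a positional argument. Moving `CWD=$(pwd)` above the `if` and dropping the bracket from both lines, `. $CWD/machine.conf` and `. /etc/slackbuild/machine.conf`, fixes both. The tarball is unpacked with `tar xvf $CWD/samba-$VERSION.tar.xz || exit 1` without being checked against the detached `.tar.asc` signature that samba.url in this same commit fetches; a `gpg --verify` step before extraction (run against whatever archive form is actually downloaded, since samba.url names a .tar.gz while the script unpacks a .tar.xz, so the archive is presumably repacked) would pin the build to the upstream signing key. The pre-build test `[ -r /usr/lib${LIBDIRSUFFIX}/libtalloc.so.? -a ! -r /var/log/packages/talloc* ]` also fails with a `[` syntax error if either glob matches more than one file, in which case the `removepkg samba` branch is skipped rather than taken.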
@@ -0,0 +1,102 @@ +--- ./lib/tevent/wscript.orig 2016-03-08 05:07:45.000000000 -0600 ++++ ./lib/tevent/wscript 2016-04-11 12:45:14.299532166 -0500 +@@ -92,11 +92,8 @@ + if bld.CONFIG_SET('HAVE_SOLARIS_PORTS'): + SRC += ' tevent_port.c' + +- if bld.env.standalone_tevent: +- bld.env.PKGCONFIGDIR = '${LIBDIR}/pkgconfig' +- private_library = False +- else: +- private_library = True ++ bld.env.PKGCONFIGDIR = '${LIBDIR}/pkgconfig' ++ private_library = False + + if not bld.CONFIG_SET('USING_SYSTEM_TEVENT'): + bld.SAMBA_LIBRARY('tevent', +--- ./lib/tdb/wscript.orig 2016-01-26 05:45:46.000000000 -0600 ++++ ./lib/tdb/wscript 2016-04-11 12:45:14.301532166 -0500 +@@ -117,11 +117,8 @@ + + COMMON_SRC = bld.SUBDIR('common', COMMON_FILES) + +- if bld.env.standalone_tdb: +- bld.env.PKGCONFIGDIR = '${LIBDIR}/pkgconfig' +- private_library = False +- else: +- private_library = True ++ bld.env.PKGCONFIGDIR = '${LIBDIR}/pkgconfig' ++ private_library = False + + if not bld.CONFIG_SET('USING_SYSTEM_TDB'): + +--- ./lib/talloc/wscript.orig 2016-04-11 12:45:14.295532166 -0500 ++++ ./lib/talloc/wscript 2016-04-11 12:45:26.761531768 -0500 +@@ -77,41 +77,39 @@ + def build(bld): + bld.RECURSE('lib/replace') + +- if bld.env.standalone_talloc: +- bld.env.PKGCONFIGDIR = '${LIBDIR}/pkgconfig' +- bld.env.TALLOC_VERSION = VERSION +- private_library = False +- +- # should we also install the symlink to libtalloc1.so here? 
+- bld.SAMBA_LIBRARY('talloc-compat1-%s' % (VERSION), +- 'compat/talloc_compat1.c', +- public_deps='talloc', +- soname='libtalloc.so.1', +- pc_files=[], +- public_headers=[], +- enabled=bld.env.TALLOC_COMPAT1) +- +- testsuite_deps = 'talloc' +- if bld.CONFIG_SET('HAVE_PTHREAD'): +- testsuite_deps += ' pthread' +- +- bld.SAMBA_BINARY('talloc_testsuite', +- 'testsuite_main.c testsuite.c', +- testsuite_deps, +- install=False) +- +- bld.SAMBA_BINARY('talloc_test_magic_differs_helper', +- 'test_magic_differs_helper.c', +- 'talloc', install=False) ++ bld.env.PKGCONFIGDIR = '${LIBDIR}/pkgconfig' ++ bld.env.TALLOC_VERSION = VERSION ++ private_library = False ++ ++ # should we also install the symlink to libtalloc1.so here? ++ bld.SAMBA_LIBRARY('talloc-compat1-%s' % (VERSION), ++ 'compat/talloc_compat1.c', ++ public_deps='talloc', ++ soname='libtalloc.so.1', ++ pc_files=[], ++ public_headers=[], ++ enabled=bld.env.TALLOC_COMPAT1) ++ ++ testsuite_deps = 'talloc' ++ if bld.CONFIG_SET('HAVE_PTHREAD'): ++ testsuite_deps += ' pthread' ++ ++ bld.SAMBA_BINARY('talloc_testsuite', ++ 'testsuite_main.c testsuite.c', ++ testsuite_deps, ++ install=False) ++ ++ bld.SAMBA_BINARY('talloc_test_magic_differs_helper', ++ 'test_magic_differs_helper.c', ++ 'talloc', install=False) + +- else: +- private_library = True + + if not bld.CONFIG_SET('USING_SYSTEM_TALLOC'): + + bld.SAMBA_LIBRARY('talloc', + 'talloc.c', + deps='replace', ++ includes='.', + abi_directory='ABI', + abi_match='talloc* _talloc*', + hide_symbols=True, diff --git a/patches/source/samba/samba.url b/patches/source/samba/samba.url new file mode 100644 index 000000000..2b35c1fb0 --- /dev/null +++ b/patches/source/samba/samba.url @@ -0,0 +1,2 @@ +https://download.samba.org/pub/samba/stable/samba-4.4.16.tar.gz +https://download.samba.org/pub/samba/stable/samba-4.4.16.tar.asc diff --git a/patches/source/samba/slack-desc b/patches/source/samba/slack-desc new file mode 100644 index 000000000..f4352c607 --- /dev/null 
+++ b/patches/source/samba/slack-desc @@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. Line +# up the first '|' above the ':' following the base package name, and the '|' +# on the right side marks the last column you can put a character in. You must +# make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':'. + + |-----handy-ruler------------------------------------------------------| +samba: samba (CIFS file and print server) +samba: +samba: Samba is a CIFS file and print server for CIFS clients. It allows +samba: you to make file space or printers on a Samba host available to CIFS +samba: clients (such as PCs running Windows). +samba: +samba: If you have any Windows file servers, you may be able to replace them +samba: or supplement them with Samba. One of Samba's big strengths is +samba: integration, so you can use it to tie together your Linux hosts and +samba: Windows PC clients. +samba: diff --git a/patches/source/samba/smb.conf.default b/patches/source/samba/smb.conf.default new file mode 100644 index 000000000..c41cfff60 --- /dev/null +++ b/patches/source/samba/smb.conf.default 
@@ -0,0 +1,223 @@
+# This is the main Samba configuration file. You should read the
+# smb.conf(5) manual page in order to understand the options listed
+# here. Samba has a huge number of configurable options (perhaps too
+# many!) most of which are not shown in this example
+#
+# For a step to step guide on installing, configuring and using samba,
+# read the Samba-HOWTO-Collection. This may be obtained from:
+# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
+#
+# Many working examples of smb.conf files can be found in the
+# Samba-Guide which is generated daily and can be downloaded from:
+# http://www.samba.org/samba/docs/Samba-Guide.pdf
+#
+# Any line which starts with a ; (semi-colon) or a # (hash)
+# is a comment and is ignored. In this example we will use a #
+# for commentry and a ; for parts of the config file that you
+# may wish to enable
+#
+# NOTE: Whenever you modify this file you should run the command "testparm"
+# to check that you have not made any basic syntactic errors.
+#
+#======================= Global Settings =====================================
+[global]
+
+# workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
+ workgroup = MYGROUP
+
+# server string is the equivalent of the NT Description field
+ server string = Samba Server
+
+# Server role. Defines in which mode Samba will operate. Possible
+# values are "standalone server", "member server", "classic primary
+# domain controller", "classic backup domain controller", "active
+# directory domain controller".
+#
+# Most people will want "standalone sever" or "member server".
+# Running as "active directory domain controller" will require first
+# running "samba-tool domain provision" to wipe databases and create a
+# new domain.
+ server role = standalone server
+
+# This option is important for security. It allows you to restrict
+# connections to machines which are on your local network. The
+# following example restricts access to two C class networks and
+# the "loopback" interface. For more examples of the syntax see
+# the smb.conf man page
+; hosts allow = 192.168.1. 192.168.2. 127.
+
+# Uncomment this if you want a guest account, you must add this to /etc/passwd
+# otherwise the user "nobody" is used
+; guest account = pcguest
+
+# this tells Samba to use a separate log file for each machine
+# that connects
+ log file = /var/log/samba.%m
+
+# Put a capping on the size of the log files (in Kb).
+ max log size = 50
+
+# Specifies the Kerberos or Active Directory realm the host is part of
+; realm = MY_REALM
+
+# Backend to store user information in. New installations should
+# use either tdbsam or ldapsam. smbpasswd is available for backwards
+# compatibility. tdbsam requires no further configuration.
+; passdb backend = tdbsam
+
+# Using the following line enables you to customise your configuration
+# on a per machine basis. The %m gets replaced with the netbios name
+# of the machine that is connecting.
+# Note: Consider carefully the location in the configuration file of
+# this line. The included file is read at that point.
+; include = /usr/local/samba/lib/smb.conf.%m
+
+# Configure Samba to use multiple interfaces
+# If you have multiple network interfaces then you must list them
+# here. See the man page for details.
+; interfaces = 192.168.12.2/24 192.168.13.2/24
+
+# Where to store roving profiles (only for Win95 and WinNT)
+# %L substitutes for this servers netbios name, %U is username
+# You must uncomment the [Profiles] share below
+; logon path = \\%L\Profiles\%U
+
+# Windows Internet Name Serving Support Section:
+# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
+; wins support = yes
+
+# WINS Server - Tells the NMBD components of Samba to be a WINS Client
+# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
+; wins server = w.x.y.z
+
+# WINS Proxy - Tells Samba to answer name resolution queries on
+# behalf of a non WINS capable client, for this to work there must be
+# at least one WINS Server on the network. The default is NO.
+; wins proxy = yes
+
+# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
+# via DNS nslookups. The default is NO.
+ dns proxy = no
+
+# These scripts are used on a domain controller or stand-alone
+# machine to add or delete corresponding unix accounts
+; add user script = /usr/sbin/useradd %u
+; add group script = /usr/sbin/groupadd %g
+; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
+; delete user script = /usr/sbin/userdel %u
+; delete user from group script = /usr/sbin/deluser %u %g
+; delete group script = /usr/sbin/groupdel %g
+
+
+#============================ Share Definitions ==============================
+[homes]
+ comment = Home Directories
+ browseable = no
+ writable = yes
+
+# Un-comment the following and create the netlogon directory for Domain Logons
+; [netlogon]
+; comment = Network Logon Service
+; path = /usr/local/samba/lib/netlogon
+; guest ok = yes
+; writable = no
+; share modes = no
+
+
+# Un-comment the following to provide a specific roving profile share
+# the default is to use the user's home directory
+;[Profiles]
+; path = /usr/local/samba/profiles
+; browseable = no
+; guest ok = yes
+
+
+# NOTE: If you have a BSD-style print system there is no need to
+# specifically define each individual printer
+[printers]
+ comment = All Printers
+ path = /var/spool/samba
+ browseable = no
+# Set public = yes to allow user 'guest account' to print
+ guest ok = no
+ writable = no
+ printable = yes
+
+# This one is useful for people to share files
+;[tmp]
+; comment = Temporary file space
+; path = /tmp
+; read only = no
+; public = yes
+
+# A publicly accessible directory, but read only, except for people in
+# the "staff" group
+;[public]
+; comment = Public Stuff
+; path = /home/samba
+; public = yes
+; writable = no
+; printable = no
+; write list = @staff
+
+# Other examples.
+#
+# A private printer, usable only by fred. Spool data will be placed in fred's
+# home directory. Note that fred must have write access to the spool directory,
+# wherever it is.
+;[fredsprn]
+; comment = Fred's Printer
+; valid users = fred
+; path = /homes/fred
+; printer = freds_printer
+; public = no
+; writable = no
+; printable = yes
+
+# A private directory, usable only by fred. Note that fred requires write
+# access to the directory.
+;[fredsdir]
+; comment = Fred's Service
+; path = /usr/somewhere/private
+; valid users = fred
+; public = no
+; writable = yes
+; printable = no
+
+# a service which has a different directory for each machine that connects
+# this allows you to tailor configurations to incoming machines. You could
+# also use the %U option to tailor it by user name.
+# The %m gets replaced with the machine name that is connecting.
+;[pchome]
+; comment = PC Directories
+; path = /usr/pc/%m
+; public = no
+; writable = yes
+
+# A publicly accessible directory, read/write to all users. Note that all files
+# created in the directory by users will be owned by the default user, so
+# any user with access can delete any other user's files. Obviously this
+# directory must be writable by the default user. Another user could of course
+# be specified, in which case all files would be owned by that user instead.
+;[public]
+; path = /usr/somewhere/else/public
+; public = yes
+; only guest = yes
+; writable = yes
+; printable = no
+
+# The following two entries demonstrate how to share a directory so that two
+# users can place files there that will be owned by the specific users. In this
+# setup, the directory should be writable by both users and should have the
+# sticky bit set on it to prevent abuse. Obviously this could be extended to
+# as many users as required.
+;[myshare]
+; comment = Mary's and Fred's stuff
+; path = /usr/somewhere/shared
+; valid users = mary fred
+; public = no
+; writable = yes
+; printable = no
+; create mask = 0765
+
+
diff --git a/patches/source/samba/smb.conf.default.orig b/patches/source/samba/smb.conf.default.orig
new file mode 100644
index 000000000..bb9c2e25e
--- /dev/null
+++ b/patches/source/samba/smb.conf.default.orig
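Review bot: `log file = /var/log/samba.%m` in the `[global]` section writes one log per client straight into /var/log, while the SlackBuild in this same commit configures `--with-logfilebase=/var/log/samba`, creates `$PKG/var/log/samba` and ends by reminding the packager to check that directory is in the package; unless the flat layout is deliberate, `log file = /var/log/samba/log.%m` would keep the shipped sample in step with the package. The `[homes]` share is `writable = yes` with no `valid users` restriction, so any authenticated user can connect to another user's home share by name and is kept out only by filesystem permissions; adding `valid users = %S` under `[homes]` is the usual hardening and changes nothing for the owner's own connection. The comment above `[printers]` says `Set public = yes` while the parameter actually written is `guest ok = no`; `public` is a synonym, but naming the parameter the file uses would avoid confusing readers.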
@@ -0,0 +1,223 @@
+# This is the main Samba configuration file. You should read the
+# smb.conf(5) manual page in order to understand the options listed
+# here. Samba has a huge number of configurable options (perhaps too
+# many!) most of which are not shown in this example
+#
+# For a step to step guide on installing, configuring and using samba,
+# read the Samba-HOWTO-Collection. This may be obtained from:
+# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
+#
+# Many working examples of smb.conf files can be found in the
+# Samba-Guide which is generated daily and can be downloaded from:
+# http://www.samba.org/samba/docs/Samba-Guide.pdf
+#
+# Any line which starts with a ; (semi-colon) or a # (hash)
+# is a comment and is ignored. In this example we will use a #
+# for commentry and a ; for parts of the config file that you
+# may wish to enable
+#
+# NOTE: Whenever you modify this file you should run the command "testparm"
+# to check that you have not made any basic syntactic errors.
+#
+#======================= Global Settings =====================================
+[global]
+
+# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
+ workgroup = MYGROUP
+
+# server string is the equivalent of the NT Description field
+ server string = Samba Server
+
+# Server role. Defines in which mode Samba will operate. Possible
+# values are "standalone server", "member server", "classic primary
+# domain controller", "classic backup domain controller", "active
+# directory domain controller".
+#
+# Most people will want "standalone sever" or "member server".
+# Running as "active directory domain controller" will require first
+# running "samba-tool domain provision" to wipe databases and create a
+# new domain.
+ server role = standalone server
+
+# This option is important for security. It allows you to restrict
+# connections to machines which are on your local network.
The
+# following example restricts access to two C class networks and
+# the "loopback" interface. For more examples of the syntax see
+# the smb.conf man page
+; hosts allow = 192.168.1. 192.168.2. 127.
+
+# Uncomment this if you want a guest account, you must add this to /etc/passwd
+# otherwise the user "nobody" is used
+; guest account = pcguest
+
+# this tells Samba to use a separate log file for each machine
+# that connects
+ log file = /usr/local/samba/var/log.%m
+
+# Put a capping on the size of the log files (in Kb).
+ max log size = 50
+
+# Specifies the Kerberos or Active Directory realm the host is part of
+; realm = MY_REALM
+
+# Backend to store user information in. New installations should
+# use either tdbsam or ldapsam. smbpasswd is available for backwards
+# compatibility. tdbsam requires no further configuration.
+; passdb backend = tdbsam
+
+# Using the following line enables you to customise your configuration
+# on a per machine basis. The %m gets replaced with the netbios name
+# of the machine that is connecting.
+# Note: Consider carefully the location in the configuration file of
+# this line. The included file is read at that point.
+; include = /usr/local/samba/lib/smb.conf.%m
+
+# Configure Samba to use multiple interfaces
+# If you have multiple network interfaces then you must list them
+# here. See the man page for details.
+; interfaces = 192.168.12.2/24 192.168.13.2/24
+
+# Where to store roving profiles (only for Win95 and WinNT)
+# %L substitutes for this servers netbios name, %U is username
+# You must uncomment the [Profiles] share below
+; logon path = \\%L\Profiles\%U
+
+# Windows Internet Name Serving Support Section:
+# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
+; wins support = yes
+
+# WINS Server - Tells the NMBD components of Samba to be a WINS Client
+# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
+; wins server = w.x.y.z
+
+# WINS Proxy - Tells Samba to answer name resolution queries on
+# behalf of a non WINS capable client, for this to work there must be
+# at least one WINS Server on the network. The default is NO.
+; wins proxy = yes
+
+# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
+# via DNS nslookups. The default is NO.
+ dns proxy = no
+
+# These scripts are used on a domain controller or stand-alone
+# machine to add or delete corresponding unix accounts
+; add user script = /usr/sbin/useradd %u
+; add group script = /usr/sbin/groupadd %g
+; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
+; delete user script = /usr/sbin/userdel %u
+; delete user from group script = /usr/sbin/deluser %u %g
+; delete group script = /usr/sbin/groupdel %g
+
+
+#============================ Share Definitions ==============================
+[homes]
+ comment = Home Directories
+ browseable = no
+ writable = yes
+
+# Un-comment the following and create the netlogon directory for Domain Logons
+; [netlogon]
+; comment = Network Logon Service
+; path = /usr/local/samba/lib/netlogon
+; guest ok = yes
+; writable = no
+; share modes = no
+
+
+# Un-comment the following to provide a specific roving profile share
+# the default is to use the user's home directory
+;[Profiles]
+; path = /usr/local/samba/profiles
+; browseable = no
+; guest ok = yes
+
+
+#
NOTE: If you have a BSD-style print system there is no need to
+# specifically define each individual printer
+[printers]
+ comment = All Printers
+ path = /usr/spool/samba
+ browseable = no
+# Set public = yes to allow user 'guest account' to print
+ guest ok = no
+ writable = no
+ printable = yes
+
+# This one is useful for people to share files
+;[tmp]
+; comment = Temporary file space
+; path = /tmp
+; read only = no
+; public = yes
+
+# A publicly accessible directory, but read only, except for people in
+# the "staff" group
+;[public]
+; comment = Public Stuff
+; path = /home/samba
+; public = yes
+; writable = no
+; printable = no
+; write list = @staff
+
+# Other examples.
+#
+# A private printer, usable only by fred. Spool data will be placed in fred's
+# home directory. Note that fred must have write access to the spool directory,
+# wherever it is.
+;[fredsprn]
+; comment = Fred's Printer
+; valid users = fred
+; path = /homes/fred
+; printer = freds_printer
+; public = no
+; writable = no
+; printable = yes
+
+# A private directory, usable only by fred. Note that fred requires write
+# access to the directory.
+;[fredsdir]
+; comment = Fred's Service
+; path = /usr/somewhere/private
+; valid users = fred
+; public = no
+; writable = yes
+; printable = no
+
+# a service which has a different directory for each machine that connects
+# this allows you to tailor configurations to incoming machines. You could
+# also use the %U option to tailor it by user name.
+# The %m gets replaced with the machine name that is connecting.
+;[pchome]
+; comment = PC Directories
+; path = /usr/pc/%m
+; public = no
+; writable = yes
+
+# A publicly accessible directory, read/write to all users. Note that all files
+# created in the directory by users will be owned by the default user, so
+# any user with access can delete any other user's files. Obviously this
+# directory must be writable by the default user.
Another user could of course
+# be specified, in which case all files would be owned by that user instead.
+;[public]
+; path = /usr/somewhere/else/public
+; public = yes
+; only guest = yes
+; writable = yes
+; printable = no
+
+# The following two entries demonstrate how to share a directory so that two
+# users can place files there that will be owned by the specific users. In this
+# setup, the directory should be writable by both users and should have the
+# sticky bit set on it to prevent abuse. Obviously this could be extended to
+# as many users as required.
+;[myshare]
+; comment = Mary's and Fred's stuff
+; path = /usr/somewhere/shared
+; valid users = mary fred
+; public = no
+; writable = yes
+; printable = no
+; create mask = 0765
+
+
diff --git a/patches/source/samba/smb.conf.diff b/patches/source/samba/smb.conf.diff
new file mode 100644
index 000000000..b08d2b12d
--- /dev/null
+++ b/patches/source/samba/smb.conf.diff
@@ -0,0 +1,29 @@
+--- smb.conf.default.orig 2013-06-13 04:21:02.000000000 -0500
++++ smb.conf.default 2013-10-15 20:02:31.684043875 -0500
+@@ -22,7 +22,7 @@
+ #======================= Global Settings =====================================
+ [global]
+ 
+-# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
++# workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
+ workgroup = MYGROUP
+ 
+ # server string is the equivalent of the NT Description field
+@@ -52,7 +52,7 @@
+ 
+ # this tells Samba to use a separate log file for each machine
+ # that connects
+- log file = /usr/local/samba/var/log.%m
++ log file = /var/log/samba.%m
+ 
+ # Put a capping on the size of the log files (in Kb).
+ max log size = 50
+@@ -136,7 +136,7 @@
+ # specifically define each individual printer
+ [printers]
+ comment = All Printers
+- path = /usr/spool/samba
++ path = /var/spool/samba
+ browseable = no
+ # Set public = yes to allow user 'guest account' to print
+ guest ok = no
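Review bot: The per-client log path `log file = /var/log/samba.%m` in the second inner hunk of smb.conf.diff derives the file name from a value the client supplies, so any host that can reach the server can make smbd create an unbounded number of files directly under /var/log; the `max log size = 50` kept just below caps each file but not their count. As far as I recall Samba restricts `%m` to a safe character set and, for SMB2/3 clients that send no NetBIOS name, substitutes the client address instead — worth confirming for 4.4, because the retained comment ("a separate log file for each machine that connects") still promises a name-based file. If per-client logs are not needed on a default install, `log file = /var/log/samba.log` avoids the issue; if they are wanted, point them at a dedicated directory (`log file = /var/log/samba/log.%m`) and say so in the comment, e.g. `# Note: %m comes from the client; every distinct client name/address creates a new file here`.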
diff --git a/patches/source/samba/talloc.pc b/patches/source/samba/talloc.pc
new file mode 100644
index 000000000..125977d19
--- /dev/null
+++ b/patches/source/samba/talloc.pc
@@ -0,0 +1,11 @@
+prefix=/usr
+exec_prefix=${prefix}
+libdir=${prefix}/lib
+includedir=${prefix}/include
+
+Name: talloc
+Description: A hierarchical pool based memory system with destructors
+Version: 2.0.8
+Libs: -Wl,-rpath,/usr/lib -L${libdir} -ltalloc
+Cflags: -I${includedir}
+URL: http://talloc.samba.org/
-- cgit v1.2.3
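Review bot: `Libs: -Wl,-rpath,/usr/lib -L${libdir} -ltalloc` hard-codes the rpath to the literal /usr/lib while the link search path is taken from `${libdir}`; unless the SlackBuild rewrites this literal as well as `libdir` for 64-bit builds (I cannot see that from here), consumers on a /usr/lib64 system get a DT_RPATH pointing at the wrong directory, and a baked-in rpath is unnecessary for a library installed in the default loader path anyway. `Version: 2.0.8` also looks stale for a Samba 4.4.16 source tree, whose bundled talloc is newer than 2.0.x as far as I know — worth checking against lib/talloc/wscript, since downstream `pkg-config --atleast-version` checks will be answered from this line. Suggested line: `Libs: -L${libdir} -ltalloc`, with `Version:` set from the bundled talloc at build time rather than a fixed string.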