CVE-2020-25717: loadparm: Add new parameter "min domain uid"
authorSamuel Cabrero <scabrero@samba.org>
Tue, 28 Sep 2021 08:43:40 +0000 (10:43 +0200)
committerJule Anger <janger@samba.org>
Tue, 9 Nov 2021 19:45:32 +0000 (19:45 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
docs-xml/smbdotconf/security/mindomainuid.xml [new file with mode: 0644]
docs-xml/smbdotconf/winbind/idmapconfig.xml
lib/param/loadparm.c
source3/param/loadparm.c

diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml b/docs-xml/smbdotconf/security/mindomainuid.xml
new file mode 100644 (file)
index 0000000..46ae795
--- /dev/null
@@ -0,0 +1,17 @@
+<samba:parameter name="min domain uid"
+                 type="integer"
+                 context="G"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+  <para>
+    The integer parameter specifies the minimum uid allowed when mapping a
+    local account to a domain account.
+  </para>
+
+  <para>
+    Note that this option interacts with the configured <emphasis>idmap ranges</emphasis>!
+  </para>
+</description>
+
+<value type="default">1000</value>
+</samba:parameter>
index 1374040fb29db1fca1f7cff9f44c8c62d8ba235a..f70f11df75714c9add86bb9679cc1bb0e3e74fe5 100644 (file)
@@ -80,6 +80,9 @@
                authoritative for a unix ID to SID mapping, so it must be set
                for each individually configured domain and for the default
                configuration. The configured ranges must be mutually disjoint.
+               </para>
+               <para>
+               Note that the low value interacts with the <smbconfoption name="min domain uid"/> option!
                </para></listitem>
                </varlistentry>
 
        </programlisting>
        
 </description>
+<related>min domain uid</related>
 </samba:parameter>
index 9c725402758ad896e06ad6672277638fa3ae11be..a26dabb9fcae89bed3bf4d437c1e3ac67602c250 100644 (file)
@@ -2995,6 +2995,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
                                  "server smb3 encryption algorithms",
                                  DEFAULT_SMB3_ENCRYPTION_ALGORITHMS);
 
+       lpcfg_do_global_parameter(lp_ctx,
+                                 "min domain uid",
+                                 "1000");
+
        for (i = 0; parm_table[i].label; i++) {
                if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
                        lp_ctx->flags[i] |= FLAG_DEFAULT;
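Review bot: The default 1000 is now spelled in three independent places — `"1000"` here, `Globals.min_domain_uid = 1000;` in the source3/param/loadparm.c hunk, and `<value type="default">1000</value>` in mindomainuid.xml — so a later change to one copy silently desynchronises the others. The two lines above already take their default from `DEFAULT_SMB3_ENCRYPTION_ALGORITHMS`, which both loadparm.c hunks reference, so the header that defines it looks like the natural home for a single named default (the source3 side using it as an integer, this side as its string form). A short comment on the new parameter saying why the floor matters — uids below it are typically the system and service accounts that must never become reachable through a domain mapping — would help whoever later tunes it together with the idmap ranges. loadparm_init continues on both sides of this hunk, and init_globals begins before the source3 hunk.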
index f35db213c14cc7544133a411de49f1441e295d8d..fd1f7b92610791649fd0b1b12f5ccdd6200d9fcc 100644 (file)
@@ -977,6 +977,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        Globals.server_smb3_encryption_algorithms =
                str_list_make_v3_const(NULL, DEFAULT_SMB3_ENCRYPTION_ALGORITHMS, NULL);
 
+       Globals.min_domain_uid = 1000;
+
        /* Now put back the settings that were set with lp_set_cmdline() */
        apply_lp_set_cmdline();
 }