git.samba.org - samba.git/commit

author	Andrew Bartlett <abartlet@samba.org>
	Fri, 12 Nov 2021 03:10:31 +0000 (16:10 +1300)
committer	Jule Anger <janger@samba.org>
	Thu, 18 Nov 2021 07:39:38 +0000 (07:39 +0000)
commit	8ccb26c679ba0b909cbba654d00797f99580679f
tree	9979309d223960c2440b6dd9b69b3980a948167a	tree
parent	ff3798418e8a77492d50dfd32deed4f11f7ba7ce	commit \| diff

CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails

Before the CVE-2020-25717 fixes we had a fallback from
getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
unpredictable.

Now we do the fallback based on sid_to_uid() followed by
getpwuid() on the returned uid.

This obsoletes 'username map [script]' based workaround adviced
for CVE-2020-25717, when nss_winbindd is not used or
idmap_nss is actually used.

In future we may decide to prefer or only do the SID/UID based
lookup, but for now we want to keep this unchanged as much as possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[metze@samba.org moved the new logic into the fallback codepath only
in order to avoid behavior changes as much as possible]
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184

(cherry picked from commit 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e)

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Thu Nov 18 07:39:38 UTC 2021 on sn-devel-184

selftest/knownfail.d/idmap_nss_sid_mapping	[deleted file]	blob \| history
source3/auth/auth_util.c		diff \| blob \| history