CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default

author Andrew Bartlett <abartlet@samba.org>

Tue, 12 Sep 2023 06:59:44 +0000 (18:59 +1200)

committer Jule Anger <janger@samba.org>

Sun, 8 Oct 2023 20:06:47 +0000 (22:06 +0200)
author Andrew Bartlett <abartlet@samba.org>
Tue, 12 Sep 2023 06:59:44 +0000 (18:59 +1200)
committer Jule Anger <janger@samba.org>
Sun, 8 Oct 2023 20:06:47 +0000 (22:06 +0200)
diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml

index 8a217cc7f118359d96498a20b1c198b38ff9ba21..c6642b795fd6c8bf11ad4923e3a04aa452744319 100644 (file)
--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
@@ -6,6 +6,6 @@
         <para>Specifies which DCE/RPC endpoint servers should be run.</para>
  </description>
  
-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
+<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
  <value type="example">rpcecho</value>
  </samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c

index f70823fe36684e609e32df7cf8e30cbafa7896b4..664fae70c9b52067d883a55116e241f6b8d86e20 100644 (file)
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2732,7 +2732,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
         lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
         lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
  
-       lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+       lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
         lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
         lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
         /* the winbind method for domain controllers is for both RODC
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm

index 5cbc5ccf2b8931803937aed7616c763b0ffdc8f4..7033146f46a2cbe9e8f1b5dd27b622fac64757a6 100755 (executable)
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -782,7 +782,7 @@ sub provision_raw_step1($$)
         wins support = yes
         server role = $ctx->{server_role}
         server services = +echo $services
-        dcerpc endpoint servers = +winreg +srvsvc
+        dcerpc endpoint servers = +winreg +srvsvc +rpcecho
         notify:inotify = false
         ldb:nosync = true
         ldap server require strong auth = yes
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c

index 97d02037a897c2a4d456b76b391006a761c8fd6c..1f7b6d16a783da944aef4745617266654aa56dc6 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -883,7 +883,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
  
         Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
  
-       Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
+       Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
  
         Globals.tls_enabled = true;
         Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build

index 0e44a3c2baed8e78faeaabf35302ae9eb3e2fb30..31ec4f60c9a6e114c3eebfb6eb5ef899a45e2c08 100644 (file)
--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
@@ -33,7 +33,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho',
                   source='echo/rpc_echo.c',
                   subsystem='dcerpc_server',
                   init_function='dcerpc_server_rpcecho_init',
-                 deps='ndr-standard events'
+                 deps='ndr-standard events',
+                 enabled=bld.CONFIG_GET('ENABLE_SELFTEST')
                   )
author	Andrew Bartlett <abartlet@samba.org>
	Tue, 12 Sep 2023 06:59:44 +0000 (18:59 +1200)
committer	Jule Anger <janger@samba.org>
	Sun, 8 Oct 2023 20:06:47 +0000 (22:06 +0200)
docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml		patch \| blob \| history
lib/param/loadparm.c		patch \| blob \| history
selftest/target/Samba4.pm		patch \| blob \| history
source3/param/loadparm.c		patch \| blob \| history
source4/rpc_server/wscript_build		patch \| blob \| history