Stefan Metzmacher [Fri, 30 Jun 2023 16:25:32 +0000 (18:25 +0200)]
Revert "HACK auth/credentials/credentials_ntlm.c break anonymous session_key"
This reverts commit
72c616b75c51c74fdfbb0cfa2c780871734be623.
Stefan Metzmacher [Fri, 30 Jun 2023 16:25:13 +0000 (18:25 +0200)]
HACK auth/credentials/credentials_ntlm.c break anonymous session_key
Stefan Metzmacher [Fri, 30 Jun 2023 16:24:37 +0000 (18:24 +0200)]
HACK smbclient anonymous signing and encryption
Stefan Metzmacher [Mon, 3 Jul 2023 13:14:38 +0000 (15:14 +0200)]
s3:utils: let smbstatus report anonymous signing/encryption explicitly
We should mark sessions/tcons with anonymous encryption or signing
in a special way, as the value of it is void, all based on a
session key with 16 zero bytes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 3 Jul 2023 13:12:38 +0000 (15:12 +0200)]
s3:utils: let smbstatus also report partial tcon signing/encryption
We already do that for sessions and also for the json output,
but it was missing in the non-json output for tcons.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 3 Jul 2023 13:10:08 +0000 (15:10 +0200)]
s3:utils: let connections_forall_read() report if the session was authenticated
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 3 Jul 2023 13:08:31 +0000 (15:08 +0200)]
s3:lib: let sessionid_traverse_read() report if the session was authenticated
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 3 Jul 2023 13:05:59 +0000 (15:05 +0200)]
s3:utils: remove unused signing_flags in connections_forall()
We never use the signing flags from the session, as the tcon
has its own signing flags.
https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 30 Jun 2023 16:05:51 +0000 (18:05 +0200)]
s3:smbd: allow anonymous encryption after one authenticated session setup
I have captures where a client tries smb3 encryption on an anonymous session,
we used to allow that before commit
da7dcc443f45d07d9963df9daae458fbdd991a47
was released with samba-4.15.0rc1.
Testing against Windows Server 2022 revealed that anonymous signing is always
allowed (with the session key derived from 16 zero bytes) and
anonymous encryption is allowed after one authenticated session setup on
the tcp connection.
https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Christof Schmitt [Wed, 31 May 2023 18:13:51 +0000 (11:13 -0700)]
vfs_gpfs: Register smbd process with GPFS
Issue API call to tell the file system that this is a Samba process.
This fixed the GPFS handling of Samba since the rename of smbd processes
in commit
5955dc1e4fd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15381
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
3b72136f6782d9704a197ab7b17201df6ff4d60d)
Christof Schmitt [Wed, 24 May 2023 21:06:36 +0000 (14:06 -0700)]
gpfswrap: Add wrapper for gpfs_register_cifs_export
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15381
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
34b9c54ff2f089dbffe65bdc69f3024b5d3efd5c)
Stefan Metzmacher [Thu, 27 Oct 2022 12:32:27 +0000 (14:32 +0200)]
testprogs/blackbox: add 'net ads keytab delete' tests to test_net_ads.sh
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 27 Oct 2022 12:31:42 +0000 (14:31 +0200)]
testprogs/blackbox: fix prinicple => principal in test_net_ads.sh
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 27 Oct 2022 12:30:48 +0000 (14:30 +0200)]
testprogs/blackbox: let test_net_ads.sh consistently use the tmp WORKDIR
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 27 Oct 2022 12:29:17 +0000 (14:29 +0200)]
Revert "TODO testprogs/blackbox/test_net_ads.sh"
This reverts commit
de6ed6816c7104956fd9eb246911e2d444f72ce5.
Stefan Metzmacher [Thu, 27 Oct 2022 12:29:17 +0000 (14:29 +0200)]
Revert "remove debugging testprogs/blackbox/test_net_ads.sh"
This reverts commit
7580527fac0f66240f7a9b672f1e5968bfad4a0c.
Stefan Metzmacher [Thu, 27 Oct 2022 12:28:55 +0000 (14:28 +0200)]
remove debugging testprogs/blackbox/test_net_ads.sh
Stefan Metzmacher [Thu, 27 Oct 2022 12:03:42 +0000 (14:03 +0200)]
TODO testprogs/blackbox/test_net_ads.sh
Stefan Metzmacher [Mon, 10 Oct 2022 14:48:57 +0000 (16:48 +0200)]
HACK selftest/target/Samba3.pm ad_member only ad_dc
Stefan Metzmacher [Thu, 27 Oct 2022 12:03:42 +0000 (14:03 +0200)]
s3:util: add 'net ads keytab delete'
Stefan Metzmacher [Thu, 27 Oct 2022 12:03:42 +0000 (14:03 +0200)]
s3:libads: add ads_keytab_delete_entry()
Stefan Metzmacher [Thu, 27 Oct 2022 12:03:42 +0000 (14:03 +0200)]
lib/krb5_warp: add explicit keep_old_kvno/enctype_only args to smb_krb5_kt_seek_and_delete_old_entries()
Stefan Metzmacher [Thu, 27 Oct 2022 12:03:42 +0000 (14:03 +0200)]
s3:libads: ads_keytab_flush() doesn't need a valid kvno
Stefan Metzmacher [Thu, 27 Oct 2022 12:03:42 +0000 (14:03 +0200)]
document the enctype argument of smb_krb5_kt_seek_and_delete_old_entries()
Stefan Metzmacher [Thu, 27 Oct 2022 12:03:42 +0000 (14:03 +0200)]
lib/krb5_wrap: remove unused keep_old_entries argument from smb_krb5_kt_seek_and_delete_old_entries()
Stefan Metzmacher [Thu, 27 Oct 2022 12:03:42 +0000 (14:03 +0200)]
lib/krb5_wrap: remove unused keep_old_entries argument from smb_krb5_kt_add_entry()
Stefan Metzmacher [Wed, 17 May 2023 09:26:48 +0000 (11:26 +0200)]
testprogs/blackbox: add --recursive tests to test_samba-tool_ntacl.sh
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 22 00:22:47 UTC 2023 on atb-devel-224
(cherry picked from commit
91eb3f1d2236ad88eb3cf6ad036ae16ea2eac6b8)
Stefan Metzmacher [Wed, 17 May 2023 09:26:48 +0000 (11:26 +0200)]
testprogs/blackbox: move 'ntacl get' out of test_changedomsid() in test_samba-tool_ntacl.sh
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
11741791cc6ae339efd71b122ea9313b710bf1ac)
[metze@samba.org: using $new_acl for 4.17]
Stefan Metzmacher [Wed, 17 May 2023 09:26:48 +0000 (11:26 +0200)]
testprogs/blackbox: pass $CONFIGURATION to test_samba-tool_ntacl.sh
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
619f097b7d4c0fa4614ab12042292c1e9a8fe234)
[metze@samba.org: backported to 4.17 with just an new CONFIGURATION variable]
Stefan Metzmacher [Tue, 2 May 2023 14:18:51 +0000 (16:18 +0200)]
samba-tool/ntacl: implement set --recursive
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
16b9b508af4432abe5717da129b1be921c0227c6)
Stefan Metzmacher [Tue, 2 May 2023 14:18:26 +0000 (16:18 +0200)]
samba-tool/ntacl: add set --verbose and print out the file/directory name
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
27b29cfa766099252b417da06599aee585a228bc)
Stefan Metzmacher [Tue, 2 May 2023 14:18:26 +0000 (16:18 +0200)]
samba-tool/ntacl: don't announce -q,--quiet in --help as it's not used at all
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
6327fd9cdbaf3dad4b09ce291de1f42259e11d2b)
Stefan Metzmacher [Tue, 16 May 2023 11:57:51 +0000 (13:57 +0200)]
samba-tool/ntacl: let changedomsid ignore symlinks
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
4ca5b78f5b7c35e6276d92f7948334dad7a59456)
Andreas Schneider [Fri, 22 Apr 2022 13:46:05 +0000 (15:46 +0200)]
testprogs: Reformat test_samba-tool_ntacl.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/test_samba-tool_ntacl.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
(cherry picked from commit
eff28db8d6ae68f93a2a1ea0522ec4ac466b06a8)
Jule Anger [Tue, 10 Oct 2023 15:13:29 +0000 (17:13 +0200)]
VERSION: Bump version up to Samba 4.17.13...
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Tue, 10 Oct 2023 15:08:22 +0000 (17:08 +0200)]
Merge branch 'v4-17-stable' into v4-17-test
Jule Anger [Tue, 10 Oct 2023 14:54:15 +0000 (16:54 +0200)]
Merge tag 'samba-4.17.12' into v4-17-stable
samba: tag release samba-4.17.12
Jule Anger [Tue, 10 Oct 2023 08:42:49 +0000 (10:42 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.17.12 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Tue, 10 Oct 2023 08:41:53 +0000 (10:41 +0200)]
WHATSNEW: Add release notes for Samba 4.17.12.
Signed-off-by: Jule Anger <janger@samba.org>
Andrew Bartlett [Tue, 12 Sep 2023 04:23:49 +0000 (16:23 +1200)]
CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
We now have ensured that no conflicting services attempt to start
so we do not need the runtime lookup and so avoid the risk that
the lookup may fail.
This means that any duplicates will be noticed early not just
in a race condition.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 12 Sep 2023 00:28:49 +0000 (12:28 +1200)]
CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC
Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.
Most critically of course this applies to netlogon, lsa and samr.
This avoids the supression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 12 Sep 2023 07:01:03 +0000 (19:01 +1200)]
CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
The rpcecho server in source3 does have samba the sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact. Hoever equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 12 Sep 2023 06:59:44 +0000 (18:59 +1200)]
CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 8 Aug 2023 05:58:27 +0000 (17:58 +1200)]
CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.
Having a second access control system withing the LDAP stack is unsafe
and this layer is incomplete.
The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access. Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).
Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.
The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 22 Aug 2023 03:08:17 +0000 (15:08 +1200)]
CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 8 Aug 2023 02:30:19 +0000 (14:30 +1200)]
CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication. Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 7 Aug 2023 23:18:46 +0000 (11:18 +1200)]
CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once
When we (expect to) get back a result, do not waste time against a potentially
slow server confirming we also get back results for all the other attribute
combinations.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Sun, 6 Aug 2023 23:56:56 +0000 (11:56 +1200)]
CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 7 Aug 2023 02:44:28 +0000 (14:44 +1200)]
CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start
Rather than fail, if the last run failed to reset things, just force
the DC into the required state.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 7 Aug 2023 01:15:40 +0000 (13:15 +1200)]
CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
Thie helps ensure this test is reliable even in spite of errors while
running.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Sun, 6 Aug 2023 23:55:55 +0000 (11:55 +1200)]
CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.
We rename tests that would otherwise have duplicate names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 16 Mar 2023 09:03:44 +0000 (10:03 +0100)]
CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
2c02378029fff6636b8f19e45af78b265f2210ed)
Stefan Metzmacher [Thu, 16 Mar 2023 09:00:11 +0000 (10:00 +0100)]
CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position
Often it is important to insert an ace at a specific position in the
ACL. As a default we still append by default by using -1, which is the
generic version of passing the number of existing aces.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
c3cb915a67aff6739b72b86d7d139609df309ada)
Stefan Metzmacher [Thu, 16 Mar 2023 08:57:43 +0000 (09:57 +0100)]
CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
9d8ff0d1e0b2ba7c84af36e1931f5bc99902a44b)
Stefan Metzmacher [Fri, 17 Mar 2023 13:08:34 +0000 (14:08 +0100)]
CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper
This uses ndr_pack/unpack in order to create a deep copy
of the given object.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
4627997ddae44265ad35b3234232eb74458c6c34)
Stefan Metzmacher [Thu, 16 Mar 2023 09:11:05 +0000 (10:11 +0100)]
CVE-2023-4154 py_security: allow idx argument to descriptor.[s|d]acl_add()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
9ea06aaf9f57e3c7094553d9ac40fb73057a9b74)
Stefan Metzmacher [Thu, 16 Mar 2023 17:03:10 +0000 (18:03 +0100)]
CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers
They better represent what they are doing, we keep dacl_add_ace()
as wrapper of dacl_prepend_aces() in order to let existing callers
work as before.
In future it would be good to have a dacl_insert_aces() that
would canonicalize the ace order before storing, but that a task
for another day.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
a1109a9bf12e020636b8d66fc54984aac58bfe6b)
Stefan Metzmacher [Fri, 10 Mar 2023 17:25:18 +0000 (18:25 +0100)]
CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper
This is a more generic api that can be re-used in other places
as well in future. It operates on a security descriptor object instead of
SDDL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
8411e6d302e25d10f1035ebbdcbde7308566e930)
Joseph Sutton [Tue, 14 Feb 2023 04:19:27 +0000 (17:19 +1300)]
CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG
It's no longer used anywhere.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8b4e6f7b3fb8018cb64deef9b8e1cbc2e5ba12cf)
Andreas Schneider [Wed, 2 Aug 2023 08:44:32 +0000 (10:44 +0200)]
CVE-2023-4154 s4:dsdb:tests: Fix code spelling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit
b29793ffdee5d9b9c1c05830622e80f7faec7670)
Joseph Sutton [Thu, 26 Jan 2023 18:43:40 +0000 (07:43 +1300)]
CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test
Use more specific unittest methods, and remove unused code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
2e5d08c908b3fa48b9b374279a331061cb77bce3)
Andrew Bartlett [Wed, 1 Mar 2023 01:49:06 +0000 (14:49 +1300)]
CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL
The confidential_attrs test no longer uses DC_MODE_RETURN_NONE we can now
remove the complexity.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit
82d2ec786f7e75ff6f34eb3357964345b10de091)
Christian Merten [Mon, 19 Sep 2022 21:01:34 +0000 (23:01 +0200)]
CVE-2023-4154 librpc ndr/py_security: Export ACE deletion functions to python
Exported security_descriptor_sacl_del and security_descriptor_dacl_del as new methods of the
security descriptor class to python.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Christian Merten <christian@merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
84a54d2fa2b1590fdb4e2ea986ded9c39a82cf78)
Christian Merten [Mon, 19 Sep 2022 20:47:10 +0000 (22:47 +0200)]
CVE-2023-4154 libcli security_descriptor: Add function to delete a given ace from a security descriptor
Two functions have been added to delete a given ace from the SACL or the DACL of a security descriptor.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Christian Merten <christian@merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
7efe673fbdcd27ddd23f36281c5f5338681a68fe)
Ralph Boehme [Tue, 1 Aug 2023 11:04:36 +0000 (13:04 +0200)]
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Tue, 1 Aug 2023 10:30:00 +0000 (12:30 +0200)]
CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Wed, 26 Jul 2023 00:54:41 +0000 (17:54 -0700)]
CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.
We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).
Remove knowfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Wed, 26 Jul 2023 00:49:21 +0000 (17:49 -0700)]
CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.
The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.
Add the knownfail.
BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra@samba.org>
[abartlet@samba.org backported to Samba 4.17 due to conflicts from
context of other new torture tests missing in this version and
changes in smb2cli_create() arguments]
Jeremy Allison [Wed, 26 Jul 2023 00:41:04 +0000 (17:41 -0700)]
CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra@samba.org>
Jule Anger [Thu, 7 Sep 2023 08:54:42 +0000 (10:54 +0200)]
VERSION: Bump version up to Samba 4.17.12...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
(cherry picked from commit
b0b25f067ba3a6ef0e1e76ea7d18a67c0d5b6edd)
Andrew Bartlett [Tue, 12 Sep 2023 04:23:49 +0000 (16:23 +1200)]
CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
We now have ensured that no conflicting services attempt to start
so we do not need the runtime lookup and so avoid the risk that
the lookup may fail.
This means that any duplicates will be noticed early not just
in a race condition.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 12 Sep 2023 00:28:49 +0000 (12:28 +1200)]
CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC
Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.
Most critically of course this applies to netlogon, lsa and samr.
This avoids the supression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 12 Sep 2023 07:01:03 +0000 (19:01 +1200)]
CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
The rpcecho server in source3 does have samba the sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact. Hoever equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 12 Sep 2023 06:59:44 +0000 (18:59 +1200)]
CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 8 Aug 2023 05:58:27 +0000 (17:58 +1200)]
CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.
Having a second access control system withing the LDAP stack is unsafe
and this layer is incomplete.
The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access. Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).
Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.
The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 22 Aug 2023 03:08:17 +0000 (15:08 +1200)]
CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 8 Aug 2023 02:30:19 +0000 (14:30 +1200)]
CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication. Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 7 Aug 2023 23:18:46 +0000 (11:18 +1200)]
CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once
When we (expect to) get back a result, do not waste time against a potentially
slow server confirming we also get back results for all the other attribute
combinations.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Sun, 6 Aug 2023 23:56:56 +0000 (11:56 +1200)]
CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 7 Aug 2023 02:44:28 +0000 (14:44 +1200)]
CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start
Rather than fail, if the last run failed to reset things, just force
the DC into the required state.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 7 Aug 2023 01:15:40 +0000 (13:15 +1200)]
CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
Thie helps ensure this test is reliable even in spite of errors while
running.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Sun, 6 Aug 2023 23:55:55 +0000 (11:55 +1200)]
CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.
We rename tests that would otherwise have duplicate names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 16 Mar 2023 09:03:44 +0000 (10:03 +0100)]
CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
2c02378029fff6636b8f19e45af78b265f2210ed)
Stefan Metzmacher [Thu, 16 Mar 2023 09:00:11 +0000 (10:00 +0100)]
CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position
Often it is important to insert an ace at a specific position in the
ACL. As a default we still append by default by using -1, which is the
generic version of passing the number of existing aces.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
c3cb915a67aff6739b72b86d7d139609df309ada)
Stefan Metzmacher [Thu, 16 Mar 2023 08:57:43 +0000 (09:57 +0100)]
CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
9d8ff0d1e0b2ba7c84af36e1931f5bc99902a44b)
Stefan Metzmacher [Fri, 17 Mar 2023 13:08:34 +0000 (14:08 +0100)]
CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper
This uses ndr_pack/unpack in order to create a deep copy
of the given object.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
4627997ddae44265ad35b3234232eb74458c6c34)
Stefan Metzmacher [Thu, 16 Mar 2023 09:11:05 +0000 (10:11 +0100)]
CVE-2023-4154 py_security: allow idx argument to descriptor.[s|d]acl_add()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
9ea06aaf9f57e3c7094553d9ac40fb73057a9b74)
Stefan Metzmacher [Thu, 16 Mar 2023 17:03:10 +0000 (18:03 +0100)]
CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers
They better represent what they are doing, we keep dacl_add_ace()
as wrapper of dacl_prepend_aces() in order to let existing callers
work as before.
In future it would be good to have a dacl_insert_aces() that
would canonicalize the ace order before storing, but that a task
for another day.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
a1109a9bf12e020636b8d66fc54984aac58bfe6b)
Stefan Metzmacher [Fri, 10 Mar 2023 17:25:18 +0000 (18:25 +0100)]
CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper
This is a more generic api that can be re-used in other places
as well in future. It operates on a security descriptor object instead of
SDDL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
8411e6d302e25d10f1035ebbdcbde7308566e930)
Joseph Sutton [Tue, 14 Feb 2023 04:19:27 +0000 (17:19 +1300)]
CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG
It's no longer used anywhere.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8b4e6f7b3fb8018cb64deef9b8e1cbc2e5ba12cf)
Andreas Schneider [Wed, 2 Aug 2023 08:44:32 +0000 (10:44 +0200)]
CVE-2023-4154 s4:dsdb:tests: Fix code spelling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit
b29793ffdee5d9b9c1c05830622e80f7faec7670)
Joseph Sutton [Thu, 26 Jan 2023 18:43:40 +0000 (07:43 +1300)]
CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test
Use more specific unittest methods, and remove unused code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
2e5d08c908b3fa48b9b374279a331061cb77bce3)
Andrew Bartlett [Wed, 1 Mar 2023 01:49:06 +0000 (14:49 +1300)]
CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL
The confidential_attrs test no longer uses DC_MODE_RETURN_NONE we can now
remove the complexity.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit
82d2ec786f7e75ff6f34eb3357964345b10de091)
Christian Merten [Mon, 19 Sep 2022 21:01:34 +0000 (23:01 +0200)]
CVE-2023-4154 librpc ndr/py_security: Export ACE deletion functions to python
Exported security_descriptor_sacl_del and security_descriptor_dacl_del as new methods of the
security descriptor class to python.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Christian Merten <christian@merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
84a54d2fa2b1590fdb4e2ea986ded9c39a82cf78)
Christian Merten [Mon, 19 Sep 2022 20:47:10 +0000 (22:47 +0200)]
CVE-2023-4154 libcli security_descriptor: Add function to delete a given ace from a security descriptor
Two functions have been added to delete a given ace from the SACL or the DACL of a security descriptor.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Christian Merten <christian@merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
7efe673fbdcd27ddd23f36281c5f5338681a68fe)
Ralph Boehme [Tue, 1 Aug 2023 11:04:36 +0000 (13:04 +0200)]
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Tue, 1 Aug 2023 10:30:00 +0000 (12:30 +0200)]
CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Wed, 26 Jul 2023 00:54:41 +0000 (17:54 -0700)]
CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.
We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).
Remove knowfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Wed, 26 Jul 2023 00:49:21 +0000 (17:49 -0700)]
CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.
The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.
Add the knownfail.
BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra@samba.org>
[abartlet@samba.org backported to Samba 4.17 due to conflicts from
context of other new torture tests missing in this version and
changes in smb2cli_create() arguments]
Jeremy Allison [Wed, 26 Jul 2023 00:41:04 +0000 (17:41 -0700)]
CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra@samba.org>