rpms/samba
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import samba-4.16.4-6.el8_7

Browse Source
This commit is contained in:
CentOS Sources 2023-04-04 08:52:15 +00:00 committed by Stepan Oksanichenko
parent af57ae664d
commit 122824123f
2 changed files with 132 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
SOURCES/samba-4.16-share-enum.patch Normal file
View File

@ -0,0 +1,59 @@
From 5c8e34cae96ee65d34da61801a0f04c562006369 Mon Sep 17 00:00:00 2001
From: Andrew <awalker@ixsystems.com>
Date: Fri, 16 Dec 2022 08:16:10 -0800
Subject: [PATCH] rpc_server:srvsvc - retrieve share ACL via root context
share_info.tdb has permissions of 0o600 and so we need
to become_root() prior to retrieving the security info.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15265
Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Dec 19 20:41:15 UTC 2022 on sn-devel-184
(cherry picked from commit 80c0b416892bfacc0d919fe032461748d7962f05)
---
source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
index 233718ff310..fbc617c3ac1 100644
--- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
@@ -540,6 +540,7 @@ static bool is_hidden_share(int snum)
static bool is_enumeration_allowed(struct pipes_struct *p,
int snum)
{
+ bool allowed;
struct dcesrv_call_state *dce_call = p->dce_call;
struct auth_session_info *session_info =
dcesrv_call_session_info(dce_call);
@@ -556,9 +557,19 @@ static bool is_enumeration_allowed(struct pipes_struct *p,
return false;
}
- return share_access_check(session_info->security_token,
- lp_servicename(talloc_tos(), lp_sub, snum),
- FILE_READ_DATA, NULL);
+
+ /*
+ * share_access_check() must be opened as root
+ * because it ultimately gets a R/W db handle on share_info.tdb
+ * which has 0o600 permissions
+ */
+ become_root();
+ allowed = share_access_check(session_info->security_token,
+ lp_servicename(talloc_tos(), lp_sub, snum),
+ FILE_READ_DATA, NULL);
+ unbecome_root();
+
+ return allowed;
}
/****************************************************************************
--
2.34.1

145
SPECS/samba.spec
View File

@ -134,7 +134,7 @@
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
%global baserelease 4
%global baserelease 6
%global samba_version 4.16.4
%global talloc_version 2.3.3
@ -209,6 +209,7 @@ Patch0: samba-s4u.patch
Patch1: samba-4.16-waf-crypto.patch
Patch2: CVE-2022-38023-v4-16.patch
Patch3: CVE-2022-38023-for-s3-v4-16.patch
Patch4: samba-4.16-share-enum.patch
Requires(pre): /usr/sbin/groupadd
Requires(post): systemd
@ -221,6 +222,7 @@ Requires: %{name}-common-libs = %{samba_depver}
Requires: %{name}-common-tools = %{samba_depver}
Requires: %{name}-client-libs = %{samba_depver}
Requires: %{name}-libs = %{samba_depver}
Requires: %{name}-dcerpc = %{samba_depver}
%if %{with libwbclient}
Requires(post): libwbclient = %{samba_depver}
Requires: libwbclient = %{samba_depver}
@ -490,7 +492,7 @@ SMB/CIFS clients.
### COMMON-TOOLS
%package common-tools
Summary: Tools for Samba servers and clients
Summary: Tools for Samba clients
Requires: samba-common-libs = %{samba_depver}
Requires: samba-client-libs = %{samba_depver}
Requires: samba-libs = %{samba_depver}
@ -498,22 +500,41 @@ Requires: samba-libs = %{samba_depver}
Requires: libwbclient = %{samba_depver}
%endif
Provides: bundled(libreplace)
%description common-tools
The samba-common-tools package contains tools for SMB/CIFS clients.
### SAMBA-TOOLS
%package tools
Summary: Tools for Samba servers
# samba-tool needs python3-samba
Requires: python3-%{name} = %{samba_depver}
# samba-tool needs tdbbackup
Requires: tdb-tools
%if %{with dc}
# samba-tool needs python3-samba-dc on a full build
# samba-tool needs python3-samba-dc also on non-dc build
Requires: python3-%{name}-dc = %{samba_depver}
%if %{with dc}
# samba-tool needs mdb_copy for domain backup or upgrade provision
Requires: lmdb
%endif
Provides: bundled(libreplace)
%description tools
The samba-tools package contains tools for Samba servers
and for GPO management on domain members.
%description common-tools
The samba-common-tools package contains tools for Samba servers and
SMB/CIFS clients.
### RPC
%package dcerpc
Summary: DCE RPC binaries
Requires: samba-common-libs = %{samba_depver}
Requires: samba-client-libs = %{samba_depver}
Requires: samba-libs = %{samba_depver}
%if %{with libwbclient}
Requires: libwbclient = %{samba_depver}
%endif
%description dcerpc
The samba-dcerpc package contains binaries that serve DCERPC over named pipes.
### DC
%if %{with dc} || %{with testsuite}
@ -559,6 +580,9 @@ BuildArch: noarch
%description dc-provision
The samba-dc-provision package provides files to setup a domain controller
#endif with dc || with testsuite
%endif
### DC-LIBS
%package dc-libs
Summary: Samba AD Domain Controller Libraries
@ -575,6 +599,7 @@ Provides: bundled(libreplace)
The %{name}-dc-libs package contains the libraries needed by the DC to
link against the SMB, RPC and other protocols.
%if %{with dc} || %{with testsuite}
### DC-BIND
%package dc-bind-dlz
Summary: Bind DLZ module for Samba AD
@ -751,9 +776,7 @@ Summary: Samba Python3 libraries
Requires: %{name}-client-libs = %{samba_depver}
Requires: %{name}-common-libs = %{samba_depver}
Requires: %{name}-libs = %{samba_depver}
%if %{with dc}
Requires: %{name}-dc-libs = %{samba_depver}
%endif
Requires: python3-talloc
Requires: python3-tevent
Requires: python3-tdb
@ -789,7 +812,6 @@ Requires: %{name}-libs = %{samba_depver}
The python3-%{name}-test package contains the Python libraries used by the test suite of Samba.
If you want to run full set of Samba tests, you need to install this package.
%if %{with dc} || %{with testsuite}
%package -n python3-samba-dc
Summary: Samba Python libraries for Samba AD
Requires: %{name}-client-libs = %{samba_depver}
@ -799,7 +821,6 @@ Requires: python3-%{name} = %{samba_depver}
%description -n python3-samba-dc
The python3-%{name}-dc package contains the Python libraries needed by programs
to manage Samba AD.
%endif
### PIDL
%package pidl
@ -881,11 +902,13 @@ Requires(post): %{name}-client-libs = %{samba_depver}
Requires: %{name}-libs = %{samba_depver}
Requires(post): %{name}-libs = %{samba_depver}
Requires: %{name}-winbind-modules = %{samba_depver}
Recommends: %{name}-tools = %{samba_depver}
%if %{with libwbclient}
Requires(post): libwbclient = %{samba_depver}
Requires: libwbclient = %{samba_depver}
%endif
Requires: %{name}-dcerpc = %{samba_depver}
Provides: samba4-winbind = %{samba_depver}
Obsoletes: samba4-winbind < %{samba_depver}
@ -987,6 +1010,7 @@ Summary: A Clustered Database based on Samba's Trivial Database (TDB)
Requires: %{name}-common-libs = %{samba_depver}
Requires: %{name}-client-libs = %{samba_depver}
Requires: %{name}-winbind-clients = %{samba_depver}
Requires: coreutils
# for ps and killall
@ -1292,62 +1316,18 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
%if %{without dc} && %{without testsuite}
for i in \
%{_libdir}/samba/libdfs-server-ad-samba4.so \
%{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \
%{_libdir}/samba/libscavenge-dns-records-samba4.so \
%{_mandir}/man8/samba.8 \
%{_mandir}/man8/samba_downgrade_db.8 \
%{_mandir}/man8/samba-gpupdate.8 \
%{_libdir}/samba/ldb/ildap.so \
%{_libdir}/samba/ldb/ldbsamba_extensions.so \
%{_unitdir}/samba.service \
%{python3_sitearch}/samba/dcerpc/dnsserver.*.so \
%{python3_sitearch}/samba/dnsserver.py \
%{python3_sitearch}/samba/domain_update.py \
%{python3_sitearch}/samba/forest_update.py \
%{python3_sitearch}/samba/kcc/__init__.py \
%{python3_sitearch}/samba/kcc/debug.py \
%{python3_sitearch}/samba/kcc/graph.py \
%{python3_sitearch}/samba/kcc/graph_utils.py \
%{python3_sitearch}/samba/kcc/kcc_utils.py \
%{python3_sitearch}/samba/kcc/ldif_import_export.py \
%{python3_sitearch}/samba/kcc/__pycache__/__init__.*.pyc \
%{python3_sitearch}/samba/kcc/__pycache__/debug.*.pyc \
%{python3_sitearch}/samba/kcc/__pycache__/graph.*.pyc \
%{python3_sitearch}/samba/kcc/__pycache__/graph_utils.*.pyc \
%{python3_sitearch}/samba/kcc/__pycache__/kcc_utils.*.pyc \
%{python3_sitearch}/samba/kcc/__pycache__/ldif_import_export.*.pyc \
%{python3_sitearch}/samba/ms_forest_updates_markdown.py \
%{python3_sitearch}/samba/ms_schema_markdown.py \
%{python3_sitearch}/samba/provision/__init__.py \
%{python3_sitearch}/samba/provision/backend.py \
%{python3_sitearch}/samba/provision/common.py \
%{python3_sitearch}/samba/provision/kerberos_implementation.py \
%{python3_sitearch}/samba/provision/kerberos.py \
%{python3_sitearch}/samba/provision/sambadns.py \
%{python3_sitearch}/samba/provision/__pycache__/__init__.*.pyc \
%{python3_sitearch}/samba/provision/__pycache__/backend.*.pyc \
%{python3_sitearch}/samba/provision/__pycache__/common.*.pyc \
%{python3_sitearch}/samba/provision/__pycache__/kerberos_implementation.*.pyc \
%{python3_sitearch}/samba/provision/__pycache__/kerberos.*.pyc \
%{python3_sitearch}/samba/provision/__pycache__/sambadns.*.pyc \
%{python3_sitearch}/samba/__pycache__/domain_update.*.pyc \
%{python3_sitearch}/samba/__pycache__/forest_update.*.pyc \
%{python3_sitearch}/samba/__pycache__/ms_forest_updates_markdown.*.pyc \
%{python3_sitearch}/samba/__pycache__/ms_schema_markdown.*.pyc \
%{python3_sitearch}/samba/__pycache__/remove_dc.*.pyc \
%{python3_sitearch}/samba/__pycache__/schema.*.pyc \
%{python3_sitearch}/samba/__pycache__/uptodateness.*.pyc \
%{python3_sitearch}/samba/remove_dc.py \
%{python3_sitearch}/samba/samdb.py \
%{python3_sitearch}/samba/schema.py \
%{python3_sitearch}/samba/third_party/iso8601/__init__.py \
%{python3_sitearch}/samba/third_party/iso8601/__pycache__/__init__.*.pyc \
%{python3_sitearch}/samba/third_party/iso8601/__pycache__/iso8601.*.pyc \
%{python3_sitearch}/samba/third_party/iso8601/__pycache__/test_iso8601.*.pyc \
%{python3_sitearch}/samba/third_party/iso8601/iso8601.py \
%{python3_sitearch}/samba/third_party/iso8601/test_iso8601.py \
%{python3_sitearch}/samba/uptodateness.py \
%{_sbindir}/samba-gpupdate \
; do
rm -f %{buildroot}$i
@ -1649,15 +1629,6 @@ fi
%dir %{_libexecdir}/samba
%{_libexecdir}/samba/samba-bgqd
%{_libexecdir}/samba/samba-dcerpcd
%{_libexecdir}/samba/rpcd_classic
%{_libexecdir}/samba/rpcd_epmapper
%{_libexecdir}/samba/rpcd_fsrvp
%{_libexecdir}/samba/rpcd_lsad
%{_libexecdir}/samba/rpcd_mdssvc
%{_libexecdir}/samba/rpcd_rpcecho
%{_libexecdir}/samba/rpcd_spoolss
%{_libexecdir}/samba/rpcd_winreg
%dir %{_datadir}/samba
%dir %{_datadir}/samba/mdssvc
@ -1671,7 +1642,6 @@ fi
%{_mandir}/man1/smbstatus.1*
%{_mandir}/man8/eventlogadm.8*
%{_mandir}/man8/samba-bgqd.8*
%{_mandir}/man8/samba-dcerpcd.8*
%{_mandir}/man8/smbd.8*
%{_mandir}/man8/nmbd.8*
%{_mandir}/man8/vfs_acl_tdb.8*
@ -1962,11 +1932,11 @@ fi
%{_libdir}/samba/pdb/smbpasswd.so
%{_libdir}/samba/pdb/tdbsam.so
### COMMON-TOOLS
%files common-tools
%{_bindir}/net
%{_bindir}/pdbedit
%{_bindir}/profiles
%{_bindir}/samba-tool
%{_bindir}/smbcontrol
%{_bindir}/smbpasswd
%{_bindir}/testparm
@ -1975,9 +1945,27 @@ fi
%{_mandir}/man1/testparm.1*
%{_mandir}/man8/net.8*
%{_mandir}/man8/pdbedit.8*
%{_mandir}/man8/samba-tool.8*
%{_mandir}/man8/smbpasswd.8*
### TOOLS
%files tools
%{_bindir}/samba-tool
%{_mandir}/man8/samba-tool.8*
### RPC
%files dcerpc
%dir %{_libexecdir}/samba
%{_libexecdir}/samba/samba-dcerpcd
%{_libexecdir}/samba/rpcd_classic
%{_libexecdir}/samba/rpcd_epmapper
%{_libexecdir}/samba/rpcd_fsrvp
%{_libexecdir}/samba/rpcd_lsad
%{_libexecdir}/samba/rpcd_mdssvc
%{_libexecdir}/samba/rpcd_rpcecho
%{_libexecdir}/samba/rpcd_spoolss
%{_libexecdir}/samba/rpcd_winreg
%{_mandir}/man8/samba-dcerpcd.8*
### DC
%if %{with dc} || %{with testsuite}
%files dc
@ -1993,7 +1981,6 @@ fi
%{_libdir}/krb5/plugins/kdb/samba.so
%{_libdir}/samba/auth/samba4.so
%{_libdir}/samba/libpac-samba4.so
%dir %{_libdir}/samba/gensec
%{_libdir}/samba/gensec/krb5.so
%{_libdir}/samba/ldb/acl.so
@ -2058,9 +2045,15 @@ fi
%license source4/setup/ad-schema/licence.txt
%{_datadir}/samba/setup
#endif with dc || with testsuite
%endif
### DC-LIBS
%files dc-libs
%{_libdir}/samba/libauth4-samba4.so
%if %{with dc} || %{with testsuite}
%{_libdir}/samba/libdb-glue-samba4.so
%{_libdir}/samba/libpac-samba4.so
%{_libdir}/samba/libprocess-model-samba4.so
%{_libdir}/samba/libservice-samba4.so
@ -2270,7 +2263,6 @@ fi
%{_libdir}/libdcerpc-samr.so.*
%{_libdir}/samba/libLIBWBCLIENT-OLD-samba4.so
%{_libdir}/samba/libauth4-samba4.so
%{_libdir}/samba/libauth-unix-token-samba4.so
%{_libdir}/samba/libdcerpc-samba4.so
%{_libdir}/samba/libdnsserver-common-samba4.so
@ -2642,7 +2634,6 @@ fi
%{_libdir}/libsamba-policy.*.so
%{_libdir}/pkgconfig/samba-policy.*.pc
%if %{with dc} || %{with testsuite}
%files -n python3-%{name}-dc
%{python3_sitearch}/samba/samdb.py
%{python3_sitearch}/samba/schema.py
@ -2658,7 +2649,9 @@ fi
%{python3_sitearch}/samba/__pycache__/uptodateness.*.pyc
%{python3_sitearch}/samba/dcerpc/dnsserver.*.so
%if %{with dc} || %{with testsuite}
%{python3_sitearch}/samba/dckeytab.*.so
%endif
%{python3_sitearch}/samba/domain_update.py
%{python3_sitearch}/samba/forest_update.py
%{python3_sitearch}/samba/ms_forest_updates_markdown.py
@ -2699,7 +2692,6 @@ fi
%{python3_sitearch}/samba/remove_dc.py
%{python3_sitearch}/samba/uptodateness.py
%endif
%files -n python3-%{name}-test
%dir %{python3_sitearch}/samba/tests
@ -4165,6 +4157,15 @@ fi
%endif
%changelog
* Thu Feb 16 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.16.4-6
- resolves: rhbz#2170468 - Remove libnetapi dependency from dcerpc
* Thu Feb 16 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.16.4-5
- resolves: rhbz#2170394 - Fix share enum
- resolves: rhbz#2170467 - Add to package ctdb dependency for package samba-winbind-clients
- resolves: rhbz#2170468 - Add package dcerpc - fix winbind to retrieve user groups from AD
- resolves: rhbz#2170469 - Create package samba-tools
* Mon Jan 16 2023 Andreas Schneider <asn@redhat.com> - 4.16.4-4
- related: rhbz#2154369 - Add additional patch for CVE-2022-38023