The Samba-Bugzilla – Attachment 14728 Details for
Bug 13699
Harden home directory export for [homes] share
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for 4.8
eviluser.v4-8-test.patch (text/plain), 12.99 KB, created by
Andreas Schneider
on 2018-12-10 15:53:34 UTC
(
hide
)
Description:
patch for 4.8
Filename:
MIME Type:
Creator:
Andreas Schneider
Created:
2018-12-10 15:53:34 UTC
Size:
12.99 KB
patch
obsolete
>From 12032c8cb69eb4d89da6173d77a0e3e53dd189ad Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Thu, 15 Nov 2018 16:06:49 +0100 >Subject: [PATCH 1/4] selftest: Add gooduser and eviluser to Samba3 >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Ralph Böhme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 3b38dddff2c1d1b51aed96368b358f349682bea0) >--- > selftest/target/Samba3.pm | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index 3747a1e087e..6866afee77b 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -1634,8 +1634,10 @@ sub provision($$$$$$$$$) > my ($gid_force_user); > my ($uid_user1); > my ($uid_user2); >+ my ($uid_gooduser); >+ my ($uid_eviluser); > >- if ($unix_uid < 0xffff - 10) { >+ if ($unix_uid < 0xffff - 12) { > $max_uid = 0xffff; > } else { > $max_uid = $unix_uid; >@@ -1651,6 +1653,8 @@ sub provision($$$$$$$$$) > $uid_smbget = $max_uid - 8; > $uid_user1 = $max_uid - 9; > $uid_user2 = $max_uid - 10; >+ $uid_gooduser = $max_uid - 11; >+ $uid_eviluser = $max_uid - 12; > > if ($unix_gids[0] < 0xffff - 8) { > $max_gid = 0xffff; >@@ -2262,6 +2266,8 @@ force_user:x:$uid_force_user:$gid_force_user:force user gecos:$prefix_abs:/bin/f > smbget_user:x:$uid_smbget:$gid_domusers:smbget_user gecos:$prefix_abs:/bin/false > user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false > user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false >+gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false >+eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false > "; > if ($unix_uid != 0) { > print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false >@@ -2338,6 +2344,8 @@ force_user:x:$gid_force_user: > createuser($self, "smbget_user", $password, $conffile, \%createuser_env) || die("Unable to create smbget_user"); > createuser($self, "user1", $password, $conffile, \%createuser_env) || die("Unable to create user1"); > createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2"); >+ createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser"); >+ createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser"); > > open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list"); > print DNS_UPDATE_LIST "A $server. $server_ip\n"; >-- >2.19.2 > > >From b8c103da781f9365bc5f4f896273a1c6dae2a088 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Fri, 16 Nov 2018 15:40:59 +0100 >Subject: [PATCH 2/4] s3:tests: Test for users connecting to their 'homes' > share >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >This adds a test for CVE-2009-2813. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Ralph Böhme <slow@samba.org> >(cherry picked from commit cc471448df91c43fe38e2fcdf9b3874636ca51a6) >--- > selftest/target/Samba3.pm | 4 ++ > source3/script/tests/test_homes.sh | 99 ++++++++++++++++++++++++++++++ > source3/selftest/tests.py | 1 + > 3 files changed, 104 insertions(+) > create mode 100755 source3/script/tests/test_homes.sh > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index 6866afee77b..ca80069e02e 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -945,6 +945,10 @@ sub setup_fileserver($$) > comment = inherit only unix owner > inherit owner = unix only > acl_xattr:ignore system acls = yes >+[homes] >+ comment = Home directories >+ browseable = No >+ read only = No > "; > > my $vars = $self->provision($path, "WORKGROUP", >diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh >new file mode 100755 >index 00000000000..06de0a0c301 >--- /dev/null >+++ b/source3/script/tests/test_homes.sh >@@ -0,0 +1,99 @@ >+#!/bin/sh >+ >+# Copyright (c) Andreas Schneider <asn@samba.org> >+# License: GPLv3 >+ >+if [ $# -lt 7 ]; then >+ echo "Usage: test_homes.sh SERVER USERNAME PASSWORD LOCAL_PATH PREFIX SMBCLIENT CONFIGURATION" >+ exit 1 >+fi >+ >+SERVER="${1}" >+USERNAME="${2}" >+PASSWORD="${3}" >+LOCAL_PATH="${4}" >+PREFIX="${5}" >+SMBCLIENT="${6}" >+CONFIGURATION="${7}" >+shift 7 >+ >+incdir=`dirname $0`/../../../testprogs/blackbox >+. $incdir/subunit.sh >+ >+failed=0 >+ >+test_gooduser_home() >+{ >+ tmpfile=$PREFIX/smbclient_homes_gooduser_commands >+ cat > $tmpfile <<EOF >+ls >+quit >+EOF >+ >+ USERNAME=gooduser >+ >+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1' >+ eval echo "$cmd" >+ out=$(eval $cmd) >+ ret=$? >+ rm -f $tmpfile >+ >+ if [ $ret -ne 0 ] ; then >+ echo "$out" >+ echo "failed to connect error $ret" >+ return 1 >+ fi >+ >+ echo "$out" | grep 'Try "help" to get a list of possible commands.' >+ ret=$? >+ if [ $ret -ne 0 ] ; then >+ echo "$out" >+ echo 'failed - should get: Try "help" to get a list of possible commands.' >+ return 1 >+ fi >+ >+ return 0 >+} >+ >+test_eviluser_home() >+{ >+ tmpfile=$PREFIX/smbclient_homes_eviluser_commands >+ cat > $tmpfile <<EOF >+ls >+quit >+EOF >+ >+ USERNAME=eviluser >+ >+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1' >+ eval echo "$cmd" >+ out=$(eval $cmd) >+ ret=$? >+ rm -f $tmpfile >+ >+ if [ $ret -ne 1 ] ; then >+ echo "$out" >+ echo "The server should reject connecting ret=$ret" >+ return 1 >+ fi >+ >+ echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME' >+ ret=$? >+ if [ $ret -ne 0 ] ; then >+ echo "$out" >+ echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.' >+ return 1 >+ fi >+ >+ return 0 >+} >+ >+testit "test gooduser home" \ >+ test_gooduser_home || \ >+ failed=`expr $failed + 1` >+ >+testit "test eviluser home reject" \ >+ test_eviluser_home || \ >+ failed=`expr $failed + 1` >+ >+testok $0 $failed >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 7b3552a31b9..196f18b3d8e 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -290,6 +290,7 @@ for env in ["fileserver"]: > plantestsuite("samba3.blackbox.large_acl.NT1", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'NT1']) > plantestsuite("samba3.blackbox.large_acl.SMB3", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'SMB3']) > plantestsuite("samba3.blackbox.give_owner", env, [os.path.join(samba3srcdir, "script/tests/test_give_owner.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$PREFIX', smbclient3, smbcacls, net, 'tmp']) >+ plantestsuite("samba3.blackbox.homes", env, [os.path.join(samba3srcdir, "script/tests/test_homes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$LOCAL_PATH', '$PREFIX', smbclient3, configuration]) > > # > # tar command tests >-- >2.19.2 > > >From 5e594655827b2516f3dfdfe0ae27c8068c78abc3 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Thu, 22 Nov 2018 18:23:24 +0100 >Subject: [PATCH 3/4] s3:smbd: Make sure we do not export "/" (root) as home > dir >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >If "/" (root) is returned as the home directory, prevent exporting it. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Ralph Böhme <slow@samba.org> >(cherry picked from commit 99695528f7453023446956d5f8f0656574e243af) >--- > source3/param/service.c | 6 +++++- > source3/smbd/password.c | 7 +++++++ > 2 files changed, 12 insertions(+), 1 deletion(-) > >diff --git a/source3/param/service.c b/source3/param/service.c >index b21be6093d4..22f46f08894 100644 >--- a/source3/param/service.c >+++ b/source3/param/service.c >@@ -149,7 +149,11 @@ int find_service(TALLOC_CTX *ctx, const char *service_in, char **p_service_out) > DEBUG(3,("checking for home directory %s gave %s\n",*p_service_out, > phome_dir?phome_dir:"(NULL)")); > >- iService = add_home_service(*p_service_out,*p_service_out /* 'username' */, phome_dir); >+ if (!strequal(phome_dir, "/")) { >+ iService = add_home_service(*p_service_out, >+ *p_service_out, /* username */ >+ phome_dir); >+ } > } > > /* If we still don't have a service, attempt to add it as a printer. */ >diff --git a/source3/smbd/password.c b/source3/smbd/password.c >index edff5d9d2ec..831fe7628e2 100644 >--- a/source3/smbd/password.c >+++ b/source3/smbd/password.c >@@ -140,6 +140,13 @@ int register_homes_share(const char *username) > return -1; > } > >+ if (strequal(pwd->pw_dir, "/")) { >+ DBG_NOTICE("Invalid home directory defined for user '%s'\n", >+ username); >+ TALLOC_FREE(pwd); >+ return -1; >+ } >+ > DEBUG(3, ("Adding homes service for user '%s' using home directory: " > "'%s'\n", username, pwd->pw_dir)); > >-- >2.19.2 > > >From 3d41c3b828254b9171e70709355d24f926178c7c Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Mon, 3 Dec 2018 11:05:46 +0100 >Subject: [PATCH 4/4] s3:tests: Add test for checking that root is not allowed > as home dir >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Ralph Böhme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Wed Dec 5 05:22:43 CET 2018 on sn-devel-144 > >(cherry picked from commit a92f0ccce606be12e851a4100fbb44b069c5fe87) >--- > selftest/target/Samba3.pm | 6 ++++- > source3/script/tests/test_homes.sh | 37 ++++++++++++++++++++++++++++++ > 2 files changed, 42 insertions(+), 1 deletion(-) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index ca80069e02e..5b46d35b984 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -1640,8 +1640,9 @@ sub provision($$$$$$$$$) > my ($uid_user2); > my ($uid_gooduser); > my ($uid_eviluser); >+ my ($uid_slashuser); > >- if ($unix_uid < 0xffff - 12) { >+ if ($unix_uid < 0xffff - 13) { > $max_uid = 0xffff; > } else { > $max_uid = $unix_uid; >@@ -1659,6 +1660,7 @@ sub provision($$$$$$$$$) > $uid_user2 = $max_uid - 10; > $uid_gooduser = $max_uid - 11; > $uid_eviluser = $max_uid - 12; >+ $uid_slashuser = $max_uid - 13; > > if ($unix_gids[0] < 0xffff - 8) { > $max_gid = 0xffff; >@@ -2272,6 +2274,7 @@ user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false > user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false > gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false > eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false >+slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false > "; > if ($unix_uid != 0) { > print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false >@@ -2350,6 +2353,7 @@ force_user:x:$gid_force_user: > createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2"); > createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser"); > createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser"); >+ createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser"); > > open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list"); > print DNS_UPDATE_LIST "A $server. $server_ip\n"; >diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh >index 06de0a0c301..90e84550dbc 100755 >--- a/source3/script/tests/test_homes.sh >+++ b/source3/script/tests/test_homes.sh >@@ -88,6 +88,39 @@ EOF > return 0 > } > >+test_slashuser_home() >+{ >+ tmpfile=$PREFIX/smbclient_homes_slashuser_commands >+ cat > $tmpfile <<EOF >+ls >+quit >+EOF >+ >+ USERNAME=slashuser >+ >+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1' >+ eval echo "$cmd" >+ out=$(eval $cmd) >+ ret=$? >+ rm -f $tmpfile >+ >+ if [ $ret -ne 1 ] ; then >+ echo "$out" >+ echo "The server should reject connecting ret=$ret" >+ return 1 >+ fi >+ >+ echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME' >+ ret=$? >+ if [ $ret -ne 0 ] ; then >+ echo "$out" >+ echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.' >+ return 1 >+ fi >+ >+ return 0 >+} >+ > testit "test gooduser home" \ > test_gooduser_home || \ > failed=`expr $failed + 1` >@@ -96,4 +129,8 @@ testit "test eviluser home reject" \ > test_eviluser_home || \ > failed=`expr $failed + 1` > >+testit "test slashuser home reject" \ >+ test_slashuser_home || \ >+ failed=`expr $failed + 1` >+ > testok $0 $failed >-- >2.19.2 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=14728">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
asn
:
review?
(
jra
)
Actions:
View
Attachments on
bug 13699
:
14727
| 14728 |
14729