The Samba-Bugzilla – Attachment 17265 Details for
Bug 15041
username map - samba erroneously applies unix group memberships to user account entries
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for 4.15
4.15.patch (text/plain), 12.05 KB, created by
Pavel Filipenský
on 2022-04-07 17:06:17 UTC
(
hide
)
Description:
patch for 4.15
Filename:
MIME Type:
Creator:
Pavel Filipenský
Created:
2022-04-07 17:06:17 UTC
Size:
12.05 KB
patch
obsolete
>From 438284e1025a96dfa2eb0928de99226f580f356f Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com> >Date: Fri, 1 Apr 2022 15:56:30 +0200 >Subject: [PATCH 1/5] selftest: Create users "jackthemapper" and "jacknomapper" >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 > >Signed-off-by: Pavel Filipenský <pfilipen@redhat.com> >Reviewed-by: Noel Power <npower@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 1b0146182224fe01ed70815364656a626038685a) >--- > selftest/target/Samba3.pm | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index 62fb3d1e39e..b0ea9804c50 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -1466,8 +1466,10 @@ sub setup_ad_member_idmap_nss > my $extra_member_options = " > # bob:x:65521:65531:localbob gecos:/:/bin/false > # jane:x:65520:65531:localjane gecos:/:/bin/false >+ # jackthemapper:x:65519:65531:localjackthemaper gecos:/:/bin/false >+ # jacknomapper:x:65518:65531:localjacknomaper gecos:/:/bin/false > idmap config $dcvars->{DOMAIN} : backend = nss >- idmap config $dcvars->{DOMAIN} : range = 65520-65521 >+ idmap config $dcvars->{DOMAIN} : range = 65518-65521 > > # Support SMB1 so that we can use posix_whoami(). > client min protocol = CORE >@@ -2532,6 +2534,8 @@ sub provision($$) > my ($uid_slashuser); > my ($uid_localbob); > my ($uid_localjane); >+ my ($uid_localjackthemapper); >+ my ($uid_localjacknomapper); > > if ($unix_uid < 0xffff - 13) { > $max_uid = 0xffff; >@@ -2554,6 +2558,8 @@ sub provision($$) > $uid_slashuser = $max_uid - 13; > $uid_localbob = $max_uid - 14; > $uid_localjane = $max_uid - 15; >+ $uid_localjackthemapper = $max_uid - 16; >+ $uid_localjacknomapper = $max_uid - 17; > > if ($unix_gids[0] < 0xffff - 8) { > $max_gid = 0xffff; >@@ -3298,6 +3304,8 @@ eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false > slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false > bob:x:$uid_localbob:$gid_domusers:localbob gecos:/:/bin/false > jane:x:$uid_localjane:$gid_domusers:localjane gecos:/:/bin/false >+jackthemapper:x:$uid_localjackthemapper:$gid_domusers:localjackthemaper gecos:/:/bin/false >+jacknomapper:x:$uid_localjacknomapper:$gid_domusers:localjacknomaper gecos:/:/bin/false > "; > if ($unix_uid != 0) { > print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false >@@ -3362,6 +3370,8 @@ force_user:x:$gid_force_user: > createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser"); > createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser"); > createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser"); >+ createuser($self, "jackthemapper", "mApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jackthemapper"); >+ createuser($self, "jacknomapper", "nOmApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jacknomapper"); > > open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list"); > print DNS_UPDATE_LIST "A $server. $server_ip\n"; >-- >2.34.1 > > >From 28bf2f4c52105fc11515c58e13b935ae046399b4 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com> >Date: Tue, 5 Apr 2022 08:30:23 +0200 >Subject: [PATCH 2/5] selftest: Create groups "jackthemappergroup" and > "jacknomappergroup" >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 > >Signed-off-by: Pavel Filipenský <pfilipen@redhat.com> >Reviewed-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Noel Power <npower@samba.org> >(cherry picked from commit 26e4268d6e3bde74520e36f3ca3cc9d979292d1d) >--- > selftest/target/Samba3.pm | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index b0ea9804c50..131034a0e07 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -2527,6 +2527,8 @@ sub provision($$) > my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers, $gid_domadmins); > my ($gid_userdup, $gid_everyone); > my ($gid_force_user); >+ my ($gid_jackthemapper); >+ my ($gid_jacknomapper); > my ($uid_user1); > my ($uid_user2); > my ($uid_gooduser); >@@ -2575,6 +2577,8 @@ sub provision($$) > $gid_userdup = $max_gid - 6; > $gid_everyone = $max_gid - 7; > $gid_force_user = $max_gid - 8; >+ $gid_jackthemapper = $max_gid - 9; >+ $gid_jacknomapper = $max_gid - 10; > > ## > ## create conffile >@@ -3325,6 +3329,8 @@ domadmins:X:$gid_domadmins: > userdup:x:$gid_userdup:$unix_name > everyone:x:$gid_everyone: > force_user:x:$gid_force_user: >+jackthemappergroup:x:$gid_jackthemapper:jackthemapper >+jacknomappergroup:x:$gid_jacknomapper:jacknomapper > "; > if ($unix_gids[0] != 0) { > print GROUP "root:x:$gid_root: >-- >2.34.1 > > >From deadcd6a919188a75157e54b2fd772e4bf18d4fc Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com> >Date: Tue, 5 Apr 2022 08:31:41 +0200 >Subject: [PATCH 3/5] selftest: Add to "username.map" mapping for > jackthemappergroup >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 > >Only for environment ad_member_idmap_nss. > >* !jacknompapper = \@jackthemappergroup > jackthemaper from group jackthemappergroup is mapped to jacknompapper > >* !root = jacknomappergroup > since there is no '@' or '+' prefix, it is not an UNIX group mapping > >Signed-off-by: Pavel Filipenský <pfilipen@redhat.com> >Reviewed-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Noel Power <npower@samba.org> >(cherry picked from commit 0feeb6d58a6d6b1949faa842473053af4562c979) >--- > selftest/target/Samba3.pm | 2 ++ > 1 file changed, 2 insertions(+) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index 131034a0e07..8d309f9c99a 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -1490,6 +1490,8 @@ sub setup_ad_member_idmap_nss > > open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map"); > print USERMAP " >+!jacknomapper = \@jackthemappergroup >+!root = jacknomappergroup > root = $dcvars->{DOMAIN}/root > bob = $dcvars->{DOMAIN}/bob > "; >-- >2.34.1 > > >From edf5d5641de92665c30804be6825040d7b0862af Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com> >Date: Tue, 5 Apr 2022 14:04:52 +0200 >Subject: [PATCH 4/5] s3:tests Test "username map" for UNIX groups >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 > >Signed-off-by: Pavel Filipenský <pfilipen@redhat.com> >Reviewed-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Noel Power <npower@samba.org> >(cherry picked from commit af8747a28bd62937a01fa4648f404bd0b09a44c0) >--- > selftest/knownfail.d/usernamemap | 1 + > source3/script/tests/test_usernamemap.sh | 28 ++++++++++++++++++++++++ > source3/selftest/tests.py | 2 ++ > 3 files changed, 31 insertions(+) > create mode 100644 selftest/knownfail.d/usernamemap > create mode 100755 source3/script/tests/test_usernamemap.sh > >diff --git a/selftest/knownfail.d/usernamemap b/selftest/knownfail.d/usernamemap >new file mode 100644 >index 00000000000..1c720fe892d >--- /dev/null >+++ b/selftest/knownfail.d/usernamemap >@@ -0,0 +1 @@ >+samba3.blackbox.smbclient_usernamemap.jacknomapper >diff --git a/source3/script/tests/test_usernamemap.sh b/source3/script/tests/test_usernamemap.sh >new file mode 100755 >index 00000000000..3a3344a8781 >--- /dev/null >+++ b/source3/script/tests/test_usernamemap.sh >@@ -0,0 +1,28 @@ >+#!/bin/sh >+# >+# Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com> >+# >+# Tests for "username map" smb.conf parameter for UNIX groups >+ >+if [ $# -lt 2 ]; then >+cat <<EOF >+Usage: test_usernamemap.sh SERVER SMBCLIENT >+EOF >+exit 1; >+fi >+ >+SERVER="$1" >+SMBCLIENT="$2" >+SMBCLIENT="${VALGRIND} ${SMBCLIENT}" >+ >+incdir=$(dirname "$0")/../../../testprogs/blackbox >+. "${incdir}"/subunit.sh >+ >+failed=0 >+ >+# jackthemapper is mapped to jacknomapper, so we need jacknomapper password >+testit "jackthemapper" "${SMBCLIENT}" //"${SERVER}"/tmp -U"${SERVER}/jackthemapper%nOmApsEcrEt" -c ls || failed=$((failed + 1)) >+# jacknomapper is not mapped, so we need jacknomapper password >+testit "jacknomapper" "${SMBCLIENT}" //"${SERVER}"/tmp -U"${SERVER}/jacknomapper%nOmApsEcrEt" -c ls || failed=$((failed + 1)) >+ >+testok "$0" "${failed}" >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 06c71363d5b..390e77ad41d 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -393,6 +393,8 @@ plantestsuite("samba3.blackbox.smbclient_basic.SMB2_10", "nt4_dc_schannel", [os. > plantestsuite("samba3.blackbox.smbclient_basic.SMB3_02", "nt4_dc_schannel", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, "-mSMB3_02"]) > plantestsuite("samba3.blackbox.smbclient_basic.SMB3_11", "nt4_dc_schannel", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, "-mSMB3_11"]) > >+plantestsuite("samba3.blackbox.smbclient_usernamemap", "ad_member_idmap_nss:local", [os.path.join(samba3srcdir, "script/tests/test_usernamemap.sh"), '$SERVER', smbclient3]) >+ > plantestsuite("samba3.blackbox.smbclient_basic", "ad_member", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration]) > for options in ["", "--option=clientntlmv2auth=no", "--option=clientusespnego=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --max-protocol=LANMAN2", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --option=clientmaxprotocol=NT1"]: > if "NT1" in options or "LANMAN2" in options: >-- >2.34.1 > > >From e1bb74a5fe7f0b4f5f16da5c355973e94f7a07ef Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com> >Date: Fri, 25 Mar 2022 11:11:50 +0100 >Subject: [PATCH 5/5] s3:auth: Fix user_in_list() for UNIX groups >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 > >Signed-off-by: Pavel Filipenský <pfilipen@redhat.com> >Reviewed-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Noel Power <npower@samba.org> > >Autobuild-User(master): Noel Power <npower@samba.org> >Autobuild-Date(master): Thu Apr 7 09:49:44 UTC 2022 on sn-devel-184 > >(cherry picked from commit 6dc463d3e2eb229df1c4f620cfcaf22ac71738d4) >--- > selftest/knownfail.d/usernamemap | 1 - > source3/auth/user_util.c | 12 +++++++----- > 2 files changed, 7 insertions(+), 6 deletions(-) > delete mode 100644 selftest/knownfail.d/usernamemap > >diff --git a/selftest/knownfail.d/usernamemap b/selftest/knownfail.d/usernamemap >deleted file mode 100644 >index 1c720fe892d..00000000000 >--- a/selftest/knownfail.d/usernamemap >+++ /dev/null >@@ -1 +0,0 @@ >-samba3.blackbox.smbclient_usernamemap.jacknomapper >diff --git a/source3/auth/user_util.c b/source3/auth/user_util.c >index 70b4f320c5e..aa765c2a692 100644 >--- a/source3/auth/user_util.c >+++ b/source3/auth/user_util.c >@@ -143,11 +143,11 @@ bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list) > return false; > } > >- DBG_DEBUG("Checking user %s in list\n", user); >- > while (*list) { > const char *p = *list; >- bool ok; >+ bool check_unix_group = false; >+ >+ DBG_DEBUG("Checking user '%s' in list '%s'.\n", user, *list); > > /* Check raw username */ > if (strequal(user, p)) { >@@ -155,11 +155,13 @@ bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list) > } > > while (*p == '@' || *p == '&' || *p == '+') { >+ if (*p == '@' || *p == '+') { >+ check_unix_group = true; >+ } > p++; > } > >- ok = user_in_group(user, p); >- if (ok) { >+ if (check_unix_group && user_in_group(user, p)) { > return true; > } > >-- >2.34.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
jra
:
review+
npower
:
review+
asn
:
review+
Actions:
View
Attachments on
bug 15041
: 17265 |
17266