Attachment 7787 Details for Bug 9100 – Removes the SID filtering behavior

[patch] Removes the SID filtering behavior

samba-3.5.17-remove_sid_filtering.patch (text/plain), 4.03 KB, created by pr0ntab on 2012-08-17 02:50:56 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: pr0ntab

Created: 2012-08-17 02:50:56 UTC

Size: 4.03 KB

patch

obsolete

>diff -c -r samba-3.5.17/source3/auth/auth_util.c samba-3.5.17-patch/source3/auth/auth_util.c
>*** samba-3.5.17/source3/auth/auth_util.c	2012-08-02 13:27:59.000000000 -0400
>--- samba-3.5.17-patch/source3/auth/auth_util.c	2012-08-16 22:45:20.000000000 -0400
>***************
>*** 1826,1832 ****
>  	nt_status = sid_array_from_info3(result, info3,
>  					 &result->sids,
>  					 &result->num_sids,
>! 					 false, false);
>  	if (!NT_STATUS_IS_OK(nt_status)) {
>  		TALLOC_FREE(result);
>  		return nt_status;
>--- 1826,1832 ----
>  	nt_status = sid_array_from_info3(result, info3,
>  					 &result->sids,
>  					 &result->num_sids,
>! 					 false);
>  	if (!NT_STATUS_IS_OK(nt_status)) {
>  		TALLOC_FREE(result);
>  		return nt_status;
>diff -c -r samba-3.5.17/source3/include/proto.h samba-3.5.17-patch/source3/include/proto.h
>*** samba-3.5.17/source3/include/proto.h	2012-08-02 13:27:59.000000000 -0400
>--- samba-3.5.17-patch/source3/include/proto.h	2012-08-16 22:45:20.000000000 -0400
>***************
>*** 1361,1368 ****
>  			      const struct netr_SamInfo3 *info3,
>  			      DOM_SID **user_sids,
>  			      size_t *num_user_sids,
>! 			      bool include_user_group_rid,
>! 			      bool skip_ressource_groups);
>  
>  /* The following definitions come from lib/util_sock.c  */
>  
>--- 1361,1367 ----
>  			      const struct netr_SamInfo3 *info3,
>  			      DOM_SID **user_sids,
>  			      size_t *num_user_sids,
>! 			      bool include_user_group_rid);
>  
>  /* The following definitions come from lib/util_sock.c  */
>  
>diff -c -r samba-3.5.17/source3/lib/util_sid.c samba-3.5.17-patch/source3/lib/util_sid.c
>*** samba-3.5.17/source3/lib/util_sid.c	2012-08-02 13:27:59.000000000 -0400
>--- samba-3.5.17-patch/source3/lib/util_sid.c	2012-08-16 22:45:20.000000000 -0400
>***************
>*** 684,691 ****
>  			      const struct netr_SamInfo3 *info3,
>  			      DOM_SID **user_sids,
>  			      size_t *num_user_sids,
>! 			      bool include_user_group_rid,
>! 			      bool skip_ressource_groups)
>  {
>  	NTSTATUS status;
>  	DOM_SID sid;
>--- 684,690 ----
>  			      const struct netr_SamInfo3 *info3,
>  			      DOM_SID **user_sids,
>  			      size_t *num_user_sids,
>! 			      bool include_user_group_rid)
>  {
>  	NTSTATUS status;
>  	DOM_SID sid;
>***************
>*** 738,756 ****
>  		}
>  	}
>  
>! 	/* Copy 'other' sids.  We need to do sid filtering here to
>!  	   prevent possible elevation of privileges.  See:
>! 
>!            http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
>!          */
>! 
>  	for (i = 0; i < info3->sidcount; i++) {
>- 
>- 		if (skip_ressource_groups &&
>- 		    (info3->sids[i].attributes & SE_GROUP_RESOURCE)) {
>- 			continue;
>- 		}
>- 
>  		status = add_sid_to_array(mem_ctx, info3->sids[i].sid,
>  				      &sid_array, &num_sids);
>  		if (!NT_STATUS_IS_OK(status)) {
>--- 737,750 ----
>  		}
>  	}
>  
>! 	/* SID filtering should only be handled by the domain controller on a
>! 	   trust by trust basis, and is counter-indicated for forests. Since
>! 	   native AD return all Domain Local groups as other SIDs, then this
>! 	   must not filter them when parsing INFO3 responses such that the
>! 	   list is identical to the tokenGroups LDAP query. 
>! 	 */	   
>! 	   
>  	for (i = 0; i < info3->sidcount; i++) {
>  		status = add_sid_to_array(mem_ctx, info3->sids[i].sid,
>  				      &sid_array, &num_sids);
>  		if (!NT_STATUS_IS_OK(status)) {
>diff -c -r samba-3.5.17/source3/winbindd/winbindd_pam.c samba-3.5.17-patch/source3/winbindd/winbindd_pam.c
>*** samba-3.5.17/source3/winbindd/winbindd_pam.c	2012-08-02 13:27:59.000000000 -0400
>--- samba-3.5.17-patch/source3/winbindd/winbindd_pam.c	2012-08-16 22:45:20.000000000 -0400
>***************
>*** 298,304 ****
>  	status = sid_array_from_info3(talloc_tos(), info3,
>  				      &token->user_sids,
>  				      &token->num_sids,
>! 				      true, false);
>  	if (!NT_STATUS_IS_OK(status)) {
>  		TALLOC_FREE(frame);
>  		return status;
>--- 298,304 ----
>  	status = sid_array_from_info3(talloc_tos(), info3,
>  				      &token->user_sids,
>  				      &token->num_sids,
>! 				      true);
>  	if (!NT_STATUS_IS_OK(status)) {
>  		TALLOC_FREE(frame);
>  		return status;

Actions: View

Attachments on bug 9100: 7787 | 7793