Bug 4927 - Winbind IDMAP RFC2307 sets default GID to 0
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.25c
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
Reported: 2007-08-29 10:11 UTC by Rick King
Modified: 2007-09-11 12:43 UTC (History)
Attachments
Tested patch to reject users with no gidNumber when using rfc2307/sfu mapping (333 bytes, patch)
2007-08-29 16:43 UTC, Rick King

Description Rick King 2007-08-29 10:11:07 UTC
When setting:

winbind nss info = template rfc2307

If a user has no gidNumber attribute set then the GID will default to 0 (root). This is a security issue. If the attribute is not set the GID should either be set from a default in the template (would require adding this option) or should refuse to map the user at all.

It would be ideal if the rfc mapping in general could be used only when needed to override a templated default and if there was no default then login disallowed.
Comment 1 Gerald (Jerry) Carter (dead mail address) 2007-08-29 10:20:04 UTC
Please attach level 10 debug logs for winbindd.  

Also, in the future, all potential security issues should be 
reported directly to security@samba.org and not logged here 
(as per the instructions at https://bugzilla.samba.org/)

   "This is NOT for reporting any security issues. If you have 
    found what you believe to be a security hole in Samba, 
    please send mail directly to security@samba.org."
Comment 2 Rick King 2007-08-29 10:53:43 UTC
(In reply to comment #1)
> Please attach level 10 debug logs for winbindd.  
I do not have these to hand. I will be able to get them if necessary. However, they might not be needed if I point to the code responsible:

in source/nsswitch/idmap_ad.c from line 754:

if ( gid ) {
    if ( !ads_pull_uint32(ads, msg, ad_schema->posix_gidnumber_attr, gid ) )
        *gid = 0;
}

Setting to NUL is insufficient to fix this. The calling code needs to be changed in some way.

If you still need logs let me know.

> Also, in the future, all potential security issues should be 
> reported directly to security@samba.org and not logged here 
> (as per the instructions at https://bugzilla.samba.org/)

My apologies, will do.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2007-08-29 11:12:34 UTC
Yup.  You're right.  The fix is to set "*gid = (uint32)-1" if the 
ads_pull_int fails to find the attribute.  Would you test this fix?
Thanks.
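
The failure mode discussed in comments 2 and 3, as an added example that is not part of the original thread and is not Samba's code: a lookup that turns a missing gidNumber into GID 0, next to one that returns the (uint32)-1 sentinel so the caller can refuse the mapping. The entry structures, pull_uint32(), map_user() and the sample entries are constructed stand-ins, and the caller-side rejection is an assumption about how the sentinel is consumed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for a directory entry; not Samba's own structures. */
struct attr { const char *name, *value; };
struct entry { const struct attr *attrs; size_t n; };
#define GID_UNSET ((uint32_t)-1) /* sentinel suggested in comment 3 */
static const struct attr with_gid[] = {{"uidNumber", "10001"}, {"gidNumber", "10000"}};
static const struct attr no_gid[] = {{"uidNumber", "10002"}};
static const struct entry ENTRY_WITH_GID = {with_gid, 2}, ENTRY_NO_GID = {no_gid, 1};
/* Hypothetical helper in the role of ads_pull_uint32(): false if absent or malformed. */
static bool pull_uint32(const struct entry *e, const char *name, uint32_t *out) {
    for (size_t i = 0; i < e->n; i++) {
        if (strcmp(e->attrs[i].name, name) != 0) continue;
        char *end;
        unsigned long long v = strtoull(e->attrs[i].value, &end, 10);
        if (end == e->attrs[i].value || *end != '\0' || v > UINT32_MAX) return false;
        *out = (uint32_t)v;
        return true;
    }
    return false;
}
/* Before: same outcome as the code quoted in comment 2, missing gidNumber -> GID 0. */
static uint32_t lookup_gid_before(const struct entry *e) {
    uint32_t gid = 0;
    return pull_uint32(e, "gidNumber", &gid) ? gid : 0;
}
/* After: a missing gidNumber yields the sentinel instead of a usable GID. */
static uint32_t lookup_gid_after(const struct entry *e) {
    uint32_t gid = 0;
    return pull_uint32(e, "gidNumber", &gid) ? gid : GID_UNSET;
}
/* Caller side (assumed here): refuse to map the user when the sentinel comes back. */
static bool map_user(const struct entry *e, uint32_t *gid_out) {
    uint32_t gid = lookup_gid_after(e);
    if (gid == GID_UNSET) return false;
    *gid_out = gid;
    return true;
}

int main(void) {
    uint32_t gid = 0;
    printf("before, no gidNumber: gid=%u\n", (unsigned)lookup_gid_before(&ENTRY_NO_GID));
    printf("after, no gidNumber: mapped=%d\n", map_user(&ENTRY_NO_GID, &gid));
    printf("after, gidNumber set: gid=%u\n", (unsigned)lookup_gid_after(&ENTRY_WITH_GID));
    return 0;
}
```

A sentinel only helps if every consumer checks for it before using the value as a GID; a caller that skips the check ends up with GID 4294967295 rather than a refusal.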
Comment 4 Rick King 2007-08-29 16:43:30 UTC
Created attachment 2903
Tested patch to reject users with no gidNumber when using rfc2307/sfu mapping

Looking at various other places I wonder whether this should be gid_t rather than uint32??
Comment 5 Rick King 2007-08-29 16:46:03 UTC
Not sure whether to close this or not given that it would be better to allow templating of this option similar to 'template shell', etc.
Comment 6 Gerald (Jerry) Carter (dead mail address) 2007-08-29 17:00:11 UTC
We're going to do a security advisory regarding this so please don't 
make any public statement until we issue the announcement.

wrt to the template option, it has been suggested in the past.  But 
the current behavior is to default to the Windows primary group
which appears to please most people.
Comment 7 Rick King 2007-08-29 17:07:57 UTC
(In reply to comment #6)
> We're going to do a security advisory regarding this so please don't 
> make any public statement until we issue the announcement.
Sure.

> wrt to the template option, it has been suggested in the past.  But 
> the current behavior is to default to the Windows primary group
> which appears to please most people.
Ok.
Comment 8 Gerald (Jerry) Carter (dead mail address) 2007-09-11 12:43:05 UTC
Fixed in the 3.0.36 release.