[Pkg-samba-maint] r1549 - in trunk/samba: . debian debian/patches

vorlon at alioth.debian.org vorlon at alioth.debian.org
Mon Nov 12 21:58:05 UTC 2007


Author: vorlon
Date: 2007-11-12 21:58:04 +0000 (Mon, 12 Nov 2007)
New Revision: 1549

Added:
   trunk/samba/debian/patches/get_global_sam_sid-non-root.patch
   trunk/samba/debian/patches/usershare.patch
Modified:
   trunk/samba/
   trunk/samba/debian/changelog
   trunk/samba/debian/patches/series
   trunk/samba/debian/samba.postinst
   trunk/samba/debian/smb.conf
Log:
merge locally committed changes (yay, bzr-svn?)



Property changes on: trunk/samba
___________________________________________________________________
Name: bzr:revision-info
   + timestamp: 2007-11-12 13:56:56.803999901 -0800
committer: Steve Langasek <steve.langasek at canonical.com>
properties: 
	branch-nick: samba.deb

Name: bzr:file-ids
   + debian/patches/usershare.patch	usershare.patch-20071111022404-m4t5puq5wxrkqa1p-1
debian/patches/get_global_sam_sid-non-root.patch	get_global_sam_sidno-20071111002251-yyz8h314qolu25gg-1

Name: bzr:ancestry:v3-single-trunk/samba
   + steve.langasek at canonical.com-20071112215434-sokj606u77gydqrn

Name: bzr:revision-id:v3-single-trunk/samba
   + 200 steve.langasek at canonical.com-20071112215656-njamfcu7ysajgohs


Modified: trunk/samba/debian/changelog
===================================================================
--- trunk/samba/debian/changelog	2007-11-11 09:53:28 UTC (rev 1548)
+++ trunk/samba/debian/changelog	2007-11-12 21:58:04 UTC (rev 1549)
@@ -4,6 +4,13 @@
   * fhs.patch: net usershares should also be stored under /var/lib, not under
     /var/run.  No transition handling in maintainer scripts, since this
     feature is not activated by default.
+  * get_global_sam_sid-non-root.patch: avoid calling get_global_sam_sid()
+    from smbpasswd -L or pam_smbpass when running as non-root, to avoid a
+    foreseeable panic.  Closes: #346547, #450738.
+  * usershare.patch: enable "user shares" by default in the server with a
+    default limit of 100, to support user shares on both upgrades and new
+    installs with no need to munge config files.  Thanks to Mathias Gug
+    <mathiaz at ubuntu.com> for the patch.  Closes: #443230.
 
   [ Debconf translations ]
   * Hebrew added. Closes: #444054
@@ -15,7 +22,7 @@
     - fhs-filespaths.patch: assign files to new paths
     - fhs-assignpaths.patch: assign paths to FHS-compatible locations
 
- -- Christian Perrier <bubulle at debian.org>  Sun, 30 Sep 2007 14:32:27 +0200
+ -- Steve Langasek <vorlon at debian.org>  Sat, 10 Nov 2007 18:18:48 -0800
 
 samba (3.0.26a-1) unstable; urgency=low
 

Added: trunk/samba/debian/patches/get_global_sam_sid-non-root.patch
===================================================================
--- trunk/samba/debian/patches/get_global_sam_sid-non-root.patch	                        (rev 0)
+++ trunk/samba/debian/patches/get_global_sam_sid-non-root.patch	2007-11-12 21:58:04 UTC (rev 1549)
@@ -0,0 +1,73 @@
+Goal: client programs should short-circuit before calling
+get_global_sam_sid() as not-root, because the SAM SID can't be read without
+root privileges and get_global_sam_sid() panics when it can't be accessed --
+reasonable for the server, not reasonable for the client.
+
+Author: Steve Langasek <vorlon at debian.org>
+
+Upstream status: not yet submitted
+
+Index: samba-3.0.26a/source/utils/smbpasswd.c
+===================================================================
+--- samba-3.0.26a.orig/source/utils/smbpasswd.c
++++ samba-3.0.26a/source/utils/smbpasswd.c
+@@ -96,6 +96,10 @@
+ 	while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) {
+ 		switch(ch) {
+ 		case 'L':
++			if (getuid() != 0) {
++				fprintf(stderr, "smbpasswd -L can only be used by root.\n");
++				exit(1);
++			}
+ 			local_flags |= LOCAL_AM_ROOT;
+ 			break;
+ 		case 'c':
+Index: samba-3.0.26a/source/pam_smbpass/pam_smb_auth.c
+===================================================================
+--- samba-3.0.26a.orig/source/pam_smbpass/pam_smb_auth.c
++++ samba-3.0.26a/source/pam_smbpass/pam_smb_auth.c
+@@ -100,6 +100,12 @@
+ 		_log_err(pamh, LOG_DEBUG, "username [%s] obtained", name);
+ 	}
+ 
++	if (geteuid() != 0) {
++		_log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
++		retval = PAM_AUTHINFO_UNAVAIL;
++		AUTH_RETURN;
++	}
++
+ 	if (!initialize_password_db(True)) {
+ 		_log_err(pamh, LOG_ALERT, "Cannot access samba password database");
+ 		retval = PAM_AUTHINFO_UNAVAIL;
+Index: samba-3.0.26a/source/pam_smbpass/pam_smb_acct.c
+===================================================================
+--- samba-3.0.26a.orig/source/pam_smbpass/pam_smb_acct.c
++++ samba-3.0.26a/source/pam_smbpass/pam_smb_acct.c
+@@ -69,6 +69,11 @@
+ 		_log_err(pamh, LOG_DEBUG, "acct: username [%s] obtained", name);
+ 	}
+ 
++	if (geteuid() != 0) {
++		_log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
++		return PAM_AUTHINFO_UNAVAIL;
++	}
++
+ 	/* Getting into places that might use LDAP -- protect the app
+ 		from a SIGPIPE it's not expecting */
+ 	oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
+Index: samba-3.0.26a/source/pam_smbpass/pam_smb_passwd.c
+===================================================================
+--- samba-3.0.26a.orig/source/pam_smbpass/pam_smb_passwd.c
++++ samba-3.0.26a/source/pam_smbpass/pam_smb_passwd.c
+@@ -124,6 +124,11 @@
+         _log_err(pamh, LOG_DEBUG, "username [%s] obtained", user);
+     }
+ 
++    if (geteuid() != 0) {
++	_log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
++	return PAM_AUTHINFO_UNAVAIL;
++    }
++
+     /* Getting into places that might use LDAP -- protect the app
+        from a SIGPIPE it's not expecting */
+     oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
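Review bot: The `-L` guard in smbpasswd.c tests `getuid()` while the three pam_smbpass guards test `geteuid()`, and neither the patch header nor the code says why they differ. If the real UID is intended in smbpasswd because `-L` sets `LOCAL_AM_ROOT`, a comment such as `/* real UID on purpose: -L grants LOCAL_AM_ROOT */` above the check would record that; otherwise `geteuid()` would match the PAM guards and is what presumably decides whether the SAM SID can be read. The PAM guards log only at `LOG_DEBUG` and return `PAM_AUTHINFO_UNAVAIL`, so whether a non-root caller is refused or the module is simply skipped depends on the control flags in the PAM stack, which the patch header could state. All four enclosing functions start and end outside the embedded hunks.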

Modified: trunk/samba/debian/patches/series
===================================================================
--- trunk/samba/debian/patches/series	2007-11-11 09:53:28 UTC (rev 1548)
+++ trunk/samba/debian/patches/series	2007-11-12 21:58:04 UTC (rev 1549)
@@ -22,3 +22,5 @@
 cifs-umount-trailing-slashes.patch
 cifs-umount-same-user.patch
 smbpasswd-syslog.patch
+get_global_sam_sid-non-root.patch
+usershare.patch

Added: trunk/samba/debian/patches/usershare.patch
===================================================================
--- trunk/samba/debian/patches/usershare.patch	                        (rev 0)
+++ trunk/samba/debian/patches/usershare.patch	2007-11-12 21:58:04 UTC (rev 1549)
@@ -0,0 +1,205 @@
+Goal: enable net usershares by default at build time, with a limit of
+100, and update the corresponding documentation
+
+Fixes: Debian bug #443230
+
+Authors: Mathias Gug <mathiaz at ubuntu.com>,
+	Steve Langasek <vorlon at debian.org>
+
+Status wrt upstream: Debian-specific
+
+Index: samba-3.0.26a/docs/manpages/smb.conf.5
+===================================================================
+--- samba-3.0.26a.orig/docs/manpages/smb.conf.5
++++ samba-3.0.26a/docs/manpages/smb.conf.5
+@@ -253,7 +253,7 @@
+ .PP
+ usershare path
+ .RS 3n
+-Points to the directory containing the user defined share definitions. The filesystem permissions on this directory control who can create user defined shares.
++Points to the directory containing the user-defined share definitions. The filesystem permissions on this directory control who can create user-defined shares.
+ .RE
+ .PP
+ usershare prefix allow list
+@@ -271,32 +271,7 @@
+ Names a pre-existing share used as a template for creating new usershares. All other share parameters not specified in the user defined share definition are copied from this named share.
+ .RE
+ .PP
+-To allow members of the UNIX group
+-foo
+-to create user defined shares, create the directory to contain the share definitions as follows:
+-.PP
+-Become root:
+-
+-.nf
+-
+-mkdir /usr/local/samba/lib/usershares
+-chgrp foo /usr/local/samba/lib/usershares
+-chmod 1770 /usr/local/samba/lib/usershares
+-
+-.fi
+-.PP
+-Then add the parameters
+-
+-.sp
+-
+-.nf
+-
+-	usershare path = /usr/local/samba/lib/usershares
+-	usershare max shares = 10 # (or the desired number of shares)
+-
+-.fi
+-to the global section of your
+-\fIsmb.conf\fR. Members of the group foo may then manipulate the user defined shares using the following commands.
++Members of the \fBsambashare\fR group can manipulate the user-defined shares using the following commands:
+ .PP
+ net usershare add sharename path [comment] [acl] [guest_ok=[y|n]]
+ .RS 3n
+@@ -6964,9 +6939,9 @@
+ .PP
+ usershare path (G)
+ .RS 3n
+-This parameter specifies the absolute path of the directory on the filesystem used to store the user defined share definition files. This directory must be owned by root, and have no access for other, and be writable only by the group owner. In addition the "sticky" bit must also be set, restricting rename and delete to owners of a file (in the same way the /tmp directory is usually configured). Members of the group owner of this directory are the users allowed to create usershares. If this parameter is undefined then no user defined shares are allowed.
++This parameter specifies the absolute path of the directory on the filesystem used to store the user-defined share definition files. This directory must be owned by root, and have no access for other, and be writable only by the group owner. In addition the "sticky" bit must also be set, restricting rename and delete to owners of a file (in the same way the /tmp directory is usually configured). Members of the group owner of this directory are the users allowed to create usershares. If this parameter is undefined then no user-defined shares are allowed.
+ .sp
+-For example, a valid usershare directory might be /usr/local/samba/lib/usershares, set up as follows.
++For example, on Debian the default usershare directory of /var/lib/samba/usershares is set up as follows.
+ .sp
+ 
+ 
+@@ -6974,16 +6949,16 @@
+ 
+ .nf
+ 
+-	ls -ld /usr/local/samba/lib/usershares/
+-	drwxrwx--T  2 root power_users 4096 2006-05-05 12:27 /usr/local/samba/lib/usershares/
++	ls -ld /var/lib/samba/usershares/
++	drwxrwx--T  2 root sambashare 4096 2006-05-05 12:27 /var/lib/samba/usershares/
+ 	
+ .fi
+ 
+ .sp
+-In this case, only members of the group "power_users" can create user defined shares.
++In this case, only members of the group "sambashare" can create user defined shares.
+ .sp
+ Default:
+-\fB\fIusershare path\fR = NULL \fR
++\fB\fIusershare path\fR = /var/lib/samba/usershares \fR
+ .RE
+ .PP
+ usershare prefix allow list (G)
+Index: samba-3.0.26a/docs/manpages/net.8
+===================================================================
+--- samba-3.0.26a.orig/docs/manpages/net.8
++++ samba-3.0.26a/docs/manpages/net.8
+@@ -675,9 +675,9 @@
+ Store a secret for the sepcified domain, used primarily for domains that use idmap_ldap as a backend. In this case the secret is used as the password for the user DN used to bind to the ldap server.
+ .SS "USERSHARE"
+ .PP
+-Starting with version 3.0.23, a Samba server now supports the ability for non-root users to add user define shares to be exported using the "net usershare" commands.
++Starting with version 3.0.23, a Samba server now supports the ability for non-root users to add user-defined shares to be exported using the "net usershare" commands.
+ .PP
+-To set this up, first set up your smb.conf by adding to the [global] section : usershare path = /usr/local/samba/lib/usershares Next create the directory /usr/local/samba/lib/usershares, change the owner to root and set the group owner to the UNIX group who should have the ability to create usershares, for example a group called "serverops". Set the permissions on /usr/local/samba/lib/usershares to 01770. (Owner and group all access, no access for others, plus the sticky bit, which means that a file in that directory can be renamed or deleted only by the owner of the file). Finally, tell smbd how many usershares you will allow by adding to the [global] section of smb.conf a line such as : usershare max shares = 100. To allow 100 usershare definitions. Now, members of the UNIX group "serverops" can create user defined shares on demand using the commands below.
++Members of the UNIX group "sambashare" can create user-defined shares on demand using the commands below.
+ .PP
+ The usershare commands are:
+ .IP "" 3n
+Index: samba-3.0.26a/source/param/loadparm.c
+===================================================================
+--- samba-3.0.26a.orig/source/param/loadparm.c
++++ samba-3.0.26a/source/param/loadparm.c
+@@ -1676,7 +1676,7 @@
+ 	pstrcat(s, "/usershares");
+ 	string_set(&Globals.szUsersharePath, s);
+ 	string_set(&Globals.szUsershareTemplateShare, "");
+-	Globals.iUsershareMaxShares = 0;
++	Globals.iUsershareMaxShares = 100;
+ 	/* By default disallow sharing of directories not owned by the sharer. */
+ 	Globals.bUsershareOwnerOnly = True;
+ 	/* By default disallow guest access to usershares. */
+Index: samba-3.0.26a/docs/htmldocs/manpages/smb.conf.5.html
+===================================================================
+--- samba-3.0.26a.orig/docs/htmldocs/manpages/smb.conf.5.html
++++ samba-3.0.26a/docs/htmldocs/manpages/smb.conf.5.html
+@@ -164,8 +164,8 @@
+ 	their own share definitions has been added. This capability is called <span class="emphasis"><em>usershares</em></span> and
+ 	is controlled by a set of parameters in the [global] section of the smb.conf.
+ 	The relevant parameters are :
+-	</p><div class="variablelist"><dl><dt><span class="term">usershare allow guests</span></dt><dd><p>Controls if usershares can permit guest access.</p></dd><dt><span class="term">usershare max shares</span></dt><dd><p>Maximum number of user defined shares allowed.</p></dd><dt><span class="term">usershare owner only</span></dt><dd><p>If set only directories owned by the sharing user can be shared.</p></dd><dt><span class="term">usershare path</span></dt><dd><p>Points to the directory containing the user defined share definitions.
+-		The filesystem permissions on this directory control who can create user defined shares.</p></dd><dt><span class="term">usershare prefix allow list</span></dt><dd><p>Comma-separated list of absolute pathnames restricting what directories
++	</p><div class="variablelist"><dl><dt><span class="term">usershare allow guests</span></dt><dd><p>Controls if usershares can permit guest access.</p></dd><dt><span class="term">usershare max shares</span></dt><dd><p>Maximum number of user defined shares allowed.</p></dd><dt><span class="term">usershare owner only</span></dt><dd><p>If set only directories owned by the sharing user can be shared.</p></dd><dt><span class="term">usershare path</span></dt><dd><p>Points to the directory containing the user-defined share definitions.
++		The filesystem permissions on this directory control who can create user-defined shares.</p></dd><dt><span class="term">usershare prefix allow list</span></dt><dd><p>Comma-separated list of absolute pathnames restricting what directories
+ 		can be shared. Only directories below the pathnames in this list are permitted.</p></dd><dt><span class="term">usershare prefix deny list</span></dt><dd><p>Comma-separated list of absolute pathnames restricting what directories
+ 		can be shared. Directories below the pathnames in this list are prohibited.</p></dd><dt><span class="term">usershare template share</span></dt><dd><p>Names a pre-existing share used as a template for creating new usershares.
+ 		All other share parameters not specified in the user defined share definition
+@@ -4509,25 +4509,25 @@
+ 	</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare owner only</code></em> = <code class="literal">True</code>
+ </em></span>
+ </p></dd><dt><span class="term"><a name="USERSHAREPATH"></a>usershare path (G)</span></dt><dd><p>This parameter specifies the absolute path of the directory on the
+-	filesystem used to store the user defined share definition files.
++	filesystem used to store the user-defined share definition files.
+ 	This directory must be owned by root, and have no access for
+ 	other, and be writable only by the group owner. In addition the
+ 	"sticky" bit must also be set, restricting rename and delete to
+ 	owners of a file (in the same way the /tmp directory is usually configured).
+ 	Members of the group owner of this directory are the users allowed to create
+-	usershares. If this parameter is undefined then no user defined
++	usershares. If this parameter is undefined then no user-defined
+ 	shares are allowed.
+ 	</p><p>
+-	For example, a valid usershare directory might be /usr/local/samba/lib/usershares,
+-	set up as follows.
++	For example, on Debian the default usershare directory of
++	/var/lib/samba/usershares is set up as follows.
+ 	</p><p>
+ 	</p><pre class="programlisting">
+-	ls -ld /usr/local/samba/lib/usershares/
+-	drwxrwx--T  2 root power_users 4096 2006-05-05 12:27 /usr/local/samba/lib/usershares/
++	ls -ld /var/lib/samba/usershares/
++	drwxrwx--T  2 root sambashare 4096 2006-05-05 12:27 /var/lib/samba/usershares/
+ 	</pre><p>
+ 	</p><p>
+-	In this case, only members of the group "power_users" can create user defined shares.
+-	</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare path</code></em> = <code class="literal">NULL</code>
++	In this case, only members of the group "sambashare" can create user defined shares.
++	</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare path</code></em> = <code class="literal">/var/lib/samba/usershares</code>
+ </em></span>
+ </p></dd><dt><span class="term"><a name="USERSHAREPREFIXALLOWLIST"></a>usershare prefix allow list (G)</span></dt><dd><p>This parameter specifies a list of absolute pathnames
+ 	the root of which are allowed to be exported by user defined share definitions.
+Index: samba-3.0.26a/docs/htmldocs/manpages/net.8.html
+===================================================================
+--- samba-3.0.26a.orig/docs/htmldocs/manpages/net.8.html
++++ samba-3.0.26a/docs/htmldocs/manpages/net.8.html
+@@ -249,30 +249,10 @@
+ that use idmap_ldap as a backend. In this case the secret is used
+ as the password for the user DN used to bind to the ldap server.
+ </p></div><div class="refsect2" lang="en"><a name="id302073"></a><h3>USERSHARE</h3><p>Starting with version 3.0.23, a Samba server now supports the ability for
+-non-root users to add user define shares to be exported using the "net usershare"
++non-root users to add user-defined shares to be exported using the "net usershare"
+ commands.
+ </p><p>
+-To set this up, first set up your smb.conf by adding to the [global] section :
+-
+-usershare path = /usr/local/samba/lib/usershares
+-
+-Next create the directory /usr/local/samba/lib/usershares, change the owner to root and
+-set the group owner to the UNIX group who should have the ability to create usershares,
+-for example a group called "serverops".
+-
+-Set the permissions on /usr/local/samba/lib/usershares to 01770.
+-
+-(Owner and group all access, no access for others, plus the sticky bit,
+-which means that a file in that directory can be renamed or deleted only
+-by the owner of the file).
+-
+-Finally, tell smbd how many usershares you will allow by adding to the [global]
+-section of smb.conf a line such as :
+-
+-usershare max shares = 100.
+-
+-To allow 100 usershare definitions. Now, members of the UNIX group "serverops"
+-can create user defined shares on demand using the commands below.
++Members of the UNIX group "sambashare" can create user-defined shares on demand using the commands below.
+ </p><p>The usershare commands are:
+ 
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td>net usershare add sharename path [comment] [acl] [guest_ok=[y|n]] - to add or change a user defined share.</td></tr><tr><td>net usershare delete sharename - to delete a user defined share.</td></tr><tr><td>net usershare info [-l|--long] [wildcard sharename] - to print info about a user defined share.</td></tr><tr><td>net usershare list [-l|--long] [wildcard sharename] - to list user defined shares.</td></tr></table><p>
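Review bot: The loadparm.c hunk changes `Globals.iUsershareMaxShares` from 0 to 100 with no comment, which turns usershares on for every installation that does not set the parameter, upgrades included. Who may create shares is then decided by the group ownership of the usershare path, so a comment such as `/* Debian: usershares on by default; creation is limited to the group owning the usershare path */` would keep that intent visible when the patch is next rebased. None of the manpage hunks shown touches the `usershare max shares` entry, so its documented default presumably still reads 0 even though the `usershare path` default is updated; it should be corrected in the same patch. The enclosing function in loadparm.c starts and ends outside the embedded hunk.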

Modified: trunk/samba/debian/samba.postinst
===================================================================
--- trunk/samba/debian/samba.postinst	2007-11-11 09:53:28 UTC (rev 1548)
+++ trunk/samba/debian/samba.postinst	2007-11-12 21:58:04 UTC (rev 1549)
@@ -124,6 +124,17 @@
 mv -f /var/log/nmb* /var/log/samba/ 2> /dev/null || true
 mv -f /var/log/smb* /var/log/samba/ 2> /dev/null || true
 
+# add the sambashare group
+if ! getent group sambashare > /dev/null 2>&1
+then
+	addgroup --system sambashare
+fi
+
+if [ ! -e /var/lib/samba/usershares ]
+then
+	install -d -m 1770 -g sambashare /var/lib/samba/usershares
+fi
+
 #DEBHELPER#
 
 exit 0
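Review bot: The `[ ! -e /var/lib/samba/usershares ]` test accepts any pre-existing path as-is, whatever its type, owner, group or mode, so on a system where it already exists the `1770`/`sambashare` settings are never applied. Because the group and mode of this directory decide who may create usershares, the script should say whether that is deliberate, for example `# an existing directory is left untouched to preserve local admin changes`, or inspect the existing entry and warn when it differs. `install -d` also relies on the script running as root for the owner; adding `-o root` would make the required ownership explicit.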

Modified: trunk/samba/debian/smb.conf
===================================================================
--- trunk/samba/debian/smb.conf	2007-11-11 09:53:28 UTC (rev 1548)
+++ trunk/samba/debian/smb.conf	2007-11-12 21:58:04 UTC (rev 1549)
@@ -214,6 +214,12 @@
 ;   winbind enum groups = yes
 ;   winbind enum users = yes
 
+# Setup usershare options to enable non-root users to share folders
+# with the net usershare command.
+
+# Maximum number of usershare. 0 (default) means that usershare is disabled.
+;   usershare max shares = 100
+
 #======================= Share Definitions =======================
 
 [homes]
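Review bot: The added comment says `0 (default) means that usershare is disabled`, but usershare.patch in this same commit changes the compiled-in default to 100. The `usershare max shares` line here is commented out, so that built-in value is what applies. An administrator reading this file would conclude the feature is off when it is in fact on. The comment should read something like `# Maximum number of usershares. The Debian default is 100; set to 0 to disable usershares.`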



