[Pkg-samba-maint] [Git][samba-team/samba][debian_4.18] 96 commits: VERSION: Bump version up to Samba 4.18.8...

Michael Tokarev (@mjt) gitlab at salsa.debian.org
Wed Nov 29 15:20:56 GMT 2023



Michael Tokarev pushed to branch debian_4.18 at Debian Samba Team / samba


Commits:
ca1b7c18 by Jule Anger at 2023-09-27T10:09:45+02:00
VERSION: Bump version up to Samba 4.18.8...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
1688b6d3 by Jeremy Allison at 2023-10-08T22:05:40+02:00
CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.

For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
fbb9cf8d by Jeremy Allison at 2023-10-08T22:05:41+02:00
CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.

The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.

Add the knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
682a9a80 by Jeremy Allison at 2023-10-08T22:05:41+02:00
CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.

We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra at samba.org>
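
The kind of check the three CVE-2023-3961 commits above describe, as an added example that is not Samba's code and is not part of any commit message. The function names and the socket directory value are assumptions made for illustration; a rejected name yields ENOENT, which the commit message maps to NT_STATUS_OBJECT_NAME_NOT_FOUND.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder, not a real Samba path. */
#define EXAMPLE_SOCKET_DIR "/constructed/socket_dir"

/*
 * Hypothetical helper: build the UNIX domain socket path for a named pipe
 * and refuse any pipe name that could resolve outside socket_dir.
 * Returns 0 on success, ENOENT for a rejected name, ENAMETOOLONG if the
 * output buffer is too small.
 */
int pipe_socket_path(const char *socket_dir, const char *pipename,
                     char *out, size_t outlen)
{
    int n;

    if (outlen > 0) {
        out[0] = '\0';
    }
    if (pipename == NULL || pipename[0] == '\0') {
        return ENOENT;
    }
    /* A UNIX separator anywhere lets the name address another directory. */
    if (strchr(pipename, '/') != NULL) {
        return ENOENT;
    }
    /* "." and ".." are directory references, never pipe names. */
    if (strcmp(pipename, ".") == 0 || strcmp(pipename, "..") == 0) {
        return ENOENT;
    }

    n = snprintf(out, outlen, "%s/%s", socket_dir, pipename);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0) {
            out[0] = '\0';
        }
        return ENAMETOOLONG;
    }
    return 0;
}

/* Convenience wrapper: the built path, or NULL if the name was refused. */
const char *socket_path_or_null(const char *pipename)
{
    static char path[256];

    if (pipe_socket_path(EXAMPLE_SOCKET_DIR, pipename,
                         path, sizeof(path)) != 0) {
        return NULL;
    }
    return path;
}

int main(void)
{
    /* Constructed sample names: one ordinary, the rest malformed. */
    const char *names[] = { "srvsvc", "../outside", "sub/dir", "..", "" };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        const char *p = socket_path_or_null(names[i]);
        printf("%-12s -> %s\n", names[i], p != NULL ? p : "ENOENT");
    }
    return 0;
}
```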

- - - - -
ae5c0e19 by Ralph Boehme at 2023-10-08T22:06:00+02:00
CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
53c9e1c9 by Ralph Boehme at 2023-10-08T22:06:00+02:00
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()

If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow at samba.org>
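
A toy model of the access-check mismatch described in the CVE-2023-4091 commit message above, added here as an illustration; it is not Samba's code and not part of the commit. The struct, the function names and the 4096-byte file are assumptions; only the access_mask / open_access_mask distinction and the FILE_* names come from the commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access-mask bits and create dispositions, with their SMB protocol values. */
#define FILE_READ_DATA    0x00000001u
#define FILE_WRITE_DATA   0x00000002u
#define FILE_OPEN         1u
#define FILE_OVERWRITE    4u
#define FILE_OVERWRITE_IF 5u

enum open_status { OPEN_OK = 0, OPEN_ACCESS_DENIED = 1 };

/* Toy file: rights its security descriptor grants the caller, and its size. */
struct toy_file {
    uint32_t sd_granted;
    size_t size;
};

struct outcome {
    enum open_status status;
    size_t size;
};

static bool truncates(uint32_t disposition)
{
    return disposition == FILE_OVERWRITE || disposition == FILE_OVERWRITE_IF;
}

/* What the open really needs: overwrite dispositions imply FILE_WRITE_DATA. */
static uint32_t open_access_mask_for(uint32_t access_mask, uint32_t disposition)
{
    return truncates(disposition) ? (access_mask | FILE_WRITE_DATA) : access_mask;
}

static bool sd_allows(const struct toy_file *f, uint32_t wanted)
{
    return (wanted & ~f->sd_granted) == 0;
}

/* Before: the check uses the mask the client asked for. */
enum open_status open_before(struct toy_file *f, uint32_t access_mask,
                             uint32_t disposition)
{
    if (!sd_allows(f, access_mask)) {
        return OPEN_ACCESS_DENIED;
    }
    if (truncates(disposition)) {
        f->size = 0; /* truncation happens although WRITE_DATA was never checked */
    }
    return OPEN_OK;
}

/* After: the check uses the mask that includes the implied right. */
enum open_status open_after(struct toy_file *f, uint32_t access_mask,
                            uint32_t disposition)
{
    if (!sd_allows(f, open_access_mask_for(access_mask, disposition))) {
        return OPEN_ACCESS_DENIED;
    }
    if (truncates(disposition)) {
        f->size = 0;
    }
    return OPEN_OK;
}

typedef enum open_status (*open_fn)(struct toy_file *, uint32_t, uint32_t);

/* Open a fresh 4096-byte toy file and report the status and resulting size. */
struct outcome try_open(open_fn fn, uint32_t sd_granted,
                        uint32_t access_mask, uint32_t disposition)
{
    struct toy_file f = { sd_granted, 4096 };
    struct outcome o;

    o.status = fn(&f, access_mask, disposition);
    o.size = f.size;
    return o;
}

int main(void)
{
    /* Caller holds read-only rights and requests FILE_READ_DATA + overwrite. */
    struct outcome b = try_open(open_before, FILE_READ_DATA,
                                FILE_READ_DATA, FILE_OVERWRITE);
    struct outcome a = try_open(open_after, FILE_READ_DATA,
                                FILE_READ_DATA, FILE_OVERWRITE);

    printf("before: status=%d size=%zu\n", (int)b.status, b.size);
    printf("after:  status=%d size=%zu\n", (int)a.status, a.size);
    return 0;
}
```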

- - - - -
fbc27662 by Andrew Bartlett at 2023-10-08T22:06:17+02:00
CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL

The confidential_attrs test no longer uses DC_MODE_RETURN_NONE, so we can now
remove the complexity.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
(cherry picked from commit 82d2ec786f7e75ff6f34eb3357964345b10de091)

- - - - -
d1e0ee0b by Joseph Sutton at 2023-10-08T22:06:17+02:00
CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test

Use more specific unittest methods, and remove unused code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

(cherry picked from commit 2e5d08c908b3fa48b9b374279a331061cb77bce3)

- - - - -
13eac83b by Andreas Schneider at 2023-10-08T22:06:18+02:00
CVE-2023-4154 s4:dsdb:tests: Fix code spelling

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

(cherry picked from commit b29793ffdee5d9b9c1c05830622e80f7faec7670)

- - - - -
563b7a56 by Joseph Sutton at 2023-10-08T22:06:18+02:00
CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG

It's no longer used anywhere.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

(cherry picked from commit 8b4e6f7b3fb8018cb64deef9b8e1cbc2e5ba12cf)

- - - - -
39707a06 by Stefan Metzmacher at 2023-10-08T22:06:18+02:00
CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper

This is a more generic api that can be re-used in other places
as well in future. It operates on a security descriptor object instead of
SDDL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

(cherry picked from commit 8411e6d302e25d10f1035ebbdcbde7308566e930)

- - - - -
f29255af by Stefan Metzmacher at 2023-10-08T22:06:18+02:00
CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers

They better represent what they are doing, we keep dacl_add_ace()
as wrapper of dacl_prepend_aces() in order to let existing callers
work as before.

In future it would be good to have a dacl_insert_aces() that
would canonicalize the ace order before storing, but that's a task
for another day.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

(cherry picked from commit a1109a9bf12e020636b8d66fc54984aac58bfe6b)

- - - - -
b56849aa by Stefan Metzmacher at 2023-10-08T22:06:18+02:00
CVE-2023-4154 py_security: allow idx argument to descriptor.[s|d]acl_add()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

(cherry picked from commit 9ea06aaf9f57e3c7094553d9ac40fb73057a9b74)

- - - - -
571d3bf4 by Stefan Metzmacher at 2023-10-08T22:06:18+02:00
CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper

This uses ndr_pack/unpack in order to create a deep copy
of the given object.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

(cherry picked from commit 4627997ddae44265ad35b3234232eb74458c6c34)

- - - - -
c896afca by Stefan Metzmacher at 2023-10-08T22:06:18+02:00
CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

(cherry picked from commit 9d8ff0d1e0b2ba7c84af36e1931f5bc99902a44b)

- - - - -
939f2432 by Stefan Metzmacher at 2023-10-08T22:06:18+02:00
CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position

Often it is important to insert an ace at a specific position in the
ACL. As a default we still append by default by using -1, which is the
generic version of passing the number of existing aces.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

(cherry picked from commit c3cb915a67aff6739b72b86d7d139609df309ada)

- - - - -
9dade2ab by Stefan Metzmacher at 2023-10-08T22:06:18+02:00
CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

(cherry picked from commit 2c02378029fff6636b8f19e45af78b265f2210ed)

- - - - -
2cff332e by Andrew Bartlett at 2023-10-08T22:06:18+02:00
CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice

To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.

We rename tests that would otherwise have duplicate names

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ee3ac4fb by Andrew Bartlett at 2023-10-08T22:06:18+02:00
CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()

This helps ensure this test is reliable even in spite of errors while
running.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
029c47f2 by Andrew Bartlett at 2023-10-08T22:06:18+02:00
CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start

Rather than fail, if the last run failed to reset things, just force
the DC into the required state.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5dc5062b by Andrew Bartlett at 2023-10-08T22:06:18+02:00
CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9499526b by Andrew Bartlett at 2023-10-08T22:06:18+02:00
CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once

When we (expect to) get back a result, do not waste time against a potentially
slow server confirming we also get back results for all the other attribute
combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
84dcfc3b by Andrew Bartlett at 2023-10-08T22:06:18+02:00
CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour

SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication.  Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6925e6b6 by Andrew Bartlett at 2023-10-08T22:06:18+02:00
CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests

The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
23c5300d by Andrew Bartlett at 2023-10-08T22:06:18+02:00
CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY

This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.

Having a second access control system within the LDAP stack is unsafe
and this layer is incomplete.

The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access.  Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).

Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.

The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
808a46b1 by Andrew Bartlett at 2023-10-08T22:06:40+02:00
CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default

The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2e2a9fee by Andrew Bartlett at 2023-10-08T22:06:40+02:00
CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC

The rpcecho server in source3 does have the same sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact.  However equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
614d9c22 by Andrew Bartlett at 2023-10-08T22:07:05+02:00
CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC

Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.

Most critically of course this applies to netlogon, lsa and samr.

This avoids the suppression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
85475a0c by Andrew Bartlett at 2023-10-08T22:07:05+02:00
CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup

We now have ensured that no conflicting services attempt to start
so we do not need the runtime lookup and so avoid the risk that
the lookup may fail.

This means that any duplicates will be noticed early not just
in a race condition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2576c027 by Jule Anger at 2023-10-09T22:15:18+02:00
VERSION: Bump version up to Samba 4.18.8...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>
(cherry picked from commit ca1b7c185edf67b1ceb988a8015396351c5ac240)

- - - - -
84b5d364 by Jeremy Allison at 2023-10-09T22:15:18+02:00
CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.

For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
d1a26b4f by Jeremy Allison at 2023-10-09T22:15:19+02:00
CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.

The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.

Add the knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
3e64edae by Jeremy Allison at 2023-10-09T22:15:19+02:00
CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.

We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
bfe8e10b by Ralph Boehme at 2023-10-09T22:15:19+02:00
CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
3c432b14 by Ralph Boehme at 2023-10-09T22:15:19+02:00
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()

If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
582f4f2e by Andrew Bartlett at 2023-10-09T22:15:19+02:00
CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL

The confidential_attrs test no longer uses DC_MODE_RETURN_NONE, so we can now
remove the complexity.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
(cherry picked from commit 82d2ec786f7e75ff6f34eb3357964345b10de091)

- - - - -
5ca0ee6f by Joseph Sutton at 2023-10-09T22:15:19+02:00
CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test

Use more specific unittest methods, and remove unused code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

(cherry picked from commit 2e5d08c908b3fa48b9b374279a331061cb77bce3)

- - - - -
e8df1a60 by Andreas Schneider at 2023-10-09T22:15:19+02:00
CVE-2023-4154 s4:dsdb:tests: Fix code spelling

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

(cherry picked from commit b29793ffdee5d9b9c1c05830622e80f7faec7670)

- - - - -
704fadfb by Joseph Sutton at 2023-10-09T22:15:19+02:00
CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG

It's no longer used anywhere.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

(cherry picked from commit 8b4e6f7b3fb8018cb64deef9b8e1cbc2e5ba12cf)

- - - - -
b65b141e by Stefan Metzmacher at 2023-10-09T22:15:19+02:00
CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper

This is a more generic api that can be re-used in other places
as well in future. It operates on a security descriptor object instead of
SDDL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

(cherry picked from commit 8411e6d302e25d10f1035ebbdcbde7308566e930)

- - - - -
8ebcfe55 by Stefan Metzmacher at 2023-10-09T22:15:19+02:00
CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers

They better represent what they are doing, we keep dacl_add_ace()
as wrapper of dacl_prepend_aces() in order to let existing callers
work as before.

In future it would be good to have a dacl_insert_aces() that
would canonicalize the ace order before storing, but that's a task
for another day.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

(cherry picked from commit a1109a9bf12e020636b8d66fc54984aac58bfe6b)

- - - - -
8a2b11fd by Stefan Metzmacher at 2023-10-09T22:15:19+02:00
CVE-2023-4154 py_security: allow idx argument to descriptor.[s|d]acl_add()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

(cherry picked from commit 9ea06aaf9f57e3c7094553d9ac40fb73057a9b74)

- - - - -
217b30b0 by Stefan Metzmacher at 2023-10-09T22:15:19+02:00
CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper

This uses ndr_pack/unpack in order to create a deep copy
of the given object.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

(cherry picked from commit 4627997ddae44265ad35b3234232eb74458c6c34)

- - - - -
da9bdf36 by Stefan Metzmacher at 2023-10-09T22:15:19+02:00
CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

(cherry picked from commit 9d8ff0d1e0b2ba7c84af36e1931f5bc99902a44b)

- - - - -
7ebf51dd by Stefan Metzmacher at 2023-10-09T22:15:19+02:00
CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position

Often it is important to insert an ace at a specific position in the
ACL. As a default we still append by default by using -1, which is the
generic version of passing the number of existing aces.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

(cherry picked from commit c3cb915a67aff6739b72b86d7d139609df309ada)

- - - - -
570e892a by Stefan Metzmacher at 2023-10-09T22:15:19+02:00
CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

(cherry picked from commit 2c02378029fff6636b8f19e45af78b265f2210ed)

- - - - -
8ad21108 by Andrew Bartlett at 2023-10-09T22:15:19+02:00
CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice

To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.

We rename tests that would otherwise have duplicate names

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
87ff4f57 by Andrew Bartlett at 2023-10-09T22:15:19+02:00
CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()

This helps ensure this test is reliable even in spite of errors while
running.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
23031057 by Andrew Bartlett at 2023-10-09T22:15:19+02:00
CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start

Rather than fail, if the last run failed to reset things, just force
the DC into the required state.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3e7bdcd0 by Andrew Bartlett at 2023-10-09T22:15:19+02:00
CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ebc2796a by Andrew Bartlett at 2023-10-09T22:15:19+02:00
CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once

When we (expect to) get back a result, do not waste time against a potentially
slow server confirming we also get back results for all the other attribute
combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9d249db4 by Andrew Bartlett at 2023-10-09T22:15:19+02:00
CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour

SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication.  Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e691257c by Andrew Bartlett at 2023-10-09T22:15:19+02:00
CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests

The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4b3da3a9 by Andrew Bartlett at 2023-10-09T22:15:19+02:00
CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY

This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.

Having a second access control system within the LDAP stack is unsafe
and this layer is incomplete.

The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access.  Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).

Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.

The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e652fbe8 by Andrew Bartlett at 2023-10-09T22:15:19+02:00
CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default

The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2ef55647 by Andrew Bartlett at 2023-10-09T22:15:19+02:00
CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC

The rpcecho server in source3 does have the same sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact.  However equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4eba269b by Andrew Bartlett at 2023-10-09T22:15:19+02:00
CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC

Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.

Most critically of course this applies to netlogon, lsa and samr.

This avoids the suppression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
eb6f2d92 by Andrew Bartlett at 2023-10-09T22:15:19+02:00
CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup

We now have ensured that no conflicting services attempt to start
so we do not need the runtime lookup and so avoid the risk that
the lookup may fail.

This means that any duplicates will be noticed early not just
in a race condition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0bf0250e by Jule Anger at 2023-10-10T10:58:08+02:00
WHATSNEW: Add release notes for Samba 4.18.8.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
f1c0d4f1 by Jule Anger at 2023-10-10T10:58:39+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.18.8 release.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
3dc0412a by Jule Anger at 2023-10-10T17:04:24+02:00
Merge tag 'samba-4.18.8' into v4-18-stable

samba: tag release samba-4.18.8

- - - - -
d709251a by Jule Anger at 2023-10-10T17:23:50+02:00
Merge branch 'v4-18-stable' into v4-18-test

- - - - -
b9b0d8bc by Jule Anger at 2023-10-10T17:25:29+02:00
VERSION: Bump version up to Samba 4.18.9...

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
653984f4 by Martin Schwenke at 2023-10-11T10:57:21+00:00
ctdb-daemon: Call setproctitle_init()

Commit 19c82c19c009eefe975ae95c8b709fc93f5f4c39 changed the behaviour
of prctl_set_comment() so it now calls setproctitle(3bsd) by default.

In some Linux distributions (e.g. Rocky Linux 8.8), this results in
messages like this spamming the logs:

  ctdbd: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.

Most Samba daemons seem to call setproctitle_init(), so do it here.

In the longer term CTDB should also switch to using lib/util's
process_set_title(), like the rest of Samba, for more flexible process
names.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15479

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Martin Schwenke <martins at samba.org>
Autobuild-Date(master): Thu Sep 21 00:46:50 UTC 2023 on atb-devel-224

(cherry picked from commit 8b9f464420b66cebaf00654cf8b19165b301b8b6)

Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Wed Oct 11 10:57:21 UTC 2023 on atb-devel-224

- - - - -
acf4286f by Christof Schmitt at 2023-10-23T08:39:12+00:00
build: Add 'make printversion' to provide version string

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497

Signed-off-by: Christof Schmitt <christof.schmitt at us.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e2ace2d613701f3d4a7c7c202f68d2f193c0a64a)

- - - - -
8e335329 by Michael Adam at 2023-10-23T08:39:12+00:00
gitignore: add WAF lockfile

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497

Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Christof Schmitt <christof.schmitt at us.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Oct 17 04:16:29 UTC 2023 on atb-devel-224

(cherry picked from commit 310629508bfbedecfab9b653b7cba0282f5c0e8b)

- - - - -
e884fc79 by Stefan Metzmacher at 2023-10-23T08:39:12+00:00
CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor()

samba-tool drs clone-dc-database was quite useful to find
the true value of nTSecurityDescriptor of the CN=Deleted Objects
containers.

Only the auto inherited SACL is available via a ldap search.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3be190dcf7153e479383f7f3d29ddca43fe121b8)

- - - - -
46a168c9 by Stefan Metzmacher at 2023-10-23T08:39:12+00:00
CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0c329a0fda37d87ed737e4b579b6d04ec907604c)

- - - - -
74a508b3 by Stefan Metzmacher at 2023-10-23T08:39:12+00:00
CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container

This revealed a bug in our dirsync code, so we mark
test_search_with_dirsync_deleted_objects as knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7f8b15faa76d05023c987fac2c4c31f9ac61bb47)

- - - - -
edac27f5 by Stefan Metzmacher at 2023-10-23T08:39:12+00:00
CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry()

This makes the next change easier to understand.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 498542be0bbf4f26558573c1f87b77b8e3509371)

- - - - -
f967b91d by Stefan Metzmacher at 2023-10-23T08:39:12+00:00
CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 70586061128f90afa33f25e104d4570a1cf778db)

- - - - -
cbbfc917 by Stefan Metzmacher at 2023-10-23T09:52:22+00:00
CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 97e4aab1a6e2feda7c6c6fdeaa7c3e1818c55566)

Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Mon Oct 23 09:52:22 UTC 2023 on atb-devel-224

- - - - -
9a5b46d8 by Ralph Boehme at 2023-11-13T12:16:15+00:00
s3: smbd: Ignore fstat() error on deleted stream in fd_close().

In the fd_close() fsp->fsp_flags.fstat_before_close code path.

If this is a stream and delete-on-close was set, the
backing object (an xattr from streams_xattr) might
already be deleted so fstat() fails with
NT_STATUS_NOT_FOUND. So if fsp refers to a stream we
ignore the error and only bail for normal files where
an fstat() should still work. NB. We cannot use
fsp_is_alternate_stream(fsp) for this as the base_fsp
has already been closed at this point and so the value
fsp_is_alternate_stream() checks for is already NULL.

Remove knownfail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15487

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Tue Oct 10 09:39:27 UTC 2023 on atb-devel-224

(cherry picked from commit 633a3ee6894cc1d05b44dbe47a278202803d9b21)

Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Mon Nov 13 12:16:15 UTC 2023 on atb-devel-224

- - - - -
a2ad66e4 by Björn Jacke at 2023-11-20T09:55:39+00:00
system.c: fall back to become_root if CAP_DAC_OVERRIDE isn't usable

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15093

Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
(cherry picked from commit a1738e8265dd256c5a1064482a6dfccbf9ca44f1)

Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Mon Nov 20 09:55:39 UTC 2023 on atb-devel-224

- - - - -
d522d15c by Ralph Boehme at 2023-11-21T10:24:37+00:00
smbd: fix close order of base_fsp and stream_fsp in smb_fname_fsp_destructor()

VFS modules like streams_xattr use the function fsp_is_alternate_stream() on the
fsp to determine if an fsp is a stream, e.g. in streams_xattr_close(). If
fsp->base_fsp is already set to NULL, this won't work anymore.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15521

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Nov 16 18:31:17 UTC 2023 on atb-devel-224

(cherry picked from commit 4481a67c1b20549a71d6c5132b637798a09f966d)

Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Tue Nov 21 10:24:37 UTC 2023 on atb-devel-224

- - - - -
71bf5969 by Christof Schmitt at 2023-11-25T18:28:13+00:00
vfs_gpfs: Use O_PATH for opening dirfd for stat with CAP_DAC_OVERRIDE

Use O_PATH when available; this avoids the need for READ/LIST access on
that directory. Keep using O_RDONLY if the system does not have O_PATH.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit b317622a8fed0ee195ffe40129eb5bcad28dd985)

- - - - -
ddef013d by Christof Schmitt at 2023-11-25T18:28:13+00:00
vfs_gpfs: Move fstatat with DAC_CAP_OVERRIDE to helper function

Allow reuse of this code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 95319351e37b8b968b798eee66c93852d9ad2d81)

- - - - -
fedb492e by Christof Schmitt at 2023-11-25T18:28:13+00:00
vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstat

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit cbdc16a7cfa225d1cf9109fafe85e9d14729700e)

- - - - -
619eb761 by Christof Schmitt at 2023-11-25T18:28:13+00:00
vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstatat

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Nov  8 18:42:13 UTC 2023 on atb-devel-224

(cherry picked from commit 963fc353e70b940f4009ca2764e966682400e2dc)

- - - - -
f00db2a1 by Christof Schmitt at 2023-11-25T18:28:13+00:00
nfs4_acls: Implement fstat with DAC_CAP_OVERRIDE

AT_EMPTY_PATH does not exist on AIX. Address this by implementing an
override for fstat.  Implement the new override function in nfs4_acls.c
since all stat functions with DAC_CAP_OVERRIDE will be moved there to
allow reuse by other filesystems.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Björn Jacke <bjacke at samba.org>
(cherry picked from commit 05f1ee1ae2d8439af0ac9baf64ebba1a3374ea83)

- - - - -
53e4d90d by Christof Schmitt at 2023-11-25T18:28:13+00:00
vfs_gpfs: Move fstatat_with_cap_dac_override to nfs4_acls.c

All stat DAC_CAP_OVERRIDE code is being moved to nfs4_acls.c to allow
reuse by other filesystem modules.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Björn Jacke <bjacke at samba.org>
(cherry picked from commit 316c96ea83a7b70d35879e4743193bb1e9cb566c)

- - - - -
776091ad by Christof Schmitt at 2023-11-25T18:28:13+00:00
vfs_gpfs: Move stat_with_capability to nfs4_acls.c and rename function

All stat CAP_DAC_OVERRIDE code is moving to nfs4_acls.c to allow reuse
by other filesystem modules. Also rename the function to the slightly
more precise name stat_with_cap_dac_override.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Björn Jacke <bjacke at samba.org>
(cherry picked from commit 6b1e066c4f354f297fbf99ad93acfaf44e3b89cb)

- - - - -
cf8f5bdf by Christof Schmitt at 2023-11-25T18:28:13+00:00
vfs_gpfs: Move vfs_gpfs_stat to nfs4_acls.c and rename function

All stat DAC_CAP_OVERRIDE code is moving to nfs4_acls.c to allow reuse
by other file system modules. Also rename the function to the more
generic name nfs4_acl_stat.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Björn Jacke <bjacke at samba.org>
(cherry picked from commit f8a23d960e02f783119c2aef38a6e293ee548df3)

- - - - -
8ca3c483 by Christof Schmitt at 2023-11-25T18:28:13+00:00
vfs_gpfs: Move vfs_gpfs_fstat to nfs4_acls.c and rename function

All stat DAC_CAP_OVERRIDE code is moving to nfs4_acls.c to allow reuse.
Move the vfs_gpfs_fstat function and rename to the more generic name
nfs4_acl_fstat.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Björn Jacke <bjacke at samba.org>
(cherry picked from commit f9301871c61b066c1ea464e6e9109bb2cde71598)

- - - - -
790363f0 by Christof Schmitt at 2023-11-25T18:28:13+00:00
vfs_gpfs: Move vfs_gpfs_lstat to nfs4_acls.c and rename function

All stat CAP_DAC_OVERRIDE code is being moved to nfs4_acls.c to allow
reuse. Move the vfs_gpfs_lstat function and rename to the more generic
name nfs4_acl_lstat.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Björn Jacke <bjacke at samba.org>
(cherry picked from commit 2c1195678d34516744ba4f8b1c5582f4046cba35)

- - - - -
32411274 by Christof Schmitt at 2023-11-25T18:28:13+00:00
vfs_gpfs: Move vfs_gpfs_fstatat to nfs4_acls.c and rename function

All stat DAC_CAP_OVERRIDE code is being moved to nfs4_acls.c to allow
reuse. Move the vfs_gpfs_fstatat function and rename it to the more
generic name nfs4_acl_fstat.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Björn Jacke <bjacke at samba.org>
(cherry picked from commit 5fd73e93af9d015c9e65a6d4d16229476a541cfc)

- - - - -
6090ebfa by Christof Schmitt at 2023-11-25T18:28:13+00:00
nfs4_acls: Make fstatat_with_cap_dac_override static

No other module is calling this function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Björn Jacke <bjacke at samba.org>
(cherry picked from commit 8831eeca1d70c909e15c86c8af6a7b1d7b0d3b5b)

- - - - -
f9d4855b by Christof Schmitt at 2023-11-25T18:28:13+00:00
nfs4_acls: Make stat_with_cap_dac_override static

No other module is calling this function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Björn Jacke <bjacke at samba.org>
(cherry picked from commit 0f664f016207894e0a156b9e1f4db7677c264205)

- - - - -
11523b49 by Christof Schmitt at 2023-11-25T18:28:13+00:00
nfs4_acls: Make fstat_with_cap_dac_override static

No other module is calling this function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Björn Jacke <bjacke at samba.org>
(cherry picked from commit bffd8bd8c32fea738824b807eb9e5f97a609493e)

- - - - -
66259b50 by Christof Schmitt at 2023-11-25T18:28:13+00:00
vfs_aixacl2: Call stat DAC_CAP_OVERRIDE functions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Björn Jacke <bjacke at samba.org>
(cherry picked from commit 9cac91542128888bde79391ca99291a76752f334)

- - - - -
be0b6c4b by Christof Schmitt at 2023-11-25T19:34:32+00:00
vfs_zfsacl: Call stat CAP_DAC_OVERRIDE functions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Björn Jacke <bjacke at samba.org>

Autobuild-User(master): Björn Jacke <bjacke at samba.org>
Autobuild-Date(master): Wed Nov 15 19:55:07 UTC 2023 on atb-devel-224

(cherry picked from commit 12e5c15a97b45aa01fc3f4274f8ba9cf7d1ddbe9)

Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Sat Nov 25 19:34:32 UTC 2023 on atb-devel-224

- - - - -
2e5bc965 by Jule Anger at 2023-11-29T15:26:25+01:00
WHATSNEW: Add release notes for Samba 4.18.9.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
2669b77d by Jule Anger at 2023-11-29T15:26:25+01:00
VERSION: Disable GIT_SNAPSHOT for the 4.18.9 release.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
4a8dcbad by Michael Tokarev at 2023-11-29T17:49:28+03:00
New upstream version 4.18.9+dfsg
- - - - -
cacd86fa by Michael Tokarev at 2023-11-29T17:49:41+03:00
Update upstream source from tag 'upstream/4.18.9+dfsg'

Update to upstream version '4.18.9+dfsg'
with Debian dir 68748c8bf84b3339120211ca290a7c1f84de0cc6
- - - - -
addaaafd by Michael Tokarev at 2023-11-29T17:52:53+03:00
update changelog; upload version 4.18.9+dfsg-1 to unstable

- - - - -


24 changed files:

- Makefile
- VERSION
- WHATSNEW.txt
- ctdb/server/ctdbd.c
- debian/changelog
- python/samba/dbchecker.py
- python/samba/descriptor.py
- python/samba/provision/__init__.py
- python/samba/provision/sambadns.py
- + selftest/knownfail.d/samba4.ldap.confidential_attr
- source3/lib/system.c
- source3/modules/nfs4_acls.c
- source3/modules/nfs4_acls.h
- source3/modules/vfs_aixacl2.c
- source3/modules/vfs_gpfs.c
- source3/modules/vfs_zfsacl.c
- source3/smbd/files.c
- source3/smbd/open.c
- source4/dsdb/samdb/ldb_modules/dirsync.c
- source4/setup/provision.ldif
- source4/setup/provision_configuration.ldif
- source4/setup/provision_dnszones_add.ldif
- testprogs/blackbox/dbcheck-links.sh
- wscript


Changes:

=====================================
Makefile
=====================================
@@ -67,6 +67,10 @@ distcheck:
 	touch .tmplock
 	WAFLOCK=.tmplock $(WAF) distcheck
 
+printversion:
+	touch .tmplock
+	WAFLOCK=.tmplock $(WAF) printversion
+
 clean:
 	$(WAF) clean
 


=====================================
VERSION
=====================================
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=18
-SAMBA_VERSION_RELEASE=8
+SAMBA_VERSION_RELEASE=9
 
 ########################################################
 # If a official release has a serious bug              #


=====================================
WHATSNEW.txt
=====================================
@@ -1,3 +1,124 @@
+                   ==============================
+                   Release Notes for Samba 4.18.9
+                         November 29, 2023
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.18 release series.
+It contains the security-relevant bugfix CVE-2018-14628:
+
+    Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
+    allow read of object tombstones over LDAP
+    (Administrator action required!)
+    https://www.samba.org/samba/security/CVE-2018-14628.html
+
+
+Description of CVE-2018-14628
+-----------------------------
+
+All versions of Samba from 4.0.0 onwards are vulnerable to an
+information leak (compared with the established behaviour of
+Microsoft's Active Directory) when Samba is an Active Directory Domain
+Controller.
+
+When a domain was provisioned with an unpatched Samba version,
+the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object
+instead of being very strict (as on a Windows provisioned domain).
+
+This means also non privileged users can use the
+LDAP_SERVER_SHOW_DELETED_OID control in order to view,
+the names and preserved attributes of deleted objects.
+
+No information that was hidden before the deletion is visible, but in
+with the correct ntSecurityDescriptor value in place the whole object
+is also not visible without administrative rights.
+
+There is no further vulnerability associated with this error, merely an
+information disclosure.
+
+Action required in order to resolve CVE-2018-14628!
+---------------------------------------------------
+
+The patched Samba does NOT protect existing domains!
+
+The administrator needs to run the following command
+(on only one domain controller)
+in order to apply the protection to an existing domain:
+
+  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix
+
+The above requires manual interaction in order to review the
+changes before they are applied. Typicall question look like this:
+
+  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
+        Owner mismatch: SY (in ref) DA(in current)
+        Group mismatch: SY (in ref) DA(in current)
+        Part dacl is different between reference and current here is the detail:
+                (A;;LCRPLORC;;;AU) ACE is not present in the reference
+                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
+                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
+                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
+                (A;;LCRP;;;BA) ACE is not present in the current
+   [y/N/all/none] y
+  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'
+
+The change should be confirmed with 'y' for all objects starting with
+'CN=Deleted Objects'.
+
+
+Changes since 4.18.8
+--------------------
+
+o  Michael Adam <obnox at samba.org>
+   * BUG 15497: Add make command for querying Samba version.
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 15487: smbd crashes if asked to return full information on close of a
+     stream handle with delete on close disposition set.
+   * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in
+     smb_fname_fsp_destructor().
+
+o  Björn Jacke <bj at sernet.de>
+   * BUG 15093: Files without "read attributes" NFS4 ACL permission are not
+     listed in directories.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in
+     AD LDAP to normal users.
+
+o  Christof Schmitt <cs at samba.org>
+   * BUG 15507: vfs_gpfs stat calls fail due to file system permissions.
+
+o  Christof Schmitt <christof.schmitt at us.ibm.com>
+   * BUG 15497: Add make command for querying Samba version.
+
+o  Martin Schwenke <mschwenke at ddn.com>
+   * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ==============================
                    Release Notes for Samba 4.18.8
                           October 10, 2023
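
Review bot: the added CVE-2018-14628 text has wording slips that make the administrator instructions harder to follow. "but in with the correct ntSecurityDescriptor value in place" should read "but with the correct ...", and "Typicall question look like this" should be "A typical question looks like this". The attribute is also spelled ntSecurityDescriptor in the description but nTSecurityDescriptor in the command and in the sample output; using nTSecurityDescriptor throughout lets readers copy the name straight into the --attrs option.
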
@@ -74,8 +195,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.18.7
                          September 27, 2023


=====================================
ctdb/server/ctdbd.c
=====================================
@@ -170,6 +170,8 @@ int main(int argc, const char *argv[])
 	const char *test_mode;
 	bool ok;
 
+	setproctitle_init(argc, discard_const(argv), environ);
+
 	/*
 	 * Basic setup
 	 */


=====================================
debian/changelog
=====================================
@@ -1,3 +1,31 @@
+samba (2:4.18.9+dfsg-1) unstable; urgency=medium
+
+  * new stable/security/bugfix release:
+   o https://bugzilla.samba.org/show_bug.cgi?id=13595
+     CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in AD LDAP
+     to normal users (Closes: #1034803).  Please see WHATSNEW.txt file for
+     more information about this issue: actual fix requires extra steps to
+     be performed against samba-based AD-DC
+   o https://bugzilla.samba.org/show_bug.cgi?id=15093
+     Files without "read attributes" NFS4 ACL permission are not listed
+     in directories
+   o https://bugzilla.samba.org/show_bug.cgi?id=15479
+     ctdbd: setproctitle not initialized messages flooding logs
+   o https://bugzilla.samba.org/show_bug.cgi?id=15487
+     smbd crashes if asked to return full information on close of
+     a stream handle with delete on close disposition set
+   o https://bugzilla.samba.org/show_bug.cgi?id=15497
+     Add make command for querying Samba version
+   o https://bugzilla.samba.org/show_bug.cgi?id=15497
+     Add make command for querying Samba version
+   o https://bugzilla.samba.org/show_bug.cgi?id=15507
+     vfs_gpfs stat calls fail due to file system permissions
+   o https://bugzilla.samba.org/show_bug.cgi?id=15521
+     smbd: fix close order of base_fsp and stream_fsp
+     in smb_fname_fsp_destructor()
+
+ -- Michael Tokarev <mjt at tls.msk.ru>  Wed, 29 Nov 2023 17:51:04 +0300
+
 samba (2:4.18.8+dfsg-1) unstable; urgency=medium
 
   * new stable security bugfix release:
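
Review bot: the new changelog stanza lists bug 15497 ("Add make command for querying Samba version") twice in a row, with the same URL and the same description. Drop the second copy so each closed bug appears once.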


=====================================
python/samba/dbchecker.py
=====================================
@@ -20,7 +20,7 @@
 import ldb
 import samba
 import time
-from base64 import b64decode
+from base64 import b64decode, b64encode
 from samba import dsdb
 from samba import common
 from samba.dcerpc import misc
@@ -29,7 +29,11 @@ from samba.ndr import ndr_unpack, ndr_pack
 from samba.dcerpc import drsblobs
 from samba.samdb import dsdb_Dn
 from samba.dcerpc import security
-from samba.descriptor import get_wellknown_sds, get_diff_sds
+from samba.descriptor import (
+        get_wellknown_sds,
+        get_deletedobjects_descriptor,
+        get_diff_sds
+)
 from samba.auth import system_session, admin_session
 from samba.netcmd import CommandError
 from samba.netcmd.fsmo import get_fsmo_roleowner
@@ -351,6 +355,12 @@ class dbcheck(object):
                 listwko.append('%s:%s' % (wko_prefix, dn))
                 guid_suffix = ""
 
+
+            domain_sid = security.dom_sid(self.samdb.get_domain_sid())
+            sec_desc = get_deletedobjects_descriptor(domain_sid,
+                                                     name_map=self.name_map)
+            sec_desc_b64 = b64encode(sec_desc).decode('utf8')
+
             # Insert a brand new Deleted Objects container
             self.samdb.add_ldif("""dn: %s
 objectClass: top
@@ -359,7 +369,8 @@ description: Container for deleted objects
 isDeleted: TRUE
 isCriticalSystemObject: TRUE
 showInAdvancedViewOnly: TRUE
-systemFlags: -1946157056%s""" % (dn, guid_suffix),
+nTSecurityDescriptor:: %s
+systemFlags: -1946157056%s""" % (dn, sec_desc_b64, guid_suffix),
                                 controls=["relax:0", "provision:0"])
 
             delta = ldb.Message()
@@ -2458,7 +2469,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                     error_count += 1
                     continue
 
-                if self.reset_well_known_acls:
+                if dn == deleted_objects_dn or self.reset_well_known_acls:
                     try:
                         well_known_sd = self.get_wellknown_sd(dn)
                     except KeyError:
@@ -2467,7 +2478,13 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                     current_sd = ndr_unpack(security.descriptor,
                                             obj[attrname][0])
 
-                    diff = get_diff_sds(well_known_sd, current_sd, security.dom_sid(self.samdb.get_domain_sid()))
+                    ignoreAdditionalACEs = False
+                    if not self.reset_well_known_acls:
+                        ignoreAdditionalACEs = True
+
+                    diff = get_diff_sds(well_known_sd, current_sd,
+                                        security.dom_sid(self.samdb.get_domain_sid()),
+                                        ignoreAdditionalACEs=ignoreAdditionalACEs)
                     if diff != "":
                         self.err_wrong_default_sd(dn, well_known_sd, diff)
                         error_count += 1
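
Review bot: the three added lines that set ignoreAdditionalACEs can be a single assignment, `ignoreAdditionalACEs = not self.reset_well_known_acls`. A short comment on why extra ACEs are tolerated when the check runs only because dn is the Deleted Objects container would help the next reader, and security.dom_sid(self.samdb.get_domain_sid()) could be computed once rather than on every pass through the loop.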


=====================================
python/samba/descriptor.py
=====================================
@@ -52,6 +52,16 @@ def get_empty_descriptor(domain_sid, name_map={}):
 # "get_schema_descriptor" is located in "schema.py"
 
 
+def get_deletedobjects_descriptor(domain_sid, name_map=None):
+    if name_map is None:
+        name_map = {}
+
+    sddl = "O:SYG:SYD:PAI" \
+        "(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)" \
+        "(A;;RPLC;;;BA)"
+    return sddl2binary(sddl, domain_sid, name_map)
+
+
 def get_config_descriptor(domain_sid, name_map={}):
     sddl = "O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
            "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
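
Review bot: get_deletedobjects_descriptor() has no docstring or comment explaining its SDDL string, although that string is the substance of the CVE-2018-14628 fix. A comment stating that `D:PAI` marks the DACL as protected so nothing is inherited from the partition head, and that the only ACEs are the SY one and the `(A;;RPLC;;;BA)` one, would tell a later reader why this container must not be given the inherited default. The `name_map=None` default is the right choice here; the neighbouring functions in the context lines still use the mutable `name_map={}` default and could follow it in a separate cleanup.
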
@@ -407,6 +417,7 @@ def get_wellknown_sds(samdb):
     # Then subcontainers
     subcontainers = [
         (ldb.Dn(samdb, "%s" % str(samdb.domain_dn())), get_domain_descriptor),
+        (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.domain_dn())), get_deletedobjects_descriptor),
         (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(samdb.domain_dn())), get_domain_delete_protected2_descriptor),
         (ldb.Dn(samdb, "CN=System,%s" % str(samdb.domain_dn())), get_domain_delete_protected1_descriptor),
         (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(samdb.domain_dn())), get_domain_infrastructure_descriptor),
@@ -417,6 +428,7 @@ def get_wellknown_sds(samdb):
         (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(samdb.domain_dn())), get_dns_domain_microsoft_dns_descriptor),
 
         (ldb.Dn(samdb, "%s" % str(samdb.get_config_basedn())), get_config_descriptor),
+        (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.get_config_basedn())), get_deletedobjects_descriptor),
         (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(samdb.get_config_basedn())), get_config_ntds_quotas_descriptor),
         (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor),
         (ldb.Dn(samdb, "CN=Services,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1_descriptor),
@@ -441,6 +453,9 @@ def get_wellknown_sds(samdb):
         if ldb.Dn(samdb, nc.decode('utf8')) == dnsforestdn:
             c = (ldb.Dn(samdb, "%s" % str(dnsforestdn)), get_dns_partition_descriptor)
             subcontainers.append(c)
+            c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsforestdn)),
+                 get_deletedobjects_descriptor)
+            subcontainers.append(c)
             c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsforestdn)),
                  get_domain_delete_protected1_descriptor)
             subcontainers.append(c)
@@ -456,6 +471,9 @@ def get_wellknown_sds(samdb):
         if ldb.Dn(samdb, nc.decode('utf8')) == dnsdomaindn:
             c = (ldb.Dn(samdb, "%s" % str(dnsdomaindn)), get_dns_partition_descriptor)
             subcontainers.append(c)
+            c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsdomaindn)),
+                 get_deletedobjects_descriptor)
+            subcontainers.append(c)
             c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsdomaindn)),
                  get_domain_delete_protected1_descriptor)
             subcontainers.append(c)
@@ -548,7 +566,8 @@ def get_clean_sd(sd):
     return sd_clean
 
 
-def get_diff_sds(refsd, cursd, domainsid, checkSacl=True):
+def get_diff_sds(refsd, cursd, domainsid, checkSacl=True,
+                 ignoreAdditionalACEs=False):
     """Get the difference between 2 sd
 
     This function split the textual representation of ACL into smaller
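
Review bot: the new ignoreAdditionalACEs parameter in the get_diff_sds() signature is not described in the docstring that follows. Please add a line saying that, when it is set, ACEs found only in the current descriptor are not reported, so callers know that an empty result no longer means the two descriptors are equal.
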
@@ -603,6 +622,10 @@ def get_diff_sds(refsd, cursd, domainsid, checkSacl=True):
                     h_ref.remove(k)
 
             if len(h_cur) + len(h_ref) > 0:
+                if txt == "" and len(h_ref) == 0:
+                    if ignoreAdditionalACEs:
+                        return ""
+
                 txt = "%s\tPart %s is different between reference" \
                       " and current here is the detail:\n" % (txt, part)
 
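
Review bot: the added `return ""` inside the `len(h_cur) + len(h_ref) > 0` branch leaves get_diff_sds() as soon as one part has only extra ACEs, so any part that would be compared after it is never examined. Assuming this sits in the per-part loop that the `part` variable suggests, `continue` would skip just this part and keep the remaining comparison. It also means a descriptor that carries every reference ACE plus an extra allow ACE is reported as clean when ignoreAdditionalACEs is set; if that is intended for the CN=Deleted Objects check, a comment saying so would help, and the two nested ifs can be one condition.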


=====================================
python/samba/provision/__init__.py
=====================================
@@ -78,6 +78,7 @@ from samba.provision.backend import (
     LDBBackend,
 )
 from samba.descriptor import (
+    get_deletedobjects_descriptor,
     get_empty_descriptor,
     get_config_descriptor,
     get_config_partitions_descriptor,
@@ -1441,6 +1442,8 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
     msg["subRefs"] = ldb.MessageElement(names.configdn, ldb.FLAG_MOD_ADD,
                                         "subRefs")
 
+    deletedobjects_descr = b64encode(get_deletedobjects_descriptor(names.domainsid)).decode('utf8')
+
     samdb.invocation_id = invocationid
 
     # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
@@ -1472,6 +1475,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
                 "FOREST_FUNCTIONALITY": str(forestFunctionality),
                 "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
                 "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr,
+                "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr,
                 "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr,
                 "SERVICES_DESCRIPTOR": protected1_descr,
                 "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr,
@@ -1536,6 +1540,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
         "RIDAVAILABLESTART": str(next_rid + 600),
         "POLICYGUID_DC": policyguid_dc,
         "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
+        "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr,
         "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc,
         "SYSTEM_DESCRIPTOR": system_desc,
         "BUILTIN_DESCRIPTOR": builtin_desc,


=====================================
python/samba/provision/sambadns.py
=====================================
@@ -42,6 +42,7 @@ from samba.dsdb import (
     DS_GUID_USERS_CONTAINER
 )
 from samba.descriptor import (
+    get_deletedobjects_descriptor,
     get_domain_descriptor,
     get_domain_delete_protected1_descriptor,
     get_domain_delete_protected2_descriptor,
@@ -256,6 +257,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
     domainzone_dn = "DC=DomainDnsZones,%s" % domaindn
     forestzone_dn = "DC=ForestDnsZones,%s" % forestdn
     descriptor = get_dns_partition_descriptor(domainsid)
+    deletedobjects_desc = get_deletedobjects_descriptor(domainsid)
 
     setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), {
         "ZONE_DN": domainzone_dn,
@@ -278,6 +280,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
         "ZONE_DNS": domainzone_dns,
         "CONFIGDN": configdn,
         "SERVERDN": serverdn,
+        "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'),
         "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'),
         "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'),
     })
@@ -297,6 +300,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
             "ZONE_DNS": forestzone_dns,
             "CONFIGDN": configdn,
             "SERVERDN": serverdn,
+            "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'),
             "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'),
             "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'),
         })


=====================================
selftest/knownfail.d/samba4.ldap.confidential_attr
=====================================
@@ -0,0 +1 @@
+^samba4.ldap.confidential_attr.python.*.__main__.*.test_search_with_dirsync_deleted_objects


=====================================
source3/lib/system.c
=====================================
@@ -643,18 +643,45 @@ static bool set_process_capability(enum smbd_capability capability,
  Gain the oplock capability from the kernel if possible.
 ****************************************************************************/
 
+#if defined(HAVE_POSIX_CAPABILITIES) && defined(CAP_DAC_OVERRIDE)
+static bool have_cap_dac_override = true;
+#else
+static bool have_cap_dac_override = false;
+#endif
+
 void set_effective_capability(enum smbd_capability capability)
 {
+	bool ret = false;
+
+	if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) {
 #if defined(HAVE_POSIX_CAPABILITIES)
-	set_process_capability(capability, True);
+		ret = set_process_capability(capability, True);
 #endif /* HAVE_POSIX_CAPABILITIES */
+	}
+
+	/*
+	 * Fallback to become_root() if CAP_DAC_OVERRIDE is not
+	 * available.
+	 */
+	if (capability == DAC_OVERRIDE_CAPABILITY) {
+		if (!ret) {
+			have_cap_dac_override = false;
+		}
+		if (!have_cap_dac_override) {
+			become_root();
+		}
+	}
 }
 
 void drop_effective_capability(enum smbd_capability capability)
 {
+	if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) {
 #if defined(HAVE_POSIX_CAPABILITIES)
-	set_process_capability(capability, False);
+		set_process_capability(capability, False);
 #endif /* HAVE_POSIX_CAPABILITIES */
+	} else {
+		unbecome_root();
+	}
 }
 
 /**************************************************************************
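
Review bot: In set_effective_capability(), one failed set_process_capability() call for DAC_OVERRIDE_CAPABILITY clears have_cap_dac_override for the rest of the process lifetime, and every later call then goes through become_root() with no log line. become_root() grants much more than CAP_DAC_OVERRIDE, so the switch should be visible: log once at the point where `have_cap_dac_override = false;` is assigned. The block comment above the function still reads "Gain the oplock capability from the kernel if possible" and should be updated to describe the DAC override fallback.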


=====================================
source3/modules/nfs4_acls.c
=====================================
@@ -116,6 +116,155 @@ int smbacl4_get_vfs_params(struct connection_struct *conn,
 	return 0;
 }
 
+static int fstatat_with_cap_dac_override(int fd,
+					 const char *pathname,
+					 SMB_STRUCT_STAT *sbuf,
+					 int flags,
+					 bool fake_dir_create_times)
+{
+	int ret;
+
+	set_effective_capability(DAC_OVERRIDE_CAPABILITY);
+	ret = sys_fstatat(fd,
+			  pathname,
+			  sbuf,
+			  flags,
+			  fake_dir_create_times);
+	drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
+
+	return ret;
+}
+
+static int stat_with_cap_dac_override(struct vfs_handle_struct *handle,
+				      struct smb_filename *smb_fname, int flag)
+{
+	bool fake_dctime = lp_fake_directory_create_times(SNUM(handle->conn));
+	int fd = -1;
+	NTSTATUS status;
+	struct smb_filename *dir_name = NULL;
+	struct smb_filename *rel_name = NULL;
+	int ret = -1;
+#ifdef O_PATH
+	int open_flags = O_PATH;
+#else
+	int open_flags = O_RDONLY;
+#endif
+
+	status = SMB_VFS_PARENT_PATHNAME(handle->conn,
+					 talloc_tos(),
+					 smb_fname,
+					 &dir_name,
+					 &rel_name);
+	if (!NT_STATUS_IS_OK(status)) {
+		errno = map_errno_from_nt_status(status);
+		return -1;
+	}
+
+	fd = open(dir_name->base_name, open_flags, 0);
+	if (fd == -1) {
+		TALLOC_FREE(dir_name);
+		return -1;
+	}
+
+	ret = fstatat_with_cap_dac_override(fd,
+					    rel_name->base_name,
+					    &smb_fname->st,
+					    flag,
+					    fake_dctime);
+
+	TALLOC_FREE(dir_name);
+	close(fd);
+
+	return ret;
+}
+
+int nfs4_acl_stat(struct vfs_handle_struct *handle,
+		  struct smb_filename *smb_fname)
+{
+	int ret;
+
+	ret = SMB_VFS_NEXT_STAT(handle, smb_fname);
+	if (ret == -1 && errno == EACCES) {
+		DEBUG(10, ("Trying stat with capability for %s\n",
+			   smb_fname->base_name));
+		ret = stat_with_cap_dac_override(handle, smb_fname, 0);
+	}
+	return ret;
+}
+
+static int fstat_with_cap_dac_override(int fd, SMB_STRUCT_STAT *sbuf,
+				       bool fake_dir_create_times)
+{
+	int ret;
+
+	set_effective_capability(DAC_OVERRIDE_CAPABILITY);
+	ret = sys_fstat(fd, sbuf, fake_dir_create_times);
+	drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
+
+	return ret;
+}
+
+int nfs4_acl_fstat(struct vfs_handle_struct *handle,
+		   struct files_struct *fsp,
+		   SMB_STRUCT_STAT *sbuf)
+{
+	int ret;
+
+	ret = SMB_VFS_NEXT_FSTAT(handle, fsp, sbuf);
+	if (ret == -1 && errno == EACCES) {
+		bool fake_dctime =
+			lp_fake_directory_create_times(SNUM(handle->conn));
+
+		DBG_DEBUG("fstat for %s failed with EACCES. Trying with "
+			  "CAP_DAC_OVERRIDE.\n", fsp->fsp_name->base_name);
+		ret = fstat_with_cap_dac_override(fsp_get_pathref_fd(fsp),
+						  sbuf,
+						  fake_dctime);
+	}
+
+	return ret;
+}
+
+int nfs4_acl_lstat(struct vfs_handle_struct *handle,
+		   struct smb_filename *smb_fname)
+{
+	int ret;
+
+	ret = SMB_VFS_NEXT_LSTAT(handle, smb_fname);
+	if (ret == -1 && errno == EACCES) {
+		DEBUG(10, ("Trying lstat with capability for %s\n",
+			   smb_fname->base_name));
+		ret = stat_with_cap_dac_override(handle, smb_fname,
+						 AT_SYMLINK_NOFOLLOW);
+	}
+	return ret;
+}
+
+int nfs4_acl_fstatat(struct vfs_handle_struct *handle,
+		     const struct files_struct *dirfsp,
+		     const struct smb_filename *smb_fname,
+		     SMB_STRUCT_STAT *sbuf,
+		     int flags)
+{
+	int ret;
+
+	ret = SMB_VFS_NEXT_FSTATAT(handle, dirfsp, smb_fname, sbuf, flags);
+	if (ret == -1 && errno == EACCES) {
+		bool fake_dctime =
+			lp_fake_directory_create_times(SNUM(handle->conn));
+
+		DBG_DEBUG("fstatat for %s failed with EACCES. Trying with "
+			  "CAP_DAC_OVERRIDE.\n", dirfsp->fsp_name->base_name);
+		ret = fstatat_with_cap_dac_override(fsp_get_pathref_fd(dirfsp),
+						    smb_fname->base_name,
+						    sbuf,
+						    flags,
+						    fake_dctime);
+	}
+
+	return ret;
+}
+
 /************************************************
  Split the ACE flag mapping between nfs4 and Windows
  into two separate functions rather than trying to do
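
Review bot: fstatat_with_cap_dac_override() and fstat_with_cap_dac_override() call drop_effective_capability() between the stat call and the return, and stat_with_cap_dac_override() then runs TALLOC_FREE(dir_name) and close(fd), so the errno from a failed stat can be overwritten before the caller sees it. Save errno right after sys_fstatat() / sys_fstat() and restore it before returning. Two smaller points: the open() of dir_name->base_name runs before the capability is raised, so if that open() itself returns EACCES the fallback never reaches fstatat; and the DBG_DEBUG in nfs4_acl_fstatat() prints dirfsp->fsp_name->base_name rather than the smb_fname->base_name that was looked up.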


=====================================
source3/modules/nfs4_acls.h
=====================================
@@ -118,6 +118,22 @@ struct smbacl4_vfs_params {
 int smbacl4_get_vfs_params(struct connection_struct *conn,
 			   struct smbacl4_vfs_params *params);
 
+int nfs4_acl_stat(struct vfs_handle_struct *handle,
+		  struct smb_filename *smb_fname);
+
+int nfs4_acl_fstat(struct vfs_handle_struct *handle,
+		   struct files_struct *fsp,
+		   SMB_STRUCT_STAT *sbuf);
+
+int nfs4_acl_lstat(struct vfs_handle_struct *handle,
+		   struct smb_filename *smb_fname);
+
+int nfs4_acl_fstatat(struct vfs_handle_struct *handle,
+		     const struct files_struct *dirfsp,
+		     const struct smb_filename *smb_fname,
+		     SMB_STRUCT_STAT *sbuf,
+		     int flags);
+
 struct SMB4ACL_T *smb_create_smb4acl(TALLOC_CTX *mem_ctx);
 
 /* prop's contents are copied */


=====================================
source3/modules/vfs_aixacl2.c
=====================================
@@ -460,6 +460,10 @@ int aixjfs2_sys_acl_delete_def_fd(vfs_handle_struct *handle,
 }
 
 static struct vfs_fn_pointers vfs_aixacl2_fns = {
+	.stat_fn = nfs4_acl_stat,
+	.fstat_fn = nfs4_acl_fstat,
+	.lstat_fn = nfs4_acl_lstat,
+	.fstatat_fn = nfs4_acl_fstatat,
 	.fget_nt_acl_fn = aixjfs2_fget_nt_acl,
 	.fset_nt_acl_fn = aixjfs2_fset_nt_acl,
 	.sys_acl_get_fd_fn = aixjfs2_sys_acl_get_fd,


=====================================
source3/modules/vfs_gpfs.c
=====================================
@@ -1594,76 +1594,6 @@ static NTSTATUS vfs_gpfs_fset_dos_attributes(struct vfs_handle_struct *handle,
 	return NT_STATUS_OK;
 }
 
-static int stat_with_capability(struct vfs_handle_struct *handle,
-				struct smb_filename *smb_fname, int flag)
-{
-	bool fake_dctime = lp_fake_directory_create_times(SNUM(handle->conn));
-	int fd = -1;
-	NTSTATUS status;
-	struct smb_filename *dir_name = NULL;
-	struct smb_filename *rel_name = NULL;
-	int ret = -1;
-
-	status = SMB_VFS_PARENT_PATHNAME(handle->conn,
-					 talloc_tos(),
-					 smb_fname,
-					 &dir_name,
-					 &rel_name);
-	if (!NT_STATUS_IS_OK(status)) {
-		errno = map_errno_from_nt_status(status);
-		return -1;
-	}
-
-	fd = open(dir_name->base_name, O_RDONLY, 0);
-	if (fd == -1) {
-		TALLOC_FREE(dir_name);
-		return -1;
-	}
-
-	set_effective_capability(DAC_OVERRIDE_CAPABILITY);
-	ret = sys_fstatat(fd,
-				rel_name->base_name,
-				&smb_fname->st,
-				flag,
-				fake_dctime);
-
-	drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
-
-	TALLOC_FREE(dir_name);
-	close(fd);
-
-	return ret;
-}
-
-static int vfs_gpfs_stat(struct vfs_handle_struct *handle,
-			 struct smb_filename *smb_fname)
-{
-	int ret;
-
-	ret = SMB_VFS_NEXT_STAT(handle, smb_fname);
-	if (ret == -1 && errno == EACCES) {
-		DEBUG(10, ("Trying stat with capability for %s\n",
-			   smb_fname->base_name));
-		ret = stat_with_capability(handle, smb_fname, 0);
-	}
-	return ret;
-}
-
-static int vfs_gpfs_lstat(struct vfs_handle_struct *handle,
-			  struct smb_filename *smb_fname)
-{
-	int ret;
-
-	ret = SMB_VFS_NEXT_LSTAT(handle, smb_fname);
-	if (ret == -1 && errno == EACCES) {
-		DEBUG(10, ("Trying lstat with capability for %s\n",
-			   smb_fname->base_name));
-		ret = stat_with_capability(handle, smb_fname,
-					   AT_SYMLINK_NOFOLLOW);
-	}
-	return ret;
-}
-
 static int timespec_to_gpfs_time(
 	struct timespec ts, gpfs_timestruc_t *gt, int idx, int *flags)
 {
@@ -2592,8 +2522,10 @@ static struct vfs_fn_pointers vfs_gpfs_fns = {
 	.sys_acl_delete_def_fd_fn = gpfsacl_sys_acl_delete_def_fd,
 	.fchmod_fn = vfs_gpfs_fchmod,
 	.close_fn = vfs_gpfs_close,
-	.stat_fn = vfs_gpfs_stat,
-	.lstat_fn = vfs_gpfs_lstat,
+	.stat_fn = nfs4_acl_stat,
+	.fstat_fn = nfs4_acl_fstat,
+	.lstat_fn = nfs4_acl_lstat,
+	.fstatat_fn = nfs4_acl_fstatat,
 	.fntimes_fn = vfs_gpfs_fntimes,
 	.aio_force_fn = vfs_gpfs_aio_force,
 	.sendfile_fn = vfs_gpfs_sendfile,
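
Review bot: The change to vfs_gpfs_fns is not a pure move of the removed vfs_gpfs_stat() / vfs_gpfs_lstat(): .fstat_fn and .fstatat_fn now also retry with DAC_OVERRIDE_CAPABILITY on EACCES, which this module did not do before, and the shared helper opens the parent with O_PATH where available instead of the O_RDONLY used by the removed stat_with_capability(). A comment next to the table or a line in the commit message should state that the wider retry is intended for GPFS.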


=====================================
source3/modules/vfs_zfsacl.c
=====================================
@@ -487,6 +487,10 @@ static int zfsacl_connect(struct vfs_handle_struct *handle,
 
 static struct vfs_fn_pointers zfsacl_fns = {
 	.connect_fn = zfsacl_connect,
+	.stat_fn = nfs4_acl_stat,
+	.fstat_fn = nfs4_acl_fstat,
+	.lstat_fn = nfs4_acl_lstat,
+	.fstatat_fn = nfs4_acl_fstatat,
 	.sys_acl_get_fd_fn = zfsacl_fail__sys_acl_get_fd,
 	.sys_acl_blob_get_fd_fn = zfsacl_fail__sys_acl_blob_get_fd,
 	.sys_acl_set_fd_fn = zfsacl_fail__sys_acl_set_fd,


=====================================
source3/smbd/files.c
=====================================
@@ -406,6 +406,7 @@ static void destroy_fsp_smb_fname_link(struct fsp_smb_fname_link **_link)
 static int smb_fname_fsp_destructor(struct smb_filename *smb_fname)
 {
 	struct files_struct *fsp = smb_fname->fsp;
+	struct files_struct *base_fsp = NULL;
 	NTSTATUS status;
 	int saved_errno = errno;
 
@@ -417,17 +418,7 @@ static int smb_fname_fsp_destructor(struct smb_filename *smb_fname)
 	}
 
 	if (fsp_is_alternate_stream(fsp)) {
-		struct files_struct *tmp_base_fsp = fsp->base_fsp;
-
-		fsp_set_base_fsp(fsp, NULL);
-
-		status = fd_close(tmp_base_fsp);
-		if (!NT_STATUS_IS_OK(status)) {
-			DBG_ERR("Closing fd for fsp [%s] failed: %s. "
-				"Please check your filesystem!!!\n",
-				fsp_str_dbg(fsp), nt_errstr(status));
-		}
-		file_free(NULL, tmp_base_fsp);
+		base_fsp = fsp->base_fsp;
 	}
 
 	status = fd_close(fsp);
@@ -439,6 +430,17 @@ static int smb_fname_fsp_destructor(struct smb_filename *smb_fname)
 	file_free(NULL, fsp);
 	smb_fname->fsp = NULL;
 
+	if (base_fsp != NULL) {
+		base_fsp->stream_fsp = NULL;
+		status = fd_close(base_fsp);
+		if (!NT_STATUS_IS_OK(status)) {
+			DBG_ERR("Closing fd for base_fsp [%s] failed: %s. "
+				"Please check your filesystem!!!\n",
+				fsp_str_dbg(base_fsp), nt_errstr(status));
+		}
+		file_free(NULL, base_fsp);
+	}
+
 	errno = saved_errno;
 	return 0;
 }
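
Review bot: The new tail of smb_fname_fsp_destructor() depends on an ordering that is not explained: base_fsp is now closed and freed only after fd_close(fsp) and file_free(NULL, fsp), and `base_fsp->stream_fsp = NULL;` is assigned directly where the removed code called fsp_set_base_fsp(fsp, NULL). Add a short comment saying why the stream has to be closed first and why the back pointer is cleared by hand, so a later cleanup does not restore the old order.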


=====================================
source3/smbd/open.c
=====================================
@@ -997,7 +997,20 @@ NTSTATUS fd_close(files_struct *fsp)
 	if (fsp->fsp_flags.fstat_before_close) {
 		status = vfs_stat_fsp(fsp);
 		if (!NT_STATUS_IS_OK(status)) {
-			return status;
+			/*
+			 * If this is a stream and delete-on-close was set, the
+			 * backing object (an xattr from streams_xattr) might
+			 * already be deleted so fstat() fails with
+			 * NT_STATUS_NOT_FOUND. So if fsp refers to a stream we
+			 * ignore the error and only bail for normal files where
+			 * an fstat() should still work. NB. We cannot use
+			 * fsp_is_alternate_stream(fsp) for this as the base_fsp
+			 * has already been closed at this point and so the value
+			 * fsp_is_alternate_stream() checks for is already NULL.
+			 */
+			if (fsp->fsp_name->stream_name == NULL) {
+				return status;
+			}
 		}
 	}
 
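
Review bot: The new check `if (fsp->fsp_name->stream_name == NULL)` ignores every vfs_stat_fsp() failure on a stream, while the comment only justifies the case where delete-on-close already removed the backing xattr and fstat() fails with NT_STATUS_NOT_FOUND. Restrict the exception to that status, or at least log the ignored status at debug level, so other stat errors on streams are not dropped silently.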


=====================================
source4/dsdb/samdb/ldb_modules/dirsync.c
=====================================
@@ -151,10 +151,6 @@ static int dirsync_filter_entry(struct ldb_request *req,
 	 * list only the attribute that have been modified since last interogation
 	 *
 	 */
-	newmsg = ldb_msg_new(dsc->req);
-	if (newmsg == NULL) {
-		return ldb_oom(ldb);
-	}
 	for (i = msg->num_elements - 1; i >= 0; i--) {
 		if (ldb_attr_cmp(msg->elements[i].name, "uSNChanged") == 0) {
 			int error = 0;
@@ -201,11 +197,6 @@ static int dirsync_filter_entry(struct ldb_request *req,
 			 */
 			return LDB_SUCCESS;
 		}
-		newmsg->dn = ldb_dn_new(newmsg, ldb, "");
-		if (newmsg->dn == NULL) {
-			return ldb_oom(ldb);
-		}
-
 		el = ldb_msg_find_element(msg, "objectGUID");
 		if ( el != NULL) {
 			guidfound = true;
@@ -216,48 +207,14 @@ static int dirsync_filter_entry(struct ldb_request *req,
 		 * well will uncomment the code bellow
 		 */
 		SMB_ASSERT(guidfound == true);
-		/*
-		if (guidfound == false) {
-			struct GUID guid;
-			struct ldb_val *new_val;
-			DATA_BLOB guid_blob;
-
-			tmp[0] = '\0';
-			txt = strrchr(txt, ':');
-			if (txt == NULL) {
-				return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
-			}
-			txt++;
-
-			status = GUID_from_string(txt, &guid);
-			if (!NT_STATUS_IS_OK(status)) {
-				return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
-			}
-
-			status = GUID_to_ndr_blob(&guid, msg, &guid_blob);
-			if (!NT_STATUS_IS_OK(status)) {
-				return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
-			}
-
-			new_val = talloc(msg, struct ldb_val);
-			if (new_val == NULL) {
-				return ldb_oom(ldb);
-			}
-			new_val->data = talloc_steal(new_val, guid_blob.data);
-			new_val->length = guid_blob.length;
-			if (ldb_msg_add_value(msg, "objectGUID", new_val, NULL) != 0) {
-				return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
-			}
-		}
-		*/
-		ldb_msg_add(newmsg, el, LDB_FLAG_MOD_ADD);
-		talloc_steal(newmsg->elements, el->name);
-		talloc_steal(newmsg->elements, el->values);
-
-		talloc_steal(newmsg->elements, msg);
 		return ldb_module_send_entry(dsc->req, msg, controls);
 	}
 
+	newmsg = ldb_msg_new(dsc->req);
+	if (newmsg == NULL) {
+		return ldb_oom(ldb);
+	}
+
 	ndr_err = ndr_pull_struct_blob(replMetaData, dsc, &rmd,
 		(ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
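
Review bot: With the commented-out GUID reconstruction block deleted, the context comment directly above SMB_ASSERT(guidfound == true) ("well will uncomment the code bellow") now points at code that no longer exists. Update or drop that comment in the same change. Moving ldb_msg_new() below the early return looks right, since that path sends msg and not newmsg.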


=====================================
source4/setup/provision.ldif
=====================================
@@ -34,6 +34,7 @@ isDeleted: TRUE
 isCriticalSystemObject: TRUE
 showInAdvancedViewOnly: TRUE
 systemFlags: -1946157056
+nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
 
 # Computers located in "provision_computers*.ldif"
 # Users/Groups located in "provision_users*.ldif"


=====================================
source4/setup/provision_configuration.ldif
=====================================
@@ -14,6 +14,7 @@ description: Container for deleted objects
 isDeleted: TRUE
 isCriticalSystemObject: TRUE
 systemFlags: -1946157056
+nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
 
 # Extended rights
 


=====================================
source4/setup/provision_dnszones_add.ldif
=====================================
@@ -8,6 +8,7 @@ description: Deleted objects
 isDeleted: TRUE
 isCriticalSystemObject: TRUE
 systemFlags: -1946157056
+nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
 
 dn: CN=LostAndFound,${ZONE_DN}
 objectClass: top


=====================================
testprogs/blackbox/dbcheck-links.sh
=====================================
@@ -59,6 +59,16 @@ dbcheck()
 	fi
 }
 
+dbcheck_acl_reset()
+{
+	$PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --cross-ncs --fix --yes --attrs=nTSecurityDescriptor
+}
+
+dbcheck_acl_clean()
+{
+	$PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --cross-ncs --attrs=nTSecurityDescriptor
+}
+
 dbcheck_dangling()
 {
 	dbcheck "" "1" "--selftest-check-expired-tombstones"
@@ -925,6 +935,8 @@ EOF
 remove_directory $PREFIX_ABS/${RELEASE}
 
 testit $RELEASE undump || failed=$(expr $failed + 1)
+testit_expect_failure "dbcheck_acl_reset" dbcheck_acl_reset || failed=$(expr $failed + 1)
+testit "dbcheck_acl_clean" dbcheck_acl_clean || failed=$(expr $failed + 1)
 testit "add_two_more_users" add_two_more_users || failed=$(expr $failed + 1)
 testit "add_four_more_links" add_four_more_links || failed=$(expr $failed + 1)
 testit "remove_one_link" remove_one_link || failed=$(expr $failed + 1)
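
Review bot: The testit_expect_failure line for dbcheck_acl_reset gives no hint why a run with --fix --yes is expected to fail while the following dbcheck_acl_clean run must pass. Add a one-line comment above the two new lines explaining that the first run is expected to find and repair nTSecurityDescriptor values and therefore exit non-zero, if that is the intent.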


=====================================
wscript
=====================================
@@ -542,6 +542,11 @@ def distcheck():
     '''test that distribution tarball builds and installs'''
     samba_version.load_version(env=None)
 
+def printversion(ctx):
+    '''print version'''
+    ver = samba_version.load_version(env=None)
+    print('Samba Version: ' + ver.STRING_WITH_NICKNAME)
+
 def wildcard_cmd(cmd):
     '''called on a unknown command'''
     from samba_wildcard import run_named_build_task



View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/2c91a5eff4387915581f92305b3a203ced29b907...addaaafd6f1ffe7d2ffe9a6b283118fe16dec1cc
