The branch, v3-2-stable has been updated
       via  f8d4596ec2b8f35dd3cc05aa7ee356abb9c0920b (commit)
       via  afed4929f9c707fb72b0e8dd12b1a1e8dcab9a84 (commit)
       via  feb057d4503118e519b5dbd9d2c3ca2c1ee55380 (commit)
       via  01fd94981e322da59ac2c00055220c89de135ebe (commit)
       via  f3b0e219f1a7660ff275db701935eecbe053fa25 (commit)
       via  520dcfffe78bb079bbdad6de5a4cdc392527f4b8 (commit)
      from  ec9f180390852a9356df11412bc7478f48f52b43 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-stable


- Log -----------------------------------------------------------------
commit f8d4596ec2b8f35dd3cc05aa7ee356abb9c0920b
Author: Günther Deschner <[EMAIL PROTECTED]>
Date:   Mon Oct 20 20:16:03 2008 +0200

    s3-samr-server: be consistent when reporting we do password complexity.
    
    Guenther
    (cherry picked from commit 7c2831c5872ad26e1e0cd7df59d6c0b88d566760)

commit afed4929f9c707fb72b0e8dd12b1a1e8dcab9a84
Author: Jeremy Allison <[EMAIL PROTECTED]>
Date:   Fri Oct 17 15:25:58 2008 -0700

    Unify access checks for lsa server functions.
    Jeremy.
    (cherry picked from commit ef15ff6abec34377ab7fa75201e2799c0bb72aeb)

commit feb057d4503118e519b5dbd9d2c3ca2c1ee55380
Author: Jeremy Allison <[EMAIL PROTECTED]>
Date:   Thu Oct 16 21:04:18 2008 -0700

    Cope with bad trans2mkdir requests from System i QNTC IBM SMB client.
    If total_data == 4 Windows doesn't care what values
    are placed in that field, it just ignores them.
    The System i QNTC IBM SMB client puts bad values here,
    so ignore them.
    Jeremy.
    (cherry picked from commit 5b1d8588d01d11251541829c5a3dff211fe925fd)

commit 01fd94981e322da59ac2c00055220c89de135ebe
Author: Jeremy Allison <[EMAIL PROTECTED]>
Date:   Thu Oct 16 15:06:13 2008 -0700

    Unify the logic in pull_ascii_base_talloc() and pull_ucs2_base_talloc().
    Jeremy.
    (cherry picked from commit 5109bd33719a4bb1534cb0e012c92ec778fb26df)

commit f3b0e219f1a7660ff275db701935eecbe053fa25
Author: Jeremy Allison <[EMAIL PROTECTED]>
Date:   Thu Oct 16 11:57:51 2008 -0700

    Fix bug 5826 - Directory/Filenames get truncated when 3.2.0 client accesses 
old server.
    Karolin this is a show-stopper for 3.2.5.
    There was some code in pull_ucs2_base_talloc() to cope with this case which
    hadn't been added to pull_ascii_base_talloc(). The older Samba returns non
    unicode names which is why you are seeing this codepath being executed.
    Jeremy.
    (cherry picked from commit 09fa53d927436310ae3c17096d42e2fa4de1dd2e)

commit 520dcfffe78bb079bbdad6de5a4cdc392527f4b8
Author: Jeremy Allison <[EMAIL PROTECTED]>
Date:   Wed Oct 15 18:08:07 2008 -0700

    Don't use debug level 1 to log a trivial message.
    Jeremy.
    (cherry picked from commit 7c53cde257515e7bfffc8f3c0b54b7c99554d240)

-----------------------------------------------------------------------

Summary of changes:
 source/include/rpc_lsa.h        |    1 +
 source/lib/charcnv.c            |   50 ++++++++++++++++++++++++++++++++------
 source/rpc_client/cli_pipe.c    |    2 +-
 source/rpc_server/srv_lsa_nt.c  |   21 +++++++++++++---
 source/rpc_server/srv_samr_nt.c |    4 +++
 source/smbd/trans2.c            |    7 +++--
 6 files changed, 69 insertions(+), 16 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/include/rpc_lsa.h b/source/include/rpc_lsa.h
index b4021af..1dc5ba4 100644
--- a/source/include/rpc_lsa.h
+++ b/source/include/rpc_lsa.h
@@ -39,6 +39,7 @@
 
 
 #define LSA_POLICY_READ       ( STANDARD_RIGHTS_READ_ACCESS      |\
+                            LSA_POLICY_VIEW_LOCAL_INFORMATION    |\
                             LSA_POLICY_VIEW_AUDIT_INFORMATION    |\
                             LSA_POLICY_GET_PRIVATE_INFORMATION)
 
diff --git a/source/lib/charcnv.c b/source/lib/charcnv.c
index cea234f..f4efcb2 100644
--- a/source/lib/charcnv.c
+++ b/source/lib/charcnv.c
@@ -1183,6 +1183,10 @@ static size_t pull_ascii_base_talloc(TALLOC_CTX *ctx,
 
        *ppdest = NULL;
 
+       if (!src_len) {
+               return 0;
+       }
+
        if (flags & STR_TERMINATE) {
                if (src_len == (size_t)-1) {
                        src_len = strlen((const char *)src) + 1;
@@ -1200,16 +1204,41 @@ static size_t pull_ascii_base_talloc(TALLOC_CTX *ctx,
                                        (unsigned int)src_len);
                        smb_panic(msg);
                }
+       } else {
+               /* Can't have an unlimited length
+                * non STR_TERMINATE'd.
+                */
+               if (src_len == (size_t)-1) {
+                       errno = EINVAL;
+                       return 0;
+               }
        }
 
+       /* src_len != -1 here. */
+
        if (!convert_string_allocate(ctx, CH_DOS, CH_UNIX, src, src_len, &dest,
-               &dest_len, True))
+               &dest_len, True)) {
                dest_len = 0;
+       }
 
        if (dest_len && dest) {
                /* Did we already process the terminating zero ? */
                if (dest[dest_len-1] != 0) {
-                       dest[dest_len-1] = 0;
+                       size_t size = talloc_get_size(dest);
+                       /* Have we got space to append the '\0' ? */
+                       if (size <= dest_len) {
+                               /* No, realloc. */
+                               dest = TALLOC_REALLOC_ARRAY(ctx, dest, char,
+                                               dest_len+1);
+                               if (!dest) {
+                                       /* talloc fail. */
+                                       dest_len = (size_t)-1;
+                                       return 0;
+                               }
+                       }
+                       /* Yay - space ! */
+                       dest[dest_len] = '\0';
+                       dest_len++;
                }
        } else if (dest) {
                dest[0] = 0;
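Review bot: On the realloc failure path, `dest = TALLOC_REALLOC_ARRAY(ctx, dest, char, dest_len+1);` overwrites the only pointer to the converted buffer, so the original allocation stays attached to ctx until the context is freed. The `dest_len = (size_t)-1;` before `return 0;` also looks like a dead store, since dest_len appears to be a local and the function returns the literal 0. Consider a temporary: `char *tmp = TALLOC_REALLOC_ARRAY(ctx, dest, char, dest_len+1);` then `if (!tmp) { TALLOC_FREE(dest); return 0; }` and `dest = tmp;`. Unlike the new EINVAL branch, this path leaves errno unset, so a caller cannot tell empty input from allocation failure except by checking *ppdest. The function starts and ends outside the hunk.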
@@ -1557,12 +1586,20 @@ size_t pull_ucs2_base_talloc(TALLOC_CTX *ctx,
                if (src_len >= 1024*1024) {
                        smb_panic("Bad src length in pull_ucs2_base_talloc\n");
                }
+       } else {
+               /* Can't have an unlimited length
+                * non STR_TERMINATE'd.
+                */
+               if (src_len == (size_t)-1) {
+                       errno = EINVAL;
+                       return 0;
+               }
        }
 
+       /* src_len != -1 here. */
+
        /* ucs2 is always a multiple of 2 bytes */
-       if (src_len != (size_t)-1) {
-               src_len &= ~1;
-       }
+       src_len &= ~1;
 
        dest_len = convert_string_talloc(ctx,
                                        CH_UTF16LE,
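Review bot: The now-unconditional `src_len &= ~1;` masks a size_t with an int constant and is only correct because -2 sign-extends on conversion. Writing it as `src_len &= ~(size_t)1;` states the intent and keeps -Wconversion/-Wsign-conversion builds quiet. The new else branch rejects only `(size_t)-1`. The 1 MiB sanity bound visible above applies to the STR_TERMINATE case alone, so a short comment noting that non-terminated lengths are trusted from the caller would help.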
@@ -1575,9 +1612,6 @@ size_t pull_ucs2_base_talloc(TALLOC_CTX *ctx,
                dest_len = 0;
        }
 
-       if (src_len == (size_t)-1)
-               src_len = dest_len*2;
-
        if (dest_len) {
                /* Did we already process the terminating zero ? */
                if (dest[dest_len-1] != 0) {
diff --git a/source/rpc_client/cli_pipe.c b/source/rpc_client/cli_pipe.c
index 35256d7..35b5a8d 100644
--- a/source/rpc_client/cli_pipe.c
+++ b/source/rpc_client/cli_pipe.c
@@ -2221,7 +2221,7 @@ static struct rpc_pipe_client *cli_rpc_pipe_open(struct 
cli_state *cli, int pipe
        fnum = cli_nt_create(cli, result->pipe_name, DESIRED_ACCESS_PIPE);
 
        if (fnum == -1) {
-               DEBUG(1,("cli_rpc_pipe_open: cli_nt_create failed on pipe %s "
+               DEBUG(3,("cli_rpc_pipe_open: cli_nt_create failed on pipe %s "
                         "to machine %s.  Error was %s\n",
                         result->pipe_name, cli->desthost,
                         cli_errstr(cli)));
diff --git a/source/rpc_server/srv_lsa_nt.c b/source/rpc_server/srv_lsa_nt.c
index 79b6d46..9ce992c 100644
--- a/source/rpc_server/srv_lsa_nt.c
+++ b/source/rpc_server/srv_lsa_nt.c
@@ -434,7 +434,7 @@ NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
        lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
 
        if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, 
&acc_granted, &status)) {
-               if (geteuid() != 0) {
+               if (p->pipe_user.ut.uid != sec_initial_uid()) {
                        return status;
                }
                DEBUG(4,("ACCESS should be DENIED (granted: %#010x;  required: 
%#010x)\n",
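Review bot: The override branch that lets a caller through after se_access_check() fails has no comment saying why the test is on the authenticated pipe user rather than the process euid. A line such as `/* Only a pipe user mapped to the initial (root) uid may override a failed SD check. */` above `if (p->pipe_user.ut.uid != sec_initial_uid())` would record the intent. The override is only reported at DEBUG level 4 in the visible lines, so at default log levels a granted-despite-denial open may leave no trace; that is worth confirming against the site's audit expectations. The rest of _lsa_OpenPolicy is outside the hunk.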
@@ -1530,7 +1530,8 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p,
        /* check to see if the pipe_user is a Domain Admin since
           account_pol.tdb was already opened as root, this is all we have */
 
-       if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, 
DOMAIN_GROUP_RID_ADMINS ) )
+       if ( p->pipe_user.ut.uid != sec_initial_uid()
+               && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, 
DOMAIN_GROUP_RID_ADMINS ) )
                return NT_STATUS_ACCESS_DENIED;
 
        if ( is_privileged_sid( r->in.sid ) )
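Review bot: The comment above the changed condition still says the Domain Admin check "is all we have", but the new test also admits any pipe user whose uid equals sec_initial_uid(). Update it, for example to `/* allow root-equivalent pipe users or Domain Admins; account_pol.tdb was already opened as root */`. The two-line condition guarding an unbraced `return NT_STATUS_ACCESS_DENIED;` is easy to misread; wrapping the return in braces would make the deny path explicit. The same stale comment and unbraced form appear in the _lsa_SetSystemAccessAccount hunk.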
@@ -1616,6 +1617,9 @@ NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
        if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
+       if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+               return NT_STATUS_ACCESS_DENIED;
+
        if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) )
                return NT_STATUS_OBJECT_NAME_NOT_FOUND;
 
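Review bot: The added `if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED;` is pasted verbatim into this handler and into the _lsa_GetSystemAccessAccount, _lsa_EnumAccountRights and _lsa_LookupPrivValue hunks, with _lsa_QuerySecurity carrying the same test on `handle->access`. Repeating an authorization check by hand makes it easy for one handler to drift or be missed later. A small static helper taking the handle info and the required mask would keep them in step. At minimum, brace the body: `if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) { return NT_STATUS_ACCESS_DENIED; }`. The handler bodies continue outside the hunks.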
@@ -1676,6 +1680,9 @@ NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
        if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
+       if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+               return NT_STATUS_ACCESS_DENIED;
+
        if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL))
                return NT_STATUS_ACCESS_DENIED;
 
@@ -1710,7 +1717,8 @@ NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
        /* check to see if the pipe_user is a Domain Admin since
           account_pol.tdb was already opened as root, this is all we have */
 
-       if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, 
DOMAIN_GROUP_RID_ADMINS ) )
+       if ( p->pipe_user.ut.uid != sec_initial_uid()
+               && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, 
DOMAIN_GROUP_RID_ADMINS ) )
                return NT_STATUS_ACCESS_DENIED;
 
        if (!pdb_getgrsid(&map, info->sid))
@@ -1820,7 +1828,6 @@ NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
        if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
                return NT_STATUS_ACCESS_DENIED;
 
-
        switch (r->in.sec_info) {
        case 1:
                /* SD contains only the owner */
@@ -2078,6 +2085,9 @@ NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
        if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
+       if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+               return NT_STATUS_ACCESS_DENIED;
+
        /* according to an NT4 PDC, you can add privileges to SIDs even without
           call_lsa_create_account() first.  And you can use any arbitrary SID. 
*/
 
@@ -2120,6 +2130,9 @@ NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
        if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
+       if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
+               return NT_STATUS_ACCESS_DENIED;
+
        name = r->in.name->string;
 
        DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
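Review bot: The right required here may not be the one the protocol specifies for this call: the added check in _lsa_LookupPrivValue gates a name lookup on `LSA_POLICY_VIEW_LOCAL_INFORMATION`, the same bit used for the enumeration calls. As far as I recall, the LSA protocol documentation lists the lookup-names policy right for privilege-value lookups, so it is worth confirming whether `LSA_POLICY_LOOKUP_NAMES` is the intended mask. If the view-local-information bit is deliberate, a one-line comment saying so would stop a later reader from "correcting" it.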
diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c
index a89e00f..c59a46c 100644
--- a/source/rpc_server/srv_samr_nt.c
+++ b/source/rpc_server/srv_samr_nt.c
@@ -2910,6 +2910,10 @@ static NTSTATUS samr_QueryDomainInfo_internal(const char 
*fn_name,
                        unix_to_nt_time_abs(&nt_expire, u_expire);
                        unix_to_nt_time_abs(&nt_min_age, u_min_age);
 
+                       if (lp_check_password_script() && 
*lp_check_password_script()) {
+                               password_properties |= DOMAIN_PASSWORD_COMPLEX;
+                       }
+
                        init_samr_DomInfo1(&dom_info->info1,
                                           (uint16)min_pass_len,
                                           (uint16)pass_hist,
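Review bot: The new condition calls lp_check_password_script() twice, once for the NULL test and once for the dereference. Fetching it once reads more clearly and does not depend on both calls returning the same string: `const char *script = lp_check_password_script();` then `if (script && *script) {`. DOMAIN_PASSWORD_COMPLEX is advertised whenever a script is configured, regardless of what that script enforces. A comment such as `/* a check password script is treated as "complexity enabled" for clients */` would make that assumption visible. The enclosing switch case starts and ends outside the hunk.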
diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index f3b45ad..acc424f 100644
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -7048,10 +7048,11 @@ static void call_trans2mkdir(connection_struct *conn, 
struct smb_request *req,
                        reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
                        return;
                }
-       } else if (IVAL(pdata,0) != 4) {
-               reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-               return;
        }
+       /* If total_data == 4 Windows doesn't care what values
+        * are placed in that field, it just ignores them.
+        * The System i QNTC IBM SMB client puts bad values here,
+        * so ignore them. */
 
        status = create_directory(conn, req, directory);
 
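Review bot: The new comment sits after the closing brace of a condition the hunk does not show, so a reader cannot tell from it which branch now silently accepts the request. Moving it next to the condition, or stating the case directly (`/* total_data == 4: the 4-byte field is ignored, as Windows does */`), would make the relaxed validation explicit. With the `IVAL(pdata,0) != 4` rejection gone, those four client-supplied bytes are no longer validated, so it is worth confirming that nothing later in call_trans2mkdir reads them. The function body continues outside the hunk.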


-- 
Samba Shared Repository
