The branch, v4-11-test has been updated via 96961348432 VERSION: Bump verison up to 4.11.0rc4... via c1d9e02d06a VERSION: Disable GIT_SNAPSHOT for the 4.11.0rc3 release. via f04985fe9b5 WHATSNEW: Add release notes for Samba 4.11.0rc3. via efd6d670997 CVE-2019-10197: smbd: split change_to_user_impersonate() out of change_to_user_internal() via a6ff560aa13 CVE-2019-10197: test_smbclient_s3.sh: add regression test for the no permission on share root problem via 7b39df0f144 CVE-2019-10197: selftest: make fsrvp_share its own independent subdirectory via d690f6f3c4d CVE-2019-10197: smbd: make sure we reset current_user.{need,done}_chdir in become_root() via ae9bdef5c8a CVE-2019-10197: smbd: make sure that change_to_user_internal() always resets current_user.done_chdir via bcfb7749869 CVE-2019-10197: smbd: separate out impersonation debug info into a new function. from aa3ad5c451f WHATSNEW: BIND9_FLATFILE / rndc command deprecated
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-test - Log ----------------------------------------------------------------- commit 96961348432cd1171b99ea2d8e64d4bc9d897f72 Author: Karolin Seeger <ksee...@samba.org> Date: Tue Sep 3 13:13:47 2019 +0200 VERSION: Bump verison up to 4.11.0rc4... and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger <ksee...@samba.org> commit c1d9e02d06a158f637475ffeca7a6c3f2fb1d773 Author: Karolin Seeger <ksee...@samba.org> Date: Tue Sep 3 13:12:53 2019 +0200 VERSION: Disable GIT_SNAPSHOT for the 4.11.0rc3 release. Signed-off-by: Karolin Seeger <ksee...@samba.org> commit f04985fe9b54824fb61683c67065da2fdb8f2e1a Author: Karolin Seeger <ksee...@samba.org> Date: Tue Sep 3 13:12:16 2019 +0200 WHATSNEW: Add release notes for Samba 4.11.0rc3. Signed-off-by: Karolin Seeger <ksee...@samba.org> commit efd6d670997eff81c94b1ece3814b1da2c3705cb Author: Stefan Metzmacher <me...@samba.org> Date: Thu Jul 11 17:02:15 2019 +0200 CVE-2019-10197: smbd: split change_to_user_impersonate() out of change_to_user_internal() This makes sure we always call chdir_current_service() even when we still impersonated the user. Which is important in order to run the SMB* request within the correct working directory and only if the user has permissions to enter that directory. It makes sure we always update conn->lastused_count in chdir_current_service() for each request. Note that vfs_ChDir() (called from chdir_current_service()) maintains its own cache and avoids calling SMB_VFS_CHDIR() if possible. It means we still avoid syscalls if we get a multiple requests for the same session/tcon tuple. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> commit a6ff560aa134fb4fa5ceaba83d29aae0bc398f4d Author: Stefan Metzmacher <me...@samba.org> Date: Tue Jul 16 15:40:38 2019 +0200 CVE-2019-10197: test_smbclient_s3.sh: add regression test for the no permission on share root problem BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 Signed-off-by: Stefan Metzmacher <me...@samba.org> commit 7b39df0f1449024c8b9f2954a63f0b265c4269e8 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Jul 30 17:16:59 2019 +0200 CVE-2019-10197: selftest: make fsrvp_share its own independent subdirectory The next patch will otherwise break the fsrvp related tests. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 Signed-off-by: Stefan Metzmacher <me...@samba.org> commit d690f6f3c4d82a5ff887df40e2a60a1828eb87eb Author: Stefan Metzmacher <me...@samba.org> Date: Tue Jun 18 14:04:08 2019 +0200 CVE-2019-10197: smbd: make sure we reset current_user.{need,done}_chdir in become_root() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 Signed-off-by: Stefan Metzmacher <me...@samba.org> commit ae9bdef5c8a2dea2efca6295799a42ba01c3b98d Author: Stefan Metzmacher <me...@samba.org> Date: Thu Jul 11 17:01:29 2019 +0200 CVE-2019-10197: smbd: make sure that change_to_user_internal() always resets current_user.done_chdir We should not leave current_user.done_chdir as true if we didn't call chdir_current_service() with success. This caused problems in when calling vfs_ChDir() in pop_conn_ctx() when chdir_current_service() worked once on one share but later failed on another share. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> commit bcfb7749869241a6a85fedca551ae6a4a4dec4fc Author: Jeremy Allison <j...@samba.org> Date: Fri Jul 12 12:10:35 2019 -0700 CVE-2019-10197: smbd: separate out impersonation debug info into a new function. Will be called on elsewhere on successful impersonation. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 Signed-off-by: Jeremy Allison <j...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 47 ++++++++++++++++++++++- selftest/target/Samba3.pm | 19 +++++++++- source3/script/tests/test_smbclient_s3.sh | 30 +++++++++++++++ source3/smbd/uid.c | 62 ++++++++++++++++++++++--------- 5 files changed, 138 insertions(+), 22 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 67ae2000ebf..ae98c26560f 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # ######################################################## -SAMBA_VERSION_RC_RELEASE=3 +SAMBA_VERSION_RC_RELEASE=4 ######################################################## # To mark SVN snapshots this should be set to 'yes' # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index c273117c72f..eece43fcd9e 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,7 +1,7 @@ Release Announcements ===================== -This is the second release candidate of Samba 4.11. This is *not* +This is the third release candidate of Samba 4.11. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. @@ -359,6 +359,51 @@ smb.conf changes rndc command Deprecated +CHANGES SINCE 4.11.0rc2 +======================= + +o Michael Adam <ob...@samba.org> + * BUG 13972: Different Device Id for GlusterFS FUSE mount is causing data + loss in CTDB cluster. + +o Jeremy Allison <j...@samba.org> + * BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape + from the share. + +o Andrew Bartlett <abart...@samba.org> + * BUG 14059: ldb: Release ldb 2.0.6 (log database repack so users know what + is happening). + * BUG 14092: docs: Deprecate "rndc command" for Samba 4.11. + +o Tim Beale <timbe...@catalyst.net.nz> + * BUG 14059: ldb: Free memory when repacking database. + +o Ralph Boehme <s...@samba.org> + * BUG 14089: vfs_default: Use correct flag in vfswrap_fs_file_id. + * BUG 14090: vfs_glusterfs: Initialize st_ex_file_id, st_ex_itime and + st_ex_iflags. + +o Anoop C S <anoo...@redhat.com> + * BUG 14093: vfs_glusterfs: Enable profiling for file system operations. + +o Aaron Haslett <aaronhasl...@catalyst.net.nz> + * BUG 14059: Backport sambadowngradedatabase for v4.11. + +o Stefan Metzmacher <me...@samba.org> + * BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape + from the share. + +o Christof Schmitt <c...@samba.org> + * BUG 14032: vfs_gpfs: Implement special case for denying owner access to + ACL. + +o Martin Schwenke <mar...@meltin.net> + * BUG 14084: Avoid marking a node as connected before it can receive packets. + * BUG 14086: Fix onnode test failure with ShellCheck >= 0.4.7. + * BUG 14087: ctdb-daemon: Stop "ctdb stop" from completing before freezing + databases. + + KNOWN ISSUES ============ diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 5c327cab543..9638bb44f08 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1425,6 +1425,9 @@ sub provision($$$$$$$$$) my $ro_shrdir="$shrdir/root-tmp"; push(@dirs,$ro_shrdir); + my $noperm_shrdir="$shrdir/noperm-tmp"; + push(@dirs,$noperm_shrdir); + my $msdfs_shrdir="$shrdir/msdfsshare"; push(@dirs,$msdfs_shrdir); @@ -1449,6 +1452,9 @@ sub provision($$$$$$$$$) my $widelinks_linkdir="$shrdir/widelinks_foo"; push(@dirs,$widelinks_linkdir); + my $fsrvp_shrdir="$shrdir/fsrvp"; + push(@dirs,$fsrvp_shrdir); + my $shadow_tstdir="$shrdir/shadow"; push(@dirs,$shadow_tstdir); my $shadow_mntdir="$shadow_tstdir/mount"; @@ -1492,6 +1498,11 @@ sub provision($$$$$$$$$) chmod 0755, $piddir; + ## + ## Create a directory without permissions to enter + ## + chmod 0000, $noperm_shrdir; + ## ## create ro and msdfs share layout ## @@ -1815,6 +1826,10 @@ sub provision($$$$$$$$$) [ro-tmp] path = $ro_shrdir guest ok = yes +[noperm] + path = $noperm_shrdir + wide links = yes + guest ok = yes [write-list-tmp] path = $shrdir read only = yes @@ -2024,14 +2039,14 @@ sub provision($$$$$$$$$) guest ok = yes [fsrvp_share] - path = $shrdir + path = $fsrvp_shrdir comment = fake shapshots using rsync vfs objects = shell_snap shadow_copy2 shell_snap:check path command = $fake_snap_pl --check shell_snap:create command = $fake_snap_pl --create shell_snap:delete command = $fake_snap_pl --delete # a relative path here fails, the snapshot dir is no longer found - shadow:snapdir = $shrdir/.snapshots + shadow:snapdir = $fsrvp_shrdir/.snapshots [shadow1] path = $shadow_shrdir diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh index bf033ccd2fb..0bae1d78fac 100755 --- a/source3/script/tests/test_smbclient_s3.sh +++ b/source3/script/tests/test_smbclient_s3.sh @@ -1329,6 +1329,32 @@ EOF fi } +# +# Regression test for CVE-2019-10197 +# we should always get ACCESS_DENIED +# +test_noperm_share_regression() +{ + cmd='$SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/noperm -I $SERVER_IP $LOCAL_ADDARGS -c "ls;ls" 2>&1' + eval echo "$cmd" + out=`eval $cmd` + ret=$? + if [ $ret -eq 0 ] ; then + echo "$out" + echo "failed accessing no perm share should not work" + return 1 + fi + + num=`echo "$out" | grep 'NT_STATUS_ACCESS_DENIED' | wc -l` + if [ "$num" -ne "2" ] ; then + echo "$out" + echo "failed num[$num] - two NT_STATUS_ACCESS_DENIED lines expected" + return 1 + fi + + return 0 +} + # Test smbclient deltree command test_deltree() { @@ -1857,6 +1883,10 @@ testit "follow local symlinks" \ test_local_symlinks || \ failed=`expr $failed + 1` +testit "noperm share regression" \ + test_noperm_share_regression || \ + failed=`expr $failed + 1` + testit "smbclient deltree command" \ test_deltree || \ failed=`expr $failed + 1` diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index a4bcb747d37..5c39baade5c 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -279,14 +279,36 @@ static bool check_user_ok(connection_struct *conn, return(True); } +static void print_impersonation_info(connection_struct *conn) +{ + struct smb_filename *cwdfname = NULL; + + if (!CHECK_DEBUGLVL(DBGLVL_INFO)) { + return; + } + + cwdfname = vfs_GetWd(talloc_tos(), conn); + if (cwdfname == NULL) { + return; + } + + DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n", + (int)getuid(), + (int)geteuid(), + (int)getgid(), + (int)getegid(), + cwdfname->base_name); + TALLOC_FREE(cwdfname); +} + /**************************************************************************** Become the user of a connection number without changing the security context stack, but modify the current_user entries. ****************************************************************************/ -static bool change_to_user_internal(connection_struct *conn, - const struct auth_session_info *session_info, - uint64_t vuid) +static bool change_to_user_impersonate(connection_struct *conn, + const struct auth_session_info *session_info, + uint64_t vuid) { int snum; gid_t gid; @@ -299,7 +321,6 @@ static bool change_to_user_internal(connection_struct *conn, if ((current_user.conn == conn) && (current_user.vuid == vuid) && - (current_user.need_chdir == conn->tcon_done) && (current_user.ut.uid == session_info->unix_token->uid)) { DBG_INFO("Skipping user change - already user\n"); @@ -404,7 +425,22 @@ static bool change_to_user_internal(connection_struct *conn, current_user.conn = conn; current_user.vuid = vuid; + return true; +} + +static bool change_to_user_internal(connection_struct *conn, + const struct auth_session_info *session_info, + uint64_t vuid) +{ + bool ok; + + ok = change_to_user_impersonate(conn, session_info, vuid); + if (!ok) { + return false; + } + current_user.need_chdir = conn->tcon_done; + current_user.done_chdir = false; if (current_user.need_chdir) { ok = chdir_current_service(conn); @@ -415,20 +451,7 @@ static bool change_to_user_internal(connection_struct *conn, current_user.done_chdir = true; } - if (CHECK_DEBUGLVL(DBGLVL_INFO)) { - struct smb_filename *cwdfname = vfs_GetWd(talloc_tos(), conn); - if (cwdfname == NULL) { - return false; - } - DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n", - (int)getuid(), - (int)geteuid(), - (int)getgid(), - (int)getegid(), - cwdfname->base_name); - TALLOC_FREE(cwdfname); - } - + print_impersonation_info(conn); return true; } @@ -614,6 +637,9 @@ void smbd_become_root(void) } push_conn_ctx(); set_root_sec_ctx(); + + current_user.need_chdir = false; + current_user.done_chdir = false; } /* Unbecome the root user */ -- Samba Shared Repository