svn commit: samba-web r321 - in trunk: . download
Author: deryck Date: 2004-09-11 03:00:55 + (Sat, 11 Sep 2004) New Revision: 321 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba-web&path=/trunk&rev=321&nolog=1 Log: Update link to VMS port. Also, fix several xhtml validation errors. --deryck Modified: trunk/download/index.html trunk/what_is_samba.html Changeset: Modified: trunk/download/index.html === --- trunk/download/index.html 2004-09-10 21:25:29 UTC (rev 320) +++ trunk/download/index.html 2004-09-11 03:00:55 UTC (rev 321) @@ -1,9 +1,9 @@ Download Samba -Download +Download - The Samba source code is distributed via ftp and http. For ftp + The Samba source code is distributed via ftp and http. For ftp sites look here. For the http site look here. The file you probably want is called samba-latest.tar.gz. @@ -16,24 +16,24 @@ and the Samba distribution public key. Then run - $ gpg --import samba-pubkey.asc - $ gunzip samba-version.tar.gz - $ gpg --verify samba-release.tar.asc - gpg: Signature made Tue 26 Nov 2002 07:12:04 PM CST using DSA key ID 2F87AF6F - gpg: Good signature from "Samba Distribution Verification Key <[EMAIL PROTECTED]>" +$ gpg --import samba-pubkey.asc +$ gunzip samba-version.tar.gz +$ gpg --verify samba-release.tar.asc +gpg: Signature made Tue 26 Nov 2002 07:12:04 PM CST using DSA key ID 2F87AF6F +gpg: Good signature from "Samba Distribution Verification Key‹samba-bugs@samba.org› For information on Samba security releases, please see our security page. - - - + + + Binaries Samba binaries are available for many popular platforms. You can download - them via http here or from one of - several mirror sites. Note that the latest + them via http here or from one of + several mirror sites. Note that the latest version may not always be available for every platform. 
@@ -42,26 +42,29 @@ Subversion and CVS Sources You can also fetch the sources using a source code control system. The advantage of fetching via a VCS is that you can update your - sources at any time using a single command. See the Subversion instructions and CVS instructions for information on + sources at any time using a single command. See the Subversion instructions and CVS instructions for information on fetching the sources using a version control system. - - - + Tools - + - Samba GUI managers - http://www.ethereal.com/";>Ethereal (decodes NetBIOS, SMB/CIFS, & MS-RPC) - http://www.tcpdump.org/";>tcpdump (command line packet sniffer) - http://www.tux.org/pub/security/secnet/tools/nat10/";>NetBIOS Auditing Tool (NAT) - http://nbfw.sourceforge.net";>nbfw, the NetBIOS forwarder + Samba GUI managers + http://www.ethereal.com/";>Ethereal (decodes NetBIOS, +SMB/CIFS, & MS-RPC) + http://www.tcpdump.org/";>tcpdump (command line +packet sniffer) + http://www.tux.org/pub/security/secnet/tools/nat10/";>NetBIOS Auditing + Tool (NAT) + http://nbfw.sourceforge.net";>nbfw, the NetBIOS +forwarder 
@@ -72,52 +75,57 @@ Ports - + - http://www.ifn.ing.tu-bs.de/ifn/sonst/samba-vms.html";>VMS - ftp://ftp.mks.com/pub/s390/gnu/";>MVS + http://www.pi-net.dyndns.org/anonymous/jyc/";>VMS + ftp://ftp.mks.com/pub/s390/gnu/";>MVS - ftp://ftp.stratus.com/pub/vos/tools/tools.html";>Stratus-VOS + ftp://ftp.stratus.com/pub/vos/tools/tools.html";>Stratus-VOS - http://www.amigasamba.org/";>Amiga - http://www.editcorp.com/sambaix/";>MPE/iX + http://www.amigasamba.org/";>Amiga + http://www.editcorp.com/sambaix/";>MPE/iX - SMB/CIFS Clients - + SMB/CIFS Clients + -http://samba.sernet.de/linux-lan/";>SMBFS (& Linux Lan Info) - Linux CIFS VFS -http://www.thursby.com/";>Dave (Macintosh) -http://www.tarantella.com/products/vision/family/#vfs";>VisionFS +http://samba.sernet.de/linux-lan/";>SMBFS (& Linux Lan Info) + + Linux CIFS VFS +http://www.thursby.com/";>Dave (Macintosh) +http://www.tarantella.com/products/vision/family/#vfs";>VisionFS -http://www.qnx.com/";>QNX (Samba Server/Client) -http://www.networking.ibm.com/trl/trlclnt.html";>IBM LAN Client 2.x -http://www.obdev.at/Products/Sharity.html";>Sharity +http://www.qnx.com/";>QNX (Samba Server/Client) +http://www.networking.ibm.com/trl/trlcln
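Review bot: In the @@ -16,24 +16,24 @@ hunk the verification steps use two different placeholder names, `gunzip samba-version.tar.gz` followed by `gpg --verify samba-release.tar.asc`, so a reader cannot tell that the signature is checked against the uncompressed tarball of the same release. These lines are being re-indented anyway, so use one placeholder for both. The re-indented "Good signature" line also loses the space before the address and the closing quote (`Key‹samba-bugs@samba.org›`). The visible steps identify the key only by the short ID 2F87AF6F. Stating the full fingerprint next to the `gpg --import` step would let readers confirm the key they fetched.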
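Review bot: In the @@ -72,52 +75,57 @@ hunk the VMS port link moves to `http://www.pi-net.dyndns.org/anonymous/jyc/`, a dynamic-DNS hostname reached over plain http, and it sits in the Ports list with nothing to say who maintains it. Suggest adding the maintainer's name next to the link and, if the ports are not signed with the Samba distribution key, a sentence under the Ports heading saying so, so that readers do not assume the `gpg --verify` steps earlier on the page cover these downloads.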
svn commit: samba-web r320 - in trunk/docs: .
Author: deryck Date: 2004-09-10 21:25:29 + (Fri, 10 Sep 2004) New Revision: 320 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba-web&path=/trunk/docs&rev=320&nolog=1 Log: First pass at adding a permanent copy of the notes on "Protecting an unpatched Samba server" found in older release notes. --deryck Added: trunk/docs/server_security.html Changeset: Added: trunk/docs/server_security.html === --- trunk/docs/server_security.html 2004-09-09 13:49:54 UTC (rev 319) +++ trunk/docs/server_security.html 2004-09-10 21:25:29 UTC (rev 320) 
@@ -0,0 +1,144 @@ + +Samba Server Security + + + Protecting an unpatched Samba server + + + This following instructions will help provide your Samba server some + protection against security vulnerabilities if you are unable to (or until + you are able to) upgrade to the patched version. Even if you do upgrade + you might like to thinkabout the suggestions here to provide you with + additional levels of protection. + + + + Using host based protection + + In many installations of Samba the greatest threat comes for + outside your immediate network. By default Samba will accept + connections from any host, which means that if you run an + insecure version of Samba on a host that is directly + connected to the Internet you can be especially vulnerable. + + One of the simplest fixes in this case is to use the 'hosts + allow' and 'hosts deny' options in the Samba smb.conf + configuration file to only allow access to your server from a + specific range of hosts. An example might be: + + +hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 +hosts deny = 0.0.0.0/0 + + + The above will only allow SMB connections from 'localhost' + (your own computer) and from the two private networks + 192.168.2 and 192.168.3. All other connections will be + refused connections as soon as the client sends its first + packet. The refusal will be marked as a 'not listening on + called name' error. + + + + Using interface protection + + By default Samba will accept connections on any network + interface that it finds on your system. That means if you + have a ISDN line or a PPP connection to the Internet then + Samba will accept connections on those links. This may not be + what you want. + + You can change this behavior using options like the + following: + + +interfaces = eth* lo +bind interfaces only = yes + + + that tells Samba to only listen for connections on interfaces + with a name starting with 'eth' such as eth0, eth1, plus on + the loopback interface called 'lo'. 
The name you will need to + use depends on what OS you are using. In the above I used the + common name for ethernet adapters on Linux. + + If you use the above and someone tries to make a SMB + connection to your host over a PPP interface called 'ppp0', + they will get a TCP connection refused reply. In that + case no Samba code is run at all as the operating system has + been told not to pass connections from that interface to any + process. + + + + Using a firewall + + Many people use a firewall to deny access to services that + they don't want exposed outside their network. This can be a + very good idea, although I would recommend using it in + conjunction with the above methods so that you are protected + even if your firewall is not active for some reason. + + If you are setting up a firewall then you need to know what + TCP and UDP ports to allow and block. Samba uses the + following: + + +UDP/137- used by nmbd +UDP/138- used by nmbd +TCP/139- used by smbd +TCP/445- used by smbd + + + The last one is important as many older firewall setups may + not be aware of it, given that this port was only added to + the protocol in recent years. + + + + Using a IPC$ share deny + + If the above methods are not suitable, then you could also + place a more specific deny on the IPC$ share that is used in + the recently discovered security hole. This allows you to + offer access to other shares while denying access to IPC$ + from potentially untrustworthy hosts. + + To do that you could use: + + +[ipc$] +hosts allow = 192.168.115.0/24 127.0.0.1 +hosts deny = 0.0.0.0/0 + + + this would tell Samba that IPC$ connections are not allowed + from anywhere but the two listed places (localhost and a + local subnet). Connections to other shares would still be + allowed. As the IPC$ share is the only share that is always + accessible anonymously this provides some level of protection + against attackers that do not know a username/password for + your host. 
+ + + If you use this method then clients will be given a 'access + denied' reply when they try to access the IPC$ share. That + means that those clients will not be able to browse shares, + and may also be unable to access some other resources. + + I
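Review bot: The IPC$ section refers to "the recently discovered security hole" without naming it, and the firewall section says TCP/445 "was only added to the protocol in recent years". Both phrases were fine in release notes but will be unclear on a permanent page. Name the advisory or the affected versions, and replace the time-relative wording with a version or date. The first-person sentences ("In the above I used", "I would recommend") have the same release-note origin and read oddly on a team page. There are also typos in the added lines: "This following instructions", "thinkabout", "comes for outside", "a ISDN", "Using a IPC$", "a 'access denied'", and "will be refused connections".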
svn commit: samba r2279 - in branches/SAMBA_3_0: .
Author: jht Date: 2004-09-10 16:15:29 + (Fri, 10 Sep 2004) New Revision: 2279 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/branches/SAMBA_3_0&rev=2279&nolog=1 Log: Clarification changes only. Modified: branches/SAMBA_3_0/Roadmap Changeset: Modified: branches/SAMBA_3_0/Roadmap === --- branches/SAMBA_3_0/Roadmap 2004-09-10 12:20:25 UTC (rev 2278) +++ branches/SAMBA_3_0/Roadmap 2004-09-10 16:15:29 UTC (rev 2279) @@ -3,7 +3,7 @@ The Samba-Team are committed to an aggressive program to deliver quality controlled software to a well defined roadmap. -The current Samba Beta series of Samba 3.0.0 is called the "Domain Integration" +The current Samba series of Samba 3.0.0 is called the "Domain Integration" release. The following development objectives for future releases @@ -27,4 +27,4 @@ You may also note that the release numbers get fuzzier the further into the future the objectives get. This is intentional -as we cannot yet commit to exact timeframes. +as we cannot commit to exact timeframes.
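Review bot: In the @@ -3,7 +3,7 @@ hunk the new sentence reads "The current Samba series of Samba 3.0.0", which repeats "Samba" and still calls the single version 3.0.0 a series. Something like "The current Samba 3.0 series" would say what the edit appears to intend.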
svn commit: samba r2278 - in branches/SAMBA_4_0/source/scripting/swig: .
Author: tpot Date: 2004-09-10 12:20:25 + (Fri, 10 Sep 2004) New Revision: 2278 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/branches/SAMBA_4_0/source/scripting/swig&rev=2278&nolog=1 Log: Add some more helper functions. Modified: branches/SAMBA_4_0/source/scripting/swig/dcerpc.i Changeset: Modified: branches/SAMBA_4_0/source/scripting/swig/dcerpc.i === --- branches/SAMBA_4_0/source/scripting/swig/dcerpc.i 2004-09-10 12:18:56 UTC (rev 2277) +++ branches/SAMBA_4_0/source/scripting/swig/dcerpc.i 2004-09-10 12:20:25 UTC (rev 2278) @@ -47,26 +47,56 @@ PyErr_SetObject(ntstatus_exception, obj); } -char *get_string_property(PyObject *dict, char *key) +uint8 uint8_from_python(PyObject *obj) { - PyObject *item = PyDict_GetItem(dict, PyString_FromString(key)); + return (uint8)PyInt_AsLong(obj); +} - if (!item) - return 0; /* TODO: throw exception */ +uint16 uint16_from_python(PyObject *obj) +{ + return (uint16)PyInt_AsLong(obj); +} - return PyString_AsString(item); +uint32 uint32_from_python(PyObject *obj) +{ + return (uint32)PyInt_AsLong(obj); } -uint32 get_uint32_property(PyObject *dict, char *key) +int64 int64_from_python(PyObject *obj) { - PyObject *item = PyDict_GetItem(dict, PyString_FromString(key)); + return (int64)PyLong_AsLong(obj); +} - if (!item) - return 0; /* TODO: throw exception */ +uint64 uint64_from_python(PyObject *obj) +{ + return (uint64)PyLong_AsLong(obj); +} - return (uint32)PyInt_AsLong(item); +NTTIME NTTIME_from_python(PyObject *obj) +{ + return (NTTIME)PyLong_AsLong(obj); } +HYPER_T HYPER_T_from_python(PyObject *obj) +{ + return (HYPER_T)PyLong_AsLong(obj); +} + +struct policy_handle *policy_handle_from_python(PyObject *obj) +{ + return (struct policy_handle *)PyString_AsString(obj); +} + +struct security_descriptor *security_descriptor_from_python(PyObject *obj) +{ + return NULL; +} + +char *string_from_python(PyObject *obj) +{ + return NULL; +} + %} %include "samba.i"
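Review bot: None of the new `*_from_python` helpers check for conversion failure. `PyInt_AsLong` and `PyLong_AsLong` return -1 with an exception set when the object is not a number, and the casts pass that on as a valid value; `(uint8)PyInt_AsLong(obj)` and the uint16 variant also silently truncate out-of-range input. `uint64_from_python`, `NTTIME_from_python` and `HYPER_T_from_python` go through `PyLong_AsLong`, which cannot carry values above LONG_MAX; `PyLong_AsUnsignedLongLong` or `PyLong_AsLongLong` would match the target types. `policy_handle_from_python` casts the result of `PyString_AsString` straight to `struct policy_handle *` without checking for NULL or that the string length equals `sizeof(struct policy_handle)`, so a short string is later read past its end as a handle, and the pointer aliases the Python object's internal buffer. Suggest a range check, a length check and a `PyErr_Occurred()` test in each helper. The two stubs that return NULL should carry a TODO so that callers do not take them as finished.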
svn commit: samba r2277 - in branches/SAMBA_4_0/source/build/pidl: .
Author: tpot Date: 2004-09-10 12:18:56 + (Fri, 10 Sep 2004) New Revision: 2277 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/branches/SAMBA_4_0/source/build/pidl&rev=2277&nolog=1 Log: Generate stubs for input and output typemaps. Modified: branches/SAMBA_4_0/source/build/pidl/swig.pm Changeset: Modified: branches/SAMBA_4_0/source/build/pidl/swig.pm === --- branches/SAMBA_4_0/source/build/pidl/swig.pm2004-09-10 12:16:42 UTC (rev 2276) +++ branches/SAMBA_4_0/source/build/pidl/swig.pm2004-09-10 12:18:56 UTC (rev 2277) @@ -15,17 +15,21 @@ { my($fn) = shift; -#print Dumper($fn); - # Input typemap $res .= "%typemap(in) struct $fn->{NAME} * (struct $fn->{NAME} temp) {\n"; -$res .= "\tif (!PyDict_Check(\$input)) {\n"; -$res .= "\t\tPyErr_SetString(PyExc_TypeError, \"dict arg expected\");\n"; -$res .= "\t\treturn NULL;\n"; -$res .= "\t}\n\n"; -$res .= "\tmemset(&temp, 0, sizeof(temp));\n\n"; -$res .= "\t/* store input params in dict */\n\n"; +#$res .= "\tif (!PyDict_Check(\$input)) {\n"; +#$res .= "\t\tPyErr_SetString(PyExc_TypeError, \"dict arg expected\");\n"; +#$res .= "\t\treturn NULL;\n"; +#$res .= "\t}\n\n"; +$res .= "\tmemset(&temp, 0, sizeof(temp));\n"; +#foreach my $e (@{$fn->{DATA}}) { +# if (util::has_property($e, "in")) { +# $res .= "\ttemp.in.$e->{NAME} = $e->{TYPE}_from_python(PyDict_GetItem(\$input, PyString_FromString(\"$e->{NAME}\")));\n"; +# } +#} + +#$res .= "\n"; $res .= "\t\$1 = &temp;\n"; $res .= "}\n\n"; @@ -40,8 +44,16 @@ $res .= "\t\treturn NULL;\n"; $res .= "\t}\n"; $res .= "\n"; -$res .= "\tdict = PyDict_New();\n\n"; -$res .= "\t/* store output params in dict */\n\n"; +$res .= "\tdict = PyDict_New();\n"; + +#foreach my $e (@{$fn->{DATA}}) { +# if (util::has_property($e, "out")) { +# $res .= "\t// PyDict_SetItem(dict, PyString_FromString(\"$e->{NAME}\"),\n"; +# $res .= "\t//\t$e->{TYPE}_to_python(\$1->out.$e->{NAME}));\n"; +# } +#} + +$res .= "\n"; $res .= "\tresultobj = dict;\n"; $res .= "}\n\n"; 
@@ -51,12 +63,35 @@ $res .= "$fn->{RETURN_TYPE} dcerpc_$fn->{NAME}(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct $fn->{NAME} *r);\n\n"; } +sub ParseStruct($) +{ +my($s) = shift; + +$res .= "%{\n\n"; +$res .= "\t/* $s->{NAME} */\n\n"; + +foreach my $e (@{$s->{DATA}{ELEMENTS}}) { +} + +$res .= "\n%}\n\n"; +} + +sub ParseTypedef($) +{ +my($t) = shift; + +foreach my $e ($t) { + ($e->{DATA}{TYPE} eq "STRUCT") && ParseStruct($e); +} +} + sub ParseInheritedData($) { my($data) = shift; foreach my $e (@{$data}) { ($e->{TYPE} eq "FUNCTION") && ParseFunction($e); + ($e->{TYPE} eq "TYPEDEF") && ParseTypedef($e); } }
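Review bot: In the input typemap (@@ -15,17 +15,21 @@) the `PyDict_Check(\$input)` guard is commented out rather than kept, so the generated wrapper accepts any object and hands the RPC call a zeroed `temp`. The commented-out `foreach` that is meant to replace the placeholder calls `PyDict_GetItem(\$input, ...)` and feeds the result to `$e->{TYPE}_from_python`, which needs both the dict check and a check for a missing key before it can be enabled. Suggest leaving the type check live and deleting, rather than commenting out, code that is not meant to run. The same applies to the commented `PyDict_SetItem` block in the output typemap.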
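Review bot: `ParseStruct` in the @@ -51,12 +63,35 @@ hunk has an empty `foreach my $e (@{$s->{DATA}{ELEMENTS}}) { }` body, so it emits only a `%{ ... %}` block containing a comment. `ParseTypedef` wraps a single scalar in `foreach my $e ($t)`, where a plain `if ($t->{DATA}{TYPE} eq "STRUCT")` would be clearer. A TODO comment stating what is to be generated per element would make the stub status explicit.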
svn commit: samba r2276 - in branches/SAMBA_4_0/source/scripting/swig: .
Author: tpot Date: 2004-09-10 12:16:42 + (Fri, 10 Sep 2004) New Revision: 2276 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/branches/SAMBA_4_0/source/scripting/swig&rev=2276&nolog=1 Log: Remove garbage collection debugs. Modified: branches/SAMBA_4_0/source/scripting/swig/test Changeset: Modified: branches/SAMBA_4_0/source/scripting/swig/test === --- branches/SAMBA_4_0/source/scripting/swig/test 2004-09-10 07:14:02 UTC (rev 2275) +++ branches/SAMBA_4_0/source/scripting/swig/test 2004-09-10 12:16:42 UTC (rev 2276) @@ -1,8 +1,6 @@ #!/usr/bin/python import dcerpc -import gc -gc.set_debug(gc.DEBUG_LEAK) handle = dcerpc.pipe_connect("ncacn_np:win2k3dc", dcerpc.DCERPC_SAMR_UUID, dcerpc.DCERPC_SAMR_VERSION,
svn commit: samba r2275 - in branches/SAMBA_4_0/source/librpc/rpc: .
Author: tridge Date: 2004-09-10 07:14:02 + (Fri, 10 Sep 2004) New Revision: 2275 WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/branches/SAMBA_4_0/source/librpc/rpc&rev=2275&nolog=1 Log: don't crash on a rpc BIND_NAK response ... Modified: branches/SAMBA_4_0/source/librpc/rpc/dcerpc.c Changeset: Modified: branches/SAMBA_4_0/source/librpc/rpc/dcerpc.c === --- branches/SAMBA_4_0/source/librpc/rpc/dcerpc.c 2004-09-10 03:39:11 UTC (rev 2274) +++ branches/SAMBA_4_0/source/librpc/rpc/dcerpc.c 2004-09-10 07:14:02 UTC (rev 2275) @@ -465,10 +465,15 @@ return status; } + if (pkt.ptype == DCERPC_PKT_BIND_NAK) { + DEBUG(2,("dcerpc: bind_nak reason %d\n", pkt.u.bind_nak.reject_reason)); + return NT_STATUS_ACCESS_DENIED; + } + if ((pkt.ptype != DCERPC_PKT_BIND_ACK) || pkt.u.bind_ack.num_results == 0 || pkt.u.bind_ack.ctx_list[0].result != 0) { - status = NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_UNSUCCESSFUL; } if (pkt.ptype == DCERPC_PKT_BIND_ACK) {
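Review bot: The new BIND_NAK branch returns `NT_STATUS_ACCESS_DENIED` for every value of `pkt.u.bind_nak.reject_reason`, so callers cannot distinguish an authentication refusal from any other rejection cause, and the reason is only visible at debug level 2. Consider mapping the reject reason to a status code, or add a comment explaining why a single status is enough. With the second change to `return NT_STATUS_UNSUCCESSFUL;`, the `if (pkt.ptype == DCERPC_PKT_BIND_ACK)` test in the trailing context is now always true when reached and can be dropped.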