svn commit: samba-web r321 - in trunk: . download

2004-09-10 Thread deryck
Author: deryck
Date: 2004-09-11 03:00:55 + (Sat, 11 Sep 2004)
New Revision: 321

WebSVN: 
http://websvn.samba.org/websvn/changeset.php?rep=samba-web&path=/trunk&rev=321&nolog=1

Log:

Update link to VMS port.  Also, fix several xhtml validation errors.

--deryck

Modified:
   trunk/download/index.html
   trunk/what_is_samba.html


Changeset:
Modified: trunk/download/index.html
===
--- trunk/download/index.html   2004-09-10 21:25:29 UTC (rev 320)
+++ trunk/download/index.html   2004-09-11 03:00:55 UTC (rev 321)
@@ -1,9 +1,9 @@
  
   Download Samba
 
-Download
+Download
 
- The Samba source code is distributed via ftp and http. For ftp
+ The Samba source code is distributed via ftp and http. For ftp
 sites look here. For the http site look here.
 The file you probably want is called samba-latest.tar.gz.
@@ -16,24 +16,24 @@
 and the Samba distribution public key.  Then run
 
 
- $ gpg --import samba-pubkey.asc
- $ gunzip samba-version.tar.gz
- $ gpg --verify samba-release.tar.asc
- gpg: Signature made Tue 26 Nov 2002 07:12:04 PM CST using DSA key ID 2F87AF6F
- gpg: Good signature from "Samba Distribution Verification Key <[EMAIL PROTECTED]>"
+$ gpg --import samba-pubkey.asc
+$ gunzip samba-version.tar.gz
+$ gpg --verify samba-release.tar.asc
+gpg: Signature made Tue 26 Nov 2002 07:12:04 PM CST using DSA key ID 2F87AF6F
+gpg: Good signature from "Samba Distribution Verification 
Key‹samba-bugs@samba.org›
 
 
 For information on Samba security releases, please see our security page.
 
 
-
-
-  
+
+
+  
 
   Binaries
   Samba binaries are available for many popular platforms. You can download
-  them via http here or from one of
-  several mirror sites. Note that the latest
+  them via http here or from one of
+  several mirror sites. Note that the latest
   version may not always be available for every platform.
 
 
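Review bot: the verification steps use two different base names: 'gunzip samba-version.tar.gz' leaves samba-version.tar, but the next command is 'gpg --verify samba-release.tar.asc', so a reader cannot tell which signature goes with which tarball. Use one placeholder throughout and pass the tarball explicitly as the second argument to gpg --verify. The sample output also identifies the key only by the short ID 2F87AF6F, and the public key is imported from the same place as the tarball; consider printing the full key fingerprint on this page so it can be compared against a copy obtained from another source.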
@@ -42,26 +42,29 @@
Subversion and CVS Sources
   You can also fetch the sources using a source code control
   system.  The advantage of fetching via a VCS is that you can update your
- sources at any time using a single command.  See the Subversion instructions and CVS instructions for information on 
+ sources at any time using a single command.  See the Subversion instructions and CVS instructions for information on 
  fetching the sources using a version control system.
 
   
-  
-  
-  
+  
 
   Tools
   
-
+
  
   
-   Samba GUI managers
-   http://www.ethereal.com/";>Ethereal (decodes NetBIOS, 
SMB/CIFS, & MS-RPC)
-   http://www.tcpdump.org/";>tcpdump (command line packet 
sniffer)
-   http://www.tux.org/pub/security/secnet/tools/nat10/";>NetBIOS Auditing Tool (NAT)
-   http://nbfw.sourceforge.net";>nbfw, the NetBIOS forwarder
+   Samba GUI managers
+   http://www.ethereal.com/";>Ethereal (decodes NetBIOS,
+SMB/CIFS, & MS-RPC)
+   http://www.tcpdump.org/";>tcpdump (command line
+packet sniffer)
+   http://www.tux.org/pub/security/secnet/tools/nat10/";>NetBIOS Auditing
+ Tool (NAT)
+   http://nbfw.sourceforge.net";>nbfw, the NetBIOS
+forwarder
   
  
 
@@ -72,52 +75,57 @@
 
   Ports
   
-
+
   
 
-  http://www.ifn.ing.tu-bs.de/ifn/sonst/samba-vms.html";>VMS
-  ftp://ftp.mks.com/pub/s390/gnu/";>MVS
+  http://www.pi-net.dyndns.org/anonymous/jyc/";>VMS
+  ftp://ftp.mks.com/pub/s390/gnu/";>MVS
 
- ftp://ftp.stratus.com/pub/vos/tools/tools.html";>Stratus-VOS
+ ftp://ftp.stratus.com/pub/vos/tools/tools.html";>Stratus-VOS
 
   
   
   
   
 
-  http://www.amigasamba.org/";>Amiga
-  http://www.editcorp.com/sambaix/";>MPE/iX
+  http://www.amigasamba.org/";>Amiga
+  http://www.editcorp.com/sambaix/";>MPE/iX
 
   
 
   
 
   
-  SMB/CIFS Clients
-  
+  SMB/CIFS Clients
+  
 
   
-http://samba.sernet.de/linux-lan/";>SMBFS (& Linux Lan Info)
-   Linux CIFS VFS
-http://www.thursby.com/";>Dave (Macintosh)
-http://www.tarantella.com/products/vision/family/#vfs";>VisionFS
+http://samba.sernet.de/linux-lan/";>SMBFS (& Linux Lan Info)
+
+   Linux CIFS VFS
+http://www.thursby.com/";>Dave (Macintosh)
+http://www.tarantella.com/products/vision/family/#vfs";>VisionFS
   
 
 
 
 
   
-http://www.qnx.com/";>QNX (Samba Server/Client)
-http://www.networking.ibm.com/trl/trlclnt.html";>IBM LAN Client 
2.x
-http://www.obdev.at/Products/Sharity.html";>Sharity
+http://www.qnx.com/";>QNX (Samba Server/Client)
+http://www.networking.ibm.com/trl/trlcln
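Review bot: the replacement VMS link, http://www.pi-net.dyndns.org/anonymous/jyc/, is a dynamic-DNS hostname reached over plain http, on the same page that tells readers how to verify Samba's own signature. Say next to the Ports list whether these third-party ports are signed with the Samba distribution key, so readers do not assume the gpg steps earlier on the page apply to them.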

svn commit: samba-web r320 - in trunk/docs: .

2004-09-10 Thread deryck
Author: deryck
Date: 2004-09-10 21:25:29 + (Fri, 10 Sep 2004)
New Revision: 320

WebSVN: 
http://websvn.samba.org/websvn/changeset.php?rep=samba-web&path=/trunk/docs&rev=320&nolog=1

Log:

First pass at adding a permanent copy of the notes
on "Protecting an unpatched Samba server" found in
older release notes.

--deryck

Added:
   trunk/docs/server_security.html


Changeset:
Added: trunk/docs/server_security.html
===
--- trunk/docs/server_security.html 2004-09-09 13:49:54 UTC (rev 319)
+++ trunk/docs/server_security.html 2004-09-10 21:25:29 UTC (rev 320)
@@ -0,0 +1,144 @@
+
+Samba Server Security
+
+
+  Protecting an unpatched Samba server
+
+
+  This following instructions will help provide your Samba server some
+  protection against security vulnerabilities if you are unable to (or until
+  you are able to) upgrade to the patched version. Even if you do upgrade 
+  you might like to thinkabout the suggestions here to provide you with
+  additional levels of protection.
+
+
+  
+  Using host based protection
+  
+  In many installations of Samba the greatest threat comes for
+  outside your immediate network. By default Samba will accept
+  connections from any host, which means that if you run an
+  insecure version of Samba on a host that is directly
+  connected to the Internet you can be especially vulnerable.
+
+  One of the simplest fixes in this case is to use the 'hosts
+  allow' and 'hosts deny' options in the Samba smb.conf
+  configuration file to only allow access to your server from a
+  specific range of hosts. An example might be:
+
+
+hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
+hosts deny = 0.0.0.0/0
+
+
+  The above will only allow SMB connections from 'localhost'
+  (your own computer) and from the two private networks
+  192.168.2 and 192.168.3. All other connections will be
+  refused connections as soon as the client sends its first
+  packet. The refusal will be marked as a 'not listening on
+  called name' error.
+
+
+  
+  Using interface protection
+  
+  By default Samba will accept connections on any network
+  interface that it finds on your system. That means if you
+  have a ISDN line or a PPP connection to the Internet then
+  Samba will accept connections on those links. This may not be
+  what you want.
+
+  You can change this behavior using options like the
+  following:
+
+
+interfaces = eth* lo
+bind interfaces only = yes
+
+
+  that tells Samba to only listen for connections on interfaces
+  with a name starting with 'eth' such as eth0, eth1, plus on
+  the loopback interface called 'lo'. The name you will need to
+  use depends on what OS you are using. In the above I used the
+  common name for ethernet adapters on Linux.
+
+  If you use the above and someone tries to make a SMB
+  connection to your host over a PPP interface called 'ppp0',
+  they will get a TCP connection refused reply. In that
+  case no Samba code is run at all as the operating system has
+  been told not to pass connections from that interface to any
+  process.
+
+
+  
+  Using a firewall
+  
+  Many people use a firewall to deny access to services that
+  they don't want exposed outside their network. This can be a
+  very good idea, although I would recommend using it in
+  conjunction with the above methods so that you are protected
+  even if your firewall is not active for some reason.
+
+  If you are setting up a firewall then you need to know what
+  TCP and UDP ports to allow and block. Samba uses the
+  following:
+
+
+UDP/137- used by nmbd
+UDP/138- used by nmbd
+TCP/139- used by smbd
+TCP/445- used by smbd
+
+
+  The last one is important as many older firewall setups may
+  not be aware of it, given that this port was only added to
+  the protocol in recent years.
+
+
+  
+  Using a IPC$ share deny
+ 
+  If the above methods are not suitable, then you could also
+  place a more specific deny on the IPC$ share that is used in
+  the recently discovered security hole. This allows you to
+  offer access to other shares while denying access to IPC$
+  from potentially untrustworthy hosts.
+
+  To do that you could use:
+
+
+[ipc$]
+hosts allow = 192.168.115.0/24 127.0.0.1
+hosts deny = 0.0.0.0/0
+
+
+  this would tell Samba that IPC$ connections are not allowed
+  from anywhere but the two listed places (localhost and a
+  local subnet). Connections to other shares would still be
+  allowed. As the IPC$ share is the only share that is always
+  accessible anonymously this provides some level of protection
+  against attackers that do not know a username/password for
+  your host.
+
+
+  If you use this method then clients will be given a 'access
+  denied' reply when they try to access the IPC$ share. That
+  means that those clients will not be able to browse shares,
+  and may also be unable to access some other resources.
+
+  I 
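Review bot: this is committed as a permanent page, but the text still reads as release notes: 'the patched version' in the opening paragraph and 'the recently discovered security hole' in the IPC$ section never say which release or advisory they mean. Name the vulnerability and the fixed version, or link the security page, otherwise the IPC$ advice has no context once the release notes it came from are old. Smaller points in the same hunk: 'This following instructions', 'thinkabout', 'comes for outside' and 'will be refused connections' need proofreading, and the first-person 'I would recommend' and 'In the above I used' should be reworded for a project page.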

svn commit: samba r2279 - in branches/SAMBA_3_0: .

2004-09-10 Thread jht
Author: jht
Date: 2004-09-10 16:15:29 + (Fri, 10 Sep 2004)
New Revision: 2279

WebSVN: 
http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/branches/SAMBA_3_0&rev=2279&nolog=1

Log:
Clarification changes only.
Modified:
   branches/SAMBA_3_0/Roadmap


Changeset:
Modified: branches/SAMBA_3_0/Roadmap
===
--- branches/SAMBA_3_0/Roadmap  2004-09-10 12:20:25 UTC (rev 2278)
+++ branches/SAMBA_3_0/Roadmap  2004-09-10 16:15:29 UTC (rev 2279)
@@ -3,7 +3,7 @@
 The Samba-Team are committed to an aggressive program to deliver quality
 controlled software to a well defined roadmap.
 
-The current Samba Beta series of Samba 3.0.0 is called the "Domain Integration"
+The current Samba series of Samba 3.0.0 is called the "Domain Integration"
 release.
 
 The following development objectives for future releases
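Review bot: with 'Beta' dropped, the changed line now reads 'The current Samba series of Samba 3.0.0', which repeats the product name; 'The current Samba 3.0.0 series' would say the same thing.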
@@ -27,4 +27,4 @@
 
 You may also note that the release numbers get fuzzier the
 further into the future the objectives get. This is intentional
-as we cannot yet commit to exact timeframes.
+as we cannot commit to exact timeframes.



svn commit: samba r2278 - in branches/SAMBA_4_0/source/scripting/swig: .

2004-09-10 Thread tpot
Author: tpot
Date: 2004-09-10 12:20:25 + (Fri, 10 Sep 2004)
New Revision: 2278

WebSVN: 
http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/branches/SAMBA_4_0/source/scripting/swig&rev=2278&nolog=1

Log:
Add some more helper functions.

Modified:
   branches/SAMBA_4_0/source/scripting/swig/dcerpc.i


Changeset:
Modified: branches/SAMBA_4_0/source/scripting/swig/dcerpc.i
===
--- branches/SAMBA_4_0/source/scripting/swig/dcerpc.i   2004-09-10 12:18:56 UTC (rev 
2277)
+++ branches/SAMBA_4_0/source/scripting/swig/dcerpc.i   2004-09-10 12:20:25 UTC (rev 
2278)
@@ -47,26 +47,56 @@
PyErr_SetObject(ntstatus_exception, obj);
 }
 
-char *get_string_property(PyObject *dict, char *key)
+uint8 uint8_from_python(PyObject *obj)
 {
-   PyObject *item = PyDict_GetItem(dict, PyString_FromString(key));
+   return (uint8)PyInt_AsLong(obj);
+}
 
-   if (!item)
-   return 0; /* TODO: throw exception */
+uint16 uint16_from_python(PyObject *obj)
+{
+   return (uint16)PyInt_AsLong(obj);
+}
 
-   return PyString_AsString(item);
+uint32 uint32_from_python(PyObject *obj)
+{
+   return (uint32)PyInt_AsLong(obj);
 }
 
-uint32 get_uint32_property(PyObject *dict, char *key)
+int64 int64_from_python(PyObject *obj)
 {
-   PyObject *item = PyDict_GetItem(dict, PyString_FromString(key));
+   return (int64)PyLong_AsLong(obj);
+}
 
-   if (!item)
-   return 0; /* TODO: throw exception */
+uint64 uint64_from_python(PyObject *obj)
+{
+   return (uint64)PyLong_AsLong(obj);
+}
 
-   return (uint32)PyInt_AsLong(item);
+NTTIME NTTIME_from_python(PyObject *obj)
+{
+   return (NTTIME)PyLong_AsLong(obj);
 }
 
+HYPER_T HYPER_T_from_python(PyObject *obj)
+{
+   return (HYPER_T)PyLong_AsLong(obj);
+}
+
+struct policy_handle *policy_handle_from_python(PyObject *obj)
+{
+   return (struct policy_handle *)PyString_AsString(obj);
+}
+
+struct security_descriptor *security_descriptor_from_python(PyObject *obj)
+{
+   return NULL;
+}
+
+char *string_from_python(PyObject *obj)
+{
+   return NULL;
+}
+
 %}
 
 %include "samba.i"
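Review bot: policy_handle_from_python returns the result of PyString_AsString cast straight to struct policy_handle *, with no check that obj is a string or that it holds at least sizeof(struct policy_handle) bytes. PyString_AsString returns NULL for a non-string, and for a short string the callee will read past the end of the Python buffer; check PyString_Check and PyString_Size first, and copy into a caller-owned struct instead of aliasing the interpreter's storage. The integer helpers have a related gap: PyInt_AsLong and PyLong_AsLong return -1 with an exception set on failure, and the casts to uint8, uint16 and uint32 silently truncate out-of-range values, so each needs a range check and a PyErr_Occurred() test. int64_from_python, uint64_from_python, NTTIME_from_python and HYPER_T_from_python all go through long; PyLong_AsLongLong or PyLong_AsUnsignedLongLong would keep the full width where long is 32 bits. security_descriptor_from_python and string_from_python are stubs that return NULL and should carry a TODO comment so callers know.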



svn commit: samba r2277 - in branches/SAMBA_4_0/source/build/pidl: .

2004-09-10 Thread tpot
Author: tpot
Date: 2004-09-10 12:18:56 + (Fri, 10 Sep 2004)
New Revision: 2277

WebSVN: 
http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/branches/SAMBA_4_0/source/build/pidl&rev=2277&nolog=1

Log:
Generate stubs for input and output typemaps.

Modified:
   branches/SAMBA_4_0/source/build/pidl/swig.pm


Changeset:
Modified: branches/SAMBA_4_0/source/build/pidl/swig.pm
===
--- branches/SAMBA_4_0/source/build/pidl/swig.pm2004-09-10 12:16:42 UTC (rev 
2276)
+++ branches/SAMBA_4_0/source/build/pidl/swig.pm2004-09-10 12:18:56 UTC (rev 
2277)
@@ -15,17 +15,21 @@
 {
 my($fn) = shift;
 
-#print Dumper($fn);
-
 # Input typemap
 
 $res .= "%typemap(in) struct $fn->{NAME} * (struct $fn->{NAME} temp) {\n";
-$res .= "\tif (!PyDict_Check(\$input)) {\n";
-$res .= "\t\tPyErr_SetString(PyExc_TypeError, \"dict arg expected\");\n";
-$res .= "\t\treturn NULL;\n";
-$res .= "\t}\n\n";
-$res .= "\tmemset(&temp, 0, sizeof(temp));\n\n";
-$res .= "\t/* store input params in dict */\n\n";
+#$res .= "\tif (!PyDict_Check(\$input)) {\n";
+#$res .= "\t\tPyErr_SetString(PyExc_TypeError, \"dict arg expected\");\n";
+#$res .= "\t\treturn NULL;\n";
+#$res .= "\t}\n\n";
+$res .= "\tmemset(&temp, 0, sizeof(temp));\n";
+#foreach my $e (@{$fn->{DATA}}) {
+#  if (util::has_property($e, "in")) {
+#  $res .= "\ttemp.in.$e->{NAME} = 
$e->{TYPE}_from_python(PyDict_GetItem(\$input, 
PyString_FromString(\"$e->{NAME}\")));\n";
+#  }
+#}
+
+#$res .= "\n";
 $res .= "\t\$1 = &temp;\n";
 $res .= "}\n\n";
 
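Review bot: the PyDict_Check guard on $input is commented out rather than kept, so the generated input typemap now accepts any Python object and hands the callee a zeroed temp. Once the commented foreach is enabled, PyDict_GetItem will run on an unchecked object and its NULL return for a missing key goes straight into $e->{TYPE}_from_python; keep the type check live and test each lookup for NULL before converting. The PyString_FromString call in that generated line also creates a key object that is never released. If the old lines are not coming back, delete them instead of leaving them commented.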
@@ -40,8 +44,16 @@
 $res .= "\t\treturn NULL;\n";
 $res .= "\t}\n";
 $res .= "\n";
-$res .= "\tdict = PyDict_New();\n\n";
-$res .= "\t/* store output params in dict */\n\n";
+$res .= "\tdict = PyDict_New();\n";
+
+#foreach my $e (@{$fn->{DATA}}) {
+#  if (util::has_property($e, "out")) {
+#  $res .= "\t// PyDict_SetItem(dict, PyString_FromString(\"$e->{NAME}\"),\n";
+#  $res .= "\t//\t$e->{TYPE}_to_python(\$1->out.$e->{NAME}));\n";
+#  }
+#}
+
+$res .= "\n";
 $res .= "\tresultobj = dict;\n";
 $res .= "}\n\n";
 
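Review bot: the planned PyDict_SetItem call in the commented loop would leak both arguments, because PyDict_SetItem does not take ownership of the key from PyString_FromString or of the value from $e->{TYPE}_to_python; each needs a Py_DECREF after insertion, or use PyDict_SetItemString for the key. The live line 'dict = PyDict_New();' is also assigned to resultobj without a NULL check.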
@@ -51,12 +63,35 @@
 $res .= "$fn->{RETURN_TYPE} dcerpc_$fn->{NAME}(struct dcerpc_pipe *p, TALLOC_CTX 
*mem_ctx, struct $fn->{NAME} *r);\n\n";
 }
 
+sub ParseStruct($)
+{
+my($s) = shift;
+
+$res .= "%{\n\n";
+$res .= "\t/* $s->{NAME} */\n\n";
+
+foreach my $e (@{$s->{DATA}{ELEMENTS}}) {
+}
+
+$res .= "\n%}\n\n";
+}
+
+sub ParseTypedef($)
+{
+my($t) = shift;
+
+foreach my $e ($t) {
+   ($e->{DATA}{TYPE} eq "STRUCT") && ParseStruct($e);
+}
+}
+
 sub ParseInheritedData($)
 {
 my($data) = shift;
 
 foreach my $e (@{$data}) {
($e->{TYPE} eq "FUNCTION") && ParseFunction($e);
+   ($e->{TYPE} eq "TYPEDEF") && ParseTypedef($e);
 }
 }
 



svn commit: samba r2276 - in branches/SAMBA_4_0/source/scripting/swig: .

2004-09-10 Thread tpot
Author: tpot
Date: 2004-09-10 12:16:42 + (Fri, 10 Sep 2004)
New Revision: 2276

WebSVN: 
http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/branches/SAMBA_4_0/source/scripting/swig&rev=2276&nolog=1

Log:
Remove garbage collection debugs.

Modified:
   branches/SAMBA_4_0/source/scripting/swig/test


Changeset:
Modified: branches/SAMBA_4_0/source/scripting/swig/test
===
--- branches/SAMBA_4_0/source/scripting/swig/test   2004-09-10 07:14:02 UTC (rev 
2275)
+++ branches/SAMBA_4_0/source/scripting/swig/test   2004-09-10 12:16:42 UTC (rev 
2276)
@@ -1,8 +1,6 @@
 #!/usr/bin/python
 
 import dcerpc
-import gc
-gc.set_debug(gc.DEBUG_LEAK)
 
 handle = dcerpc.pipe_connect("ncacn_np:win2k3dc",
dcerpc.DCERPC_SAMR_UUID, dcerpc.DCERPC_SAMR_VERSION,



svn commit: samba r2275 - in branches/SAMBA_4_0/source/librpc/rpc: .

2004-09-10 Thread tridge
Author: tridge
Date: 2004-09-10 07:14:02 + (Fri, 10 Sep 2004)
New Revision: 2275

WebSVN: 
http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/branches/SAMBA_4_0/source/librpc/rpc&rev=2275&nolog=1

Log:
don't crash on a rpc BIND_NAK response ...

Modified:
   branches/SAMBA_4_0/source/librpc/rpc/dcerpc.c


Changeset:
Modified: branches/SAMBA_4_0/source/librpc/rpc/dcerpc.c
===
--- branches/SAMBA_4_0/source/librpc/rpc/dcerpc.c   2004-09-10 03:39:11 UTC (rev 
2274)
+++ branches/SAMBA_4_0/source/librpc/rpc/dcerpc.c   2004-09-10 07:14:02 UTC (rev 
2275)
@@ -465,10 +465,15 @@
return status;
}
 
+   if (pkt.ptype == DCERPC_PKT_BIND_NAK) {
+   DEBUG(2,("dcerpc: bind_nak reason %d\n", 
pkt.u.bind_nak.reject_reason));
+   return NT_STATUS_ACCESS_DENIED;
+   }
+
if ((pkt.ptype != DCERPC_PKT_BIND_ACK) ||
pkt.u.bind_ack.num_results == 0 ||
pkt.u.bind_ack.ctx_list[0].result != 0) {
-   status = NT_STATUS_UNSUCCESSFUL;
+   return NT_STATUS_UNSUCCESSFUL;
}
 
if (pkt.ptype == DCERPC_PKT_BIND_ACK) {
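Review bot: every BIND_NAK is mapped to NT_STATUS_ACCESS_DENIED whatever pkt.u.bind_nak.reject_reason holds, and the reason is only visible at debug level 2. Callers then cannot tell an authentication refusal from, say, an unsupported protocol version; map reject_reason to a status code, or return a more neutral status for the reasons that are not about access. With the second change turning 'status = NT_STATUS_UNSUCCESSFUL' into an early return, the following 'if (pkt.ptype == DCERPC_PKT_BIND_ACK)' is always true and can be dropped. Also confirm that nothing allocated earlier in the function needs freeing on these two new return paths, which the hunk does not show.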