[SCM] Samba Shared Repository - branch master updated

2022-09-15 Thread Amitay Isaacs
The branch, master has been updated
   via  4f5b4bd9dfb ctdb-tests: Reformat remaining test stubs with "shfmt 
-w -p -i 0 -fn"
   via  0e388a1994e ctdb-tests: Include eventscript stub commands in 
shellcheck test
   via  4ee0abaece9 ctdb-tests: Avoid shellcheck warnings in remaining test 
stubs
   via  a31fb7e5ab8 ctdb-scripts: Simplify determination of real interface
   via  5abaec49927 ctdb-tests: Implement "ip -brief link show" in ip stub
   via  ef921bdbdba ctdb-tests: Avoid ShellCheck warnings
   via  67e0ca5e014 ctdb-tests: Reformat script with "shfmt -w -p -i 0 -fn"
   via  517f09eb6f3 ctdb-scripts: Drop assumption that there are VLANs with 
no '@'
  from  cc64ea24daa CVE-2020-25720 s4:dsdb/descriptor: explain lack of 
dSHeuristics check

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 4f5b4bd9dfb7690359dbae6b687f97946761dd22
Author: Martin Schwenke 
Date:   Fri Aug 26 09:16:49 2022 +1000

ctdb-tests: Reformat remaining test stubs with "shfmt -w -p -i 0 -fn"

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 

Autobuild-User(master): Amitay Isaacs 
Autobuild-Date(master): Fri Sep 16 04:35:09 UTC 2022 on sn-devel-184

commit 0e388a1994e0f6715466eba1d3bdd765c36f956f
Author: Martin Schwenke 
Date:   Thu Aug 18 09:36:08 2022 +1000

ctdb-tests: Include eventscript stub commands in shellcheck test

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 

commit 4ee0abaece92efd28901801c020cfdf5b80fcadb
Author: Martin Schwenke 
Date:   Thu Aug 18 08:59:28 2022 +1000

ctdb-tests: Avoid shellcheck warnings in remaining test stubs

A small amount of effort...

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 

commit a31fb7e5ab8439349bc2670b3fde1020ba2c48b5
Author: Martin Schwenke 
Date:   Wed Aug 17 11:38:44 2022 +1000

ctdb-scripts: Simplify determination of real interface

This can now be made trivial.

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 

commit 5abaec499275bc47fb596e6bf2fa9fe98a891e79
Author: Martin Schwenke 
Date:   Wed Aug 17 11:37:56 2022 +1000

ctdb-tests: Implement "ip -brief link show" in ip stub

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 

commit ef921bdbdbacecf39ee2a1851f16dbba62175fcc
Author: Martin Schwenke 
Date:   Wed Aug 17 12:12:30 2022 +1000

ctdb-tests: Avoid ShellCheck warnings

Although this is a test stub, it is complicated enough to encourage
ShellCheck cleanliness.

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 

commit 67e0ca5e01439b9efe4611c5fcfd0bf2ac69423b
Author: Martin Schwenke 
Date:   Wed Aug 17 11:41:33 2022 +1000

ctdb-tests: Reformat script with "shfmt -w -p -i 0 -fn"

As per current Samba convention.

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 

commit 517f09eb6f325af0d69b14d5b6b0e6b84616c6ce
Author: Martin Schwenke 
Date:   Wed Aug 17 11:04:10 2022 +1000

ctdb-scripts: Drop assumption that there are VLANs with no '@'

VLAN configuration on Linux often uses a convention of naming a VLAN
on  with VLAN ID  as ..  To be able to monitor
the underlying interface, the original 10.interface code naively
simply stripped off the '.' and everything after (i.e. ".*", as a glob
pattern).

Some users do not use the above convention.  A VLAN can be named
without including the underlying interface, but still with a
tag (e.g. vlan - the word "vlan" followed by the tag) or, more
generally, perhaps without a tag (e.g.  - an arbitrary name).
The ip(8) command lists a VLAN as @.  The underlying
interface can be found by stripping everything up to and including an
'@' (i.e. "*@").

Commit bc71251433ce618c95c674d7cbe75b01a94adad9 added support for
stripping "*@".  However, on suspicion, it kept support for the case
where there is no '@', falling back to stripping ".*".  If ip(8) ever
did this then it was a long time ago - it has been printing a format
including '@' since at least 2004.

Stripping ".*" interferes with interesting administrative decisions,
like having '.' in interface names.

So, drop the fallback to stripping ".*" because it appears to be
unnecessary and can cause inconvenience.

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 

---

Summary of changes:
 ctdb/config/functions  |   29 +-
 ctdb/tests/UNIT/eventscripts/stubs/ctdb|  498 
 ctdb/tests/UNIT/eventscripts/stubs/ctdb_killtcp|5 +-
 ctdb/tests/UNIT/eventscripts/stubs/ctdb_lvs|   33 +-
 ctdb/tests/UNIT/eventscripts/stubs/ctdb_natgw  |   38 +-
 ctdb/tests/UNIT/eventscripts/stubs/date  
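
The two stripping rules described in the 517f09eb6f3 commit message, compared in an added shell example. This is not code from ctdb: the function names are hypothetical and the listing is constructed sample output in the format of "ip -brief link show".

```shell
#!/bin/sh
# Added example, not ctdb code. The listing is constructed sample output in
# the format of "ip -brief link show"; all function names are hypothetical.
sample_links() {
	cat <<'EOF'
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
eth0             UP             52:54:00:00:00:01 <BROADCAST,MULTICAST,UP,LOWER_UP>
eth1             UP             52:54:00:00:00:02 <BROADCAST,MULTICAST,UP,LOWER_UP>
eth0.100@eth0    UP             52:54:00:00:00:01 <BROADCAST,MULTICAST,UP,LOWER_UP>
vlan200@eth0     UP             52:54:00:00:00:01 <BROADCAST,MULTICAST,UP,LOWER_UP>
storage@eth1     UP             52:54:00:00:00:02 <BROADCAST,MULTICAST,UP,LOWER_UP>
lan.dmz          UP             52:54:00:00:00:03 <BROADCAST,MULTICAST,UP,LOWER_UP>
EOF
}

# Print the name exactly as listed (with any "@parent" suffix) for a
# configured interface name, or fail if the interface is not listed.
listed_name() {
	sample_links | awk -v n="$1" '
		{ split($1, a, "@"); if (a[1] == n) { print $1; found = 1; exit } }
		END { exit !found }'
}

# Rule kept after the change: strip everything up to and including '@'.
real_iface() {
	_l=$(listed_name "$1") || return 1
	echo "${_l#*@}"
}

# Earlier rule as the commit message describes it: strip "*@", and when
# there is no '@' fall back to stripping ".*".
real_iface_with_fallback() {
	_l=$(listed_name "$1") || return 1
	case "$_l" in
	*@*) echo "${_l#*@}" ;;
	*) echo "${_l%%.*}" ;;
	esac
}

# Compare both rules for each configured name.
for _n in eth0 eth0.100 vlan200 storage lan.dmz; do
	printf '%-10s new=%-8s old=%s\n' "$_n" \
		"$(real_iface "$_n")" "$(real_iface_with_fallback "$_n")"
done
```

Only the last row differs: the fallback turns the plain interface lan.dmz into lan, a device that is not in the listing, so anything monitoring the result would be checking the wrong name.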

[SCM] Samba Shared Repository - branch master updated

2022-09-15 Thread Andrew Bartlett
The branch, master has been updated
   via  cc64ea24daa CVE-2020-25720 s4:dsdb/descriptor: explain lack of 
dSHeuristics check
   via  95fe9659574 CVE-2020-25720 s4:dsdb/descriptor: Validate owner SIDs 
written to security descriptors
   via  acca08f CVE-2020-25720 s4-acl: Omit sDRightsEffective for 
computers unless all rights are granted
   via  5073d5997cb CVE-2020-25720: s4-acl: Owner no longer has implicit 
Write DACL
   via  72b8e98252b CVE-2020-25720 s4:ntvfs: Use se_file_access_check() to 
check file access rights
   via  6dc6ca56bd5 CVE-2020-25720: s4-acl: Adjusted some tests to work 
with the new behavior
   via  08187833fee CVE-2020-25720: s4-acl: Change behavior of Create 
Children check
   via  0e1d8929f87 CVE-2020-25720: s4-acl: Move definition of 
acl_check_self_membership()
   via  c2761a47fd1 CVE-2020-25720 s4-acl: Test Create Child permission 
should not allow full write to all attributes
   via  2563f85237b CVE-2020-25720 pydsdb: Add AD schema GUID constants
   via  cc709077822 CVE-2020-25720 pydsdb: Add dsHeuristics constant 
definitions
   via  0af5706b559 CVE-2020-25720 s4/dsdb/util: Add functions for 
dsHeuristics 28, 29
   via  890d2c5cf5d CVE-2020-25720 python:tests: Ensure that access checks 
don't succeed
   via  cbbf3fd7412 CVE-2020-25720 s4:tests/sec_descriptor: Add missing 
security descriptor modify
  from  b4455f04879 s3: libsmb: In cli_posix_open_internal_send() 
(SMBtrans2:TRANSACT2_SETPATHINFO) check for DFS pathname.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit cc64ea24daa649dc8de4a212c7abfbe111095655
Author: Andrew Bartlett 
Date:   Fri Sep 16 14:18:37 2022 +1200

CVE-2020-25720 s4:dsdb/descriptor: explain lack of dSHeuristics check

It is strange that sDRightsEffective pays no attention to the
dSHeuristics flags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Reviewed-by: Joseph Sutton 
Signed-off-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Sep 16 03:31:42 UTC 2022 on sn-devel-184

commit 95fe9659574337234616625fc32d5f00035ae7c9
Author: Joseph Sutton 
Date:   Thu May 5 17:21:42 2022 +1200

CVE-2020-25720 s4:dsdb/descriptor: Validate owner SIDs written to security 
descriptors

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit acca08f12d5bff6edb631a9515fe7e5087c3
Author: Joseph Sutton 
Date:   Thu May 5 19:30:13 2022 +1200

CVE-2020-25720 s4-acl: Omit sDRightsEffective for computers unless all 
rights are granted

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 5073d5997cb1d7f654423655e0d1eeb117bdab38
Author: Nadezhda Ivanova 
Date:   Fri Oct 22 21:33:03 2021 +0300

CVE-2020-25720: s4-acl: Owner no longer has implicit Write DACL

The implicit right of an object's owner to modify its security
descriptor no longer exists, according to the new access rules. However,
we continue to grant this implicit right for fileserver access checks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Nadezhda Ivanova 
Reviewed-by: Andrew Bartlett 

commit 72b8e98252b0231868f04d40456459057126980c
Author: Joseph Sutton 
Date:   Mon Sep 5 14:53:26 2022 +1200

CVE-2020-25720 s4:ntvfs: Use se_file_access_check() to check file access 
rights

se_access_check() will be changed in a following commit to remove the
implicit WRITE_DAC right that comes with being the owner of an object.
We want to keep this implicit right for file access, and by using
se_file_access_check() we can preserve the existing behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 6dc6ca56bd517a5cba85bb4ec120fcfb5feadfb8
Author: Nadezhda Ivanova 
Date:   Fri Oct 22 21:10:35 2021 +0300

CVE-2020-25720: s4-acl: Adjusted some tests to work with the new behavior

Tests using non-privileged accounts now need to make sure they have
WP access on the provided attributes, or Write-DACL.
Some tests create organizational units with a specific SD, and those now
need the user to have WD or else they give errors.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Nadezhda Ivanova 
Reviewed-by: Andrew Bartlett 

commit 08187833fee57a8dba6c67546dfca516cd1f9d7a
Author: Nadezhda Ivanova 
Date:   Mon Oct 25 13:10:56 2021 +0300

CVE-2020-25720: s4-acl: Change behavior of Create Children check

Up to now, the rights to modify an attribute were not checked during an LDAP
add operation. This means that even if a user has no right to modify

[SCM] Samba Shared Repository - branch master updated

2022-09-15 Thread Jeremy Allison
The branch, master has been updated
   via  b4455f04879 s3: libsmb: In cli_posix_open_internal_send() 
(SMBtrans2:TRANSACT2_SETPATHINFO) check for DFS pathname.
   via  fa7e6899b3b s3: libsmb: In cli_qpathinfo_send() 
(SMBtrans2:TRANSACT2_QPATHINFO) check for DFS pathname.
   via  adc4a1b290a s3: libsmb: In cli_set_ea_path() 
(SMBtrans2:TRANSACT2_SETPATHINFO) check for DFS pathname.
   via  5c083e8bc3a s3: libsmb: In cli_ctemp_send() (SMBctemp) check for 
DFS pathname.
   via  6a82167f11f s3: libsmb: In cli_chkpath_send() (SMBcheckpath) check 
for DFS pathname.
   via  a53c049c4de s3: libsmb: In cli_setatr_send() (SMBsetatr) check for 
DFS pathname.
   via  75339aec0ee s3: libsmb: In cli_getatr_send() (SMBgetatr) check for 
DFS pathname.
   via  b58cee42512 s3: libsmb: In cli_openx_create() (SMBopenX) check for 
DFS pathname.
   via  ab125722642 s3: libsmb: In cli_nttrans_create_send() 
(SMBnttrans:NT_TRANSACT_CREATE) check for DFS pathname.
   via  198869afecd s3: libsmb: In cli_ntcreate1_send() (SMBntcreateX) 
check for DFS pathname.
   via  8561eaa02d9 s3: libsmb: In cli_rmdir_send() (SMBrmdir) check for 
DFS pathname.
   via  47cf519e98f s3: libsmb: In cli_mkdir_send() (SMBmkdir) check for 
DFS pathname.
   via  e2efea7d1f2 s3: libsmb: In cli_unlink_send() (SMBunlink) check for 
DFS pathname.
   via  73a6e2b14a1 s3: libsmb: In cli_ntrename_internal_send() 
(SMBntrename) check for DFS dst pathname.
   via  f1765c9c7be s3: libsmb: In cli_ntrename_internal_send() 
(SMBntrename) check for DFS source pathname.
   via  44bf2bc89a4 s3: libsmb: In cli_cifs_rename_send() (SMBmv) check for 
DFS dst pathname.
   via  4da3c724d5b s3: libsmb: In cli_cifs_rename_send() (SMBmv) check for 
DFS source pathname.
   via  2d28696efe6 s3: libsmb: Make cli_setpathinfo_send() (SMBtrans2: 
TRANSACT2_SETPATHINFO) DFS path aware.
   via  f34fad61fdc s3: smbcacls: Now cli_resolve_path() and cli_list() can 
handle DFS names we no longer need local_cli_resolve_path().
   via  3c2a31b4384 s3: libsmb: Fix cli_resolve_path() to cope with DFS 
paths passed in as well as local paths.
   via  d9f0d924795 s3: libsmb: Fix SMB1 cli_list_old_send() to cope with 
DFS paths.
   via  4a9458d03dd s3: libsmb: Fix SMB1 cli_list_trans_send() 
(SMBtrans2:TRANSACT2_FINDFIRST) to cope with DFS paths.
   via  c98d165e517 s3: libsmb: Add smb1_dfs_share_path() to convert a name 
into a DFS path if needed.
   via  dd9cdfb3b14 s3: libsmb: For SMB2 opens on a DFS share, convert to a 
DFS path if not already done.
   via  26b4a6951b6 s3: libsmb: Add cli_dfs_is_already_full_path() function.
   via  070b73e3f96 s3: libsmb: In cli_list_old_send(), push state->mask 
into the packet, not just mask.
   via  ad97a97bd80 s3: libsmb: Make 
cli_state_save_tcon()/cli_state_restore_tcon() static.
   via  4e3ea1b2e72 s3: smbcacls: In cli_lsa_lookup_domain_sid(), replace 
cli_state_save_tcon()/cli_state_restore_tcon() with 
cli_state_save_tcon_share()/cli_state_restore_tcon_share().
   via  fddade459f2 s3: utils: In show_userlist() replace 
cli_state_save_tcon()/cli_state_restore_tcon() with 
cli_state_save_tcon_share()/cli_state_restore_tcon_share().
   via  d116a079e99 s3: torture: In run_tcon_test() replace 
cli_state_save_tcon()/cli_state_restore_tcon() with 
cli_state_save_tcon_share()/cli_state_restore_tcon_share().
   via  cf02ed2f605 s3: torture: In run_smb2_basic(), replace 
cli_state_save_tcon()/cli_state_restore_tcon() with 
cli_state_save_tcon_share()/cli_state_restore_tcon_share().
   via  fcf090279e2 s3: libsmb: In cli_check_msdfs_proxy() replace 
cli_state_save_tcon()/cli_state_restore_tcon() with 
cli_state_save_tcon_share()/cli_state_restore_tcon_share().
   via  83dab4238cd s3: libsmb: In cli_lsa_lookup_name() replace 
cli_state_save_tcon()/cli_state_restore_tcon() with 
cli_state_save_tcon_share()/cli_state_restore_tcon_share().
   via  73fde1fbbf0 s3: libsmb: In cli_lsa_lookup_sid() replace 
cli_state_save_tcon()/cli_state_restore_tcon() with 
cli_state_save_tcon_share()/cli_state_restore_tcon_share().
   via  c3c71649850 s3: libsmb: Add pair 
cli_state_save_tcon_share()/cli_state_restore_tcon_share().
   via  dfd7c6ca784 s3: libsmb: Cleanup - remove unused fname_src parameter 
from cli_dfs_target_check().
   via  c7749103b22 s3: libsmb: Add missing memory allocation fail check in 
cli_openx_create().
   via  a213a371aeb s3: libsmb: Add missing memory allocation fail checks 
in cli_ntcreate1_send().
  from  95bd776d2a3 s3: smbtorture3: Add test_smb1_qpathinfo() DFS test to 
run_smb1_dfs_operations().

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit b4455f04879d39aefc4d4e39e6611c54be00e62d
Author: Jeremy Allison 
Date:   Fri Sep 9 10:29:30 2022 -0700

s3: libsmb: In cli_posix_open_internal_send()