1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()

This warns the admin about insecure options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

(similar to commit 7e7adf86e5)
[jsutton@samba.org Replaced call to tevent_cached_getpid() with one to
 getpid()]
This commit is contained in:
Stefan Metzmacher 2022-11-30 14:47:33 +01:00
parent b0dbc39551
commit 1fe8857b4d
2 changed files with 68 additions and 0 deletions

View File

@ -205,6 +205,8 @@ static struct db_context *netlogon_creds_cli_global_db;
NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx,
struct db_context **db)
{
netlogon_creds_cli_warn_options(lp_ctx);
if (netlogon_creds_cli_global_db != NULL) {
return NT_STATUS_INVALID_PARAMETER_MIX;
}
@ -219,6 +221,8 @@ NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
struct db_context *global_db;
int hash_size, tdb_flags;
netlogon_creds_cli_warn_options(lp_ctx);
if (netlogon_creds_cli_global_db != NULL) {
return NT_STATUS_OK;
}
@ -259,6 +263,68 @@ void netlogon_creds_cli_close_global_db(void)
TALLOC_FREE(netlogon_creds_cli_global_db);
}
void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
{
bool global_reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx);
int global_client_schannel = lpcfg_client_schannel(lp_ctx);
bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
static bool warned_global_reject_md5_servers = false;
static bool warned_global_require_strong_key = false;
static bool warned_global_client_schannel = false;
static bool warned_global_seal_secure_channel = false;
static int warned_global_pid = 0;
int current_pid = getpid();
if (warned_global_pid != current_pid) {
warned_global_reject_md5_servers = false;
warned_global_require_strong_key = false;
warned_global_client_schannel = false;
warned_global_seal_secure_channel = false;
warned_global_pid = current_pid;
}
if (!global_reject_md5_servers && !warned_global_reject_md5_servers) {
/*
* We want admins to notice their misconfiguration!
*/
DBG_ERR("CVE-2022-38023 (and others): "
"Please configure 'reject md5 servers = yes' (the default), "
"See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
warned_global_reject_md5_servers = true;
}
if (!global_require_strong_key && !warned_global_require_strong_key) {
/*
* We want admins to notice their misconfiguration!
*/
DBG_ERR("CVE-2022-38023 (and others): "
"Please configure 'require strong key = yes' (the default), "
"See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
warned_global_require_strong_key = true;
}
if (global_client_schannel != true && !warned_global_client_schannel) {
/*
* We want admins to notice their misconfiguration!
*/
DBG_ERR("CVE-2022-38023 (and others): "
"Please configure 'client schannel = yes' (the default), "
"See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
warned_global_client_schannel = true;
}
if (!global_seal_secure_channel && !warned_global_seal_secure_channel) {
/*
* We want admins to notice their misconfiguration!
*/
DBG_ERR("CVE-2022-38023 (and others): "
"Please configure 'winbind sealed pipes = yes' (the default), "
"See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
warned_global_seal_secure_channel = true;
}
}
NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
struct messaging_context *msg_ctx,
const char *client_account,

View File

@ -35,6 +35,8 @@ NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struc
NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
void netlogon_creds_cli_close_global_db(void);
void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx);
NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
struct messaging_context *msg_ctx,
const char *client_account,