mirror of
https://github.com/samba-team/samba.git
synced 2025-01-13 13:18:06 +03:00
CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
So far we tried getpwnam("DOMAIN\account") first and always did a fallback to getpwnam("account") completely ignoring the domain part, this just causes problems as we mix "DOMAIN1\account", "DOMAIN2\account", and "account"! As we require a running winbindd for domain member setups we should no longer do a fallback to just "account" for users served by winbindd! For users of the local SAM don't use this code path, as check_sam_security() doesn't call check_account(). The only case where smb_getpwnam("account") happens is when map_username() via ("username map [script]") mapped "DOMAIN\account" to something without '\', but that is explicitly desired by the admin. Note: use 'git show -w' BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
dd0423bfbb
commit
8f79ee99a6
26
selftest/knownfail.d/ktest
Normal file
26
selftest/knownfail.d/ktest
Normal file
@ -0,0 +1,26 @@
|
||||
^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2...lsa.LookupSidsReply.ktest
|
||||
^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2...lsa.LookupSidsReply.ktest
|
||||
^samba3.blackbox.rpcclient.krb5.ncacn_np.with..krb5...rpcclient.ktest:local
|
||||
^samba3.blackbox.rpcclient.krb5.ncacn_np.with..spnego,krb5...rpcclient.ktest:local
|
||||
^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2,connect...lsa.LookupSidsReply.ktest
|
||||
^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2,connect...lsa.LookupSidsReply.ktest
|
||||
^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2,packet...lsa.LookupSidsReply.ktest
|
||||
^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2,packet...lsa.LookupSidsReply.ktest
|
||||
^samba3.blackbox.rpcclient.krb5.ncacn_np.with..krb5,packet...rpcclient.ktest:local
|
||||
^samba3.blackbox.rpcclient.krb5.ncacn_np.with..spnego,krb5,packet...rpcclient.ktest:local
|
||||
^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2,sign...lsa.LookupSidsReply.ktest
|
||||
^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2,sign...lsa.LookupSidsReply.ktest
|
||||
^samba3.blackbox.rpcclient.krb5.ncacn_np.with..krb5,sign...rpcclient.ktest:local
|
||||
^samba3.blackbox.rpcclient.krb5.ncacn_np.with..spnego,krb5,sign...rpcclient.ktest:local
|
||||
^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2,seal...lsa.LookupSidsReply.ktest
|
||||
^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2,seal...lsa.LookupSidsReply.ktest
|
||||
^samba3.blackbox.rpcclient.krb5.ncacn_np.with..krb5,seal...rpcclient.ktest:local
|
||||
^samba3.blackbox.rpcclient.krb5.ncacn_np.with..spnego,krb5,seal...rpcclient.ktest:local
|
||||
^samba3.blackbox.smbclient_krb5.old.ccache..smbclient.ktest:local
|
||||
^samba3.blackbox.smbclient_krb5.new.ccache..smbclient.ktest:local
|
||||
^samba3.blackbox.smbclient_large_file..krb5.smbclient.large.posix.write.read.ktest:local
|
||||
^samba3.blackbox.smbclient_large_file..krb5.cmp.of.read.and.written.files.ktest:local
|
||||
^samba3.blackbox.smbclient_krb5.old.ccache.--client-protection=encrypt.smbclient.ktest:local
|
||||
^samba3.blackbox.smbclient_krb5.new.ccache.--client-protection=encrypt.smbclient.ktest:local
|
||||
^samba3.blackbox.smbclient_large_file.--client-protection=encrypt.krb5.smbclient.large.posix.write.read.ktest:local
|
||||
^samba3.blackbox.smbclient_large_file.--client-protection=encrypt.krb5.cmp.of.read.and.written.files.ktest:local
|
@ -1947,7 +1947,7 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
|
||||
{
|
||||
struct passwd *pw = NULL;
|
||||
char *p = NULL;
|
||||
char *username = NULL;
|
||||
const char *username = NULL;
|
||||
|
||||
/* we only save a copy of the username it has been mangled
|
||||
by winbindd use default domain */
|
||||
@ -1966,48 +1966,55 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
|
||||
/* code for a DOMAIN\user string */
|
||||
|
||||
if ( p ) {
|
||||
pw = Get_Pwnam_alloc( mem_ctx, domuser );
|
||||
if ( pw ) {
|
||||
/* make sure we get the case of the username correct */
|
||||
/* work around 'winbind use default domain = yes' */
|
||||
const char *domain = NULL;
|
||||
|
||||
if ( lp_winbind_use_default_domain() &&
|
||||
!strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
|
||||
char *domain;
|
||||
/* split the domain and username into 2 strings */
|
||||
*p = '\0';
|
||||
domain = username;
|
||||
p++;
|
||||
username = p;
|
||||
|
||||
/* split the domain and username into 2 strings */
|
||||
*p = '\0';
|
||||
domain = username;
|
||||
|
||||
*p_save_username = talloc_asprintf(mem_ctx,
|
||||
"%s%c%s",
|
||||
domain,
|
||||
*lp_winbind_separator(),
|
||||
pw->pw_name);
|
||||
if (!*p_save_username) {
|
||||
TALLOC_FREE(pw);
|
||||
return NULL;
|
||||
}
|
||||
} else {
|
||||
*p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
|
||||
}
|
||||
|
||||
/* whew -- done! */
|
||||
return pw;
|
||||
if (strequal(domain, get_global_sam_name())) {
|
||||
/*
|
||||
* This typically don't happen
|
||||
* as check_sam_Security()
|
||||
* don't call make_server_info_info3()
|
||||
* and thus check_account().
|
||||
*
|
||||
* But we better keep this.
|
||||
*/
|
||||
goto username_only;
|
||||
}
|
||||
|
||||
/* setup for lookup of just the username */
|
||||
/* remember that p and username are overlapping memory */
|
||||
|
||||
p++;
|
||||
username = talloc_strdup(mem_ctx, p);
|
||||
if (!username) {
|
||||
pw = Get_Pwnam_alloc( mem_ctx, domuser );
|
||||
if (pw == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
/* make sure we get the case of the username correct */
|
||||
/* work around 'winbind use default domain = yes' */
|
||||
|
||||
if ( lp_winbind_use_default_domain() &&
|
||||
!strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
|
||||
*p_save_username = talloc_asprintf(mem_ctx,
|
||||
"%s%c%s",
|
||||
domain,
|
||||
*lp_winbind_separator(),
|
||||
pw->pw_name);
|
||||
if (!*p_save_username) {
|
||||
TALLOC_FREE(pw);
|
||||
return NULL;
|
||||
}
|
||||
} else {
|
||||
*p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
|
||||
}
|
||||
|
||||
/* whew -- done! */
|
||||
return pw;
|
||||
|
||||
}
|
||||
|
||||
/* just lookup a plain username */
|
||||
|
||||
username_only:
|
||||
pw = Get_Pwnam_alloc(mem_ctx, username);
|
||||
|
||||
/* Create local user if requested but only if winbindd
|
||||
|
Loading…
Reference in New Issue
Block a user