IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The performance of these is minimal (these days) and they can return
invalid results when used as part of applications that do not use
sys_fork().
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Mar 24 21:55:41 CET 2012 on sn-devel-104
We only need one notify_ctx per smbd. The notify_array can become quite large.
It's based on absolute paths, so there's no point in having a copy of the
complete array in memory multiple times.
Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Wed Mar 21 14:26:07 CET 2012 on sn-devel-104
This patch removes security=share, which Samba implemented by matching
the per-share password provided by the client in the Tree Connect with
a selection of usernames supplied by the client, the smb.conf or
guessed from the environment.
The rationale for the removal is that for the bulk of security=share
users, we just we need a very simple way to run a 'trust the network'
Samba server, where users mark shares as guest ok. This is still
supported, and the smb.conf options are documented at
https://wiki.samba.org/index.php/Public_Samba_Server
At the same time, this closes the door on one of the most arcane areas
of Samba authentication.
Naturally, full user-name/password authentication remain available in
security=user and above.
This includes documentation updates for username and only user, which
now only do a small amount of what they used to do.
Andrew Bartlett
--------------
/ \
/ REST \
/ IN \
/ PEACE \
/ \
| SEC_SHARE |
| security=share |
| |
| |
| 5 March |
| |
| 2012 |
*| * * * | *
_________)/\\_//(\/(/\)/\//\/\///|_)_______
the share security mask, take priviliges into account for the connecting
user.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Tue Feb 28 20:21:26 CET 2012 on sn-devel-104
This matches the name used elsewhere in the code.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Feb 25 05:24:19 CET 2012 on sn-devel-104
connection_struct as a parameter, fix the interface to allow
it to return an NTSTATUS.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Thu Jan 19 07:25:49 CET 2012 on sn-devel-104
Ensure the cnum used to claim the connection for SMB2 is the
id that will be used for the SMB2 tcon. Based on code from
Ira Cooper <ira@wakeful.net>.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Jan 18 23:14:32 CET 2012 on sn-devel-104
Instead, we base our guest calculations on the presence or absense of the
authenticated users group in the token, ensuring that we have only
one canonical source of this important piece of authorization data
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This patch finally has the same structure being used to describe the
authorization data of a user across the whole codebase.
This will allow of our session handling to be accomplished with common code.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This makes auth3_session_info identical to auth_session_info
The logic to convert the info3 to a struct auth_user_info is
essentially moved up the stack from the named pipe proxy in
source3/rpc_server to create_local_token().
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This brings this structure one step closer to the struct auth_session_info.
A few SMB_ASSERT calls are added in some key places to ensure that
this pointer is initialised, to make tracing any bugs here easier in
future.
NOTE: Many of the users of this structure should be reviewed, as unix
and NT access checks are mixed in a way that should just be done using
the NT ACL. This patch has not changed this behaviour however.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This seperation between the structure used inside the auth modules and
in the wider codebase allows for a gradual migration from struct
auth_serversupplied_info -> struct auth_session_info (from auth.idl)
The idea here is that we keep a clear seperation between the structure
before and after the local groups, local user lookup and the session
key modifications have been processed, as the lack of this seperation
has caused issues in the past.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This has been a wrapper around server_event_context() for some time
now, and removing this from dummmysmbd.c assists with library
dependencies.
Andrew Bartlett
The dependency chain of find_service can't be satisfied sensibly
outside smbd, so don't include this in the main 'param' subsystem.
Also remove the duplicate find_service() and conn_snum_used() from
dummysmbd.c: The WAF build does not need these dummies any more, but
file.
Andrew Bartlett
Before a auth_serversupplied_info struct can be used for
authorization, the local groups and privileges must be calculated.
create_local_token() now copies the server_info, and then sets the
calulated token and unix groups.
Soon, it will also transform the result into an expanded struct
auth_session_info. Until then, the variable name (server_info vs
session_info provides a clue to the developer about what information
has been entered in the structure).
By moving the calls to create_local_token within the codebase, we
remove duplication, and ensure that the session key (where modified)
is consistently copied into the new structure.
Andrew Bartlett
Configuring force user/group settings for the print$ share currently has
unexpected results, this is explained by how the driver upload/add
process takes place. Consider the following example:
[print$]
path = /print-drv
write list = $DRIVER_UPLOAD_USER
force group = ntadmin
- the client connects to the [print$] share and uploads all driver
files to the /print-drv/W32X86 directory.
- This is permitted, as /print-drv/W32X86 is owned by group ntadmin, and
the "force group = ntadmin" takes effect for the [print$] session.
- Once all files are uploaded, the client connects to the [ipc$]
share and issues an AddPrinterDriverEx spoolss request.
- In handling this request move_driver_to_download_area() is called,
which attempts to create the directory /print-drv/W32X86/3
- The create directory fails, as it is done as the user connected to
the [ipc$] share which does not have permission to write to the driver
directory. The [print$] "force group = ntadmin" has no effect.
This is a regression from previous behaviour prior to the commit:
783ab04 Convert move_driver_to_download_area to use create_conn_struct.
https://bugzilla.samba.org/show_bug.cgi?id=7921
Signed-off-by: Andreas Schneider <asn@samba.org>
These variables, of type struct auth_serversupplied_info were poorly
named when added into 2001, and in good consistant practice, this has
extended all over the codebase in the years since.
The structure is also not ideal for it's current purpose. Originally
intended to convey the results of the authentication modules, it
really describes all the essential attributes of a session. This
rename will reduce the volume of a future patch to replaced these with
a struct auth_session_info, with auth_serversupplied_info confined to
the lower levels of the auth subsystem, and then eliminated.
(The new structure will be the output of create_local_token(), and the
change in struct definition will ensure that this is always run, populating
local groups and privileges).
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This will allow the auth_serversupplied_info struct to be migrated
to auth_session_info easier.
Adnrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
module, change the signature of VFS_REALPATH to always return a
malloc'ed string.
Needed to make some privileges work I plan on doing shortly
easier to code.
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Nov 20 02:15:50 CET 2010 on sn-devel-104
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.
This includes (along with other security headers) dom_sid.h and
security_token.h
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
This matches the structure that new code is being written to,
and removes one more of the old-style named structures, and
the need to know that is is just an alias for struct dom_sid.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
Move to a consistent get_FileIndex() function for all inode returns,
that checks if st_dev on the file is identical to the top directory
dev_t of the exported share, and if so uses the raw 64-bit inode
number. If it isn't (we've traversed a mount point) - return what
we used to do for Windows which is the concatination of the bottom
32-bits of the inode with the 32-bit device number. We can get more
creative with this over time (hashing?) if we want as now all inode returns go
through this single function.
Jeremy.
Re-arrange the operations order so SMB_VFS_CONNECT is done
first as root (to allow modules to correctly initialize themselves).
Reviewed modules to check if they needed CONNECT invoked as
a user (which we previously did) and it turns out any of them
that cared needed root permissions anyway.
Jeremy.
Cause all exit paths to go through one place, where all cleanup is
done. change_to_root_user() for pathname operations that should succeed if
the path exists, even if the connecting user has no access.
For example, a share can now be defined with a path of /root/only/access
(where /root/only/access is a directory path with all components only
accessible to root e.g. root owned, permissions 700 on every component).
Non-root users will now correctly connect, but get ACCESS_DENIED on
all activities (which matches Windows behavior). Previously, non-root
users would get NT_STATUS_BAD_NETWORK_NAME on doing a TConX to this
share, even though it's a perfectly valid share path (just not accessible
to them).
This change was inspired by the research I did for bug #7126, which
was reported by bepi@adria.it.
As this is a change in a core function, I'm proposing to leave
this only in master for 3.6.0, not back-port to any existing releases.
This should give us enough time to decide if this is the way we want this to
behave (as Windows) or if we prefer the previous behavior.
Jeremy.
As tridge's comment says, we should be ignoring ACCESS_DENIED
on the share path in a TconX call, instead allowing the mount
and having individual SMB calls fail (as Windows does). The
original code erroneously caught SMB_VFS_STAT != 0 and errored
out on that.
Jeremy.
Volker pointed out that the preexec scripts get passed the conn->connectpath
as a parameter, so call canonicalize_connect_path() both *before* and after
the preexec scripts. Ignore errors on the call before the preexec scripts,
as the path may not exist until created by the preexec scripts.
Jeremy.
Bug reported by Ralf Zimmermann <r.zimmermann@siegnetz.de>. Reproduced by jra.
If the target directory of a share doesn't exist, but is designed to
be created by a "root preexec" script call, then the widelinks check
is done too early - thus preventing the user from connecting to the
share.
Fix is to re-arrange the order of checks in make_connection_snum()
to always do the following order of operations:
(1). Turn off wide links if unix extensions = yes.
(2). Call any root preexec scripts.
(3). Canonicalize the share path to remove any symlinks (ie. end
up with the realpath in the connection_struct).
Jeremy.
Change parameter "wide links" to default to "no".
Ensure "wide links = no" if "unix extensions = yes" on a share.
Fix man pages to refect this.
Remove "within share" checks for a UNIX symlink set - even if
widelinks = no. The server will not follow that link anyway.
Correct DEBUG message in check_reduced_name() to add missing "\n"
so it's really clear when a path is being denied as it's outside
the enclosing share path.
Jeremy.
The destname malloc size was not taking into account the 1 extra byte
needed if a string without a leading '/' was passed in and that slash
was added.
This would cause the '\0' byte to be written past the end of the
malloced destname string and corrupt whatever heap memory was there.
This problem would be hit if a share name was given in smb.conf without
a leading '/' and if it was the exact size of the allocated STRDUP memory
which in some implementations of malloc is a power of 2.
I don't think we need to log the fact that a user gave a wrong sharename in Explorer with the highest log level.
The level of this was not very consistent:
service.c: DEBUG(3,("find_service() failed to find service %s\n", service));
service.c: DEBUG(0,("%s (%s) couldn't find service %s\n",
smb2_tcon.c: DEBUG(1,("smbd_smb2_tree_connect: couldn't find service %s\n",
This changes the last two to 3 as the first one.
Signed-off-by: Christian Ambach <christian.ambach@de.ibm.com>
===========================================================
== Subject: Misconfigured /etc/passwd file may share folders unexpectedly
==
== CVE ID#: CVE-2009-2813
==
== Versions: All versions of Samba later than 3.0.11
==
== Summary: If a user in /etc/passwd is misconfigured to have
== an empty home directory then connecting to the home
== share of this user will use the root of the filesystem
== as the home directory.
===========================================================
On filesystems that can't store less than one second timestamps,
round the incoming timestamp set requests so the client can't discover
that a time set request has been truncated by the filesystem.
Needs backporting to 3.4, 3.3, 3.2 and (even) 3.0.
Jeremy
this changes the level of logs caused by users trying to access shares
or subdirectories for which they do not have access to in the ACL
this can fill up the samba log even with log level 0 and is more an
expected kind of logs that IMHO should not be logged with such a high
level.
All other errors while chdir() will still be logged with level 0
Signed-off-by: Christian Ambach <christian.ambach@de.ibm.com>
s3: Make smbd aware of permission change of usershare. Since usershare are relatively volatile and
non-previledge users must disconnect from smbd and reconnect to it to make share permission in effect.
For now. This is a feature request and I think we need
to design it a little differently so as not to touch
core change_to_user() code.
Jeremy.
This patch introduces two new temporary helper functions
vfs_stat_smb_fname and vfs_lstat_smb_fname. They basically allowed me
to call the new smb_filename version of stat, while avoiding plumbing
it through callers that are still too inconvenient. As the conversion
moves along, I will be able to remove callers of this, with the goal
being to remove all callers.
There was also a bug in create_synthetic_smb_fname_split (also a
temporary utility function) that caused it to incorrectly handle
filenames with ':'s in them when in posix mode. This is now fixed.
This patch introduces
struct stat_ex {
dev_t st_ex_dev;
ino_t st_ex_ino;
mode_t st_ex_mode;
nlink_t st_ex_nlink;
uid_t st_ex_uid;
gid_t st_ex_gid;
dev_t st_ex_rdev;
off_t st_ex_size;
struct timespec st_ex_atime;
struct timespec st_ex_mtime;
struct timespec st_ex_ctime;
struct timespec st_ex_btime; /* birthtime */
blksize_t st_ex_blksize;
blkcnt_t st_ex_blocks;
};
typedef struct stat_ex SMB_STRUCT_STAT;
It is really large because due to the friendly libc headers playing macro
tricks with fields like st_ino, so I renamed them to st_ex_xxx.
Why this change? To support birthtime, we already have quite a few #ifdef's at
places where it does not really belong. With a stat struct that we control, we
can consolidate the nanosecond timestamps and the birthtime deep in the VFS
stat calls.
At this moment it is triggered by a request to support the birthtime field for
GPFS. GPFS does not extend the system level struct stat, but instead has a
separate call that gets us the additional information beyond posix. Without
being able to do that within the VFS stat calls, that support would have to be
scattered around the main smbd code.
It will very likely break all the onefs modules, but I think the changes will
be reasonably easy to do.
instead of reading the registry directly with tdb and activating the
configure options by hand.
This eliminates the need for repeating checks done in loadparm.
For instance it disables registry shares without path in the server
as is the case with text based shares.
Michael
We need to store the "force group" uid separately from the
conn->server_info token as we need to apply it separately also.
Volker PLEASE CHECK !
Jeremy.
Now that we have a token that is correctly set up with gids already, this saves
manual translation of the SIDs to GIDs.
(This used to be commit 6136a6d9d7)
This will replace all the user identity stuff in connection_struct, for now it
is just a source where the other fields in connection_struct are filled from.
(This used to be commit 0f53f9e7db)
It turns out that this is a necessary operation, separate from statvfs. statvfs
can fail during tcon, so conn->fs_capabilities would never see that we support
streams on a particular share.
James, can you check that I got the darwin variant right? Thanks!
(This used to be commit 3ad798d803)
Now homes and printers shares can be accessed through the
registry meachanism on demand in pure registry configurations
with "config backend = registry" without the need to
have a special handler for these two.
Michael
(This used to be commit eec3248ef9)
on a share (or global) and have the server reply with
ACCESS_DENIED for all non-encrypted traffic (except
that used to query encryption requirements and set
encryption state).
Jeremy.
(This used to be commit d241bfa577)
This change alters the Samba connection code to cache the filesystem
capabilities when a new client connects. This can be used to enable
filesystem specific optimisations is a general manner.
(This used to be commit de3c5b808a)
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3c)
the main server code paths. We should now be able to cope with
paths up to PATH_MAX length now.
Final job will be to add the TALLOC_CTX * parameter to
unix_convert to make it explicit (for Volker).
Jeremy.
(This used to be commit 7f0db75fb0)
