mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00
samba-mirror/source3/auth
Jeremy Allison 8587734bf9 CVE-2021-20251 s3: ensure bad password count atomic updates
The bad password count is supposed to limit the number of failed login
attempts a user can make before being temporarily locked out, but race
conditions between processes have allowed determined attackers to make
many more than the specified number of attempts.  This is especially
bad on constrained or overcommitted hardware.

To fix this, once a bad password is detected, we reload the sam account
information under a user-specific mutex, ensuring we have an up-to-date
bad password count.

Discovered by Nathaniel W. Turner.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-12 23:07:38 +00:00
auth_builtin.c s3: safe_string: do not include string_wrappers.h 2020-08-28 00:56:34 +00:00
auth_generic.c source3: move lib/substitute.c functions out of proto.h 2021-11-11 13:49:32 +00:00
auth_ntlmssp.c source3: move lib/substitute.c functions out of proto.h 2021-11-11 13:49:32 +00:00
auth_sam.c CVE-2020-25717: Add FreeIPA domain controller role 2021-11-09 19:45:33 +00:00
auth_samba4.c CVE-2020-25717: s3:auth: start with authoritative = 1 2021-11-09 19:45:32 +00:00
auth_unix.c auth: Fix a typo 2021-09-07 18:26:33 +00:00
auth_util.c s3:auth: make_user_info_map() should not set mapped_state 2022-03-10 03:16:35 +00:00
auth_winbind.c auth: Remove the "typedef auth_methods" 2020-01-06 01:47:30 +00:00
auth.c CVE-2020-25717: Add FreeIPA domain controller role 2021-11-09 19:45:33 +00:00
check_samsec.c CVE-2021-20251 s3: ensure bad password count atomic updates 2022-09-12 23:07:38 +00:00
pampass.c s3: safe_string: do not include string_wrappers.h 2020-08-28 00:56:34 +00:00
pass_check.c auth: Remove support for HAVE_TRUNCATED_SALT from pass_check.c 2014-04-15 12:32:09 +02:00
proto.h CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments 2021-11-09 19:45:33 +00:00
server_info_sam.c s3: auth: Andrew noticed f585f01148 doesn't keep the same logic. 2021-09-08 06:38:21 +00:00
server_info.c auth3: Use talloc_move() instead of talloc_steal() 2021-04-19 18:18:31 +00:00
token_util.c auth3: Align integer types 2021-03-16 17:09:32 +00:00
user_info.c pdb: Reduce code duplication in make_user_info() 2018-10-09 01:22:53 +02:00
user_krb5.c CVE-2020-25717: s3-auth: fix MIT Realm regression 2021-12-03 12:05:42 +00:00
user_util.c lib/util/access: source3/auth/user_util: Check for INNETGR 2022-08-08 07:28:31 +00:00
wscript_build s3:smbd: Remove NIS support 2021-04-22 17:57:30 +00:00