sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-15 23:24:37 +03:00
Code
samba-mirror/source3
History
Andrew Bartlett 0a546be052 CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails 
Before the CVE-2020-25717 fixes we had a fallback from
getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
unpredictable.

Now we do the fallback based on sid_to_uid() followed by
getpwuid() on the returned uid.

This obsoletes 'username map [script]' based workaround adviced
for CVE-2020-25717, when nss_winbindd is not used or
idmap_nss is actually used.

In future we may decide to prefer or only do the SID/UID based
lookup, but for now we want to keep this unchanged as much as possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

[metze@samba.org moved the new logic into the fallback codepath only
 in order to avoid behavior changes as much as possible]
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184
2021-11-15 19:01:56 +00:00
..
auth
CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails
2021-11-15 19:01:56 +00:00
build
client
smbclient: Use cli_checkpath in "cd" command
2021-11-11 19:08:37 +00:00
exports
groupdb
lib: relicense smb_strtoul(l) under LGPLv3
2020-08-03 22:21:02 +00:00
include
vfs: Fix a few typos
2021-11-11 19:08:37 +00:00
intl
lib
lib: Use a direct struct initialization
2021-11-11 19:08:37 +00:00
libads
s3-libnet_join: return account rid in libnet_JoinCtx
2021-07-14 16:49:30 +00:00
libgpo/gpext
libnet
s3-libnet_join: always check config correctness while joining offline
2021-07-14 16:49:30 +00:00
librpc
s3:librpc: Improve calling of krb5_kt_end_seq_get()
2021-11-03 08:36:00 +00:00
libsmb
libsmb: Move cli_qfilename() to its only user in torture.c
2021-11-11 19:08:37 +00:00
locale
pam_winbind/ro.po: fix error from previous patch merge
2020-10-29 20:49:16 +00:00
locking
smbd: Simplify mark_share_mode_disconnected()
2021-08-06 18:09:06 +00:00
modules
vfs: Use cp_smb_filename_nostream() in vfswrap_parent_pathname()
2021-11-11 19:08:37 +00:00
nmbd
source3: move lib/substitute.c functions out of proto.h
2021-11-11 13:49:32 +00:00
param
source3: move lib/substitute.c functions out of proto.h
2021-11-11 13:49:32 +00:00
passdb
source3: move lib/substitute.c functions out of proto.h
2021-11-11 13:49:32 +00:00
printing
samba-bgqd: fix startup and logging
2021-11-11 13:49:32 +00:00
profile
registry
CVE-2020-25717: Add FreeIPA domain controller role
2021-11-09 19:45:33 +00:00
rpc_client
rpc_client: Align cli_api_pipe_send() with tevent_req() conventions
2021-08-24 17:32:29 +00:00
rpc_server
IPA DC: add missing checks
2021-11-13 07:01:26 +00:00
rpcclient
CVE-2020-25717: s3:rpcclient: start with authoritative = 1
2021-11-09 19:45:32 +00:00
script
CI: add a test for bug 14882
2021-11-04 19:04:31 +00:00
selftest
CI: add a test for bug 14882
2021-11-04 19:04:31 +00:00
services
smbd
smbd: Convert ret==false into !ret
2021-11-11 19:59:03 +00:00
torture
libsmb: Move cli_qfilename() to its only user in torture.c
2021-11-11 19:08:37 +00:00
utils
smbd: Remove unused "struct connections_key"
2021-11-11 19:08:37 +00:00
web
winbindd
CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain
2021-11-15 18:10:28 +00:00
.clang_complete
.dmallocrc
.indent.pro
Doxyfile
mainpage.dox
smbadduser.in
wscript
Fix detection of rpc/xdr.h on macOS
2021-10-13 02:33:05 +00:00
wscript_build
libsmb: move reparse_symlink to libcli/smb/
2021-11-11 19:08:37 +00:00
wscript_configure_system_ncurses