1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-06 13:18:07 +03:00
samba-mirror/source3/rpc_server/rpcd_epmapper.c
Andrew Bartlett 11ece30afa CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC
Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.

Most critically of course this applies to netlogon, lsa and samr.

This avoids the supression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:40 +00:00

88 lines
2.0 KiB
C

/*
* Unix SMB/CIFS implementation.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include "replace.h"
#include "rpc_worker.h"
#include "librpc/gen_ndr/ndr_epmapper.h"
#include "librpc/gen_ndr/ndr_epmapper_scompat.h"
#include "param/loadparm.h"
#include "libds/common/roles.h"
static size_t epmapper_interfaces(
const struct ndr_interface_table ***pifaces,
void *private_data)
{
static const struct ndr_interface_table *ifaces[] = {
&ndr_table_epmapper,
};
size_t num_ifaces = ARRAY_SIZE(ifaces);
switch(lp_server_role()) {
case ROLE_ACTIVE_DIRECTORY_DC:
/*
* On the AD DC epmapper is provided by the 'samba'
* binary from source4/
*/
num_ifaces = 0;
break;
default:
break;
}
*pifaces = ifaces;
return num_ifaces;
}
static size_t epmapper_servers(
struct dcesrv_context *dce_ctx,
const struct dcesrv_endpoint_server ***_ep_servers,
void *private_data)
{
static const struct dcesrv_endpoint_server *ep_servers[] = { NULL };
size_t num_servers = ARRAY_SIZE(ep_servers);
ep_servers[0] = epmapper_get_ep_server();
switch(lp_server_role()) {
case ROLE_ACTIVE_DIRECTORY_DC:
/*
* On the AD DC epmapper is provided by the 'samba'
* binary from source4/
*/
num_servers = 0;
break;
default:
break;
}
*_ep_servers = ep_servers;
return num_servers;
}
int main(int argc, const char *argv[])
{
return rpc_worker_main(
argc,
argv,
"rpcd_epmapper",
1,
10,
epmapper_interfaces,
epmapper_servers,
NULL);
}