sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-06 13:18:07 +03:00
Code
c15a9af8e5
samba-mirror/source3/rpc_server/rpcd_lsad.c
Andrew Bartlett 11ece30afa CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC 
Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.

Most critically of course this applies to netlogon, lsa and samr.

This avoids the supression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:40 +00:00

124 lines
3.1 KiB
C
Raw Blame History

/*
* Unix SMB/CIFS implementation.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "rpc_worker.h"
#include "librpc/gen_ndr/ndr_lsa.h"
#include "librpc/gen_ndr/ndr_lsa_scompat.h"
#include "librpc/gen_ndr/ndr_samr.h"
#include "librpc/gen_ndr/ndr_samr_scompat.h"
#include "librpc/gen_ndr/ndr_netlogon.h"
#include "librpc/gen_ndr/ndr_netlogon_scompat.h"
#include "librpc/gen_ndr/ndr_dssetup.h"
#include "librpc/gen_ndr/ndr_dssetup_scompat.h"
#include "source3/include/auth.h"
#include "source3/include/secrets.h"
static size_t lsad_interfaces(
const struct ndr_interface_table ***pifaces,
void *private_data)
{
static const struct ndr_interface_table *ifaces[] = {
&ndr_table_lsarpc,
&ndr_table_samr,
&ndr_table_dssetup,
/*
* This last item is truncated from the list by the
* num_ifaces -= 1 below for the fileserver. Take
* care when adding new services.
*/
&ndr_table_netlogon,
};
size_t num_ifaces = ARRAY_SIZE(ifaces);
switch(lp_server_role()) {
case ROLE_STANDALONE:
case ROLE_DOMAIN_MEMBER:
/* no netlogon for non-dc */
num_ifaces -= 1;
break;
case ROLE_ACTIVE_DIRECTORY_DC:
/*
* All these services are provided by the 'samba'
* binary from source4, not this code which is the
* source3 / NT4-like "classic" DC implementation
*/
num_ifaces = 0;
break;
default:
break;
}
*pifaces = ifaces;
return num_ifaces;
}
static size_t lsad_servers(
struct dcesrv_context *dce_ctx,
const struct dcesrv_endpoint_server ***_ep_servers,
void *private_data)
{
static const struct dcesrv_endpoint_server *ep_servers[4] = { NULL, };
size_t num_servers = ARRAY_SIZE(ep_servers);
bool ok;
ep_servers[0] = lsarpc_get_ep_server();
ep_servers[1] = samr_get_ep_server();
ep_servers[2] = dssetup_get_ep_server();
ep_servers[3] = netlogon_get_ep_server();
ok = secrets_init();
if (!ok) {
DBG_ERR("secrets_init() failed\n");
exit(1);
}
switch(lp_server_role()) {
case ROLE_STANDALONE:
case ROLE_DOMAIN_MEMBER:
/* no netlogon for non-dc */
num_servers -= 1;
break;
case ROLE_ACTIVE_DIRECTORY_DC:
/*
* All these services are provided by the 'samba'
* binary from source4, not this code which is the
* source3 / NT4-like "classic" DC implementation
*/
num_servers = 0;
break;
default:
break;
}
*_ep_servers = ep_servers;
return num_servers;
}
int main(int argc, const char *argv[])
{
return rpc_worker_main(
argc,
argv,
"rpcd_lsad",
5,
60,
lsad_interfaces,
lsad_servers,
NULL);
}
View Git Blame Copy Permalink