diff --git a/SOURCES/samba-4.16-share-enum.patch b/SOURCES/samba-4.16-share-enum.patch
new file mode 100644
index 0000000..d21ab77
--- /dev/null
+++ b/SOURCES/samba-4.16-share-enum.patch
@@ -0,0 +1,59 @@
+From 5c8e34cae96ee65d34da61801a0f04c562006369 Mon Sep 17 00:00:00 2001
+From: Andrew
+Date: Fri, 16 Dec 2022 08:16:10 -0800
+Subject: [PATCH] rpc_server:srvsvc - retrieve share ACL via root context
+
+share_info.tdb has permissions of 0o600 and so we need
+to become_root() prior to retrieving the security info.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15265
+
+Signed-off-by: Andrew Walker
+Reviewed-by: Jeremy Allison
+
+Autobuild-User(master): Jeremy Allison
+Autobuild-Date(master): Mon Dec 19 20:41:15 UTC 2022 on sn-devel-184
+
+(cherry picked from commit 80c0b416892bfacc0d919fe032461748d7962f05)
+---
+ source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
+index 233718ff310..fbc617c3ac1 100644
+--- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
++++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
+@@ -540,6 +540,7 @@ static bool is_hidden_share(int snum)
+ static bool is_enumeration_allowed(struct pipes_struct *p,
+ int snum)
+ {
++ bool allowed;
+ struct dcesrv_call_state *dce_call = p->dce_call;
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(dce_call);
+@@ -556,9 +557,19 @@ static bool is_enumeration_allowed(struct pipes_struct *p,
+ return false;
+ }
+
+- return share_access_check(session_info->security_token,
+- lp_servicename(talloc_tos(), lp_sub, snum),
+- FILE_READ_DATA, NULL);
++
++ /*
++ * share_access_check() must be opened as root
++ * because it ultimately gets a R/W db handle on share_info.tdb
++ * which has 0o600 permissions
++ */
++ become_root();
++ allowed = share_access_check(session_info->security_token,
++ lp_servicename(talloc_tos(), lp_sub, snum),
++ FILE_READ_DATA, NULL);
++ unbecome_root();
++
++ return allowed;
+ }
+
+ /****************************************************************************
+--
+2.34.1
+
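Review bot: The root bracket added to is_enumeration_allowed() covers more than its comment justifies: `lp_servicename(talloc_tos(), lp_sub, snum)` is evaluated as a call argument between `become_root()` and `unbecome_root()`, so the share-name lookup and substitution also run as root, although only the share_info.tdb access is said to need it. Resolving the name before the bracket, `const char *name = lp_servicename(talloc_tos(), lp_sub, snum);`, and passing `name` to `share_access_check()` would keep the privileged window to that one call. The comment would read more accurately as `share_access_check() must be called as root`. It could also state that the decision is still made against `session_info->security_token`, so that later edits do not move other checks into the root section. Part of the function body lies between the two inner hunks and is not shown, so whether the earlier checks depend on the caller's identity cannot be confirmed from here.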
diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 4bbf480..87cfd3e 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -134,7 +134,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global baserelease 4 +%global baserelease 6 %global samba_version 4.16.4 %global talloc_version 2.3.3 @@ -209,6 +209,7 @@ Patch0: samba-s4u.patch Patch1: samba-4.16-waf-crypto.patch Patch2: CVE-2022-38023-v4-16.patch Patch3: CVE-2022-38023-for-s3-v4-16.patch +Patch4: samba-4.16-share-enum.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -221,6 +222,7 @@ Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-common-tools = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +Requires: %{name}-dcerpc = %{samba_depver} %if %{with libwbclient} Requires(post): libwbclient = %{samba_depver} Requires: libwbclient = %{samba_depver} @@ -490,7 +492,7 @@ SMB/CIFS clients. ### COMMON-TOOLS %package common-tools -Summary: Tools for Samba servers and clients +Summary: Tools for Samba clients Requires: samba-common-libs = %{samba_depver} Requires: samba-client-libs = %{samba_depver} Requires: samba-libs = %{samba_depver} 
@@ -498,22 +500,41 @@ Requires: samba-libs = %{samba_depver} Requires: libwbclient = %{samba_depver} %endif +Provides: bundled(libreplace) + +%description common-tools +The samba-common-tools package contains tools for SMB/CIFS clients. + +### SAMBA-TOOLS +%package tools +Summary: Tools for Samba servers # samba-tool needs python3-samba Requires: python3-%{name} = %{samba_depver} # samba-tool needs tdbbackup Requires: tdb-tools -%if %{with dc} -# samba-tool needs python3-samba-dc on a full build +# samba-tool needs python3-samba-dc also on non-dc build Requires: python3-%{name}-dc = %{samba_depver} +%if %{with dc} # samba-tool needs mdb_copy for domain backup or upgrade provision Requires: lmdb %endif -Provides: bundled(libreplace) +%description tools +The samba-tools package contains tools for Samba servers +and for GPO management on domain members. -%description common-tools -The samba-common-tools package contains tools for Samba servers and -SMB/CIFS clients. +### RPC +%package dcerpc +Summary: DCE RPC binaries +Requires: samba-common-libs = %{samba_depver} +Requires: samba-client-libs = %{samba_depver} +Requires: samba-libs = %{samba_depver} +%if %{with libwbclient} +Requires: libwbclient = %{samba_depver} +%endif + +%description dcerpc +The samba-dcerpc package contains binaries that serve DCERPC over named pipes. ### DC %if %{with dc} || %{with testsuite} @@ -559,6 +580,9 @@ BuildArch: noarch %description dc-provision The samba-dc-provision package provides files to setup a domain controller +#endif with dc || with testsuite +%endif + ### DC-LIBS %package dc-libs Summary: Samba AD Domain Controller Libraries @@ -575,6 +599,7 @@ Provides: bundled(libreplace) The %{name}-dc-libs package contains the libraries needed by the DC to link against the SMB, RPC and other protocols. +%if %{with dc} || %{with testsuite} ### DC-BIND %package dc-bind-dlz Summary: Bind DLZ module for Samba AD 
@@ -751,9 +776,7 @@ Summary: Samba Python3 libraries Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} -%if %{with dc} Requires: %{name}-dc-libs = %{samba_depver} -%endif Requires: python3-talloc Requires: python3-tevent Requires: python3-tdb @@ -789,7 +812,6 @@ Requires: %{name}-libs = %{samba_depver} The python3-%{name}-test package contains the Python libraries used by the test suite of Samba. If you want to run full set of Samba tests, you need to install this package. -%if %{with dc} || %{with testsuite} %package -n python3-samba-dc Summary: Samba Python libraries for Samba AD Requires: %{name}-client-libs = %{samba_depver} @@ -799,7 +821,6 @@ Requires: python3-%{name} = %{samba_depver} %description -n python3-samba-dc The python3-%{name}-dc package contains the Python libraries needed by programs to manage Samba AD. -%endif ### PIDL %package pidl @@ -881,11 +902,13 @@ Requires(post): %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires(post): %{name}-libs = %{samba_depver} Requires: %{name}-winbind-modules = %{samba_depver} +Recommends: %{name}-tools = %{samba_depver} %if %{with libwbclient} Requires(post): libwbclient = %{samba_depver} Requires: libwbclient = %{samba_depver} %endif +Requires: %{name}-dcerpc = %{samba_depver} Provides: samba4-winbind = %{samba_depver} Obsoletes: samba4-winbind < %{samba_depver} @@ -987,6 +1010,7 @@ Summary: A Clustered Database based on Samba's Trivial Database (TDB) Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} +Requires: %{name}-winbind-clients = %{samba_depver} Requires: coreutils # for ps and killall 
@@ -1292,62 +1316,18 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so %if %{without dc} && %{without testsuite} for i in \ - %{_libdir}/samba/libdfs-server-ad-samba4.so \ - %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \ - %{_libdir}/samba/libscavenge-dns-records-samba4.so \ %{_mandir}/man8/samba.8 \ %{_mandir}/man8/samba_downgrade_db.8 \ %{_mandir}/man8/samba-gpupdate.8 \ %{_libdir}/samba/ldb/ildap.so \ %{_libdir}/samba/ldb/ldbsamba_extensions.so \ %{_unitdir}/samba.service \ - %{python3_sitearch}/samba/dcerpc/dnsserver.*.so \ - %{python3_sitearch}/samba/dnsserver.py \ - %{python3_sitearch}/samba/domain_update.py \ - %{python3_sitearch}/samba/forest_update.py \ - %{python3_sitearch}/samba/kcc/__init__.py \ - %{python3_sitearch}/samba/kcc/debug.py \ - %{python3_sitearch}/samba/kcc/graph.py \ - %{python3_sitearch}/samba/kcc/graph_utils.py \ - %{python3_sitearch}/samba/kcc/kcc_utils.py \ - %{python3_sitearch}/samba/kcc/ldif_import_export.py \ - %{python3_sitearch}/samba/kcc/__pycache__/__init__.*.pyc \ - %{python3_sitearch}/samba/kcc/__pycache__/debug.*.pyc \ - %{python3_sitearch}/samba/kcc/__pycache__/graph.*.pyc \ - %{python3_sitearch}/samba/kcc/__pycache__/graph_utils.*.pyc \ - %{python3_sitearch}/samba/kcc/__pycache__/kcc_utils.*.pyc \ - %{python3_sitearch}/samba/kcc/__pycache__/ldif_import_export.*.pyc \ - %{python3_sitearch}/samba/ms_forest_updates_markdown.py \ - %{python3_sitearch}/samba/ms_schema_markdown.py \ - %{python3_sitearch}/samba/provision/__init__.py \ - %{python3_sitearch}/samba/provision/backend.py \ - %{python3_sitearch}/samba/provision/common.py \ - %{python3_sitearch}/samba/provision/kerberos_implementation.py \ - %{python3_sitearch}/samba/provision/kerberos.py \ - %{python3_sitearch}/samba/provision/sambadns.py \ - %{python3_sitearch}/samba/provision/__pycache__/__init__.*.pyc \ - %{python3_sitearch}/samba/provision/__pycache__/backend.*.pyc \ - 
%{python3_sitearch}/samba/provision/__pycache__/common.*.pyc \ - %{python3_sitearch}/samba/provision/__pycache__/kerberos_implementation.*.pyc \ - %{python3_sitearch}/samba/provision/__pycache__/kerberos.*.pyc \ - %{python3_sitearch}/samba/provision/__pycache__/sambadns.*.pyc \ - %{python3_sitearch}/samba/__pycache__/domain_update.*.pyc \ - %{python3_sitearch}/samba/__pycache__/forest_update.*.pyc \ - %{python3_sitearch}/samba/__pycache__/ms_forest_updates_markdown.*.pyc \ - %{python3_sitearch}/samba/__pycache__/ms_schema_markdown.*.pyc \ - %{python3_sitearch}/samba/__pycache__/remove_dc.*.pyc \ - %{python3_sitearch}/samba/__pycache__/schema.*.pyc \ - %{python3_sitearch}/samba/__pycache__/uptodateness.*.pyc \ - %{python3_sitearch}/samba/remove_dc.py \ - %{python3_sitearch}/samba/samdb.py \ - %{python3_sitearch}/samba/schema.py \ %{python3_sitearch}/samba/third_party/iso8601/__init__.py \ %{python3_sitearch}/samba/third_party/iso8601/__pycache__/__init__.*.pyc \ %{python3_sitearch}/samba/third_party/iso8601/__pycache__/iso8601.*.pyc \ %{python3_sitearch}/samba/third_party/iso8601/__pycache__/test_iso8601.*.pyc \ %{python3_sitearch}/samba/third_party/iso8601/iso8601.py \ %{python3_sitearch}/samba/third_party/iso8601/test_iso8601.py \ - %{python3_sitearch}/samba/uptodateness.py \ %{_sbindir}/samba-gpupdate \ ; do rm -f %{buildroot}$i @@ -1649,15 +1629,6 @@ fi %dir %{_libexecdir}/samba %{_libexecdir}/samba/samba-bgqd -%{_libexecdir}/samba/samba-dcerpcd -%{_libexecdir}/samba/rpcd_classic -%{_libexecdir}/samba/rpcd_epmapper -%{_libexecdir}/samba/rpcd_fsrvp -%{_libexecdir}/samba/rpcd_lsad -%{_libexecdir}/samba/rpcd_mdssvc -%{_libexecdir}/samba/rpcd_rpcecho -%{_libexecdir}/samba/rpcd_spoolss -%{_libexecdir}/samba/rpcd_winreg %dir %{_datadir}/samba %dir %{_datadir}/samba/mdssvc 
@@ -1671,7 +1642,6 @@ fi %{_mandir}/man1/smbstatus.1* %{_mandir}/man8/eventlogadm.8* %{_mandir}/man8/samba-bgqd.8* -%{_mandir}/man8/samba-dcerpcd.8* %{_mandir}/man8/smbd.8* %{_mandir}/man8/nmbd.8* %{_mandir}/man8/vfs_acl_tdb.8* @@ -1962,11 +1932,11 @@ fi %{_libdir}/samba/pdb/smbpasswd.so %{_libdir}/samba/pdb/tdbsam.so +### COMMON-TOOLS %files common-tools %{_bindir}/net %{_bindir}/pdbedit %{_bindir}/profiles -%{_bindir}/samba-tool %{_bindir}/smbcontrol %{_bindir}/smbpasswd %{_bindir}/testparm @@ -1975,9 +1945,27 @@ fi %{_mandir}/man1/testparm.1* %{_mandir}/man8/net.8* %{_mandir}/man8/pdbedit.8* -%{_mandir}/man8/samba-tool.8* %{_mandir}/man8/smbpasswd.8* +### TOOLS +%files tools +%{_bindir}/samba-tool +%{_mandir}/man8/samba-tool.8* + +### RPC +%files dcerpc +%dir %{_libexecdir}/samba +%{_libexecdir}/samba/samba-dcerpcd +%{_libexecdir}/samba/rpcd_classic +%{_libexecdir}/samba/rpcd_epmapper +%{_libexecdir}/samba/rpcd_fsrvp +%{_libexecdir}/samba/rpcd_lsad +%{_libexecdir}/samba/rpcd_mdssvc +%{_libexecdir}/samba/rpcd_rpcecho +%{_libexecdir}/samba/rpcd_spoolss +%{_libexecdir}/samba/rpcd_winreg +%{_mandir}/man8/samba-dcerpcd.8* + ### DC %if %{with dc} || %{with testsuite} %files dc @@ -1993,7 +1981,6 @@ fi %{_libdir}/krb5/plugins/kdb/samba.so %{_libdir}/samba/auth/samba4.so -%{_libdir}/samba/libpac-samba4.so %dir %{_libdir}/samba/gensec %{_libdir}/samba/gensec/krb5.so %{_libdir}/samba/ldb/acl.so @@ -2058,9 +2045,15 @@ fi %license source4/setup/ad-schema/licence.txt %{_datadir}/samba/setup +#endif with dc || with testsuite +%endif ### DC-LIBS %files dc-libs +%{_libdir}/samba/libauth4-samba4.so + +%if %{with dc} || %{with testsuite} %{_libdir}/samba/libdb-glue-samba4.so +%{_libdir}/samba/libpac-samba4.so %{_libdir}/samba/libprocess-model-samba4.so %{_libdir}/samba/libservice-samba4.so 
@@ -2270,7 +2263,6 @@ fi %{_libdir}/libdcerpc-samr.so.* %{_libdir}/samba/libLIBWBCLIENT-OLD-samba4.so -%{_libdir}/samba/libauth4-samba4.so %{_libdir}/samba/libauth-unix-token-samba4.so %{_libdir}/samba/libdcerpc-samba4.so %{_libdir}/samba/libdnsserver-common-samba4.so @@ -2642,7 +2634,6 @@ fi %{_libdir}/libsamba-policy.*.so %{_libdir}/pkgconfig/samba-policy.*.pc -%if %{with dc} || %{with testsuite} %files -n python3-%{name}-dc %{python3_sitearch}/samba/samdb.py %{python3_sitearch}/samba/schema.py @@ -2658,7 +2649,9 @@ fi %{python3_sitearch}/samba/__pycache__/uptodateness.*.pyc %{python3_sitearch}/samba/dcerpc/dnsserver.*.so +%if %{with dc} || %{with testsuite} %{python3_sitearch}/samba/dckeytab.*.so +%endif %{python3_sitearch}/samba/domain_update.py %{python3_sitearch}/samba/forest_update.py %{python3_sitearch}/samba/ms_forest_updates_markdown.py @@ -2699,7 +2692,6 @@ fi %{python3_sitearch}/samba/remove_dc.py %{python3_sitearch}/samba/uptodateness.py -%endif %files -n python3-%{name}-test %dir %{python3_sitearch}/samba/tests @@ -4165,6 +4157,15 @@ fi %endif %changelog +* Thu Feb 16 2023 Pavel Filipenský - 4.16.4-6 +- resolves: rhbz#2170468 - Remove libnetapi dependency from dcerpc + +* Thu Feb 16 2023 Pavel Filipenský - 4.16.4-5 +- resolves: rhbz#2170394 - Fix share enum +- resolves: rhbz#2170467 - Add to package ctdb dependency for package samba-winbind-clients +- resolves: rhbz#2170468 - Add package dcerpc - fix winbind to retrieve user groups from AD +- resolves: rhbz#2170469 - Create package samba-tools + * Mon Jan 16 2023 Andreas Schneider - 4.16.4-4 - related: rhbz#2154369 - Add additional patch for CVE-2022-38023