From ce47a81eb5f79dd3f54b300f6a9a7ccac9c1296a Mon Sep 17 00:00:00 2001
From: Samuel Cabrero
Date: Tue, 28 Sep 2021 10:45:11 +0200
Subject: [PATCH 117/266] CVE-2020-25717: s3:auth: Check minimum domain uid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher
Signed-off-by: Samuel Cabrero
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
[abartlet@samba.org Removed knownfail on advice from metze]
---
 source3/auth/auth_util.c | 16 ++++++++++++++++
 1 files changed, 16 insertions(+)
 delete mode 100644 selftest/knownfail.d/min_domain_uid
Conflict:delete a chunk which delete a file do not exist
Reference:https://git.samba.org/samba.git/?p=samba.git;a=patch;h=ce47a81eb5f79dd3f54b300f6a9a7ccac9c1296a
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 4686b29111e..4de4bc74374 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -2103,6 +2103,22 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 }
 }
 goto out;
+ } else if ((lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) &&
+ !is_myname(domain) && pwd->pw_uid < lp_min_domain_uid()) {
+ /*
+ * !is_myname(domain) because when smbd starts tries to setup
+ * the guest user info, calling this function with nobody
+ * username. Nobody is usually uid 65535 but it can be changed
+ * to a regular user with 'guest account' parameter
+ */
+ nt_status = NT_STATUS_INVALID_TOKEN;
+ DBG_NOTICE("Username '%s%s%s' is invalid on this system, "
+ "it does not meet 'min domain uid' "
+ "restriction (%u < %u): %s\n",
+ nt_domain, lp_winbind_separator(), nt_username,
+ pwd->pw_uid, lp_min_domain_uid(),
+ nt_errstr(nt_status));
+ goto out;
 }
 
 result = make_server_info(tmp_ctx);
-- 
2.23.0
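Review bot: The two `%u` conversions in the new DBG_NOTICE call assume both `pwd->pw_uid` (a `uid_t`) and the return value of `lp_min_domain_uid()` are `unsigned int`; `uid_t` is not `unsigned int` on every platform, and if `lp_min_domain_uid()` returns a plain `int` (as integer lp_ parameters generally do — its declaration is not in the hunk) the comparison `pwd->pw_uid < lp_min_domain_uid()` is a signed/unsigned compare, so a negative configured value would promote to a large unsigned and reject every domain user, which is a denial-of-service misconfiguration rather than a safe default. I would pass explicit casts to the log call, `(unsigned int)pwd->pw_uid, (unsigned int)lp_min_domain_uid(),`, and have the parameter range-checked at load time so the comparison here only ever sees a non-negative value. The `!is_myname(domain)` exemption is the load-bearing part of the check and deserves a sharper comment than the current one; I would reword it as `* when smbd starts it tries to set up the guest user info and calls this function with the 'guest account' name, which is a local (not domain) user and must not be rejected by 'min domain uid'`. make_server_info_info3 begins and ends outside the hunk, so whether `pwd` can be NULL at this point cannot be confirmed from the visible lines.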