samba/backport-0006-CVE-2020-25717-winbindd-allow-idmap-backends-to-mark.patch
haochenstar 8378df4821 fix CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2016-2124,CVE-2021-3738
(cherry picked from commit aee849c6c0708056f62f6445e3b5274d1cec6408)
2022-01-19 11:41:35 +08:00


From 04e10a843187810e97bf565731ddc5d70b0f4245 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 15 Sep 2020 17:26:11 +0200
Subject: [PATCH 027/266] CVE-2020-25717 winbindd: allow idmap backends to mark
entries with ID_[TYPE_WB_]REQUIRE_TYPE
This must only be used between winbindd parent and child!
It must not leak into outside world.
Some backends require ID_TYPE_UID or ID_TYPE_GID as type_hint,
while others may only need ID_TYPE_BOTH in order to validate that
the domain exists.
This will allow us to skip the wb_lookupsids_send/recv in the winbindd parent
in future and only do that on demand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 493f5d6b078e0b0f80d1ef25043e2834cb4fcb87)
---
librpc/idl/idmap.idl | 23 +++++++++++++++++--
source3/passdb/lookup_sid.c | 7 ++++++
source3/winbindd/idmap_autorid.c | 6 ++---
source3/winbindd/idmap_ldap.c | 29 ++++++++++++++++++++++++
source3/winbindd/idmap_rw.c | 32 +++++++++++++++++++++++++--
source3/winbindd/idmap_tdb_common.c | 22 +++++++++++++++++-
source3/winbindd/wb_sids2xids.c | 11 +++++++++
source3/winbindd/winbindd_dual_srv.c | 6 +++++
source3/winbindd/winbindd_getgroups.c | 7 ++++++
9 files changed, 135 insertions(+), 8 deletions(-)
Conflict: only the first chunk (librpc/idl/idmap.idl) is retained in this backport.
Reference:https://git.samba.org/samba.git/?p=samba.git;a=patch;h=04e10a843187810e97bf565731ddc5d70b0f4245
diff --git a/librpc/idl/idmap.idl b/librpc/idl/idmap.idl
index 54fd888dcab..e58e39210c7 100644
--- a/librpc/idl/idmap.idl
+++ b/librpc/idl/idmap.idl
@@ -11,7 +11,18 @@ interface idmap
ID_TYPE_NOT_SPECIFIED,
ID_TYPE_UID,
ID_TYPE_GID,
- ID_TYPE_BOTH
+ ID_TYPE_BOTH,
+ /*
+ * This are internal between winbindd
+ * parent and child.
+ *
+ * It means the idmap backend/child requires a valid type_hint
+ * for wbint_Sids2UnixIDs():
+ *
+ * - ID_TYPE_UID or ID_TYPE_GID means the user/group exists
+ * - ID_TYPE_BOTH means that only the domain exist
+ */
+ ID_TYPE_WB_REQUIRE_TYPE
} id_type;
typedef [public] struct {
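Review bot: The comment on the new ID_TYPE_WB_REQUIRE_TYPE value is ungrammatical and omits the one constraint the commit message states, that the value must never leave the winbindd parent/child channel; since `id_type` is declared `[public]` and therefore marshallable, the comment is the only place a reader of the IDL learns this. I would change `* This are internal between winbindd` / `* parent and child.` to `* This value is internal between the winbindd parent and child` / `* and must never be returned to callers outside winbindd.`, and in the second hunk (the `ID_REQUIRE_TYPE` member of `id_mapping`) change `* - ID_TYPE_BOTH means that only the domain exist` to `* - ID_TYPE_BOTH means that only the domain exists`. The preamble says the backport keeps only this IDL chunk while the diffstat still lists nine files, so the consumer-side handling of the new values (lookup_sid.c, wb_sids2xids.c, winbindd_dual_srv.c per the diffstat) is presumably carried by sibling patches in this series; it is worth confirming that those landed, as the enum values alone add no filtering.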
@@ -23,7 +34,15 @@ interface idmap
ID_UNKNOWN,
ID_MAPPED,
ID_UNMAPPED,
- ID_EXPIRED
+ ID_EXPIRED,
+ /*
+ * This means the idmap backend requires a valid type_hint
+ * in order to map a sid to a unix id.
+ *
+ * - ID_TYPE_UID or ID_TYPE_GID means the user/group exists
+ * - ID_TYPE_BOTH means that only the domain exist
+ */
+ ID_REQUIRE_TYPE
} id_mapping;
typedef [public] struct {
--
2.23.0