packages/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
samba/backport-0007-CVE-2022-38023.patch
xinghe 78769b5f0b fix CVE-2022-38023
2023-01-18 07:54:39 +00:00

105 lines
3.7 KiB
Diff
Raw Blame History

From f1cb8950583c12eaa5cbe907d0b16923f7187541 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 14:59:36 +0100
Subject: [PATCH 06/29] CVE-2022-38023 s3:winbindd: also allow per domain
"winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
This avoids advising insecure defaults for the global options.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit d60828f6391307a59abaa02b72b6a8acf66b2fef)
Conflict: context applocation
Reference: https://attachments.samba.org/attachment.cgi?id=17698
---
source3/winbindd/winbindd_cm.c | 41 +-
1 files changed, 33 insertions(+), 8 deletions(-)
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 0e671ca..c052dfe 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2725,6 +2725,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
struct netlogon_creds_cli_context *p_creds;
struct cli_credentials *creds = NULL;
bool retry = false; /* allow one retry attempt for expired session */
+ bool sealed_pipes = true;
+ bool strong_key = true;
if (sid_check_is_our_sam(&domain->sid)) {
if (domain->rodc == false || need_rw_dc == false) {
@@ -2898,14 +2900,24 @@ retry:
anonymous:
+ sealed_pipes = lp_winbind_sealed_pipes();
+ sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
+ domain->name,
+ sealed_pipes);
+ strong_key = lp_require_strong_key();
+ strong_key = lp_parm_bool(-1, "require strong key",
+ domain->name,
+ strong_key);
+
/* Finally fall back to anonymous. */
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ if (sealed_pipes || strong_key) {
status = NT_STATUS_DOWNGRADE_DETECTED;
DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
"without connection level security, "
- "must set 'winbind sealed pipes = false' and "
- "'require strong key = false' to proceed: %s\n",
- domain->name, nt_errstr(status)));
+ "must set 'winbind sealed pipes:%s = false' and "
+ "'require strong key:%s = false' to proceed: %s\n",
+ domain->name, domain->name, domain->name,
+ nt_errstr(status)));
goto done;
}
status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
@@ -3052,6 +3064,8 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
struct netlogon_creds_cli_context *p_creds;
struct cli_credentials *creds = NULL;
bool retry = false; /* allow one retry attempt for expired session */
+ bool sealed_pipes = true;
+ bool strong_key = true;
retry:
result = init_dc_connection_rpc(domain, false);
@@ -3207,13 +3221,24 @@ retry:
goto done;
}
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ sealed_pipes = lp_winbind_sealed_pipes();
+ sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
+ domain->name,
+ sealed_pipes);
+ strong_key = lp_require_strong_key();
+ strong_key = lp_parm_bool(-1, "require strong key",
+ domain->name,
+ strong_key);
+
+ /* Finally fall back to anonymous. */
+ if (sealed_pipes || strong_key) {
result = NT_STATUS_DOWNGRADE_DETECTED;
DEBUG(1, ("Unwilling to make LSA connection to domain %s "
"without connection level security, "
- "must set 'winbind sealed pipes = false' and "
- "'require strong key = false' to proceed: %s\n",
- domain->name, nt_errstr(result)));
+ "must set 'winbind sealed pipes:%s = false' and "
+ "'require strong key:%s = false' to proceed: %s\n",
+ domain->name, domain->name, domain->name,
+ nt_errstr(result)));
goto done;
}
--
2.27.0
Reference in New Issue View Git Blame Copy Permalink