From b9d8f8025b7122cab64c37e5042866c66b556016 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Tue, 28 Sep 2021 10:43:40 +0200
Subject: [PATCH 113/266] CVE-2020-25717: loadparm: Add new parameter "min
domain uid"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org Backported from master/4.15 due to
conflicts with other new parameters]
---
docs-xml/smbdotconf/security/mindomainuid.xml | 17 +++++++++++++++++
docs-xml/smbdotconf/winbind/idmapconfig.xml | 4 ++++
lib/param/loadparm.c | 4 ++++
source3/param/loadparm.c | 2 ++
4 files changed, 27 insertions(+)
create mode 100644 docs-xml/smbdotconf/security/mindomainuid.xml
Conflict:NA
Reference:https://git.samba.org/samba.git/?p=samba.git;a=patch;h=b9d8f8025b7122cab64c37e5042866c66b556016
diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml b/docs-xml/smbdotconf/security/mindomainuid.xml
|
|
new file mode 100644
|
|
index 00000000000..46ae795d730
|
|
--- /dev/null
|
|
+++ b/docs-xml/smbdotconf/security/mindomainuid.xml
|
|
@@ -0,0 +1,17 @@
|
|
+<samba:parameter name="min domain uid"
|
|
+ type="integer"
|
|
+ context="G"
|
|
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
+<description>
|
|
+ <para>
|
|
+ The integer parameter specifies the minimum uid allowed when mapping a
|
|
+ local account to a domain account.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ Note that this option interacts with the configured <emphasis>idmap ranges</emphasis>!
|
|
+ </para>
|
|
+</description>
|
|
+
|
|
+<value type="default">1000</value>
|
|
+</samba:parameter>
|
|
diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml
|
|
index 1374040fb29..f70f11df757 100644
|
|
--- a/docs-xml/smbdotconf/winbind/idmapconfig.xml
|
|
+++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml
|
|
@@ -80,6 +80,9 @@
|
|
authoritative for a unix ID to SID mapping, so it must be set
|
|
for each individually configured domain and for the default
|
|
configuration. The configured ranges must be mutually disjoint.
|
|
+ </para>
|
|
+ <para>
|
|
+ Note that the low value interacts with the <smbconfoption name="min domain uid"/> option!
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
@@ -115,4 +118,5 @@
|
|
</programlisting>
|
|
|
|
</description>
|
|
+<related>min domain uid</related>
|
|
</samba:parameter>
|
|
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
|
|
index 006caabc092..d2f6e6241ad 100644
|
|
--- a/lib/param/loadparm.c
|
|
+++ b/lib/param/loadparm.c
|
|
@@ -3079,6 +3079,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
|
|
lpcfg_do_global_parameter(
|
|
lp_ctx, "ldap max search request size", "256000");
|
|
|
|
+ lpcfg_do_global_parameter(lp_ctx,
|
|
+ "min domain uid",
|
|
+ "1000");
|
|
+
|
|
for (i = 0; parm_table[i].label; i++) {
|
|
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
|
|
lp_ctx->flags[i] |= FLAG_DEFAULT;
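Review bot: The default of 1000 is now a bare literal in three unrelated places — the `"1000"` string handed to lpcfg_do_global_parameter() in this hunk, `Globals.min_domain_uid = 1000;` in the source3/param/loadparm.c hunk, and `<value type="default">1000</value>` in the new mindomainuid.xml — with nothing tying them together, so a later edit to one can silently drift from the others. A one-line comment above the new call would at least make the coupling visible: `/* Default must match <value type="default"> in docs-xml/smbdotconf/security/mindomainuid.xml and init_globals() in source3/param/loadparm.c. */`. It would also help to record why the floor exists, since the only hint is the CVE number in the subject: this parameter is the knob the CVE-2020-25717 series uses to refuse mapping a domain account onto a low (typically system-reserved) uid, and nothing in this patch enforces it yet — presumably a later patch in the series reads it through the generated accessor. The diffstat touches no parameter table, so the registration of "min domain uid" and its Globals field presumably come from the tables generated from the new XML file; that is worth a sentence in the commit message for anyone bisecting the backport. loadparm_init() begins before this hunk, and the unchecked return of lpcfg_do_global_parameter() matches the neighbouring "ldap max search request size" call rather than being new to this change.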
|
|
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
|
|
index a3abaa2ec67..301e3622ed4 100644
|
|
--- a/source3/param/loadparm.c
|
|
+++ b/source3/param/loadparm.c
|
|
@@ -960,6 +960,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
|
|
Globals.ldap_max_authenticated_request_size = 16777216;
|
|
Globals.ldap_max_search_request_size = 256000;
|
|
|
|
+ Globals.min_domain_uid = 1000;
|
|
+
|
|
/* Now put back the settings that were set with lp_set_cmdline() */
|
|
apply_lp_set_cmdline();
|
|
}
|
|
--
2.23.0