diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2020-04-03 07:43:12 +0200 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2020-04-03 07:45:32 +0200 |
commit | 46ba7ec46d3cb4084489531ce10e71e17963495b (patch) | |
tree | 29e2dcba59c49704cc8c5ad3cf777503b33a40ad | |
parent | 63b8a5e4b9fad35855bfd733bf2f539cc223c6bc (diff) | |
download | alpine_aports-46ba7ec46d3cb4084489531ce10e71e17963495b.tar.bz2 alpine_aports-46ba7ec46d3cb4084489531ce10e71e17963495b.tar.xz alpine_aports-46ba7ec46d3cb4084489531ce10e71e17963495b.zip |
main/samba: fix CVE-2019-14902, CVE-2019-14907
fixes #11155
-rw-r--r-- | main/samba/APKBUILD | 7 | ||||
-rw-r--r-- | main/samba/samba-4.9.17-security-2020-01-21.patch | 1662 |
2 files changed, 1668 insertions, 1 deletions
diff --git a/main/samba/APKBUILD b/main/samba/APKBUILD index 1319269f8d..0904fb8147 100644 --- a/main/samba/APKBUILD +++ b/main/samba/APKBUILD | |||
@@ -1,7 +1,7 @@ | |||
1 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> | 1 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> |
2 | pkgname=samba | 2 | pkgname=samba |
3 | pkgver=4.8.12 | 3 | pkgver=4.8.12 |
4 | pkgrel=1 | 4 | pkgrel=2 |
5 | pkgdesc="Tools to access a server's filespace and printers via SMB" | 5 | pkgdesc="Tools to access a server's filespace and printers via SMB" |
6 | url="https://www.samba.org/" | 6 | url="https://www.samba.org/" |
7 | arch="all" | 7 | arch="all" |
@@ -79,6 +79,7 @@ source=" | |||
79 | bind-9.12.patch | 79 | bind-9.12.patch |
80 | missing-headers.patch | 80 | missing-headers.patch |
81 | samba-4.9.14-security-2019-10-29.patch | 81 | samba-4.9.14-security-2019-10-29.patch |
82 | samba-4.9.17-security-2020-01-21.patch | ||
82 | $pkgname.initd | 83 | $pkgname.initd |
83 | $pkgname.confd | 84 | $pkgname.confd |
84 | $pkgname.logrotate | 85 | $pkgname.logrotate |
@@ -87,6 +88,9 @@ pkggroups="winbind" | |||
87 | builddir="$srcdir/$pkgname-$pkgver" | 88 | builddir="$srcdir/$pkgname-$pkgver" |
88 | 89 | ||
89 | # secfixes: | 90 | # secfixes: |
91 | # 4.8.12-r2: | ||
92 | # - CVE-2019-14902 | ||
93 | # - CVE-2019-14907 | ||
90 | # 4.8.12-r1: | 94 | # 4.8.12-r1: |
91 | # - CVE-2019-10218 | 95 | # - CVE-2019-10218 |
92 | # - CVE-2019-14833 | 96 | # - CVE-2019-14833 |
@@ -576,6 +580,7 @@ a99e771f28d787dc22e832b97aa48a1c5e13ddc0c030c501a3c12819ff6e62800ef084b62930abe8 | |||
576 | 27f12c8395be25d9806d232cc30334f2f7c7d175971d2d1944dd886d699e0381a6f222c17e3d7bc087cf7a29bfb3e98cf25ba98f414c4afe0297b9d134a28bd8 bind-9.12.patch | 580 | 27f12c8395be25d9806d232cc30334f2f7c7d175971d2d1944dd886d699e0381a6f222c17e3d7bc087cf7a29bfb3e98cf25ba98f414c4afe0297b9d134a28bd8 bind-9.12.patch |
577 | c0afe8b1dfddc5290c9aa611163d20adc3a546f54bba0081f739cda4255829f1a72bae422b6cb049aca82e58d4daf63ad5553f4c5c51671019bfbbc2781460f0 missing-headers.patch | 581 | c0afe8b1dfddc5290c9aa611163d20adc3a546f54bba0081f739cda4255829f1a72bae422b6cb049aca82e58d4daf63ad5553f4c5c51671019bfbbc2781460f0 missing-headers.patch |
578 | 8386db1209721fabb6acf52e498082ac3e70cd3a4454c54416b02aaa67b2906212383da7ddc06f77ca29cfbb9033407b1e958bcd9c7cdf369fe501f310a0f973 samba-4.9.14-security-2019-10-29.patch | 582 | 8386db1209721fabb6acf52e498082ac3e70cd3a4454c54416b02aaa67b2906212383da7ddc06f77ca29cfbb9033407b1e958bcd9c7cdf369fe501f310a0f973 samba-4.9.14-security-2019-10-29.patch |
583 | b00163634fb262777cc8992192150beb5dc2dc45ace823557f1a35fe2448ab3559b7503db96b07c6a9382ddb62a3bd6f4e68e1849f64ec472dbea8abc6b54572 samba-4.9.17-security-2020-01-21.patch | ||
579 | 96070e2461370437f48571e7de550c13a332fef869480cfe92e7cac73a998f6c2ee85d2580df58211953bebd0e577691aa710c8edddf3ea0f30e9d47d0a2fd44 samba.initd | 584 | 96070e2461370437f48571e7de550c13a332fef869480cfe92e7cac73a998f6c2ee85d2580df58211953bebd0e577691aa710c8edddf3ea0f30e9d47d0a2fd44 samba.initd |
580 | e2b49cb394e758447ca97de155a61b4276499983a0a5c00b44ae621c5559b759a766f8d1c8d3ee98ad5560f4064a847a7a20cfa2e14f85c061bec8b80fd649eb samba.confd | 585 | e2b49cb394e758447ca97de155a61b4276499983a0a5c00b44ae621c5559b759a766f8d1c8d3ee98ad5560f4064a847a7a20cfa2e14f85c061bec8b80fd649eb samba.confd |
581 | 3458a4e1f8a8b44c966afb339b2dca51615be049f594c14911fc4d8203623deee416b6fe881436e246fc7d49c97a2b3bf9c5f33ba774302b24190a1103d6b67d samba.logrotate" | 586 | 3458a4e1f8a8b44c966afb339b2dca51615be049f594c14911fc4d8203623deee416b6fe881436e246fc7d49c97a2b3bf9c5f33ba774302b24190a1103d6b67d samba.logrotate" |
diff --git a/main/samba/samba-4.9.17-security-2020-01-21.patch b/main/samba/samba-4.9.17-security-2020-01-21.patch new file mode 100644 index 0000000000..4847a8660b --- /dev/null +++ b/main/samba/samba-4.9.17-security-2020-01-21.patch | |||
@@ -0,0 +1,1662 @@ | |||
1 | From 77d55b64af6acd38a08096b89ee051bc4ce72f43 Mon Sep 17 00:00:00 2001 | ||
2 | From: Andrew Bartlett <abartlet@samba.org> | ||
3 | Date: Thu, 28 Nov 2019 17:16:16 +1300 | ||
4 | Subject: [PATCH 01/13] CVE-2019-14902 selftest: Add test for replication of | ||
5 | inherited security descriptors | ||
6 | |||
7 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497 | ||
8 | |||
9 | Signed-off-by: Andrew Bartlett <abartlet@samba.org> | ||
10 | --- | ||
11 | selftest/knownfail.d/repl_secdesc | 2 + | ||
12 | source4/selftest/tests.py | 5 + | ||
13 | source4/torture/drs/python/repl_secdesc.py | 258 +++++++++++++++++++++ | ||
14 | 3 files changed, 265 insertions(+) | ||
15 | create mode 100644 selftest/knownfail.d/repl_secdesc | ||
16 | create mode 100644 source4/torture/drs/python/repl_secdesc.py | ||
17 | |||
18 | diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc | ||
19 | new file mode 100644 | ||
20 | index 00000000000..2aa24c61375 | ||
21 | --- /dev/null | ||
22 | +++ b/selftest/knownfail.d/repl_secdesc | ||
23 | @@ -0,0 +1,2 @@ | ||
24 | +^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_object_in_conflict | ||
25 | +^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inherit_existing_object | ||
26 | diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py | ||
27 | index 2ec0bee923b..7244535791d 100755 | ||
28 | --- a/source4/selftest/tests.py | ||
29 | +++ b/source4/selftest/tests.py | ||
30 | @@ -1004,6 +1004,11 @@ for env in ['vampire_dc', 'promoted_dc']: | ||
31 | extra_path=[os.path.join(samba4srcdir, 'torture/drs/python')], | ||
32 | environ={'DC1': "$DC_SERVER", 'DC2': '$%s_SERVER' % env.upper()}, | ||
33 | extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD']) | ||
34 | + planoldpythontestsuite(env, "repl_secdesc", | ||
35 | + name="samba4.drs.repl_secdesc.python(%s)" % env, | ||
36 | + extra_path=[os.path.join(samba4srcdir, 'torture/drs/python')], | ||
37 | + environ={'DC1': "$DC_SERVER", 'DC2': '$SERVER'}, | ||
38 | + extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD']) | ||
39 | planoldpythontestsuite(env, "repl_move", | ||
40 | extra_path=[os.path.join(samba4srcdir, 'torture/drs/python')], | ||
41 | name="samba4.drs.repl_move.python(%s)" % env, | ||
42 | diff --git a/source4/torture/drs/python/repl_secdesc.py b/source4/torture/drs/python/repl_secdesc.py | ||
43 | new file mode 100644 | ||
44 | index 00000000000..4ed449a8a18 | ||
45 | --- /dev/null | ||
46 | +++ b/source4/torture/drs/python/repl_secdesc.py | ||
47 | @@ -0,0 +1,258 @@ | ||
48 | +#!/usr/bin/env python3 | ||
49 | +# -*- coding: utf-8 -*- | ||
50 | +# | ||
51 | +# Unix SMB/CIFS implementation. | ||
52 | +# Copyright (C) Catalyst.Net Ltd. 2017 | ||
53 | +# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2019 | ||
54 | +# | ||
55 | +# This program is free software; you can redistribute it and/or modify | ||
56 | +# it under the terms of the GNU General Public License as published by | ||
57 | +# the Free Software Foundation; either version 3 of the License, or | ||
58 | +# (at your option) any later version. | ||
59 | +# | ||
60 | +# This program is distributed in the hope that it will be useful, | ||
61 | +# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
62 | +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
63 | +# GNU General Public License for more details. | ||
64 | +# | ||
65 | +# You should have received a copy of the GNU General Public License | ||
66 | +# along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
67 | +# | ||
68 | +import drs_base | ||
69 | +import ldb | ||
70 | +import samba | ||
71 | +from samba import sd_utils | ||
72 | +from ldb import LdbError | ||
73 | + | ||
74 | +class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
75 | + | ||
76 | + def setUp(self): | ||
77 | + super(ReplAclTestCase, self).setUp() | ||
78 | + self.sd_utils_dc1 = sd_utils.SDUtils(self.ldb_dc1) | ||
79 | + self.sd_utils_dc2 = sd_utils.SDUtils(self.ldb_dc2) | ||
80 | + | ||
81 | + self.ou = samba.tests.create_test_ou(self.ldb_dc1, | ||
82 | + "test_acl_inherit") | ||
83 | + | ||
84 | + # disable replication for the tests so we can control at what point | ||
85 | + # the DCs try to replicate | ||
86 | + self._disable_all_repl(self.dnsname_dc1) | ||
87 | + self._disable_all_repl(self.dnsname_dc2) | ||
88 | + | ||
89 | + # make sure DCs are synchronized before the test | ||
90 | + self._net_drs_replicate(DC=self.dnsname_dc2, fromDC=self.dnsname_dc1, forced=True) | ||
91 | + self._net_drs_replicate(DC=self.dnsname_dc1, fromDC=self.dnsname_dc2, forced=True) | ||
92 | + | ||
93 | + def tearDown(self): | ||
94 | + self.ldb_dc1.delete(self.ou, ["tree_delete:1"]) | ||
95 | + | ||
96 | + # re-enable replication | ||
97 | + self._enable_all_repl(self.dnsname_dc1) | ||
98 | + self._enable_all_repl(self.dnsname_dc2) | ||
99 | + | ||
100 | + super(ReplAclTestCase, self).tearDown() | ||
101 | + | ||
102 | + def test_acl_inheirt_new_object_1_pass(self): | ||
103 | + # Set the inherited ACL on the parent OU | ||
104 | + mod = "(A;CIOI;GA;;;SY)" | ||
105 | + self.sd_utils_dc1.dacl_add_ace(self.ou, mod) | ||
106 | + | ||
107 | + # Make a new object | ||
108 | + dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou) | ||
109 | + self.ldb_dc1.add({"dn": dn, "objectclass": "organizationalUnit"}) | ||
110 | + | ||
111 | + self._net_drs_replicate(DC=self.dnsname_dc2, | ||
112 | + fromDC=self.dnsname_dc1, | ||
113 | + forced=True) | ||
114 | + | ||
115 | + # Confirm inherited ACLs are identical | ||
116 | + | ||
117 | + self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn), | ||
118 | + self.sd_utils_dc2.get_sd_as_sddl(dn)) | ||
119 | + | ||
120 | + def test_acl_inheirt_new_object(self): | ||
121 | + # Set the inherited ACL on the parent OU | ||
122 | + mod = "(A;CIOI;GA;;;SY)" | ||
123 | + self.sd_utils_dc1.dacl_add_ace(self.ou, mod) | ||
124 | + | ||
125 | + # Replicate to DC2 | ||
126 | + | ||
127 | + self._net_drs_replicate(DC=self.dnsname_dc2, | ||
128 | + fromDC=self.dnsname_dc1, | ||
129 | + forced=True) | ||
130 | + | ||
131 | + # Make a new object | ||
132 | + dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou) | ||
133 | + self.ldb_dc1.add({"dn": dn, "objectclass": "organizationalUnit"}) | ||
134 | + | ||
135 | + self._net_drs_replicate(DC=self.dnsname_dc2, | ||
136 | + fromDC=self.dnsname_dc1, | ||
137 | + forced=True) | ||
138 | + | ||
139 | + # Confirm inherited ACLs are identical | ||
140 | + | ||
141 | + self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn), | ||
142 | + self.sd_utils_dc2.get_sd_as_sddl(dn)) | ||
143 | + | ||
144 | + def test_acl_inherit_existing_object(self): | ||
145 | + # Make a new object | ||
146 | + dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou) | ||
147 | + self.ldb_dc1.add({"dn": dn, "objectclass": "organizationalUnit"}) | ||
148 | + | ||
149 | + try: | ||
150 | + self.ldb_dc2.search(scope=ldb.SCOPE_BASE, | ||
151 | + base=dn, | ||
152 | + attrs=[]) | ||
153 | + self.fail() | ||
154 | + except LdbError as err: | ||
155 | + enum = err.args[0] | ||
156 | + self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT) | ||
157 | + | ||
158 | + self._net_drs_replicate(DC=self.dnsname_dc2, | ||
159 | + fromDC=self.dnsname_dc1, | ||
160 | + forced=True) | ||
161 | + | ||
162 | + # Confirm it is now replicated | ||
163 | + self.ldb_dc2.search(scope=ldb.SCOPE_BASE, | ||
164 | + base=dn, | ||
165 | + attrs=[]) | ||
166 | + | ||
167 | + # Set the inherited ACL on the parent OU | ||
168 | + mod = "(A;CIOI;GA;;;SY)" | ||
169 | + self.sd_utils_dc1.dacl_add_ace(self.ou, mod) | ||
170 | + | ||
171 | + # Replicate to DC2 | ||
172 | + | ||
173 | + self._net_drs_replicate(DC=self.dnsname_dc2, | ||
174 | + fromDC=self.dnsname_dc1, | ||
175 | + forced=True) | ||
176 | + | ||
177 | + # Confirm inherited ACLs are identical | ||
178 | + | ||
179 | + self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn), | ||
180 | + self.sd_utils_dc2.get_sd_as_sddl(dn)) | ||
181 | + | ||
182 | + def test_acl_inheirt_existing_object_1_pass(self): | ||
183 | + # Make a new object | ||
184 | + dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou) | ||
185 | + self.ldb_dc1.add({"dn": dn, "objectclass": "organizationalUnit"}) | ||
186 | + | ||
187 | + try: | ||
188 | + self.ldb_dc2.search(scope=ldb.SCOPE_BASE, | ||
189 | + base=dn, | ||
190 | + attrs=[]) | ||
191 | + self.fail() | ||
192 | + except LdbError as err: | ||
193 | + enum = err.args[0] | ||
194 | + self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT) | ||
195 | + | ||
196 | + # Set the inherited ACL on the parent OU | ||
197 | + mod = "(A;CIOI;GA;;;SY)" | ||
198 | + self.sd_utils_dc1.dacl_add_ace(self.ou, mod) | ||
199 | + | ||
200 | + # Replicate to DC2 | ||
201 | + | ||
202 | + self._net_drs_replicate(DC=self.dnsname_dc2, | ||
203 | + fromDC=self.dnsname_dc1, | ||
204 | + forced=True) | ||
205 | + | ||
206 | + # Confirm inherited ACLs are identical | ||
207 | + | ||
208 | + self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn), | ||
209 | + self.sd_utils_dc2.get_sd_as_sddl(dn)) | ||
210 | + | ||
211 | + def test_acl_inheirt_renamed_object(self): | ||
212 | + # Make a new object | ||
213 | + new_ou = samba.tests.create_test_ou(self.ldb_dc1, | ||
214 | + "acl_test_l2") | ||
215 | + | ||
216 | + sub_ou_dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou) | ||
217 | + | ||
218 | + try: | ||
219 | + self.ldb_dc2.search(scope=ldb.SCOPE_BASE, | ||
220 | + base=new_ou, | ||
221 | + attrs=[]) | ||
222 | + self.fail() | ||
223 | + except LdbError as err: | ||
224 | + enum = err.args[0] | ||
225 | + self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT) | ||
226 | + | ||
227 | + self._net_drs_replicate(DC=self.dnsname_dc2, | ||
228 | + fromDC=self.dnsname_dc1, | ||
229 | + forced=True) | ||
230 | + | ||
231 | + # Confirm it is now replicated | ||
232 | + self.ldb_dc2.search(scope=ldb.SCOPE_BASE, | ||
233 | + base=new_ou, | ||
234 | + attrs=[]) | ||
235 | + | ||
236 | + # Set the inherited ACL on the parent OU on DC1 | ||
237 | + mod = "(A;CIOI;GA;;;SY)" | ||
238 | + self.sd_utils_dc1.dacl_add_ace(self.ou, mod) | ||
239 | + | ||
240 | + # Replicate to DC2 | ||
241 | + | ||
242 | + self._net_drs_replicate(DC=self.dnsname_dc2, | ||
243 | + fromDC=self.dnsname_dc1, | ||
244 | + forced=True) | ||
245 | + | ||
246 | + # Rename to under self.ou | ||
247 | + | ||
248 | + self.ldb_dc1.rename(new_ou, sub_ou_dn) | ||
249 | + | ||
250 | + # Replicate to DC2 | ||
251 | + | ||
252 | + self._net_drs_replicate(DC=self.dnsname_dc2, | ||
253 | + fromDC=self.dnsname_dc1, | ||
254 | + forced=True) | ||
255 | + | ||
256 | + # Confirm inherited ACLs are identical | ||
257 | + self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn), | ||
258 | + self.sd_utils_dc2.get_sd_as_sddl(sub_ou_dn)) | ||
259 | + | ||
260 | + | ||
261 | + def test_acl_inheirt_renamed_object_in_conflict(self): | ||
262 | + # Make a new object to be renamed under self.ou | ||
263 | + new_ou = samba.tests.create_test_ou(self.ldb_dc1, | ||
264 | + "acl_test_l2") | ||
265 | + | ||
266 | + # Make a new OU under self.ou (on DC2) | ||
267 | + sub_ou_dn = ldb.Dn(self.ldb_dc2, "OU=l2,%s" % self.ou) | ||
268 | + self.ldb_dc2.add({"dn": sub_ou_dn, | ||
269 | + "objectclass": "organizationalUnit"}) | ||
270 | + | ||
271 | + # Set the inherited ACL on the parent OU | ||
272 | + mod = "(A;CIOI;GA;;;SY)" | ||
273 | + self.sd_utils_dc1.dacl_add_ace(self.ou, mod) | ||
274 | + | ||
275 | + # Replicate to DC2 | ||
276 | + | ||
277 | + self._net_drs_replicate(DC=self.dnsname_dc2, | ||
278 | + fromDC=self.dnsname_dc1, | ||
279 | + forced=True) | ||
280 | + | ||
281 | + # Rename to under self.ou | ||
282 | + self.ldb_dc1.rename(new_ou, sub_ou_dn) | ||
283 | + | ||
284 | + # Replicate to DC2 (will cause a conflict, DC1 to win, version | ||
285 | + # is higher since named twice) | ||
286 | + | ||
287 | + self._net_drs_replicate(DC=self.dnsname_dc2, | ||
288 | + fromDC=self.dnsname_dc1, | ||
289 | + forced=True) | ||
290 | + | ||
291 | + children = self.ldb_dc2.search(scope=ldb.SCOPE_ONELEVEL, | ||
292 | + base=self.ou, | ||
293 | + attrs=[]) | ||
294 | + for child in children: | ||
295 | + self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn), | ||
296 | + self.sd_utils_dc2.get_sd_as_sddl(child.dn)) | ||
297 | + | ||
298 | + # Replicate back | ||
299 | + self._net_drs_replicate(DC=self.dnsname_dc1, | ||
300 | + fromDC=self.dnsname_dc2, | ||
301 | + forced=True) | ||
302 | + | ||
303 | + for child in children: | ||
304 | + self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(child.dn), | ||
305 | + self.sd_utils_dc2.get_sd_as_sddl(child.dn)) | ||
306 | -- | ||
307 | 2.17.1 | ||
308 | |||
309 | |||
310 | From c5a005a45389c8d8fc0eae7137eab1904ea92d42 Mon Sep 17 00:00:00 2001 | ||
311 | From: Andrew Bartlett <abartlet@samba.org> | ||
312 | Date: Tue, 10 Dec 2019 15:16:24 +1300 | ||
313 | Subject: [PATCH 02/13] CVE-2019-14902 selftest: Add test for a special case | ||
314 | around replicated renames | ||
315 | |||
316 | It appears Samba is currently string-name based in the ACL inheritence code. | ||
317 | |||
318 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497 | ||
319 | |||
320 | Signed-off-by: Andrew Bartlett <abartlet@samba.org> | ||
321 | --- | ||
322 | selftest/knownfail.d/repl_secdesc | 1 + | ||
323 | source4/torture/drs/python/repl_secdesc.py | 69 ++++++++++++++++++++++ | ||
324 | 2 files changed, 70 insertions(+) | ||
325 | |||
326 | diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc | ||
327 | index 2aa24c61375..7d554ff237a 100644 | ||
328 | --- a/selftest/knownfail.d/repl_secdesc | ||
329 | +++ b/selftest/knownfail.d/repl_secdesc | ||
330 | @@ -1,2 +1,3 @@ | ||
331 | ^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_object_in_conflict | ||
332 | ^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inherit_existing_object | ||
333 | +^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_child_object | ||
334 | diff --git a/source4/torture/drs/python/repl_secdesc.py b/source4/torture/drs/python/repl_secdesc.py | ||
335 | index 4ed449a8a18..58861af3bac 100644 | ||
336 | --- a/source4/torture/drs/python/repl_secdesc.py | ||
337 | +++ b/source4/torture/drs/python/repl_secdesc.py | ||
338 | @@ -211,6 +211,75 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
339 | self.sd_utils_dc2.get_sd_as_sddl(sub_ou_dn)) | ||
340 | |||
341 | |||
342 | + def test_acl_inheirt_renamed_child_object(self): | ||
343 | + # Make a new OU | ||
344 | + new_ou = samba.tests.create_test_ou(self.ldb_dc1, | ||
345 | + "acl_test_l2") | ||
346 | + | ||
347 | + # Here is where the new OU will end up at the end. | ||
348 | + sub2_ou_dn_final = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou) | ||
349 | + | ||
350 | + sub3_ou_dn = ldb.Dn(self.ldb_dc1, "OU=l3,%s" % new_ou) | ||
351 | + sub3_ou_dn_final = ldb.Dn(self.ldb_dc1, "OU=l3,%s" % sub2_ou_dn_final) | ||
352 | + | ||
353 | + self.ldb_dc1.add({"dn": sub3_ou_dn, | ||
354 | + "objectclass": "organizationalUnit"}) | ||
355 | + | ||
356 | + sub4_ou_dn = ldb.Dn(self.ldb_dc1, "OU=l4,%s" % sub3_ou_dn) | ||
357 | + sub4_ou_dn_final = ldb.Dn(self.ldb_dc1, "OU=l4,%s" % sub3_ou_dn_final) | ||
358 | + | ||
359 | + self.ldb_dc1.add({"dn": sub4_ou_dn, | ||
360 | + "objectclass": "organizationalUnit"}) | ||
361 | + | ||
362 | + try: | ||
363 | + self.ldb_dc2.search(scope=ldb.SCOPE_BASE, | ||
364 | + base=new_ou, | ||
365 | + attrs=[]) | ||
366 | + self.fail() | ||
367 | + except LdbError as err: | ||
368 | + enum = err.args[0] | ||
369 | + self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT) | ||
370 | + | ||
371 | + self._net_drs_replicate(DC=self.dnsname_dc2, | ||
372 | + fromDC=self.dnsname_dc1, | ||
373 | + forced=True) | ||
374 | + | ||
375 | + # Confirm it is now replicated | ||
376 | + self.ldb_dc2.search(scope=ldb.SCOPE_BASE, | ||
377 | + base=new_ou, | ||
378 | + attrs=[]) | ||
379 | + | ||
380 | + # | ||
381 | + # Given a tree new_ou -> l3 -> l4 | ||
382 | + # | ||
383 | + | ||
384 | + # Set the inherited ACL on the grandchild OU (l3) on DC1 | ||
385 | + mod = "(A;CIOI;GA;;;SY)" | ||
386 | + self.sd_utils_dc1.dacl_add_ace(sub3_ou_dn, mod) | ||
387 | + | ||
388 | + # Rename new_ou (l2) to under self.ou (this must happen second). If the | ||
389 | + # inheritence between l3 and l4 is name-based, this could | ||
390 | + # break. | ||
391 | + | ||
392 | + # The tree is now self.ou -> l2 -> l3 -> l4 | ||
393 | + | ||
394 | + self.ldb_dc1.rename(new_ou, sub2_ou_dn_final) | ||
395 | + | ||
396 | + # Replicate to DC2 | ||
397 | + | ||
398 | + self._net_drs_replicate(DC=self.dnsname_dc2, | ||
399 | + fromDC=self.dnsname_dc1, | ||
400 | + forced=True) | ||
401 | + | ||
402 | + # Confirm set ACLs (on l3 ) are identical. | ||
403 | + self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub3_ou_dn_final), | ||
404 | + self.sd_utils_dc2.get_sd_as_sddl(sub3_ou_dn_final)) | ||
405 | + | ||
406 | + # Confirm inherited ACLs (from l3 to l4) are identical. | ||
407 | + self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub4_ou_dn_final), | ||
408 | + self.sd_utils_dc2.get_sd_as_sddl(sub4_ou_dn_final)) | ||
409 | + | ||
410 | + | ||
411 | def test_acl_inheirt_renamed_object_in_conflict(self): | ||
412 | # Make a new object to be renamed under self.ou | ||
413 | new_ou = samba.tests.create_test_ou(self.ldb_dc1, | ||
414 | -- | ||
415 | 2.17.1 | ||
416 | |||
417 | |||
418 | From 4afff32debe5ea4bf1219f42c3042eb65c3e1d6b Mon Sep 17 00:00:00 2001 | ||
419 | From: Andrew Bartlett <abartlet@samba.org> | ||
420 | Date: Mon, 16 Dec 2019 11:29:27 +1300 | ||
421 | Subject: [PATCH 03/13] selftest: Add test to confirm ACL inheritence really | ||
422 | happens | ||
423 | |||
424 | While we have a seperate test (sec_descriptor.py) that confirms inheritance in | ||
425 | general we want to lock in these specific patterns as this test covers | ||
426 | rename. | ||
427 | |||
428 | Signed-off-by: Andrew Bartlett <abartlet@samba.org> | ||
429 | --- | ||
430 | source4/torture/drs/python/repl_secdesc.py | 115 +++++++++++++++++---- | ||
431 | 1 file changed, 94 insertions(+), 21 deletions(-) | ||
432 | |||
433 | diff --git a/source4/torture/drs/python/repl_secdesc.py b/source4/torture/drs/python/repl_secdesc.py | ||
434 | index 58861af3bac..58212907e23 100644 | ||
435 | --- a/source4/torture/drs/python/repl_secdesc.py | ||
436 | +++ b/source4/torture/drs/python/repl_secdesc.py | ||
437 | @@ -28,6 +28,10 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
438 | |||
439 | def setUp(self): | ||
440 | super(ReplAclTestCase, self).setUp() | ||
441 | + self.mod = "(A;CIOI;GA;;;SY)" | ||
442 | + self.mod_becomes = "(A;OICIIO;GA;;;SY)" | ||
443 | + self.mod_inherits_as = "(A;OICIIOID;GA;;;SY)" | ||
444 | + | ||
445 | self.sd_utils_dc1 = sd_utils.SDUtils(self.ldb_dc1) | ||
446 | self.sd_utils_dc2 = sd_utils.SDUtils(self.ldb_dc2) | ||
447 | |||
448 | @@ -54,8 +58,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
449 | |||
450 | def test_acl_inheirt_new_object_1_pass(self): | ||
451 | # Set the inherited ACL on the parent OU | ||
452 | - mod = "(A;CIOI;GA;;;SY)" | ||
453 | - self.sd_utils_dc1.dacl_add_ace(self.ou, mod) | ||
454 | + self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod) | ||
455 | + | ||
456 | + # Assert ACL set stuck as expected | ||
457 | + self.assertIn(self.mod_becomes, | ||
458 | + self.sd_utils_dc1.get_sd_as_sddl(self.ou)) | ||
459 | |||
460 | # Make a new object | ||
461 | dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou) | ||
462 | @@ -65,15 +72,24 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
463 | fromDC=self.dnsname_dc1, | ||
464 | forced=True) | ||
465 | |||
466 | - # Confirm inherited ACLs are identical | ||
467 | + # Assert ACL replicated as expected | ||
468 | + self.assertIn(self.mod_becomes, | ||
469 | + self.sd_utils_dc2.get_sd_as_sddl(self.ou)) | ||
470 | |||
471 | + # Confirm inherited ACLs are identical and were inherited | ||
472 | + | ||
473 | + self.assertIn(self.mod_inherits_as, | ||
474 | + self.sd_utils_dc1.get_sd_as_sddl(dn)) | ||
475 | self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn), | ||
476 | self.sd_utils_dc2.get_sd_as_sddl(dn)) | ||
477 | |||
478 | def test_acl_inheirt_new_object(self): | ||
479 | # Set the inherited ACL on the parent OU | ||
480 | - mod = "(A;CIOI;GA;;;SY)" | ||
481 | - self.sd_utils_dc1.dacl_add_ace(self.ou, mod) | ||
482 | + self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod) | ||
483 | + | ||
484 | + # Assert ACL set stuck as expected | ||
485 | + self.assertIn(self.mod_becomes, | ||
486 | + self.sd_utils_dc1.get_sd_as_sddl(self.ou)) | ||
487 | |||
488 | # Replicate to DC2 | ||
489 | |||
490 | @@ -89,8 +105,14 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
491 | fromDC=self.dnsname_dc1, | ||
492 | forced=True) | ||
493 | |||
494 | - # Confirm inherited ACLs are identical | ||
495 | + # Assert ACL replicated as expected | ||
496 | + self.assertIn(self.mod_becomes, | ||
497 | + self.sd_utils_dc2.get_sd_as_sddl(self.ou)) | ||
498 | |||
499 | + # Confirm inherited ACLs are identical and were inheritied | ||
500 | + | ||
501 | + self.assertIn(self.mod_inherits_as, | ||
502 | + self.sd_utils_dc1.get_sd_as_sddl(dn)) | ||
503 | self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn), | ||
504 | self.sd_utils_dc2.get_sd_as_sddl(dn)) | ||
505 | |||
506 | @@ -118,8 +140,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
507 | attrs=[]) | ||
508 | |||
509 | # Set the inherited ACL on the parent OU | ||
510 | - mod = "(A;CIOI;GA;;;SY)" | ||
511 | - self.sd_utils_dc1.dacl_add_ace(self.ou, mod) | ||
512 | + self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod) | ||
513 | + | ||
514 | + # Assert ACL set stuck as expected | ||
515 | + self.assertIn(self.mod_becomes, | ||
516 | + self.sd_utils_dc1.get_sd_as_sddl(self.ou)) | ||
517 | |||
518 | # Replicate to DC2 | ||
519 | |||
520 | @@ -127,8 +152,14 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
521 | fromDC=self.dnsname_dc1, | ||
522 | forced=True) | ||
523 | |||
524 | - # Confirm inherited ACLs are identical | ||
525 | + # Confirm inherited ACLs are identical and were inherited | ||
526 | |||
527 | + # Assert ACL replicated as expected | ||
528 | + self.assertIn(self.mod_becomes, | ||
529 | + self.sd_utils_dc2.get_sd_as_sddl(self.ou)) | ||
530 | + | ||
531 | + self.assertIn(self.mod_inherits_as, | ||
532 | + self.sd_utils_dc1.get_sd_as_sddl(dn)) | ||
533 | self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn), | ||
534 | self.sd_utils_dc2.get_sd_as_sddl(dn)) | ||
535 | |||
536 | @@ -147,8 +178,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
537 | self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT) | ||
538 | |||
539 | # Set the inherited ACL on the parent OU | ||
540 | - mod = "(A;CIOI;GA;;;SY)" | ||
541 | - self.sd_utils_dc1.dacl_add_ace(self.ou, mod) | ||
542 | + self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod) | ||
543 | + | ||
544 | + # Assert ACL set as expected | ||
545 | + self.assertIn(self.mod_becomes, | ||
546 | + self.sd_utils_dc1.get_sd_as_sddl(self.ou)) | ||
547 | |||
548 | # Replicate to DC2 | ||
549 | |||
550 | @@ -156,8 +190,14 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
551 | fromDC=self.dnsname_dc1, | ||
552 | forced=True) | ||
553 | |||
554 | - # Confirm inherited ACLs are identical | ||
555 | + # Assert ACL replicated as expected | ||
556 | + self.assertIn(self.mod_becomes, | ||
557 | + self.sd_utils_dc2.get_sd_as_sddl(self.ou)) | ||
558 | |||
559 | + # Confirm inherited ACLs are identical and were inherited | ||
560 | + | ||
561 | + self.assertIn(self.mod_inherits_as, | ||
562 | + self.sd_utils_dc1.get_sd_as_sddl(dn)) | ||
563 | self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn), | ||
564 | self.sd_utils_dc2.get_sd_as_sddl(dn)) | ||
565 | |||
566 | @@ -187,8 +227,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
567 | attrs=[]) | ||
568 | |||
569 | # Set the inherited ACL on the parent OU on DC1 | ||
570 | - mod = "(A;CIOI;GA;;;SY)" | ||
571 | - self.sd_utils_dc1.dacl_add_ace(self.ou, mod) | ||
572 | + self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod) | ||
573 | + | ||
574 | + # Assert ACL set as expected | ||
575 | + self.assertIn(self.mod_becomes, | ||
576 | + self.sd_utils_dc1.get_sd_as_sddl(self.ou)) | ||
577 | |||
578 | # Replicate to DC2 | ||
579 | |||
580 | @@ -196,6 +239,10 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
581 | fromDC=self.dnsname_dc1, | ||
582 | forced=True) | ||
583 | |||
584 | + # Assert ACL replicated as expected | ||
585 | + self.assertIn(self.mod_becomes, | ||
586 | + self.sd_utils_dc2.get_sd_as_sddl(self.ou)) | ||
587 | + | ||
588 | # Rename to under self.ou | ||
589 | |||
590 | self.ldb_dc1.rename(new_ou, sub_ou_dn) | ||
591 | @@ -206,7 +253,9 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
592 | fromDC=self.dnsname_dc1, | ||
593 | forced=True) | ||
594 | |||
595 | - # Confirm inherited ACLs are identical | ||
596 | + # Confirm inherited ACLs are identical and were inherited | ||
597 | + self.assertIn(self.mod_inherits_as, | ||
598 | + self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn)) | ||
599 | self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn), | ||
600 | self.sd_utils_dc2.get_sd_as_sddl(sub_ou_dn)) | ||
601 | |||
602 | @@ -254,8 +303,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
603 | # | ||
604 | |||
605 | # Set the inherited ACL on the grandchild OU (l3) on DC1 | ||
606 | - mod = "(A;CIOI;GA;;;SY)" | ||
607 | - self.sd_utils_dc1.dacl_add_ace(sub3_ou_dn, mod) | ||
608 | + self.sd_utils_dc1.dacl_add_ace(sub3_ou_dn, self.mod) | ||
609 | + | ||
610 | + # Assert ACL set stuck as expected | ||
611 | + self.assertIn(self.mod_becomes, | ||
612 | + self.sd_utils_dc1.get_sd_as_sddl(sub3_ou_dn)) | ||
613 | |||
614 | # Rename new_ou (l2) to under self.ou (this must happen second). If the | ||
615 | # inheritence between l3 and l4 is name-based, this could | ||
616 | @@ -265,17 +317,26 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
617 | |||
618 | self.ldb_dc1.rename(new_ou, sub2_ou_dn_final) | ||
619 | |||
620 | + # Assert ACL set remained as expected | ||
621 | + self.assertIn(self.mod_becomes, | ||
622 | + self.sd_utils_dc1.get_sd_as_sddl(sub3_ou_dn_final)) | ||
623 | + | ||
624 | # Replicate to DC2 | ||
625 | |||
626 | self._net_drs_replicate(DC=self.dnsname_dc2, | ||
627 | fromDC=self.dnsname_dc1, | ||
628 | forced=True) | ||
629 | |||
630 | - # Confirm set ACLs (on l3 ) are identical. | ||
631 | + # Confirm set ACLs (on l3 ) are identical and were inherited | ||
632 | + self.assertIn(self.mod_becomes, | ||
633 | + self.sd_utils_dc2.get_sd_as_sddl(sub3_ou_dn_final)) | ||
634 | self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub3_ou_dn_final), | ||
635 | self.sd_utils_dc2.get_sd_as_sddl(sub3_ou_dn_final)) | ||
636 | |||
637 | - # Confirm inherited ACLs (from l3 to l4) are identical. | ||
638 | + # Confirm inherited ACLs (from l3 to l4) are identical | ||
639 | + # and where inherited | ||
640 | + self.assertIn(self.mod_inherits_as, | ||
641 | + self.sd_utils_dc1.get_sd_as_sddl(sub4_ou_dn_final)) | ||
642 | self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub4_ou_dn_final), | ||
643 | self.sd_utils_dc2.get_sd_as_sddl(sub4_ou_dn_final)) | ||
644 | |||
645 | @@ -291,8 +352,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
646 | "objectclass": "organizationalUnit"}) | ||
647 | |||
648 | # Set the inherited ACL on the parent OU | ||
649 | - mod = "(A;CIOI;GA;;;SY)" | ||
650 | - self.sd_utils_dc1.dacl_add_ace(self.ou, mod) | ||
651 | + self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod) | ||
652 | + | ||
653 | + # Assert ACL set stuck as expected | ||
654 | + self.assertIn(self.mod_becomes, | ||
655 | + self.sd_utils_dc1.get_sd_as_sddl(self.ou)) | ||
656 | |||
657 | # Replicate to DC2 | ||
658 | |||
659 | @@ -302,6 +366,8 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
660 | |||
661 | # Rename to under self.ou | ||
662 | self.ldb_dc1.rename(new_ou, sub_ou_dn) | ||
663 | + self.assertIn(self.mod_inherits_as, | ||
664 | + self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn)) | ||
665 | |||
666 | # Replicate to DC2 (will cause a conflict, DC1 to win, version | ||
667 | # is higher since named twice) | ||
668 | @@ -314,6 +380,8 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
669 | base=self.ou, | ||
670 | attrs=[]) | ||
671 | for child in children: | ||
672 | + self.assertIn(self.mod_inherits_as, | ||
673 | + self.sd_utils_dc2.get_sd_as_sddl(child.dn)) | ||
674 | self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn), | ||
675 | self.sd_utils_dc2.get_sd_as_sddl(child.dn)) | ||
676 | |||
677 | @@ -322,6 +390,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase): | ||
678 | fromDC=self.dnsname_dc2, | ||
679 | forced=True) | ||
680 | |||
681 | + self.assertIn(self.mod_inherits_as, | ||
682 | + self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn)) | ||
683 | + | ||
684 | for child in children: | ||
685 | + self.assertIn(self.mod_inherits_as, | ||
686 | + self.sd_utils_dc1.get_sd_as_sddl(child.dn)) | ||
687 | self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(child.dn), | ||
688 | self.sd_utils_dc2.get_sd_as_sddl(child.dn)) | ||
689 | -- | ||
690 | 2.17.1 | ||
691 | |||
692 | |||
693 | From 17215b36b22d309a58a3b7bd08123f06e89657c9 Mon Sep 17 00:00:00 2001 | ||
694 | From: Andrew Bartlett <abartlet@samba.org> | ||
695 | Date: Tue, 26 Nov 2019 15:44:32 +1300 | ||
696 | Subject: [PATCH 04/13] CVE-2019-14902 dsdb: Explain that | ||
697 | descriptor_sd_propagation_recursive() is proctected by a transaction | ||
698 | |||
699 | This means we can trust the DB did not change between the two search | ||
700 | requests. | ||
701 | |||
702 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497 | ||
703 | |||
704 | Signed-off-by: Andrew Bartlett <abartlet@samba.org> | ||
705 | --- | ||
706 | source4/dsdb/samdb/ldb_modules/descriptor.c | 3 +++ | ||
707 | 1 file changed, 3 insertions(+) | ||
708 | |||
709 | diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c | ||
710 | index 9018b750ab5..fb2854438e1 100644 | ||
711 | --- a/source4/dsdb/samdb/ldb_modules/descriptor.c | ||
712 | +++ b/source4/dsdb/samdb/ldb_modules/descriptor.c | ||
713 | @@ -1199,6 +1199,9 @@ static int descriptor_sd_propagation_recursive(struct ldb_module *module, | ||
714 | * LDB_SCOPE_SUBTREE searches are expensive. | ||
715 | * | ||
716 | * Note: that we do not search for deleted/recycled objects | ||
717 | + * | ||
718 | + * We know this is safe against a rename race as we are in the | ||
719 | + * prepare_commit(), so must be in a transaction. | ||
720 | */ | ||
721 | ret = dsdb_module_search(module, | ||
722 | change, | ||
723 | -- | ||
724 | 2.17.1 | ||
725 | |||
726 | |||
727 | From 589d1e4846bbac0e5388af3ef0c6d6c41b5ff991 Mon Sep 17 00:00:00 2001 | ||
728 | From: Andrew Bartlett <abartlet@samba.org> | ||
729 | Date: Tue, 26 Nov 2019 16:17:32 +1300 | ||
730 | Subject: [PATCH 05/13] CVE-2019-14902 dsdb: Add comments explaining why SD | ||
731 | propagation needs to be done here | ||
732 | |||
733 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497 | ||
734 | |||
735 | Signed-off-by: Andrew Bartlett <abartlet@samba.org> | ||
736 | --- | ||
737 | source4/dsdb/samdb/ldb_modules/descriptor.c | 7 +++++++ | ||
738 | 1 file changed, 7 insertions(+) | ||
739 | |||
740 | diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c | ||
741 | index fb2854438e1..7070affa645 100644 | ||
742 | --- a/source4/dsdb/samdb/ldb_modules/descriptor.c | ||
743 | +++ b/source4/dsdb/samdb/ldb_modules/descriptor.c | ||
744 | @@ -876,6 +876,9 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req) | ||
745 | return ldb_oom(ldb); | ||
746 | } | ||
747 | |||
748 | + /* | ||
749 | + * Force SD propagation on children of this record | ||
750 | + */ | ||
751 | ret = dsdb_module_schedule_sd_propagation(module, nc_root, | ||
752 | dn, false); | ||
753 | if (ret != LDB_SUCCESS) { | ||
754 | @@ -966,6 +969,10 @@ static int descriptor_rename(struct ldb_module *module, struct ldb_request *req) | ||
755 | return ldb_oom(ldb); | ||
756 | } | ||
757 | |||
758 | + /* | ||
759 | + * Force SD propagation on this record (get a new | ||
760 | + * inherited SD from the potentially new parent | ||
761 | + */ | ||
762 | ret = dsdb_module_schedule_sd_propagation(module, nc_root, | ||
763 | newdn, true); | ||
764 | if (ret != LDB_SUCCESS) { | ||
765 | -- | ||
766 | 2.17.1 | ||
767 | |||
768 | |||
769 | From 0fa9a362e55abb289cbf0fe24baa09c45af4837e Mon Sep 17 00:00:00 2001 | ||
770 | From: Andrew Bartlett <abartlet@samba.org> | ||
771 | Date: Fri, 6 Dec 2019 17:54:23 +1300 | ||
772 | Subject: [PATCH 06/13] CVE-2019-14902 dsdb: Ensure we honour both | ||
773 | change->force_self and change->force_children | ||
774 | |||
775 | If we are renaming a DN we can be in a situation where we need to | ||
776 | |||
777 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497 | ||
778 | |||
779 | Signed-off-by: Andrew Bartlett <abartlet@samba.org> | ||
780 | --- | ||
781 | source4/dsdb/samdb/ldb_modules/descriptor.c | 7 +++++++ | ||
782 | 1 file changed, 7 insertions(+) | ||
783 | |||
784 | diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c | ||
785 | index 7070affa645..b9f465fc36f 100644 | ||
786 | --- a/source4/dsdb/samdb/ldb_modules/descriptor.c | ||
787 | +++ b/source4/dsdb/samdb/ldb_modules/descriptor.c | ||
788 | @@ -1291,6 +1291,13 @@ static int descriptor_sd_propagation_recursive(struct ldb_module *module, | ||
789 | |||
790 | if (cur != NULL) { | ||
791 | DLIST_REMOVE(change->children, cur); | ||
792 | + } else if (i == 0) { | ||
793 | + /* | ||
794 | + * in the change->force_self case | ||
795 | + * res->msgs[0]->elements was not overwritten, | ||
796 | + * so set cur here | ||
797 | + */ | ||
798 | + cur = change; | ||
799 | } | ||
800 | |||
801 | for (c = stopped_stack; c; c = stopped_stack) { | ||
802 | -- | ||
803 | 2.17.1 | ||
804 | |||
805 | |||
806 | From 9ac2b09fa5a2de44967a0b190918825e7dca8d53 Mon Sep 17 00:00:00 2001 | ||
807 | From: Andrew Bartlett <abartlet@samba.org> | ||
808 | Date: Fri, 6 Dec 2019 18:05:54 +1300 | ||
809 | Subject: [PATCH 07/13] CVE-2019-14902 repl_meta_data: schedule SD propagation | ||
810 | to a renamed DN | ||
811 | |||
812 | We need to check the SD of the parent if we rename, it is not the same as an incoming SD change. | ||
813 | |||
814 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497 | ||
815 | |||
816 | Signed-off-by: Andrew Bartlett <abartlet@samba.org> | ||
817 | --- | ||
818 | source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 17 ++++++++++++++++- | ||
819 | 1 file changed, 16 insertions(+), 1 deletion(-) | ||
820 | |||
821 | diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c | ||
822 | index 04a51ecab51..52ff3d75ee2 100644 | ||
823 | --- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c | ||
824 | +++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c | ||
825 | @@ -6290,7 +6290,22 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar) | ||
826 | ar->index_current, msg->num_elements); | ||
827 | |||
828 | if (renamed) { | ||
829 | - sd_updated = true; | ||
830 | + /* | ||
831 | + * This is an new name for this object, so we must | ||
832 | + * inherit from the parent | ||
833 | + * | ||
834 | + * This is needed because descriptor is above | ||
835 | + * repl_meta_data in the module stack, so this will | ||
836 | + * not be trigered 'naturally' by the flow of | ||
837 | + * operations. | ||
838 | + */ | ||
839 | + ret = dsdb_module_schedule_sd_propagation(ar->module, | ||
840 | + ar->objs->partition_dn, | ||
841 | + msg->dn, | ||
842 | + true); | ||
843 | + if (ret != LDB_SUCCESS) { | ||
844 | + return ldb_operr(ldb); | ||
845 | + } | ||
846 | } | ||
847 | |||
848 | if (sd_updated && !isDeleted) { | ||
849 | -- | ||
850 | 2.17.1 | ||
851 | |||
852 | |||
853 | From 9e6b09e0fd52c664de7f0589074fef872c753fa2 Mon Sep 17 00:00:00 2001 | ||
854 | From: Andrew Bartlett <abartlet@samba.org> | ||
855 | Date: Tue, 26 Nov 2019 15:50:35 +1300 | ||
856 | Subject: [PATCH 08/13] CVE-2019-14902 repl_meta_data: Fix issue where | ||
857 | inherited Security Descriptors were not replicated. | ||
858 | |||
859 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497 | ||
860 | |||
861 | Signed-off-by: Andrew Bartlett <abartlet@samba.org> | ||
862 | --- | ||
863 | selftest/knownfail.d/repl_secdesc | 1 - | ||
864 | .../dsdb/samdb/ldb_modules/repl_meta_data.c | 22 ++++++++++++++++++- | ||
865 | 2 files changed, 21 insertions(+), 2 deletions(-) | ||
866 | |||
867 | diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc | ||
868 | index 7d554ff237a..13a9ce458dd 100644 | ||
869 | --- a/selftest/knownfail.d/repl_secdesc | ||
870 | +++ b/selftest/knownfail.d/repl_secdesc | ||
871 | @@ -1,3 +1,2 @@ | ||
872 | ^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_object_in_conflict | ||
873 | -^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inherit_existing_object | ||
874 | ^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_child_object | ||
875 | diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c | ||
876 | index 52ff3d75ee2..9812ded99fb 100644 | ||
877 | --- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c | ||
878 | +++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c | ||
879 | @@ -5527,6 +5527,15 @@ static int replmd_replicated_apply_add(struct replmd_replicated_request *ar) | ||
880 | replmd_ldb_message_sort(msg, ar->schema); | ||
881 | |||
882 | if (!remote_isDeleted) { | ||
883 | + /* | ||
884 | + * Ensure any local ACL inheritence is applied from | ||
885 | + * the parent object. | ||
886 | + * | ||
887 | + * This is needed because descriptor is above | ||
888 | + * repl_meta_data in the module stack, so this will | ||
889 | + * not be trigered 'naturally' by the flow of | ||
890 | + * operations. | ||
891 | + */ | ||
892 | ret = dsdb_module_schedule_sd_propagation(ar->module, | ||
893 | ar->objs->partition_dn, | ||
894 | msg->dn, true); | ||
895 | @@ -6309,9 +6318,20 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar) | ||
896 | } | ||
897 | |||
898 | if (sd_updated && !isDeleted) { | ||
899 | + /* | ||
900 | + * This is an existing object, so there is no need to | ||
901 | + * inherit from the parent, but we must inherit any | ||
902 | + * incoming changes to our child objects. | ||
903 | + * | ||
904 | + * This is needed because descriptor is above | ||
905 | + * repl_meta_data in the module stack, so this will | ||
906 | + * not be trigered 'naturally' by the flow of | ||
907 | + * operations. | ||
908 | + */ | ||
909 | ret = dsdb_module_schedule_sd_propagation(ar->module, | ||
910 | ar->objs->partition_dn, | ||
911 | - msg->dn, true); | ||
912 | + msg->dn, | ||
913 | + false); | ||
914 | if (ret != LDB_SUCCESS) { | ||
915 | return ldb_operr(ldb); | ||
916 | } | ||
917 | -- | ||
918 | 2.17.1 | ||
919 | |||
920 | |||
921 | From 7071888d5b556213be79545cac059a8b3f62baee Mon Sep 17 00:00:00 2001 | ||
922 | From: Andrew Bartlett <abartlet@samba.org> | ||
923 | Date: Fri, 6 Dec 2019 18:26:42 +1300 | ||
924 | Subject: [PATCH 09/13] CVE-2019-14902 repl_meta_data: Set renamed = true (and | ||
925 | so do SD inheritance) after any rename | ||
926 | |||
927 | Previously if there was a conflict, but the incoming object would still | ||
928 | win, this was not marked as a rename, and so inheritence was not done. | ||
929 | |||
930 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497 | ||
931 | |||
932 | Signed-off-by: Andrew Bartlett <abartlet@samba.org> | ||
933 | --- | ||
934 | selftest/knownfail.d/repl_secdesc | 1 - | ||
935 | source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 +++++++++++++ | ||
936 | 2 files changed, 13 insertions(+), 1 deletion(-) | ||
937 | |||
938 | diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc | ||
939 | index 13a9ce458dd..9dd632d99ed 100644 | ||
940 | --- a/selftest/knownfail.d/repl_secdesc | ||
941 | +++ b/selftest/knownfail.d/repl_secdesc | ||
942 | @@ -1,2 +1 @@ | ||
943 | -^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_object_in_conflict | ||
944 | ^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_child_object | ||
945 | diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c | ||
946 | index 9812ded99fb..e67c3b0281e 100644 | ||
947 | --- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c | ||
948 | +++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c | ||
949 | @@ -6134,6 +6134,19 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar) | ||
950 | * replmd_replicated_apply_search_callback()) | ||
951 | */ | ||
952 | ret = replmd_replicated_handle_rename(ar, msg, ar->req, &renamed); | ||
953 | + | ||
954 | + /* | ||
955 | + * This looks strange, but we must set this after any | ||
956 | + * rename, otherwise the SD propegation will not | ||
957 | + * happen (which might matter if we have a new parent) | ||
958 | + * | ||
959 | + * The additional case of calling | ||
960 | + * replmd_op_name_modify_callback (below) is: | ||
961 | + * - a no-op if there was no name change | ||
962 | + * and | ||
963 | + * - called in the default case regardless. | ||
964 | + */ | ||
965 | + renamed = true; | ||
966 | } | ||
967 | |||
968 | if (ret != LDB_SUCCESS) { | ||
969 | -- | ||
970 | 2.17.1 | ||
971 | |||
972 | |||
973 | From 16b377276ee82c04d069666e53deaa95a7633dd4 Mon Sep 17 00:00:00 2001 | ||
974 | From: Andrew Bartlett <abartlet@samba.org> | ||
975 | Date: Thu, 12 Dec 2019 14:44:57 +1300 | ||
976 | Subject: [PATCH 10/13] CVE-2019-14902 dsdb: Change basis of descriptor module | ||
977 | deferred processing to be GUIDs | ||
978 | |||
979 | We can not process on the basis of a DN, as the DN may have changed in a rename, | ||
980 | not only that this module can see, but also from repl_meta_data below. | ||
981 | |||
982 | Therefore remove all the complex tree-based change processing, leaving only | ||
983 | a tree-based sort of the possible objects to be changed, and a single | ||
984 | stopped_dn variable containing the DN to stop processing below (after | ||
985 | a no-op change). | ||
986 | |||
987 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497 | ||
988 | |||
989 | Signed-off-by: Andrew Bartlett <abartlet@samba.org> | ||
990 | --- | ||
991 | selftest/knownfail.d/repl_secdesc | 1 - | ||
992 | source4/dsdb/samdb/ldb_modules/acl_util.c | 4 +- | ||
993 | source4/dsdb/samdb/ldb_modules/descriptor.c | 296 +++++++++--------- | ||
994 | .../dsdb/samdb/ldb_modules/repl_meta_data.c | 7 +- | ||
995 | source4/dsdb/samdb/samdb.h | 2 +- | ||
996 | 5 files changed, 156 insertions(+), 154 deletions(-) | ||
997 | delete mode 100644 selftest/knownfail.d/repl_secdesc | ||
998 | |||
999 | diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc | ||
1000 | deleted file mode 100644 | ||
1001 | index 9dd632d99ed..00000000000 | ||
1002 | --- a/selftest/knownfail.d/repl_secdesc | ||
1003 | +++ /dev/null | ||
1004 | @@ -1 +0,0 @@ | ||
1005 | -^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_child_object | ||
1006 | diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c | ||
1007 | index 6d645b10fe2..b9931795e19 100644 | ||
1008 | --- a/source4/dsdb/samdb/ldb_modules/acl_util.c | ||
1009 | +++ b/source4/dsdb/samdb/ldb_modules/acl_util.c | ||
1010 | @@ -286,7 +286,7 @@ uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit) | ||
1011 | |||
1012 | int dsdb_module_schedule_sd_propagation(struct ldb_module *module, | ||
1013 | struct ldb_dn *nc_root, | ||
1014 | - struct ldb_dn *dn, | ||
1015 | + struct GUID guid, | ||
1016 | bool include_self) | ||
1017 | { | ||
1018 | struct ldb_context *ldb = ldb_module_get_ctx(module); | ||
1019 | @@ -299,7 +299,7 @@ int dsdb_module_schedule_sd_propagation(struct ldb_module *module, | ||
1020 | } | ||
1021 | |||
1022 | op->nc_root = nc_root; | ||
1023 | - op->dn = dn; | ||
1024 | + op->guid = guid; | ||
1025 | op->include_self = include_self; | ||
1026 | |||
1027 | ret = dsdb_module_extended(module, op, NULL, | ||
1028 | diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c | ||
1029 | index b9f465fc36f..daa08c2ebc7 100644 | ||
1030 | --- a/source4/dsdb/samdb/ldb_modules/descriptor.c | ||
1031 | +++ b/source4/dsdb/samdb/ldb_modules/descriptor.c | ||
1032 | @@ -46,9 +46,8 @@ | ||
1033 | |||
1034 | struct descriptor_changes { | ||
1035 | struct descriptor_changes *prev, *next; | ||
1036 | - struct descriptor_changes *children; | ||
1037 | struct ldb_dn *nc_root; | ||
1038 | - struct ldb_dn *dn; | ||
1039 | + struct GUID guid; | ||
1040 | bool force_self; | ||
1041 | bool force_children; | ||
1042 | struct ldb_dn *stopped_dn; | ||
1043 | @@ -771,7 +770,8 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req) | ||
1044 | current_attrs, | ||
1045 | DSDB_FLAG_NEXT_MODULE | | ||
1046 | DSDB_FLAG_AS_SYSTEM | | ||
1047 | - DSDB_SEARCH_SHOW_RECYCLED, | ||
1048 | + DSDB_SEARCH_SHOW_RECYCLED | | ||
1049 | + DSDB_SEARCH_SHOW_EXTENDED_DN, | ||
1050 | req); | ||
1051 | if (ret != LDB_SUCCESS) { | ||
1052 | ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not find %s\n", | ||
1053 | @@ -832,7 +832,7 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req) | ||
1054 | user_sd = old_sd; | ||
1055 | } | ||
1056 | |||
1057 | - sd = get_new_descriptor(module, dn, req, | ||
1058 | + sd = get_new_descriptor(module, current_res->msgs[0]->dn, req, | ||
1059 | objectclass, parent_sd, | ||
1060 | user_sd, old_sd, sd_flags); | ||
1061 | if (sd == NULL) { | ||
1062 | @@ -869,18 +869,32 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req) | ||
1063 | return ldb_oom(ldb); | ||
1064 | } | ||
1065 | } else if (cmp_ret != 0) { | ||
1066 | + struct GUID guid; | ||
1067 | struct ldb_dn *nc_root; | ||
1068 | + NTSTATUS status; | ||
1069 | |||
1070 | - ret = dsdb_find_nc_root(ldb, msg, dn, &nc_root); | ||
1071 | + ret = dsdb_find_nc_root(ldb, | ||
1072 | + msg, | ||
1073 | + current_res->msgs[0]->dn, | ||
1074 | + &nc_root); | ||
1075 | if (ret != LDB_SUCCESS) { | ||
1076 | return ldb_oom(ldb); | ||
1077 | } | ||
1078 | |||
1079 | + status = dsdb_get_extended_dn_guid(current_res->msgs[0]->dn, | ||
1080 | + &guid, | ||
1081 | + "GUID"); | ||
1082 | + if (!NT_STATUS_IS_OK(status)) { | ||
1083 | + return ldb_operr(ldb); | ||
1084 | + } | ||
1085 | + | ||
1086 | /* | ||
1087 | * Force SD propagation on children of this record | ||
1088 | */ | ||
1089 | - ret = dsdb_module_schedule_sd_propagation(module, nc_root, | ||
1090 | - dn, false); | ||
1091 | + ret = dsdb_module_schedule_sd_propagation(module, | ||
1092 | + nc_root, | ||
1093 | + guid, | ||
1094 | + false); | ||
1095 | if (ret != LDB_SUCCESS) { | ||
1096 | return ldb_operr(ldb); | ||
1097 | } | ||
1098 | @@ -963,20 +977,31 @@ static int descriptor_rename(struct ldb_module *module, struct ldb_request *req) | ||
1099 | |||
1100 | if (ldb_dn_compare(olddn, newdn) != 0) { | ||
1101 | struct ldb_dn *nc_root; | ||
1102 | + struct GUID guid; | ||
1103 | |||
1104 | ret = dsdb_find_nc_root(ldb, req, newdn, &nc_root); | ||
1105 | if (ret != LDB_SUCCESS) { | ||
1106 | return ldb_oom(ldb); | ||
1107 | } | ||
1108 | |||
1109 | - /* | ||
1110 | - * Force SD propagation on this record (get a new | ||
1111 | - * inherited SD from the potentially new parent | ||
1112 | - */ | ||
1113 | - ret = dsdb_module_schedule_sd_propagation(module, nc_root, | ||
1114 | - newdn, true); | ||
1115 | - if (ret != LDB_SUCCESS) { | ||
1116 | - return ldb_operr(ldb); | ||
1117 | + ret = dsdb_module_guid_by_dn(module, | ||
1118 | + olddn, | ||
1119 | + &guid, | ||
1120 | + req); | ||
1121 | + if (ret == LDB_SUCCESS) { | ||
1122 | + /* | ||
1123 | + * Without disturbing any errors if the olddn | ||
1124 | + * does not exit, force SD propagation on | ||
1125 | + * this record (get a new inherited SD from | ||
1126 | + * the potentially new parent | ||
1127 | + */ | ||
1128 | + ret = dsdb_module_schedule_sd_propagation(module, | ||
1129 | + nc_root, | ||
1130 | + guid, | ||
1131 | + true); | ||
1132 | + if (ret != LDB_SUCCESS) { | ||
1133 | + return ldb_operr(ldb); | ||
1134 | + } | ||
1135 | } | ||
1136 | } | ||
1137 | |||
1138 | @@ -992,9 +1017,7 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module, | ||
1139 | struct ldb_context *ldb = ldb_module_get_ctx(module); | ||
1140 | struct dsdb_extended_sec_desc_propagation_op *op; | ||
1141 | TALLOC_CTX *parent_mem = NULL; | ||
1142 | - struct descriptor_changes *parent_change = NULL; | ||
1143 | struct descriptor_changes *c; | ||
1144 | - int ret; | ||
1145 | |||
1146 | op = talloc_get_type(req->op.extended.data, | ||
1147 | struct dsdb_extended_sec_desc_propagation_op); | ||
1148 | @@ -1011,32 +1034,6 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module, | ||
1149 | |||
1150 | parent_mem = descriptor_private->trans_mem; | ||
1151 | |||
1152 | - for (c = descriptor_private->changes; c; c = c->next) { | ||
1153 | - ret = ldb_dn_compare(c->nc_root, op->nc_root); | ||
1154 | - if (ret != 0) { | ||
1155 | - continue; | ||
1156 | - } | ||
1157 | - | ||
1158 | - ret = ldb_dn_compare(c->dn, op->dn); | ||
1159 | - if (ret == 0) { | ||
1160 | - if (op->include_self) { | ||
1161 | - c->force_self = true; | ||
1162 | - } else { | ||
1163 | - c->force_children = true; | ||
1164 | - } | ||
1165 | - return ldb_module_done(req, NULL, NULL, LDB_SUCCESS); | ||
1166 | - } | ||
1167 | - | ||
1168 | - ret = ldb_dn_compare_base(c->dn, op->dn); | ||
1169 | - if (ret != 0) { | ||
1170 | - continue; | ||
1171 | - } | ||
1172 | - | ||
1173 | - parent_mem = c; | ||
1174 | - parent_change = c; | ||
1175 | - break; | ||
1176 | - } | ||
1177 | - | ||
1178 | c = talloc_zero(parent_mem, struct descriptor_changes); | ||
1179 | if (c == NULL) { | ||
1180 | return ldb_module_oom(module); | ||
1181 | @@ -1045,21 +1042,14 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module, | ||
1182 | if (c->nc_root == NULL) { | ||
1183 | return ldb_module_oom(module); | ||
1184 | } | ||
1185 | - c->dn = ldb_dn_copy(c, op->dn); | ||
1186 | - if (c->dn == NULL) { | ||
1187 | - return ldb_module_oom(module); | ||
1188 | - } | ||
1189 | + c->guid = op->guid; | ||
1190 | if (op->include_self) { | ||
1191 | c->force_self = true; | ||
1192 | } else { | ||
1193 | c->force_children = true; | ||
1194 | } | ||
1195 | |||
1196 | - if (parent_change != NULL) { | ||
1197 | - DLIST_ADD_END(parent_change->children, c); | ||
1198 | - } else { | ||
1199 | - DLIST_ADD_END(descriptor_private->changes, c); | ||
1200 | - } | ||
1201 | + DLIST_ADD_END(descriptor_private->changes, c); | ||
1202 | |||
1203 | return ldb_module_done(req, NULL, NULL, LDB_SUCCESS); | ||
1204 | } | ||
1205 | @@ -1179,41 +1169,75 @@ static int descriptor_sd_propagation_msg_sort(struct ldb_message **m1, | ||
1206 | return ldb_dn_compare(dn2, dn1); | ||
1207 | } | ||
1208 | |||
1209 | -static int descriptor_sd_propagation_dn_sort(struct ldb_dn *dn1, | ||
1210 | - struct ldb_dn *dn2) | ||
1211 | -{ | ||
1212 | - /* | ||
1213 | - * This sorts in tree order, parents first | ||
1214 | - */ | ||
1215 | - return ldb_dn_compare(dn2, dn1); | ||
1216 | -} | ||
1217 | - | ||
1218 | static int descriptor_sd_propagation_recursive(struct ldb_module *module, | ||
1219 | struct descriptor_changes *change) | ||
1220 | { | ||
1221 | - struct ldb_context *ldb = ldb_module_get_ctx(module); | ||
1222 | + struct ldb_result *guid_res = NULL; | ||
1223 | struct ldb_result *res = NULL; | ||
1224 | unsigned int i; | ||
1225 | const char * const no_attrs[] = { "@__NONE__", NULL }; | ||
1226 | - struct descriptor_changes *c; | ||
1227 | - struct descriptor_changes *stopped_stack = NULL; | ||
1228 | - enum ldb_scope scope; | ||
1229 | + struct ldb_dn *stopped_dn = NULL; | ||
1230 | + struct GUID_txt_buf guid_buf; | ||
1231 | int ret; | ||
1232 | + bool stop = false; | ||
1233 | |||
1234 | /* | ||
1235 | - * First confirm this object has children, or exists (depending on change->force_self) | ||
1236 | + * First confirm this object has children, or exists | ||
1237 | + * (depending on change->force_self) | ||
1238 | * | ||
1239 | * LDB_SCOPE_SUBTREE searches are expensive. | ||
1240 | * | ||
1241 | - * Note: that we do not search for deleted/recycled objects | ||
1242 | - * | ||
1243 | * We know this is safe against a rename race as we are in the | ||
1244 | * prepare_commit(), so must be in a transaction. | ||
1245 | */ | ||
1246 | + | ||
1247 | + /* Find the DN by GUID, as this is stable under rename */ | ||
1248 | + ret = dsdb_module_search(module, | ||
1249 | + change, | ||
1250 | + &guid_res, | ||
1251 | + change->nc_root, | ||
1252 | + LDB_SCOPE_SUBTREE, | ||
1253 | + no_attrs, | ||
1254 | + DSDB_FLAG_NEXT_MODULE | | ||
1255 | + DSDB_FLAG_AS_SYSTEM | | ||
1256 | + DSDB_SEARCH_SHOW_DELETED | | ||
1257 | + DSDB_SEARCH_SHOW_RECYCLED, | ||
1258 | + NULL, /* parent_req */ | ||
1259 | + "(objectGUID=%s)", | ||
1260 | + GUID_buf_string(&change->guid, | ||
1261 | + &guid_buf)); | ||
1262 | + | ||
1263 | + if (ret != LDB_SUCCESS) { | ||
1264 | + return ret; | ||
1265 | + } | ||
1266 | + | ||
1267 | + if (guid_res->count != 1) { | ||
1268 | + /* | ||
1269 | + * We were just given this GUID during the same | ||
1270 | + * transaction, if it is missing this is a big | ||
1271 | + * problem. | ||
1272 | + * | ||
1273 | + * Cleanup of tombstones does not trigger this module | ||
1274 | + * as it just does a delete. | ||
1275 | + */ | ||
1276 | + ldb_asprintf_errstring(ldb_module_get_ctx(module), | ||
1277 | + "failed to find GUID %s under %s " | ||
1278 | + "for transaction-end SD inheritance: %d results", | ||
1279 | + GUID_buf_string(&change->guid, | ||
1280 | + &guid_buf), | ||
1281 | + ldb_dn_get_linearized(change->nc_root), | ||
1282 | + guid_res->count); | ||
1283 | + return LDB_ERR_OPERATIONS_ERROR; | ||
1284 | + } | ||
1285 | + | ||
1286 | + /* | ||
1287 | + * OK, so there was a parent, are there children? Note: that | ||
1288 | + * this time we do not search for deleted/recycled objects | ||
1289 | + */ | ||
1290 | ret = dsdb_module_search(module, | ||
1291 | change, | ||
1292 | &res, | ||
1293 | - change->dn, | ||
1294 | + guid_res->msgs[0]->dn, | ||
1295 | LDB_SCOPE_ONELEVEL, | ||
1296 | no_attrs, | ||
1297 | DSDB_FLAG_NEXT_MODULE | | ||
1298 | @@ -1221,26 +1245,55 @@ static int descriptor_sd_propagation_recursive(struct ldb_module *module, | ||
1299 | NULL, /* parent_req */ | ||
1300 | "(objectClass=*)"); | ||
1301 | if (ret != LDB_SUCCESS) { | ||
1302 | + /* | ||
1303 | + * LDB_ERR_NO_SUCH_OBJECT, say if the DN was a deleted | ||
1304 | + * object, is ignored by the caller | ||
1305 | + */ | ||
1306 | return ret; | ||
1307 | } | ||
1308 | |||
1309 | if (res->count == 0 && !change->force_self) { | ||
1310 | + /* All done, no children */ | ||
1311 | TALLOC_FREE(res); | ||
1312 | return LDB_SUCCESS; | ||
1313 | - } else if (res->count == 0 && change->force_self) { | ||
1314 | - scope = LDB_SCOPE_BASE; | ||
1315 | - } else { | ||
1316 | - scope = LDB_SCOPE_SUBTREE; | ||
1317 | } | ||
1318 | |||
1319 | /* | ||
1320 | + * First, if we are in force_self mode (eg renamed under new | ||
1321 | + * parent) then apply the SD to the top object | ||
1322 | + */ | ||
1323 | + if (change->force_self) { | ||
1324 | + ret = descriptor_sd_propagation_object(module, | ||
1325 | + guid_res->msgs[0], | ||
1326 | + &stop); | ||
1327 | + if (ret != LDB_SUCCESS) { | ||
1328 | + TALLOC_FREE(guid_res); | ||
1329 | + return ret; | ||
1330 | + } | ||
1331 | + | ||
1332 | + if (stop == true && !change->force_children) { | ||
1333 | + /* There was no change, nothing more to do */ | ||
1334 | + TALLOC_FREE(guid_res); | ||
1335 | + return LDB_SUCCESS; | ||
1336 | + } | ||
1337 | + | ||
1338 | + if (res->count == 0) { | ||
1339 | + /* All done! */ | ||
1340 | + TALLOC_FREE(guid_res); | ||
1341 | + return LDB_SUCCESS; | ||
1342 | + } | ||
1343 | + } | ||
1344 | + | ||
1345 | + /* | ||
1346 | + * Look for children | ||
1347 | + * | ||
1348 | * Note: that we do not search for deleted/recycled objects | ||
1349 | */ | ||
1350 | ret = dsdb_module_search(module, | ||
1351 | change, | ||
1352 | &res, | ||
1353 | - change->dn, | ||
1354 | - scope, | ||
1355 | + guid_res->msgs[0]->dn, | ||
1356 | + LDB_SCOPE_SUBTREE, | ||
1357 | no_attrs, | ||
1358 | DSDB_FLAG_NEXT_MODULE | | ||
1359 | DSDB_FLAG_AS_SYSTEM, | ||
1360 | @@ -1253,90 +1306,39 @@ static int descriptor_sd_propagation_recursive(struct ldb_module *module, | ||
1361 | TYPESAFE_QSORT(res->msgs, res->count, | ||
1362 | descriptor_sd_propagation_msg_sort); | ||
1363 | |||
1364 | - for (c = change->children; c; c = c->next) { | ||
1365 | - struct ldb_message *msg = NULL; | ||
1366 | - | ||
1367 | - BINARY_ARRAY_SEARCH_P(res->msgs, res->count, dn, c->dn, | ||
1368 | - descriptor_sd_propagation_dn_sort, | ||
1369 | - msg); | ||
1370 | - | ||
1371 | - if (msg == NULL) { | ||
1372 | - ldb_debug(ldb, LDB_DEBUG_WARNING, | ||
1373 | - "descriptor_sd_propagation_recursive: " | ||
1374 | - "%s not found under %s", | ||
1375 | - ldb_dn_get_linearized(c->dn), | ||
1376 | - ldb_dn_get_linearized(change->dn)); | ||
1377 | - continue; | ||
1378 | - } | ||
1379 | - | ||
1380 | - msg->elements = (struct ldb_message_element *)c; | ||
1381 | - } | ||
1382 | - | ||
1383 | - DLIST_ADD(stopped_stack, change); | ||
1384 | - | ||
1385 | - if (change->force_self) { | ||
1386 | - i = 0; | ||
1387 | - } else { | ||
1388 | - i = 1; | ||
1389 | - } | ||
1390 | - | ||
1391 | - for (; i < res->count; i++) { | ||
1392 | - struct descriptor_changes *cur; | ||
1393 | - bool stop = false; | ||
1394 | - | ||
1395 | - cur = talloc_get_type(res->msgs[i]->elements, | ||
1396 | - struct descriptor_changes); | ||
1397 | - res->msgs[i]->elements = NULL; | ||
1398 | - res->msgs[i]->num_elements = 0; | ||
1399 | - | ||
1400 | - if (cur != NULL) { | ||
1401 | - DLIST_REMOVE(change->children, cur); | ||
1402 | - } else if (i == 0) { | ||
1403 | + /* We start from 1, the top object has been done */ | ||
1404 | + for (i = 1; i < res->count; i++) { | ||
1405 | + /* | ||
1406 | + * ldb_dn_compare_base() does not match for NULL but | ||
1407 | + * this is clearer | ||
1408 | + */ | ||
1409 | + if (stopped_dn != NULL) { | ||
1410 | + ret = ldb_dn_compare_base(stopped_dn, | ||
1411 | + res->msgs[i]->dn); | ||
1412 | /* | ||
1413 | - * in the change->force_self case | ||
1414 | - * res->msgs[0]->elements was not overwritten, | ||
1415 | - * so set cur here | ||
1416 | + * Skip further processing of this | ||
1417 | + * sub-subtree | ||
1418 | */ | ||
1419 | - cur = change; | ||
1420 | - } | ||
1421 | - | ||
1422 | - for (c = stopped_stack; c; c = stopped_stack) { | ||
1423 | - ret = ldb_dn_compare_base(c->dn, | ||
1424 | - res->msgs[i]->dn); | ||
1425 | - if (ret == 0) { | ||
1426 | - break; | ||
1427 | - } | ||
1428 | - | ||
1429 | - c->stopped_dn = NULL; | ||
1430 | - DLIST_REMOVE(stopped_stack, c); | ||
1431 | - } | ||
1432 | - | ||
1433 | - if (cur != NULL) { | ||
1434 | - DLIST_ADD(stopped_stack, cur); | ||
1435 | - } | ||
1436 | - | ||
1437 | - if (stopped_stack->stopped_dn != NULL) { | ||
1438 | - ret = ldb_dn_compare_base(stopped_stack->stopped_dn, | ||
1439 | - res->msgs[i]->dn); | ||
1440 | if (ret == 0) { | ||
1441 | continue; | ||
1442 | } | ||
1443 | - stopped_stack->stopped_dn = NULL; | ||
1444 | } | ||
1445 | - | ||
1446 | - ret = descriptor_sd_propagation_object(module, res->msgs[i], | ||
1447 | + ret = descriptor_sd_propagation_object(module, | ||
1448 | + res->msgs[i], | ||
1449 | &stop); | ||
1450 | if (ret != LDB_SUCCESS) { | ||
1451 | return ret; | ||
1452 | } | ||
1453 | |||
1454 | - if (cur != NULL && cur->force_children) { | ||
1455 | - continue; | ||
1456 | - } | ||
1457 | - | ||
1458 | if (stop) { | ||
1459 | - stopped_stack->stopped_dn = res->msgs[i]->dn; | ||
1460 | - continue; | ||
1461 | + /* | ||
1462 | + * If this child didn't change, then nothing | ||
1463 | + * under it needs to change | ||
1464 | + * | ||
1465 | + * res has been sorted into tree order so the | ||
1466 | + * next few entries can be skipped | ||
1467 | + */ | ||
1468 | + stopped_dn = res->msgs[i]->dn; | ||
1469 | } | ||
1470 | } | ||
1471 | |||
1472 | diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c | ||
1473 | index e67c3b0281e..a2a6bcc98f3 100644 | ||
1474 | --- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c | ||
1475 | +++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c | ||
1476 | @@ -5538,7 +5538,8 @@ static int replmd_replicated_apply_add(struct replmd_replicated_request *ar) | ||
1477 | */ | ||
1478 | ret = dsdb_module_schedule_sd_propagation(ar->module, | ||
1479 | ar->objs->partition_dn, | ||
1480 | - msg->dn, true); | ||
1481 | + ar->objs->objects[ar->index_current].object_guid, | ||
1482 | + true); | ||
1483 | if (ret != LDB_SUCCESS) { | ||
1484 | return replmd_replicated_request_error(ar, ret); | ||
1485 | } | ||
1486 | @@ -6323,7 +6324,7 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar) | ||
1487 | */ | ||
1488 | ret = dsdb_module_schedule_sd_propagation(ar->module, | ||
1489 | ar->objs->partition_dn, | ||
1490 | - msg->dn, | ||
1491 | + ar->objs->objects[ar->index_current].object_guid, | ||
1492 | true); | ||
1493 | if (ret != LDB_SUCCESS) { | ||
1494 | return ldb_operr(ldb); | ||
1495 | @@ -6343,7 +6344,7 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar) | ||
1496 | */ | ||
1497 | ret = dsdb_module_schedule_sd_propagation(ar->module, | ||
1498 | ar->objs->partition_dn, | ||
1499 | - msg->dn, | ||
1500 | + ar->objs->objects[ar->index_current].object_guid, | ||
1501 | false); | ||
1502 | if (ret != LDB_SUCCESS) { | ||
1503 | return ldb_operr(ldb); | ||
1504 | diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h | ||
1505 | index e1b0e4aa4e3..3f47b863a83 100644 | ||
1506 | --- a/source4/dsdb/samdb/samdb.h | ||
1507 | +++ b/source4/dsdb/samdb/samdb.h | ||
1508 | @@ -338,7 +338,7 @@ struct dsdb_extended_allocate_rid { | ||
1509 | #define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID "1.3.6.1.4.1.7165.4.4.7" | ||
1510 | struct dsdb_extended_sec_desc_propagation_op { | ||
1511 | struct ldb_dn *nc_root; | ||
1512 | - struct ldb_dn *dn; | ||
1513 | + struct GUID guid; | ||
1514 | bool include_self; | ||
1515 | }; | ||
1516 | |||
1517 | -- | ||
1518 | 2.17.1 | ||
1519 | |||
1520 | |||
1521 | From 030fa9e5455125e30b71c90be80baadb657d8993 Mon Sep 17 00:00:00 2001 | ||
1522 | From: Noel Power <noel.power@suse.com> | ||
1523 | Date: Fri, 24 May 2019 13:37:00 +0000 | ||
1524 | Subject: [PATCH 11/13] CVE-2019-14907 lib/util/charset: clang: Fix Value | ||
1525 | stored to 'reason' is never read warning | ||
1526 | |||
1527 | Fixes: | ||
1528 | |||
1529 | lib/util/charset/convert_string.c:301:5: warning: Value stored to 'reason' is never read <--[clang] | ||
1530 | |||
1531 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=14208 | ||
1532 | |||
1533 | Signed-off-by: Noel Power <noel.power@suse.com> | ||
1534 | Reviewed-by: Gary Lockyer gary@catalyst.net.nz | ||
1535 | (cherry picked from commit add47e288bc80c1bf45765d1588a9fa5998ea677) | ||
1536 | --- | ||
1537 | lib/util/charset/convert_string.c | 8 ++++---- | ||
1538 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
1539 | |||
1540 | diff --git a/lib/util/charset/convert_string.c b/lib/util/charset/convert_string.c | ||
1541 | index 196302aacfd..34facab6fe6 100644 | ||
1542 | --- a/lib/util/charset/convert_string.c | ||
1543 | +++ b/lib/util/charset/convert_string.c | ||
1544 | @@ -300,13 +300,13 @@ bool convert_string_handle(struct smb_iconv_handle *ic, | ||
1545 | { | ||
1546 | reason="No more room"; | ||
1547 | if (from == CH_UNIX) { | ||
1548 | - DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s'\n", | ||
1549 | + DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s' error: %s\n", | ||
1550 | charset_name(ic, from), charset_name(ic, to), | ||
1551 | - (unsigned int)srclen, (unsigned int)destlen, (const char *)src)); | ||
1552 | + (unsigned int)srclen, (unsigned int)destlen, (const char *)src, reason)); | ||
1553 | } else { | ||
1554 | - DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u\n", | ||
1555 | + DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n", | ||
1556 | charset_name(ic, from), charset_name(ic, to), | ||
1557 | - (unsigned int)srclen, (unsigned int)destlen)); | ||
1558 | + (unsigned int)srclen, (unsigned int)destlen, reason)); | ||
1559 | } | ||
1560 | break; | ||
1561 | } | ||
1562 | -- | ||
1563 | 2.17.1 | ||
1564 | |||
1565 | |||
1566 | From ad0e68d354ad33c577dbf146fc4a1b8254857558 Mon Sep 17 00:00:00 2001 | ||
1567 | From: Andrew Bartlett <abartlet@samba.org> | ||
1568 | Date: Fri, 29 Nov 2019 20:58:47 +1300 | ||
1569 | Subject: [PATCH 12/13] CVE-2019-14907 lib/util: Do not print the failed to | ||
1570 | convert string into the logs | ||
1571 | MIME-Version: 1.0 | ||
1572 | Content-Type: text/plain; charset=UTF-8 | ||
1573 | Content-Transfer-Encoding: 8bit | ||
1574 | |||
1575 | The string may be in another charset, or may be sensitive and | ||
1576 | certainly may not be terminated. It is not safe to just print. | ||
1577 | |||
1578 | Found by Robert Święcki using a fuzzer he wrote for smbd. | ||
1579 | |||
1580 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=14208 | ||
1581 | Signed-off-by: Andrew Bartlett <abartlet@samba.org> | ||
1582 | |||
1583 | (adapted from master commit) | ||
1584 | --- | ||
1585 | lib/util/charset/convert_string.c | 33 +++++++++++++++++-------------- | ||
1586 | 1 file changed, 18 insertions(+), 15 deletions(-) | ||
1587 | |||
1588 | diff --git a/lib/util/charset/convert_string.c b/lib/util/charset/convert_string.c | ||
1589 | index 34facab6fe6..b546e056953 100644 | ||
1590 | --- a/lib/util/charset/convert_string.c | ||
1591 | +++ b/lib/util/charset/convert_string.c | ||
1592 | @@ -293,31 +293,31 @@ bool convert_string_handle(struct smb_iconv_handle *ic, | ||
1593 | switch(errno) { | ||
1594 | case EINVAL: | ||
1595 | reason="Incomplete multibyte sequence"; | ||
1596 | - DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n", | ||
1597 | - reason, (const char *)src)); | ||
1598 | + DBG_NOTICE("Conversion error: %s\n", | ||
1599 | + reason); | ||
1600 | break; | ||
1601 | case E2BIG: | ||
1602 | { | ||
1603 | reason="No more room"; | ||
1604 | if (from == CH_UNIX) { | ||
1605 | - DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s' error: %s\n", | ||
1606 | - charset_name(ic, from), charset_name(ic, to), | ||
1607 | - (unsigned int)srclen, (unsigned int)destlen, (const char *)src, reason)); | ||
1608 | + DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n", | ||
1609 | + charset_name(ic, from), charset_name(ic, to), | ||
1610 | + (unsigned int)srclen, (unsigned int)destlen, reason); | ||
1611 | } else { | ||
1612 | - DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n", | ||
1613 | - charset_name(ic, from), charset_name(ic, to), | ||
1614 | - (unsigned int)srclen, (unsigned int)destlen, reason)); | ||
1615 | + DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n", | ||
1616 | + charset_name(ic, from), charset_name(ic, to), | ||
1617 | + (unsigned int)srclen, (unsigned int)destlen, reason); | ||
1618 | } | ||
1619 | break; | ||
1620 | } | ||
1621 | case EILSEQ: | ||
1622 | reason="Illegal multibyte sequence"; | ||
1623 | - DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n", | ||
1624 | - reason, (const char *)src)); | ||
1625 | + DBG_NOTICE("convert_string_internal: Conversion error: %s\n", | ||
1626 | + reason); | ||
1627 | break; | ||
1628 | default: | ||
1629 | - DEBUG(0,("convert_string_internal: Conversion error: %s(%s)\n", | ||
1630 | - reason, (const char *)src)); | ||
1631 | + DBG_ERR("convert_string_internal: Conversion error: %s\n", | ||
1632 | + reason); | ||
1633 | break; | ||
1634 | } | ||
1635 | /* smb_panic(reason); */ | ||
1636 | @@ -427,16 +427,19 @@ bool convert_string_talloc_handle(TALLOC_CTX *ctx, struct smb_iconv_handle *ic, | ||
1637 | switch(errno) { | ||
1638 | case EINVAL: | ||
1639 | reason="Incomplete multibyte sequence"; | ||
1640 | - DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf)); | ||
1641 | + DBG_NOTICE("Conversion error: %s\n", | ||
1642 | + reason); | ||
1643 | break; | ||
1644 | case E2BIG: | ||
1645 | goto convert; | ||
1646 | case EILSEQ: | ||
1647 | reason="Illegal multibyte sequence"; | ||
1648 | - DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf)); | ||
1649 | + DBG_NOTICE("Conversion error: %s\n", | ||
1650 | + reason); | ||
1651 | break; | ||
1652 | default: | ||
1653 | - DEBUG(0,("Conversion error: %s(%s)\n",reason,inbuf)); | ||
1654 | + DBG_ERR("Conversion error: %s\n", | ||
1655 | + reason); | ||
1656 | break; | ||
1657 | } | ||
1658 | /* smb_panic(reason); */ | ||
1659 | -- | ||
1660 | 2.17.1 | ||
1661 | |||
1662 | |||