From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 27 Feb 2016 03:43:58 +0100
Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
docs-xml/smbdotconf/security/clientipcsigning.xml | 23 +++++++++++++++++++++++
docs-xml/smbdotconf/security/clientsigning.xml | 3 +++
source3/include/proto.h | 1 +
source3/param/loadparm.c | 12 ++++++++++++
4 files changed, 39 insertions(+)
create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientipcsigning.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="client ipc signing"
+ context="G"
+ type="enum"
+ enumlist="enum_smb_signing_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This controls whether the client is allowed or required to use SMB signing for IPC$
+ connections as DCERPC transport inside of winbind. Possible values
+ are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
+ and <emphasis>disabled</emphasis>.
+ </para>
+
+ <para>When set to auto, SMB signing is offered, but not enforced and if set
+ to disabled, SMB signing is not offered either.</para>
+
+ <para>Connections from winbindd to Active Directory Domain Controllers
+ always enforce signing.</para>
+</description>
+
+<related>client signing</related>
+
+<value type="default">mandatory</value>
+</samba:parameter>
--- a/docs-xml/smbdotconf/security/clientsigning.xml
+++ b/docs-xml/smbdotconf/security/clientsigning.xml
@@ -12,6 +12,9 @@
<para>When set to auto, SMB signing is offered, but not enforced.
When set to mandatory, SMB signing is required and if set
to disabled, SMB signing is not offered either.
+
+ <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
+ <smbconfoption name="client ipc signing"/> option.</para>
</para>
</description>
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1690,9 +1690,11 @@ int lp_winbind_cache_time(void);
int lp_winbind_reconnect_delay(void);
int lp_winbind_max_clients(void);
const char **lp_winbind_nss_info(void);
+bool lp_winbind_sealed_pipes(void);
int lp_algorithmic_rid_base(void);
int lp_name_cache_timeout(void);
int lp_client_signing(void);
+int lp_client_ipc_signing(void);
int lp_server_signing(void);
int lp_client_ldap_sasl_wrapping(void);
char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def);
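Review bot: The patch header no longer describes this body: the diffstat says `source3/include/proto.h | 1 +` and "4 files changed, 39 insertions(+)", yet this hunk adds two prototypes (`lp_winbind_sealed_pipes` and `lp_client_ipc_signing`), and the body also touches srv_spoolss_nt.c, winbindd_cm.c and a new winbindsealedpipes.xml that neither the stat nor the subject ("add "client ipc signing" option") mention. This looks like several upstream commits squashed into one mail. Either regenerate the header with `git format-patch` so the stat and message match what is applied, or split the sealed-pipes and spoolss changes back into their own patches so the CVE-2016-2115 review trail stays accurate.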
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -215,6 +215,7 @@ struct global {
int winbind_expand_groups;
bool bWinbindRefreshTickets;
bool bWinbindOfflineLogon;
+ bool bWinbindSealedPipes;
bool bWinbindNormalizeNames;
bool bWinbindRpcOnly;
bool bCreateKrb5Conf;
@@ -366,6 +367,7 @@ struct global {
int restrict_anonymous;
int name_cache_timeout;
int client_signing;
+ int client_ipc_signing;
int server_signing;
int client_ldap_sasl_wrapping;
int iUsershareMaxShares;
@@ -2319,6 +2321,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "client ipc signing",
+ .type = P_ENUM,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.client_ipc_signing,
+ .special = NULL,
+ .enum_list = enum_smb_signing_vals,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "server signing",
.type = P_ENUM,
.p_class = P_GLOBAL,
@@ -4765,6 +4776,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "winbind sealed pipes",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.bWinbindSealedPipes,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "winbind normalize names",
.type = P_BOOL,
.p_class = P_GLOBAL,
@@ -5458,6 +5478,7 @@ static void init_globals(bool reinit_glo
Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL);
Globals.bWinbindRefreshTickets = False;
Globals.bWinbindOfflineLogon = False;
+ Globals.bWinbindSealedPipes = True;
Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */
Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */
@@ -5470,6 +5491,7 @@ static void init_globals(bool reinit_glo
Globals.bClientUseSpnego = True;
Globals.client_signing = Auto;
+ Globals.client_ipc_signing = Required;
Globals.server_signing = False;
Globals.bDeferSharingViolations = True;
@@ -5736,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups,
FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups)
FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
+FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes)
FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
@@ -6071,6 +6094,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Glo
FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase)
FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing)
+FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing)
FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing)
FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping)
@@ -9700,6 +9724,20 @@ static bool lp_load_ex(const char *pszFn
lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1");
}
+ if (!lp_is_in_client()) {
+ switch (lp_client_ipc_signing()) {
+ case Required:
+ lp_set_cmdline("client signing", "mandatory");
+ break;
+ case Auto:
+ lp_set_cmdline("client signing", "auto");
+ break;
+ case False:
+ lp_set_cmdline("client signing", "disabled");
+ break;
+ }
+ }
+
init_iconv();
bAllowIncludeRegistry = true;
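Review bot: The new `switch (lp_client_ipc_signing())` has no `default:` branch, so any enum_smb_signing_vals entry other than `Required`, `Auto` and `False` (the list is not in this hunk; if it maps some alias such as "yes" to a different value, that value lands here) leaves "client signing" untouched and the IPC$ hardening silently does not apply. Since the documented default is mandatory, a safe fallback is `default: lp_set_cmdline("client signing", "mandatory"); break;`, or at minimum a `DEBUG(0, ...)` naming the unexpected value. A one-line comment above the block would also help, stating that `lp_set_cmdline` is used presumably so a later smb.conf reload cannot undo the override, as that is not obvious from the call. lp_load_ex starts and ends outside the hunk.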
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(st
"", /* username */
"", /* domain */
"", /* password */
- 0, lp_client_signing());
+ 0, False);
if ( !NT_STATUS_IS_OK( ret ) ) {
DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n",
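Review bot: The signing policy for the connection back to the print client is now the bare literal `False` with no comment, so the next reader cannot tell whether replacing `lp_client_signing()` is a deliberate consequence of the "client signing" override in lp_load_ex (which would otherwise force mandatory signing on every client-side connection smbd makes) or an accident; this file is also absent from the patch's diffstat. Please put the reason on the line, e.g. `0, False); /* notify callbacks to print clients do not use the IPC$ signing policy */`, worded to whatever actually holds. The call starts outside the hunk, so the position of this argument (presumably the signing-state parameter) should be checked against the callee's prototype.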
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="winbind sealed pipes"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether any requests from winbindd to domain controllers
+ pipe will be sealed. Disabling sealing can be useful for debugging
+ purposes.</para>
+
+ <para>The behavior can be controlled per netbios domain
+ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_
TALLOC_FREE(conn->samr_pipe);
anonymous:
+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+ status = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' "
+ "to proceed: %s\n",
+ domain->name, nt_errstr(status)));
+ goto done;
+ }
/* Finally fall back to anonymous. */
status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
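Review bot: The refusal consults only the global `lp_winbind_sealed_pipes()`, but the winbindsealedpipes.xml added in this same patch documents a per-domain override ("winbind sealed pipes:NETBIOSDOMAIN = no"); unless that lookup happens somewhere outside these hunks, the documented knob has no effect and an admin who disables sealing for one domain still gets NT_STATUS_DOWNGRADE_DETECTED. The usual source3 form is `bool sealed = lp_parm_bool(-1, "winbind sealed pipes", domain->name, lp_winbind_sealed_pipes());` followed by `if (sealed && (IS_DC || domain->primary)) {`. The same block is repeated in the cm_connect_lsa and cm_connect_netlogon hunks below, so a small static helper taking the pipe name and returning the status would keep the three copies and the per-domain lookup from drifting. A comment on why trusted domains of a member server (`!IS_DC && !domain->primary`) keep the anonymous fallback would also help, since that exemption is presumably deliberate but is not evident from the condition.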
@@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_
anonymous:
+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' "
+ "to proceed: %s\n",
+ domain->name, nt_errstr(result)));
+ goto done;
+ }
+
result = cli_rpc_pipe_open_noauth(conn->cli,
&ndr_table_lsarpc.syntax_id,
&conn->lsa_pipe);
@@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winb
no_schannel:
if ((lp_client_schannel() == False) ||
- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+ ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' "
+ "to proceed: %s\n",
+ domain->name, nt_errstr(result)));
+ TALLOC_FREE(netlogon_pipe);
+ invalidate_cm_connection(conn);
+ return result;
+ }
/*
* NetSamLogonEx only works for schannel
*/
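Review bot: The failure path here differs from the SAMR and LSA copies: it calls `TALLOC_FREE(netlogon_pipe)` and `invalidate_cm_connection(conn)` and returns directly, while the other two `goto done`; whether `done:` in those functions also invalidates the connection is outside the hunks, so the three refusals may leave conn in different states. Either align them or add a comment stating why netlogon needs the full invalidation. Note also that this branch is reached when `lp_client_schannel() == False`, so an explicit `client schannel = no` on a DC or for the primary domain now fails with NT_STATUS_DOWNGRADE_DETECTED, yet the DEBUG text only names "winbind sealed pipes"; mentioning `client schannel` in the message would save an admin a confusing search.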