Age | Commit message | Author | Files | Lines
2009-06-06 | mount.cifs: properly check for mount being in fstab when running setuid root (try#3) | Jeff Layton | 1 | -40/+162
This is the third attempt to clean up the checks when a setuid mount.cifs is run by an unprivileged user. The main difference in this patch from the last one is that it fixes a bug where the mount might have failed unnecessarily if CIFS_LEGACY_SETUID_CHECK was set.

When mount.cifs is installed setuid root and run as an unprivileged user, it does some checks to limit how the mount is used. It checks that the mountpoint is owned by the user doing the mount. These checks however do not match those that /bin/mount does when it is called by an unprivileged user. When /bin/mount is called by an unprivileged user to do a mount, it checks that the mount in question is in /etc/fstab, that it has the "user" option set, etc.

This means that it's currently not possible to set up user mounts the standard way (by the admin, in /etc/fstab) and simultaneously protect from an unprivileged user calling mount.cifs directly to mount a share on any directory that that user owns.

Fix this by making the checks in mount.cifs match those of /bin/mount itself. This is a necessary step to make mount.cifs safe to be installed as a setuid binary, but not sufficient. For that, we'd need to give mount.cifs a proper security audit.

Since some users may be depending on the legacy behavior, this patch also adds the ability to build mount.cifs with the older behavior.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-06-07 | s3-samr: fix _QueryDisplayInformation r->out.returned_size. | Günther Deschner | 1 | -1/+1
*r->out.returned_size needs to be 0 if nothing was enumerated. Found by RPC-SAMR torture test. Guenther
2009-06-07 | s3-samr: remove total_data_size variable in _samr_QueryDisplayInfo. | Günther Deschner | 1 | -5/+2
Guenther
2009-06-07 | s3-samr: let _samr_SetGroupInfo level 3 just pass with success. | Günther Deschner | 1 | -0/+2
Guenther
2009-06-07 | s3-samr: _samr_EnumDomain{Users,Groups} need to return an empty array even for builtin domain. | Günther Deschner | 1 | -12/+12
Found by RPC-SAMR torture test. Guenther
2009-06-07 | s4-smbtorture: skip samr MultipleMember alias tests for 3 as well as we do already for s4. | Günther Deschner | 1 | -2/+3
Guenther
2009-06-07 | s3-samr: cosmetic fixes for _samr_QueryDisplayInfo. | Günther Deschner | 1 | -20/+18
use the variables of the struct samr_QueryDisplayInfo directly to make it easier to track where variables are defined from. Guenther
2009-06-06 | testsuite/nsswitch/get{gr,pw}ent_r.c(dump_{gr,pw}ent): fixed wrong condition. | Slava Semushin | 2 | -2/+2
When fopen() fails it returns NULL, so the condition where the return value is less than zero never evaluated to true. Found by cppcheck.
2009-06-06 | lib/tdb/tools/tdbtorture.c: fixed memory leak. | Slava Semushin | 1 | -0/+2
Found by cppcheck: [lib/tdb/tools/tdbtorture.c:326]: (error) Memory leak: pids
2009-06-06 | s3/docs: Fix example. | Karolin Seeger | 1 | -2/+2
The 'ldap suffix' is not added automatically to the 'ldap admin dn'. This fixes bug #5584. Thanks to Stefan Bauer <stefan.bauer [at] plzk.de> for reporting! Karolin
2009-06-06 | Attempt to fix the build without system-ldap. | Volker Lendecke | 1 | -1/+1
I really tried, but I knew I would miss something... :-)
2009-06-06 | s3/passdb: Fix debug message: 'net setmaxrid' does not exist. | Karolin Seeger | 1 | -2/+2
This is aimed at bug #6351. Karolin
2009-06-06 | Add an early prototype of pdb_ads.c. | Volker Lendecke | 3 | -1/+1290
The purpose of this module is to connect to a locally running samba4 ldap server for an alternative "Franky" setup. Right now it contains a couple of gross hacks: For example it just takes the s4-chosen RID directly as uid/gid... Checking in tldap and pdb_ads now, I think 3777 insertions are enough for a start...
2009-06-06 | Allow access as SYSTEM on a privileged ldapi connection | Volker Lendecke | 1 | -13/+83
This patch creates ldap_priv/ as a subdirectory under the private dir with the appropriate permissions to only allow the same access as the privileged winbind socket allows. Connecting to ldap_priv/ldapi gives SYSTEM access to the ldap database.
2009-06-06 | Add some samba-style tldap utility functions | Volker Lendecke | 4 | -1/+406
2009-06-06 | Add the early start of an async ldap library | Volker Lendecke | 4 | -0/+2075
There's a lot of things this does not do yet: For example it does not parse the reply blob in the sasl bind, it does not do anything with controls yet, a lot of the ldap requests are not covered yet. But it provides a basis for me to play with a pdb_ads passdb module.
2009-06-06 | s3:smbd: FSCTL_PIPE_TRANSCEIVE on a non-IPC$ share should give NOT_SUPPORTED | Stefan Metzmacher | 1 | -1/+1
metze
2009-06-06 | s3:smbd: return the same things as Windows 7 for SMB2 Ioctl responses | Stefan Metzmacher | 1 | -7/+23
metze
2009-06-06 | Fix some nonempty blank lines | Volker Lendecke | 2 | -64/+60
2009-06-06 | Use data_blob_null instead of data_blob(NULL, 0) | Volker Lendecke | 1 | -1/+1
2009-06-06 | Fix an uninitialized variable read in async_connect_send | Volker Lendecke | 1 | -5/+5
2009-06-06 | Allow AF_UNIX for open_socket_out | Volker Lendecke | 1 | -0/+4
2009-06-06 | s3-winbindd: add some debug statements while tracking down a bug. | Günther Deschner | 2 | -2/+20
Guenther
2009-06-06 | nss_wrapper: rename nwrap_cache_{re,un}load as per metze's request. | Günther Deschner | 1 | -10/+10
Guenther
2009-06-05 | Make cli_ftruncate async. Also add a simple test. | Jeremy Allison | 4 | -74/+148
Jeremy.
2009-06-06 | nss_wrapper: add support for loading nss_winbind.so via WINBIND_SO_PATH env. | Günther Deschner | 1 | -0/+12
Guenther
2009-06-06 | nss_wrapper: fill in module nwrap_backend. | Günther Deschner | 1 | -13/+332
Guenther
2009-06-05 | nss_wrapper: add missing return in nwrap_module_init(). | Günther Deschner | 1 | -0/+1
Guenther
2009-06-05 | nss_wrapper: add skeleton for module nwrap_backend. | Günther Deschner | 1 | -0/+159
Guenther
2009-06-05 | nss_wrapper: add capability to load nss modules. | Günther Deschner | 1 | -1/+115
Guenther
2009-06-05 | nss_wrapper: add struct nwrap_backend. | Günther Deschner | 1 | -85/+320
Guenther
2009-06-05 | s3:smbd: split smbd_smb2_flush() into a tevent_req based _send()/_recv() pair | Stefan Metzmacher | 1 | -25/+97
metze
2009-06-05 | s3:smbd: split smbd_smb2_create() into a tevent_req based _send()/_recv() pair | Stefan Metzmacher | 1 | -99/+199
metze
2009-06-05 | s3:smbd: fix the build in smb2_ioctl.c | Stefan Metzmacher | 1 | -1/+1
metze
2009-06-05 | s3:smbd: add support for SMB2 Ioctl FSCTL_DFS_GET_REFERRALS | Stefan Metzmacher | 1 | -0/+74
metze
2009-06-05 | s3:smbd: add support for STATUS_BUFFER_OVERFLOW to SMB2 Ioctl | Stefan Metzmacher | 1 | -5/+10
metze
2009-06-05 | s3:smbd: keep the chain_fsp for SMB2 requests | Stefan Metzmacher | 3 | -0/+5
metze
2009-06-05 | s3:smbd: fix the logic for compounded requests | Stefan Metzmacher | 1 | -1/+1
metze
2009-06-05 | s3:smbd: only setup the dyn iovec if a dyn blob is given | Stefan Metzmacher | 1 | -2/+1
Otherwise leave the default in there, which takes care of padding for compounded requests. metze
2009-06-05 | s3:smbd: add support for SMB2 Ioctl FSCTL_PIPE_TRANSCEIVE on IPC$ | Stefan Metzmacher | 1 | -0/+92
metze
2009-06-05 | s3:smbd: add support for SMB2 Read on IPC$ | Stefan Metzmacher | 1 | -6/+52
metze
2009-06-05 | s3:smbd: add support for SMB2 Write on IPC$ | Stefan Metzmacher | 1 | -5/+49
metze
2009-06-05 | s3:smbd: add support for SMB2 Create on IPC$ | Stefan Metzmacher | 1 | -1/+17
metze
2009-06-05 | s3:smbd: add support for SMB2 Ioctl | Stefan Metzmacher | 4 | -4/+281
We don't implement any level yet. metze
2009-06-05 | nss_wrapper: add cross checking test to testsuite. | Günther Deschner | 1 | -0/+90
Guenther
2009-06-05 | nss_wrapper: add tests for getgrent_r to testsuite. | Günther Deschner | 1 | -0/+131
Guenther
2009-06-05 | nss_wrapper: add tests for getpwent_r to testsuite. | Günther Deschner | 1 | -0/+141
Guenther
2009-06-05 | nss_wrapper: fix segfault in nwrap_gr_copy_r() | Stefan Metzmacher | 1 | -3/+8
metze
2009-06-05 | s3/docs: Fix typo. | Karolin Seeger | 1 | -2/+2
Karolin
2009-06-05 | s3:smbd: add missing return statements to the SMB2 write error cases | Stefan Metzmacher | 1 | -0/+2
metze