CVE-2020-25717: s3:auth: Check minimum domain uid
authorSamuel Cabrero <scabrero@samba.org>
Tue, 28 Sep 2021 08:45:11 +0000 (10:45 +0200)
committerAndreas Schneider <asn@samba.org>
Mon, 8 Nov 2021 08:10:08 +0000 (09:10 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
source3/auth/auth_util.c

index 8ff20c33759d90f2f8f05f4eba7e1d99ef069d46..8801d3f0f0be42502290a19297ad159ca6e9b75c 100644 (file)
@@ -2078,6 +2078,22 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
                        }
                }
                goto out;
+       } else if ((lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) &&
+                  !is_myname(domain) && pwd->pw_uid < lp_min_domain_uid()) {
+               /*
+                * !is_myname(domain) because when smbd starts tries to setup
+                * the guest user info, calling this function with nobody
+                * username. Nobody is usually uid 65535 but it can be changed
+                * to a regular user with 'guest account' parameter
+                */
+               nt_status = NT_STATUS_INVALID_TOKEN;
+               DBG_NOTICE("Username '%s%s%s' is invalid on this system, "
+                          "it does not meet 'min domain uid' "
+                          "restriction (%u < %u): %s\n",
+                          nt_domain, lp_winbind_separator(), nt_username,
+                          pwd->pw_uid, lp_min_domain_uid(),
+                          nt_errstr(nt_status));
+               goto out;
        }
 
        result = make_server_info(tmp_ctx);
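Review bot: The `!is_myname(domain)` exemption on the new condition (L21) is wider than the case the comment describes: it skips the `min domain uid` check for every lookup whose `domain` is the local name, not only the guest-account setup at startup, so if any other path can present a domain user under the local name it gets the low-uid account accepted; a narrower guard would key on the configured 'guest account' (the comment already names that parameter) or on an explicit flag from the startup caller rather than on the domain string. Separately, `pwd->pw_uid` is a `uid_t` while `lp_min_domain_uid()` presumably returns an `int`, so a negative setting is promoted to unsigned and rejects every domain user — fail-closed, but worth a one-line comment such as `/* min domain uid < 0 is promoted to unsigned and rejects all domain users */` or a range check where the parameter is read, and the `%u` in `DBG_NOTICE` should then match the real return type. The log line prints `nt_domain`/`nt_username` while the exemption tests `domain`; if those can differ, also logging `domain` would make the decision traceable. The comment wording `when smbd starts tries to setup` reads awkwardly and could be `when smbd starts it tries to set up the guest user info, calling this function with the 'nobody' username`. `make_server_info_info3` begins and ends outside this hunk, so where `domain` and `pwd` are derived cannot be confirmed here.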