Date: Tue, 14 Aug 2018 15:09:36 +0000 (UTC) From: "Timur I. Bakeyev" <timur@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r477163 - in head/net: samba46 samba47 samba47/files samba48 samba48/files Message-ID: <201808141509.w7EF9aiQ040740@repo.freebsd.org>
Author: timur Date: Tue Aug 14 15:09:36 2018 New Revision: 477163 URL: https://svnweb.freebsd.org/changeset/ports/477163 Log: Update Samba ports to address multiple CVE vulnerabilities Security: CVE-2018-1139 CVE-2018-1140 CVE-2018-10858 CVE-2018-10918 CVE-2018-10919 Sponsored by: iXsystems Inc. Added: head/net/samba47/files/0001-audit.patch (contents, props changed) head/net/samba47/files/0001-bug-13351.patch (contents, props changed) head/net/samba47/files/0001-bug-228462.patch (contents, props changed) head/net/samba48/files/patch-lib__ldb__ldb_cache.c (contents, props changed) head/net/samba48/files/patch-lib__talloc__talloc.c (contents, props changed) head/net/samba48/files/patch-lib__talloc__wscript (contents, props changed) Deleted: head/net/samba47/files/patch-source3__client__dnsbrowse.c head/net/samba47/files/patch-source3__libads__kerberos_keytab.c head/net/samba48/files/patch-libgpo__wscript_build head/net/samba48/files/patch-quickfix__in__progress head/net/samba48/files/patch-source3__client__dnsbrowse.c head/net/samba48/files/patch-source3__libads__kerberos_keytab.c Modified: head/net/samba46/Makefile head/net/samba46/distinfo head/net/samba47/Makefile head/net/samba47/distinfo head/net/samba47/files/0001-Freenas-master-mdns-fixes-22.patch head/net/samba47/files/0001-Zfs-provision-1.patch head/net/samba47/files/patch-source3__modules__vfs_streams_xattr.c head/net/samba47/files/patch-vfs_freebsd.c head/net/samba48/Makefile head/net/samba48/distinfo head/net/samba48/files/0001-Freenas-master-mdns-fixes-22.patch head/net/samba48/files/0001-bug-13441.patch head/net/samba48/files/patch-source3__modules__vfs_streams_xattr.c head/net/samba48/pkg-plist Modified: head/net/samba46/Makefile ============================================================================== --- head/net/samba46/Makefile Tue Aug 14 15:06:38 2018 (r477162) +++ head/net/samba46/Makefile Tue Aug 14 15:09:36 2018 (r477163) 
@@ -3,7 +3,7 @@ PORTNAME?= ${SAMBA4_BASENAME}46 PORTVERSION?= ${SAMBA4_VERSION} -PORTREVISION?= 1 +PORTREVISION?= 0 CATEGORIES?= net MASTER_SITES= SAMBA/samba/stable SAMBA/samba/rc DISTNAME= ${SAMBA4_DISTNAME} @@ -19,11 +19,9 @@ IGNORE_NONTHREAD_PYTHON= needs port lang/python${PYTHO CONFLICTS_INSTALL?= samba4-4.0.* samba4[1-57-9]-4.* p5-Parse-Pidl-4.* -#EXTRA_PATCHES= ${PATCHDIR}/extra-patch-security:-p1 - SAMBA4_BASENAME= samba SAMBA4_PORTNAME= ${SAMBA4_BASENAME}4 -SAMBA4_VERSION= 4.6.15 +SAMBA4_VERSION= 4.6.16 SAMBA4_DISTNAME= ${SAMBA4_BASENAME}-${SAMBA4_VERSION:S|.p|pre|:S|.r|rc|:S|.t|tp|:S|.a|alpha|} WRKSRC?= ${WRKDIR}/${DISTNAME} Modified: head/net/samba46/distinfo ============================================================================== --- head/net/samba46/distinfo Tue Aug 14 15:06:38 2018 (r477162) +++ head/net/samba46/distinfo Tue Aug 14 15:09:36 2018 (r477163) @@ -1,3 +1,3 @@ -TIMESTAMP = 1526084366 -SHA256 (samba-4.6.15.tar.gz) = 72f66dbefd08807d2f1bacdbbb1398a03536c3fc640deec6a3b91e7308b30772 -SIZE (samba-4.6.15.tar.gz) = 21175479 +TIMESTAMP = 1534257386 +SHA256 (samba-4.6.16.tar.gz) = 62987da35d88c7c7c20c26c57fe98e3e0de2bdb3aae5f9c8b1f6925b5d844067 +SIZE (samba-4.6.16.tar.gz) = 21184221 Modified: head/net/samba47/Makefile ============================================================================== --- head/net/samba47/Makefile Tue Aug 14 15:06:38 2018 (r477162) +++ head/net/samba47/Makefile Tue Aug 14 15:09:36 2018 (r477163) @@ -3,7 +3,7 @@ PORTNAME= ${SAMBA4_BASENAME}47 PORTVERSION= ${SAMBA4_VERSION} -PORTREVISION= 1 +PORTREVISION= 0 CATEGORIES?= net MASTER_SITES= SAMBA/samba/stable SAMBA/samba/rc DISTNAME= ${SAMBA4_DISTNAME} 
@@ -19,10 +19,13 @@ CONFLICTS_INSTALL?= samba4-4.0.* samba4[1-689]-4.* p5 EXTRA_PATCHES+= ${PATCHDIR}/0001-Zfs-provision-1.patch:-p1 EXTRA_PATCHES+= ${PATCHDIR}/0001-Freenas-master-mdns-fixes-22.patch:-p1 +EXTRA_PATCHES+= ${PATCHDIR}/0001-audit.patch:-p1 +EXTRA_PATCHES+= ${PATCHDIR}/0001-bug-13351.patch:-p1 +EXTRA_PATCHES+= ${PATCHDIR}/0001-bug-228462.patch:-p1 SAMBA4_BASENAME= samba SAMBA4_PORTNAME= ${SAMBA4_BASENAME}4 -SAMBA4_VERSION= 4.7.7 +SAMBA4_VERSION= 4.7.9 SAMBA4_DISTNAME= ${SAMBA4_BASENAME}-${SAMBA4_VERSION:S|.p|pre|:S|.r|rc|:S|.t|tp|:S|.a|alpha|} WRKSRC?= ${WRKDIR}/${DISTNAME} @@ -119,7 +122,11 @@ UTMP_DESC= UTMP accounting BIND911_DESC= Use Bind 9.11 as AD DC DNS server frontend NSUPDATE_DESC= Use samba NSUPDATE utility for AD DC ############################################################################## -# XXX: Unconditional dependencies which can't be switched off(if present in the system) +# XXX: Unconditional dependencies which can't be switched off(if present in +# the system) +# Readline(sponsored by Python) +# XXX: USES=readline pollutes CPPFLAGS, so we explicitly put dependency +LIB_DEPENDS+= libreadline.so.7:devel/readline # popt LIB_DEPENDS+= libpopt.so:devel/popt # inotify @@ -143,7 +150,7 @@ RUN_DEPENDS+= libarchive>=3.1.2:archivers/libarchive #SAMBA4_BUNDLED_TALLOC= yes #SAMBA4_BUNDLED_TEVENT= yes #SAMBA4_BUNDLED_TDB= yes -#SAMBA4_BUNDLED_LDB= yes +SAMBA4_BUNDLED_LDB= yes SAMBA4_LDB= 12 # cmocka .if defined(SAMBA4_BUNDLED_CMOCKA) @@ -206,8 +213,8 @@ PLIST_SUB+= SAMBA4_BUNDLED_LDB="" SUB_LIST+= SAMBA4_BUNDLED_LDB="" .else . if ${SAMBA4_LDB} == 13 -BUILD_DEPENDS+= ldb13>=1.3.2:databases/ldb13 -RUN_DEPENDS+= ldb13>=1.3.2:databases/ldb13 +BUILD_DEPENDS+= ldb13>=1.3.3:databases/ldb13 +RUN_DEPENDS+= ldb13>=1.3.3:databases/ldb13 . elif ${SAMBA4_LDB} == 12 BUILD_DEPENDS+= ldb12>=1.2.3:databases/ldb12 RUN_DEPENDS+= ldb12>=1.2.3:databases/ldb12 
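Review bot: The added `LIB_DEPENDS+= libreadline.so.7:devel/readline` in the `@@ -119,7 +122,11 @@` hunk pins the shared-library major version, so the dependency check would fail as soon as devel/readline ships a different soname. The neighbouring `libpopt.so:devel/popt` entry uses the unversioned form. I would write `LIB_DEPENDS+= libreadline.so:devel/readline` unless version 7 is really required, in which case the comment above it should say why.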
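Review bot: Uncommenting `SAMBA4_BUNDLED_LDB= yes` in the `@@ -143,7 +150,7 @@` hunk makes this port build the ldb copy shipped in the Samba tarball. The `ldb13>=1.3.3` bump in the following hunk sits in the `.else` branch, so it presumably no longer applies to samba47; the opening `.if` is outside the hunk, so this is inferred. Because this commit is a CVE update, a comment next to the knob would help whoever handles the next ldb advisory, for example `# Bundled LDB: ldb fixes reach this port only through a Samba update, not through databases/ldb*`. `SAMBA4_LDB= 12` stays in place below it and looks unused while the bundled copy is selected.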
@@ -358,7 +365,7 @@ SAMBA4_MODULES+= idmap_ad idmap_rfc2307 nss-info_temp .if ${PORT_OPTIONS:MDEVELOPER} SAMBA4_MODULES+= auth_skel pdb_test gpext_security gpext_registry gpext_scripts perfcount_test \ vfs_fake_dfq vfs_skel_opaque vfs_skel_transparent vfs_shadow_copy_test vfs_fake_acls \ - vfs_nfs4acl_xattr + vfs_nfs4acl_xattr vfs_error_inject .endif .if defined(WANT_EXP_MODULES) && !empty(WANT_EXP_MODULES) @@ -409,9 +416,9 @@ RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}iso8601>=0.1.11 # XXX: This is a gross hack to make port use both Python 2.7+ and 3.3+ # This is not officially supported, use at your own risk .if defined(WITH_SAMBA4_PYTHON3) && ${WITH_SAMBA4_PYTHON3:M3\.[0-9]} -SAMBA4_PYTHON3_VERSION= ${WITH_SAMBA4_PYTHON3} -SAMBA4_PYTHON3= python${SAMBA4_PYTHON3_VERSION} -SAMBA4_PYTHON3_VER= ${SAMBA4_PYTHON3_VERSION:C/\.//} +SAMBA4_PYTHON3_VERSION= ${WITH_SAMBA4_PYTHON3} +SAMBA4_PYTHON3= python${SAMBA4_PYTHON3_VERSION} +SAMBA4_PYTHON3_VER= ${SAMBA4_PYTHON3_VERSION:C/\.//} .if !exists(${PORTSDIR}/lang/python${SAMBA4_PYTHON3_VER}) .error unsupported or unknown Python version ${SAMBA4_PYTHON3_VERSION} .endif @@ -461,7 +468,7 @@ MAKE_ENV+= NOCOLOR=yes WAF_LOG_FORMAT='%(c1)s%(zone) CFLAGS+= -fno-color-diagnostics .endif #.if ${readline_ARGS} == port -#CFLAGS+= -D_FUNCTION_DEF +CFLAGS+= -D_FUNCTION_DEF #.endif # Make sure that the right version of Python is used by the tools # https://bugzilla.samba.org/show_bug.cgi?id=7305 
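Review bot: `CFLAGS+= -D_FUNCTION_DEF` is now applied unconditionally in the `@@ -461,7 +468,7 @@` hunk, while the `#.if ${readline_ARGS} == port` and `#.endif` lines around it stay commented out, so it reads as if the flag were still guarded. Either drop the two dead guard lines or replace them with a comment stating why the define is always needed, e.g. `# readline from ports is always linked, see LIB_DEPENDS above`. The reason is not visible in this hunk, so the wording of that comment needs confirming by the author.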
@@ -551,6 +558,10 @@ post-install-rm-junk: .for f in vfs_aio_linux.8 vfs_btrfs.8 vfs_ceph.8 vfs_gpfs.8 ${RM} ${STAGEDIR}${PREFIX}/man/man8/${f} .endfor +.if defined(NO_PYTHON) + ${RM} -r ${STAGEDIR}${PYTHON_SITELIBDIR}/samba/third_party/dns \ + ${STAGEDIR}${PYTHON_SITELIBDIR}/samba/third_party/iso8601 +.endif post-install: post-install-rm-junk ${LN} -sf smb.conf.5.gz ${STAGEDIR}${PREFIX}/man/man5/smb4.conf.5.gz Modified: head/net/samba47/distinfo ============================================================================== --- head/net/samba47/distinfo Tue Aug 14 15:06:38 2018 (r477162) +++ head/net/samba47/distinfo Tue Aug 14 15:09:36 2018 (r477163) @@ -1,3 +1,3 @@ -TIMESTAMP = 1525222693 -SHA256 (samba-4.7.7.tar.gz) = 29fad16fa70c1342c300d28d1b474b04c01a2a650149e94cace36fcbace80131 -SIZE (samba-4.7.7.tar.gz) = 16875059 +TIMESTAMP = 1534254234 +SHA256 (samba-4.7.9.tar.gz) = ec9852b2efb974f2b92e9e7f7e6f559867e4a37ce58df51766bfb94ca66817ec +SIZE (samba-4.7.9.tar.gz) = 16907301 Modified: head/net/samba47/files/0001-Freenas-master-mdns-fixes-22.patch ============================================================================== --- head/net/samba47/files/0001-Freenas-master-mdns-fixes-22.patch Tue Aug 14 15:06:38 2018 (r477162) +++ head/net/samba47/files/0001-Freenas-master-mdns-fixes-22.patch Tue Aug 14 15:09:36 2018 (r477163) @@ -36,6 +36,15 @@ index efd57d42d88..83aef966d2a 100644 err = DNSServiceResolve(&mdns_conn_sdref, 0 /* flags */, browsesrv->ifIndex, +@@ -91,7 +91,7 @@ static void do_smb_resolve(struct mdns_s + } + } + +- TALLOC_FREE(fdset); ++ TALLOC_FREE(ctx); + DNSServiceRefDeallocate(mdns_conn_sdref); + } + 
@@ -124,18 +125,19 @@ do_smb_browse_reply(DNSServiceRef sdRef, DNSServiceFlags flags, return; } Modified: head/net/samba47/files/0001-Zfs-provision-1.patch ============================================================================== --- head/net/samba47/files/0001-Zfs-provision-1.patch Tue Aug 14 15:06:38 2018 (r477162) +++ head/net/samba47/files/0001-Zfs-provision-1.patch Tue Aug 14 15:09:36 2018 (r477163) @@ -120,11 +120,13 @@ diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysm index 63fc5d68c33..f5a536ee186 100644 --- a/source3/smbd/pysmbd.c +++ b/source3/smbd/pysmbd.c -@@ -335,6 +335,18 @@ static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode) +@@ -368,6 +368,20 @@ static SMB_ACL_T make_simple_acl(TALLOC_ return acl; } -+static SMB_ACL_T make_simple_nfsv4_acl(gid_t gid, mode_t chmod_mode) ++static SMB_ACL_T make_simple_nfsv4_acl(TALLOC_CTX *mem_ctx, ++ gid_t gid, ++ mode_t chmod_mode) +{ + /* + * This function needs to create an NFSv4 ACL. Currently, the only way @@ -139,25 +141,10 @@ index 63fc5d68c33..f5a536ee186 100644 /* set a simple ACL on a file, as a test */ -@@ -363,6 +375,53 @@ static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args, PyObject - } +@@ -413,6 +427,53 @@ static PyObject *py_smbd_set_simple_acl( + } - ret = set_sys_acl_conn(fname, SMB_ACL_TYPE_ACCESS, acl, conn); -+ -+ TALLOC_FREE(acl); -+ -+ if (ret != 0) { -+ TALLOC_FREE(frame); -+ errno = ret; -+ return PyErr_SetFromErrno(PyExc_OSError); -+ } -+ -+ TALLOC_FREE(frame); -+ -+ Py_RETURN_NONE; -+} -+ -+/* + /* + set a simple NFSv4 ACL on a file, as a test + */ +static PyObject *py_smbd_set_simple_nfsv4_acl(PyObject *self, PyObject *args, PyObject *kwargs) 
@@ -175,10 +162,14 @@ index 63fc5d68c33..f5a536ee186 100644 + &fname, &mode, &gid, &service)) + return NULL; + -+ acl = make_simple_nfsv4_acl(gid, mode); -+ + frame = talloc_stackframe(); + ++ acl = make_simple_nfsv4_acl(frame, gid, mode); ++ if (acl == NULL) { ++ TALLOC_FREE(frame); ++ return NULL; ++ } ++ + conn = get_conn(frame, service); + if (!conn) { + return NULL; @@ -187,13 +178,24 @@ index 63fc5d68c33..f5a536ee186 100644 + /* + * SMB_ACL_TYPE_ACCESS -> ACL_TYPE_ACCESS -> Not valid for NFSv4 ACL + */ -+ //ret = set_sys_acl_conn(fname, SMB_ACL_TYPE_ACCESS, acl, conn); + ret = 0; + - TALLOC_FREE(acl); - - if (ret != 0) { -@@ -483,7 +542,7 @@ static PyObject *py_smbd_unlink(PyObject *self, PyObject *args, PyObject *kwargs ++ if (ret != 0) { ++ TALLOC_FREE(frame); ++ errno = ret; ++ return PyErr_SetFromErrno(PyExc_OSError); ++ } ++ ++ TALLOC_FREE(frame); ++ ++ Py_RETURN_NONE; ++} ++ ++/* + chown a file + */ + static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs) +@@ -519,7 +580,7 @@ static PyObject *py_smbd_unlink(PyObject } /* @@ -202,7 +204,7 @@ index 63fc5d68c33..f5a536ee186 100644 */ static PyObject *py_smbd_have_posix_acls(PyObject *self) { -@@ -494,6 +553,86 @@ static PyObject *py_smbd_have_posix_acls(PyObject *self) +@@ -530,6 +591,86 @@ static PyObject *py_smbd_have_posix_acls #endif } @@ -289,7 +291,7 @@ index 63fc5d68c33..f5a536ee186 100644 /* set the NT ACL on a file */ -@@ -681,9 +820,24 @@ static PyMethodDef py_smbd_methods[] = { +@@ -717,9 +858,24 @@ static PyMethodDef py_smbd_methods[] = { { "have_posix_acls", (PyCFunction)py_smbd_have_posix_acls, METH_NOARGS, NULL }, Added: head/net/samba47/files/0001-audit.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/samba47/files/0001-audit.patch Tue Aug 14 15:09:36 2018 (r477163) 
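Review bot: The new `if (acl == NULL)` branch in py_smbd_set_simple_nfsv4_acl() frees the stack frame and returns NULL without setting a Python exception, which CPython reports as a SystemError instead of the real cause. If allocation failure is the only way make_simple_nfsv4_acl() returns NULL, `return PyErr_NoMemory();` would fit. The unchanged `if (!conn) { return NULL; }` right after it still returns without `TALLOC_FREE(frame)`, so the two error paths are now inconsistent. With the commented-out set_sys_acl_conn() line removed, `ret = 0;` makes the following `if (ret != 0)` block dead and the function reports success without applying any ACL; a comment saying this is a deliberate stub would help. The function's opening lines are outside this hunk.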
@@ -0,0 +1,247 @@
+From 7d1bcfc99c393367093c903f95a5e365881b7989 Mon Sep 17 00:00:00 2001
+From: "Timur I. Bakeyev" <timur@iXsystems.com>
+Date: Fri, 22 Jun 2018 12:15:30 +0800
+Subject: [PATCH 1/3] Make sure that vfs*audit modules recognize and accept all
+ the syslog facilities.
+
+---
+ source3/modules/vfs_audit.c | 34 +++++++++++++++++++++++----------
+ source3/modules/vfs_extd_audit.c | 34 +++++++++++++++++++++++----------
+ source3/modules/vfs_full_audit.c | 34 +++++++++++++++++++++++----------
+ 3 files changed, 69 insertions(+), 33 deletions(-)
+
+diff --git a/source3/modules/vfs_audit.c b/source3/modules/vfs_audit.c
+index 12477d5b01f..4f9d16c452e 100644
+--- a/source3/modules/vfs_audit.c
++++ b/source3/modules/vfs_audit.c
+@@ -33,16 +33,28 @@
+ static int audit_syslog_facility(vfs_handle_struct *handle)
+ {
+ static const struct enum_list enum_log_facilities[] = {
+- { LOG_USER, "USER" },
+- { LOG_LOCAL0, "LOCAL0" },
+- { LOG_LOCAL1, "LOCAL1" },
+- { LOG_LOCAL2, "LOCAL2" },
+- { LOG_LOCAL3, "LOCAL3" },
+- { LOG_LOCAL4, "LOCAL4" },
+- { LOG_LOCAL5, "LOCAL5" },
+- { LOG_LOCAL6, "LOCAL6" },
+- { LOG_LOCAL7, "LOCAL7" },
+- { -1, NULL}
++ { LOG_AUTH, "AUTH" },
++ { LOG_CRON, "CRON" },
++ { LOG_DAEMON, "DAEMON" },
++ { LOG_FTP, "FTP" },
++ { LOG_KERN, "KERN" },
++ { LOG_LPR, "LPR" },
++ { LOG_MAIL, "MAIL" },
++ { LOG_NEWS, "NEWS" },
++ { LOG_NTP, "NTP" },
++ { LOG_SECURITY, "SECURITY" },
++ { LOG_SYSLOG, "SYSLOG" },
++ { LOG_USER, "USER" },
++ { LOG_UUCP, "UUCP" },
++ { LOG_LOCAL0, "LOCAL0" },
++ { LOG_LOCAL1, "LOCAL1" },
++ { LOG_LOCAL2, "LOCAL2" },
++ { LOG_LOCAL3, "LOCAL3" },
++ { LOG_LOCAL4, "LOCAL4" },
++ { LOG_LOCAL5, "LOCAL5" },
++ { LOG_LOCAL6, "LOCAL6" },
++ { LOG_LOCAL7, "LOCAL7" },
++ { -1, NULL }
+ };
+
+ int facility;
+@@ -64,7 +76,7 @@ static int audit_syslog_priority(vfs_handle_struct *handle)
+ { LOG_NOTICE, "NOTICE" },
+ { LOG_INFO, "INFO" },
+ { LOG_DEBUG, "DEBUG" },
+- { -1, NULL}
++ { -1, NULL }
+ };
+
+ int priority;
+diff --git a/source3/modules/vfs_extd_audit.c b/source3/modules/vfs_extd_audit.c
+index 7d1fe273978..5307569a010 100644
+--- a/source3/modules/vfs_extd_audit.c
++++ b/source3/modules/vfs_extd_audit.c
+@@ -36,16 +36,28 @@ static int vfs_extd_audit_debug_level = DBGC_VFS;
+ static int audit_syslog_facility(vfs_handle_struct *handle)
+ {
+ static const struct enum_list enum_log_facilities[] = {
+- { LOG_USER, "USER" },
+- { LOG_LOCAL0, "LOCAL0" },
+- { LOG_LOCAL1, "LOCAL1" },
+- { LOG_LOCAL2, "LOCAL2" },
+- { LOG_LOCAL3, "LOCAL3" },
+- { LOG_LOCAL4, "LOCAL4" },
+- { LOG_LOCAL5, "LOCAL5" },
+- { LOG_LOCAL6, "LOCAL6" },
+- { LOG_LOCAL7, "LOCAL7" },
+- { -1, NULL}
++ { LOG_AUTH, "AUTH" },
++ { LOG_CRON, "CRON" },
++ { LOG_DAEMON, "DAEMON" },
++ { LOG_FTP, "FTP" },
++ { LOG_KERN, "KERN" },
++ { LOG_LPR, "LPR" },
++ { LOG_MAIL, "MAIL" },
++ { LOG_NEWS, "NEWS" },
++ { LOG_NTP, "NTP" },
++ { LOG_SECURITY, "SECURITY" },
++ { LOG_SYSLOG, "SYSLOG" },
++ { LOG_USER, "USER" },
++ { LOG_UUCP, "UUCP" },
++ { LOG_LOCAL0, "LOCAL0" },
++ { LOG_LOCAL1, "LOCAL1" },
++ { LOG_LOCAL2, "LOCAL2" },
++ { LOG_LOCAL3, "LOCAL3" },
++ { LOG_LOCAL4, "LOCAL4" },
++ { LOG_LOCAL5, "LOCAL5" },
++ { LOG_LOCAL6, "LOCAL6" },
++ { LOG_LOCAL7, "LOCAL7" },
++ { -1, NULL }
+ };
+
+ int facility;
+@@ -67,7 +79,7 @@ static int audit_syslog_priority(vfs_handle_struct *handle)
+ { LOG_NOTICE, "NOTICE" },
+ { LOG_INFO, "INFO" },
+ { LOG_DEBUG, "DEBUG" },
+- { -1, NULL}
++ { -1, NULL }
+ };
+
+ int priority;
+diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c
+index a205007f46f..a52af4b5740 100644
+--- a/source3/modules/vfs_full_audit.c
++++ b/source3/modules/vfs_full_audit.c
+@@ -357,16 +357,28 @@ static struct {
+ static int audit_syslog_facility(vfs_handle_struct *handle)
+ {
+ static const struct enum_list enum_log_facilities[] = {
+- { LOG_USER, "USER" },
+- { LOG_LOCAL0, "LOCAL0" },
+- { LOG_LOCAL1, "LOCAL1" },
+- { LOG_LOCAL2, "LOCAL2" },
+- { LOG_LOCAL3, "LOCAL3" },
+- { LOG_LOCAL4, "LOCAL4" },
+- { LOG_LOCAL5, "LOCAL5" },
+- { LOG_LOCAL6, "LOCAL6" },
+- { LOG_LOCAL7, "LOCAL7" },
+- { -1, NULL}
++ { LOG_AUTH, "AUTH" },
++ { LOG_CRON, "CRON" },
++ { LOG_DAEMON, "DAEMON" },
++ { LOG_FTP, "FTP" },
++ { LOG_KERN, "KERN" },
++ { LOG_LPR, "LPR" },
++ { LOG_MAIL, "MAIL" },
++ { LOG_NEWS, "NEWS" },
++ { LOG_NTP, "NTP" },
++ { LOG_SECURITY, "SECURITY" },
++ { LOG_SYSLOG, "SYSLOG" },
++ { LOG_USER, "USER" },
++ { LOG_UUCP, "UUCP" },
++ { LOG_LOCAL0, "LOCAL0" },
++ { LOG_LOCAL1, "LOCAL1" },
++ { LOG_LOCAL2, "LOCAL2" },
++ { LOG_LOCAL3, "LOCAL3" },
++ { LOG_LOCAL4, "LOCAL4" },
++ { LOG_LOCAL5, "LOCAL5" },
++ { LOG_LOCAL6, "LOCAL6" },
++ { LOG_LOCAL7, "LOCAL7" },
++ { -1, NULL }
+ };
+
+ int facility;
+@@ -387,7 +399,7 @@ static int audit_syslog_priority(vfs_handle_struct *handle)
+ { LOG_NOTICE, "NOTICE" },
+ { LOG_INFO, "INFO" },
+ { LOG_DEBUG, "DEBUG" },
+- { -1, NULL}
++ { -1, NULL }
+ };
+
+ int priority;
+--
+2.16.3
+
+
+From b98fc517251ad25b695ef64453ffe3eaaffed5d8 Mon Sep 17 00:00:00 2001
+From: "Timur I. Bakeyev" <timur@iXsystems.com>
+Date: Fri, 22 Jun 2018 12:19:42 +0800
+Subject: [PATCH 2/3] Make "none" is the default setting for the successful and
+ failed operations in the vfs_full_audit, so you don't blow up your server by
+ just adding this module to the configuration.
+
+---
+ source3/modules/vfs_full_audit.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c
+index a52af4b5740..bc40c8137dc 100644
+--- a/source3/modules/vfs_full_audit.c
++++ b/source3/modules/vfs_full_audit.c
+@@ -624,6 +624,7 @@ static int smb_full_audit_connect(vfs_handle_struct *handle,
+ const char *svc, const char *user)
+ {
+ int result;
++ const char *none[] = { "none" };
+ struct vfs_full_audit_private_data *pd = NULL;
+
+ result = SMB_VFS_NEXT_CONNECT(handle, svc, user);
+@@ -663,10 +664,10 @@ static int smb_full_audit_connect(vfs_handle_struct *handle,
+
+ pd->success_ops = init_bitmap(
+ pd, lp_parm_string_list(SNUM(handle->conn), "full_audit",
+- "success", NULL));
++ "success", none));
+ pd->failure_ops = init_bitmap(
+ pd, lp_parm_string_list(SNUM(handle->conn), "full_audit",
+- "failure", NULL));
++ "failure", none));
+
+ /* Store the private data. */
+ SMB_VFS_HANDLE_SET_DATA(handle, pd, NULL,
+--
+2.16.3
+
+
+From e25f3a6cfc284737d8df941686f6629568763103 Mon Sep 17 00:00:00 2001
+From: "Timur I. Bakeyev" <timur@iXsystems.com>
+Date: Fri, 22 Jun 2018 12:36:07 +0800
+Subject: [PATCH 3/3] Document that vfs_full_audit defaults are "none" for the
+ successful and failed operations.
+
+---
+ docs-xml/manpages/vfs_full_audit.8.xml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/docs-xml/manpages/vfs_full_audit.8.xml b/docs-xml/manpages/vfs_full_audit.8.xml
+index cefe66d8b6f..ac8473f9990 100644
+--- a/docs-xml/manpages/vfs_full_audit.8.xml
++++ b/docs-xml/manpages/vfs_full_audit.8.xml
+@@ -164,7 +164,7 @@
+ <para>LIST is a list of VFS operations that should be
+ recorded if they succeed. Operations are specified using
+ the names listed above. Operations can be unset by prefixing
+- the names with "!". The default is all operations.
++ the names with "!". The default is none operations.
+ </para>
+
+ </listitem>
+@@ -176,7 +176,7 @@
+ <para>LIST is a list of VFS operations that should be
+ recorded if they failed. Operations are specified using
+ the names listed above. Operations can be unset by prefixing
+- the names with "!". The default is all operations.
++ the names with "!". The default is none operations.
+ </para>
+
+ </listitem>
+--
+2.16.3
+
Added: head/net/samba47/files/0001-bug-13351.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/net/samba47/files/0001-bug-13351.patch Tue Aug 14 15:09:36 2018 (r477163)
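Review bot: In PATCH 2/3 of 0001-audit.patch the new default `const char *none[] = { "none" };` has no terminating NULL entry, yet it is handed to lp_parm_string_list() as the string-list default and the result goes to init_bitmap(). Neither function is visible here, but Samba string lists are conventionally NULL-terminated, so if init_bitmap() walks the list until it meets NULL it would read past the one-element array whenever `full_audit:success` or `full_audit:failure` is unset. I would declare it as `const char *none[] = { "none", NULL };`. Separately, the new default means a share that loads vfs_full_audit without setting either option records nothing, so deployments that relied on the old log-everything default need both options set explicitly.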
@@ -0,0 +1,50 @@
+From 1598b78bf791b5a2b8ff52745563ebfcc2a5a0cb Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 22 Mar 2018 08:03:58 +0100
+Subject: [PATCH] s3: smbd: always set vuid in check_user_ok()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A SMB session reauth will have invalidated conn->vuid via
+conn_clear_vuid_caches().
+
+Ensure conn->vuid always has the vuid of the current user in
+check_user_ok().
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13351
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Ralph Böhme <slow@samba.org>
+Autobuild-Date(master): Thu Mar 22 18:26:04 CET 2018 on sn-devel-144
+
+(cherry picked from commit 42d6dd2f30b6c3b3176bd1f378422a2eb62b1008)
+---
+ source3/smbd/uid.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
+index 6eb53920abf..b24ae3cc3b0 100644
+--- a/source3/smbd/uid.c
++++ b/source3/smbd/uid.c
+@@ -202,6 +202,7 @@ static bool check_user_ok(connection_struct *conn,
+ conn->session_info = ent->session_info;
+ conn->read_only = ent->read_only;
+ conn->share_access = ent->share_access;
++ conn->vuid = ent->vuid;
+ return(True);
+ }
+ }
+@@ -250,6 +251,7 @@ static bool check_user_ok(connection_struct *conn,
+ ent->share_access = share_access;
+ free_conn_session_info_if_unused(conn);
+ conn->session_info = ent->session_info;
++ conn->vuid = ent->vuid;
+ if (vuid == UID_FIELD_INVALID) {
+ /*
+ * Not strictly needed, just make it really
+--
+2.13.6
+
Added: head/net/samba47/files/0001-bug-228462.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/net/samba47/files/0001-bug-228462.patch Tue Aug 14 15:09:36 2018 (r477163)
@@ -0,0 +1,182 @@
+From d9b748869a8f4018ebee302aae8246bf29f60309 Mon Sep 17 00:00:00 2001
+From: "Timur I. Bakeyev" <timur@iXsystems.com>
+Date: Fri, 1 Jun 2018 01:35:08 +0800
+Subject: [PATCH 1/2] vfs_fruit: allow broken AFP_Signature where the first
+ byte is 0
+
+FreeBSD bug ... caused the first byte of the AFP_AfpInfo xattr to be 0
+instead of 'A'. This hack allows such broken AFP_AfpInfo blobs to be
+parsed by afpinfo_unpack().
+
+FreeBSD Bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228462
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/modules/vfs_fruit.c | 32 ++++++++++++++++++++++++--------
+ 1 file changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
+index df3cd0c899e..d84e6991036 100644
+--- a/source3/modules/vfs_fruit.c
++++ b/source3/modules/vfs_fruit.c
+@@ -485,8 +485,9 @@ static int adouble_path(TALLOC_CTX *ctx,
+ struct smb_filename **ppsmb_fname_out);
+ static AfpInfo *afpinfo_new(TALLOC_CTX *ctx);
+ static ssize_t afpinfo_pack(const AfpInfo *ai, char *buf);
+-static AfpInfo *afpinfo_unpack(TALLOC_CTX *ctx, const void *data);
+-
++static AfpInfo *afpinfo_unpack(TALLOC_CTX *ctx,
++ const void *data,
++ const struct smb_filename *smb_fname);
+
+ /**
+ * Return a pointer to an AppleDouble entry
+@@ -2073,13 +2074,17 @@ static ssize_t afpinfo_pack(const AfpInfo *ai, char *buf)
+ return AFP_INFO_SIZE;
+ }
+
++#define BROKEN_FREEBSD_AFP_Signature 0x00465000
++
+ /**
+ * Unpack a buffer into a AfpInfo structure
+ *
+ * Buffer size must be at least AFP_INFO_SIZE
+ * Returns allocated AfpInfo struct
+ **/
+-static AfpInfo *afpinfo_unpack(TALLOC_CTX *ctx, const void *data)
++static AfpInfo *afpinfo_unpack(TALLOC_CTX *ctx,
++ const void *data,
++ const struct smb_filename *smb_fname)
+ {
+ AfpInfo *ai = talloc_zero(ctx, AfpInfo);
+ if (ai == NULL) {
+@@ -2092,10 +2097,21 @@ static AfpInfo *afpinfo_unpack(TALLOC_CTX *ctx, const void *data)
+ memcpy(ai->afpi_FinderInfo, (const char *)data + 16,
+ sizeof(ai->afpi_FinderInfo));
+
+- if (ai->afpi_Signature != AFP_Signature
+- || ai->afpi_Version != AFP_Version) {
+- DEBUG(1, ("Bad AfpInfo signature or version\n"));
++ if (ai->afpi_Signature != AFP_Signature) {
++ DBG_WARNING("Bad signature [%x] on [%s]\n",
++ ai->afpi_Signature, smb_fname_str_dbg(smb_fname));
++
++ if (ai->afpi_Signature != BROKEN_FREEBSD_AFP_Signature) {
++ DBG_ERR("Bad AfpInfo signature\n");
++ TALLOC_FREE(ai);
++ return NULL;
++ }
++ }
++
++ if (ai->afpi_Version != AFP_Version) {
++ DBG_ERR("Bad AfpInfo version\n");
+ TALLOC_FREE(ai);
++ return NULL;
+ }
+
+ return ai;
+@@ -4222,7 +4238,7 @@ static ssize_t fruit_pwrite_meta_stream(vfs_handle_struct *handle,
+ size_t nwritten;
+ bool ok;
+
+- ai = afpinfo_unpack(talloc_tos(), data);
++ ai = afpinfo_unpack(talloc_tos(), data, fsp->fsp_name);
+ if (ai == NULL) {
+ return -1;
+ }
+@@ -4260,7 +4276,7 @@ static ssize_t fruit_pwrite_meta_netatalk(vfs_handle_struct *handle,
+ int ret;
+ bool ok;
+
+- ai = afpinfo_unpack(talloc_tos(), data);
++ ai = afpinfo_unpack(talloc_tos(), data, fsp->fsp_name);
+ if (ai == NULL) {
+ return -1;
+ }
+--
+2.16.3
+
+
+From 83ce03a278ec9d15b595f4daf8da1641d27ebdd6 Mon Sep 17 00:00:00 2001
+From: "Timur I. Bakeyev" <timur@iXsystems.com>
+Date: Fri, 1 Jun 2018 01:35:58 +0800
+Subject: [PATCH 2/2] vfs_streams_xattr: don't append 0 byte when creating
+ xattr
+
+Upstream Samba always appends an internal 0-byte to xattrs to cope
+with filesytems or systems that don't support 0-byte sized xattrs.
+
+An older patch already remove this behaviour from the read and write
+code paths, but didn't remove it from the create codepath.
+
+FreeBSD Bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228462
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/modules/vfs_streams_xattr.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/source3/modules/vfs_streams_xattr.c b/source3/modules/vfs_streams_xattr.c
+index 8714007cb8d..5f3dfb30beb 100644
+--- a/source3/modules/vfs_streams_xattr.c
++++ b/source3/modules/vfs_streams_xattr.c
+@@ -476,19 +476,13 @@ static int streams_xattr_open(vfs_handle_struct *handle,
+ /*
+ * The attribute does not exist or needs to be truncated
+ */
+-
+- /*
+- * Darn, xattrs need at least 1 byte
+- */
+- char null = '\0';
+-
+ DEBUG(10, ("creating or truncating attribute %s on file %s\n",
+ xattr_name, smb_fname->base_name));
+
+ ret = SMB_VFS_SETXATTR(fsp->conn,
+ smb_fname,
+ xattr_name,
+- &null, sizeof(null),
++ NULL, 0,
+ flags & O_EXCL ? XATTR_CREATE : 0);
+ if (ret != 0) {
+ goto fail;
+--
+2.16.3
+
+From daa9930fc10459f0567931622e2ffbb636e365f0 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Sat, 19 May 2018 01:35:45 +0200
+Subject: [PATCH] vfs_fruit: fixup broken AFP_Signatures
+
+FreeBSD Bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228462
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/modules/vfs_fruit.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
+index d92049cc899..0594fd7a538 100644
+--- a/source3/modules/vfs_fruit.c
++++ b/source3/modules/vfs_fruit.c
+@@ -3935,10 +3935,16 @@ static ssize_t fruit_pread_meta_stream(vfs_handle_struct *handle,
+ {
+ ssize_t nread;
+ int ret;
++ char *p = (char *)data;
+
+ nread = SMB_VFS_NEXT_PREAD(handle, fsp, data, n, offset);
+
+ if (nread == n) {
++ if (offset == 0 && nread > 3 && p[0] == 0 && p[1] == 'F' && p[2] == 'P') {
++ DBG_NOTICE("Fixing AFP_Info of [%s]\n",
++ fsp_str_dbg(fsp));
++ p[0] = 'A';
++ }
+ return nread;
+ }
+
+--
+2.17.0
+
Modified: 
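Review bot: afpinfo_unpack() in 0001-bug-228462.patch now tolerates `BROKEN_FREEBSD_AFP_Signature` for every caller, and the two callers touched here, fruit_pwrite_meta_stream() and fruit_pwrite_meta_netatalk(), pass it the buffer being written, which is presumably client-supplied rather than an xattr read back from disk. On that path the relaxed check accepts a malformed blob and also emits `DBG_WARNING` with the file name on each such write. I would keep the strict check for writes and normalise only on the read side, or at least set `ai->afpi_Signature = AFP_Signature;` after the inner test so the broken value is not carried further. All three function bodies extend beyond the hunks shown.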
head/net/samba47/files/patch-source3__modules__vfs_streams_xattr.c ============================================================================== --- head/net/samba47/files/patch-source3__modules__vfs_streams_xattr.c Tue Aug 14 15:06:38 2018 (r477162) +++ head/net/samba47/files/patch-source3__modules__vfs_streams_xattr.c Tue Aug 14 15:09:36 2018 (r477163) @@ -1,4 +1,4 @@ ---- source3/modules/vfs_streams_xattr.c.orig 2017-09-17 22:15:34 UTC +--- source3/modules/vfs_streams_xattr.c.orig 2018-08-11 23:00:01 UTC +++ source3/modules/vfs_streams_xattr.c @@ -1,10 +1,10 @@ /* @@ -30,7 +30,6 @@ - xattr_name, &ea); + result = SMB_VFS_GETXATTR(conn, smb_fname, xattr_name, NULL, 0); + // ? -1 -+// result = result-1; + return result; +} @@ -54,6 +53,7 @@ - TALLOC_FREE(ea.value.data); - return result; + pea->value = data_blob_talloc(mem_ctx, NULL, attr_size); ++ /* We may have xattr of a 0 size */ + if(pea->value.data == NULL && attr_size) { + DEBUG(5, + ("get_xattr_value: for EA '%s' failed to allocate %lu bytes\n", @@ -141,7 +141,7 @@ if (sbuf->st_ex_size == -1) { TALLOC_FREE(smb_fname_base); SET_STAT_INVALID(*sbuf); -@@ -451,10 +506,10 @@ static int streams_xattr_open(vfs_handle +@@ -453,10 +508,10 @@ static int streams_xattr_open(vfs_handle pipe_fds[1] = -1; fakefd = pipe_fds[0]; @@ -155,7 +155,7 @@ if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) { -@@ -631,8 +686,8 @@ static int streams_xattr_rename(vfs_hand +@@ -625,8 +680,8 @@ static int streams_xattr_rename(vfs_hand } /* read the old stream */ @@ -166,7 +166,7 @@ if (!NT_STATUS_IS_OK(status)) { errno = ENOENT; goto fail; -@@ -719,14 +774,13 @@ static NTSTATUS walk_xattr_streams(vfs_h +@@ -713,14 +768,13 @@ static NTSTATUS walk_xattr_streams(vfs_h continue; } @@ -183,7 +183,7 @@ names[i], smb_fname->base_name, nt_errstr(status))); -@@ -788,16 +842,17 @@ struct streaminfo_state { +@@ -782,16 +836,17 @@ struct streaminfo_state { NTSTATUS status; }; 
@@ -204,7 +204,7 @@ state->status = NT_STATUS_NO_MEMORY; return false; } -@@ -917,14 +972,17 @@ static ssize_t streams_xattr_pwrite(vfs_ +@@ -911,14 +966,17 @@ static ssize_t streams_xattr_pwrite(vfs_ files_struct *fsp, const void *data, size_t n, off_t offset) { @@ -225,7 +225,7 @@ if (sio == NULL) { return SMB_VFS_NEXT_PWRITE(handle, fsp, data, n, offset); -@@ -934,6 +992,8 @@ static ssize_t streams_xattr_pwrite(vfs_ +@@ -928,6 +986,8 @@ static ssize_t streams_xattr_pwrite(vfs_ return -1; } @@ -234,25 +234,39 @@ /* Create an smb_filename with stream_name == NULL. */ smb_fname_base = synthetic_smb_fname(talloc_tos(), sio->base, -@@ -945,35 +1005,28 @@ static ssize_t streams_xattr_pwrite(vfs_ +@@ -935,39 +995,55 @@ static ssize_t streams_xattr_pwrite(vfs_ + NULL, + fsp->fsp_name->flags); + if (smb_fname_base == NULL) { ++ TALLOC_FREE(frame); + errno = ENOMEM; return -1; } - status = get_ea_value(talloc_tos(), handle->conn, NULL, - smb_fname_base, sio->xattr_name, &ea); -+ status = get_xattr_value(talloc_tos(), handle->conn, -+ smb_fname_base, sio->xattr_name, &ea); - if (!NT_STATUS_IS_OK(status)) { -+ TALLOC_FREE(frame); - return -1; - } +- if (!NT_STATUS_IS_OK(status)) { +- return -1; +- } - - if ((offset + n) > ea.value.length-1) { - uint8_t *tmp; -- ++ status = get_xattr_value(talloc_tos(), handle->conn, ++ smb_fname_base, sio->xattr_name, &ea); + - tmp = talloc_realloc(talloc_tos(), ea.value.data, uint8_t, - offset + n + 1); -- ++ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) { ++ /* ++ * This can happen if we sit behind vfs_fruit: ++ * fruit_ftruncate calls UNLINK on an attribute ++ * truncating the "file" to zero length. A later ++ * pwrite faces a non-existing attribute, we need to ++ * cope with that here. ++ * ++ * This might be not the last word on this. ++ */ + - if (tmp == NULL) { - TALLOC_FREE(ea.value.data); - errno = ENOMEM; 
@@ -262,8 +276,21 @@ - ea.value.length = offset + n + 1; - ea.value.data[offset+n] = 0; - } -- ++ ea = (struct ea_struct) {0}; ++ ea.name = talloc_strdup(talloc_tos(), sio->xattr_name); ++ if (ea.name == NULL) { ++ TALLOC_FREE(frame); ++ errno = ENOMEM; ++ return -1; ++ } ++ status = NT_STATUS_OK; ++ } + - memcpy(ea.value.data + offset, data, n); ++ if (!NT_STATUS_IS_OK(status)) { ++ TALLOC_FREE(frame); ++ return -1; ++ } + // ? -1 + if ((offset + n) > ea.value.length) { + if(!data_blob_realloc(talloc_tos(), &ea.value, offset + n)) { @@ -284,7 +311,7 @@ if (ret == -1) { return -1; -@@ -986,15 +1039,17 @@ static ssize_t streams_xattr_pread(vfs_h +@@ -980,15 +1056,17 @@ static ssize_t streams_xattr_pread(vfs_h files_struct *fsp, void *data, size_t n, off_t offset) { @@ -307,7 +334,7 @@ if (sio == NULL) { return SMB_VFS_NEXT_PREAD(handle, fsp, data, n, offset); -@@ -1004,6 +1059,8 @@ static ssize_t streams_xattr_pread(vfs_h +@@ -998,6 +1076,8 @@ static ssize_t streams_xattr_pread(vfs_h return -1; } @@ -316,7 +343,7 @@ /* Create an smb_filename with stream_name == NULL. */ smb_fname_base = synthetic_smb_fname(talloc_tos(), sio->base, -@@ -1011,31 +1068,35 @@ static ssize_t streams_xattr_pread(vfs_h +@@ -1005,31 +1085,35 @@ static ssize_t streams_xattr_pread(vfs_h NULL, fsp->fsp_name->flags); if (smb_fname_base == NULL) { @@ -365,7 +392,7 @@ } struct streams_xattr_pread_state { -@@ -1202,16 +1263,18 @@ static int streams_xattr_ftruncate(struc +@@ -1196,16 +1280,18 @@ static int streams_xattr_ftruncate(struc struct files_struct *fsp, off_t offset) { @@ -391,7 +418,7 @@ if (sio == NULL) { return SMB_VFS_NEXT_FTRUNCATE(handle, fsp, offset); -@@ -1221,6 +1284,8 @@ static int streams_xattr_ftruncate(struc +@@ -1215,6 +1301,8 @@ static int streams_xattr_ftruncate(struc return -1; } 
@@ -400,7 +427,7 @@ /* Create an smb_filename with stream_name == NULL. */ smb_fname_base = synthetic_smb_fname(talloc_tos(), sio->base, -@@ -1228,40 +1293,46 @@ static int streams_xattr_ftruncate(struc +@@ -1222,40 +1310,46 @@ static int streams_xattr_ftruncate(struc NULL, fsp->fsp_name->flags); if (smb_fname_base == NULL) { @@ -463,7 +490,7 @@ if (ret == -1) { return -1; -@@ -1279,9 +1350,9 @@ static int streams_xattr_fallocate(struc +@@ -1273,9 +1367,9 @@ static int streams_xattr_fallocate(struc struct stream_io *sio = (struct stream_io *)VFS_FETCH_FSP_EXTENSION(handle, fsp); Modified: head/net/samba47/files/patch-vfs_freebsd.c ============================================================================== --- head/net/samba47/files/patch-vfs_freebsd.c Tue Aug 14 15:06:38 2018 (r477162) +++ head/net/samba47/files/patch-vfs_freebsd.c Tue Aug 14 15:09:36 2018 (r477163) @@ -67,7 +67,7 @@ + +typedef struct { + enum { -+ FILE, LINK, FDES ++ EXTATTR_FILE, EXTATTR_LINK, EXTATTR_FDES + } method; + union { + const char *path; @@ -173,17 +173,17 @@ + + switch(arg.method) { +#if defined(HAVE_EXTATTR_GET_FILE) -+ case FILE: ++ case EXTATTR_FILE: + result = extattr_get_file(arg.param.path, attr->namespace, attr->name, NULL, 0); + break; +#endif +#if defined(HAVE_EXTATTR_GET_LINK) -+ case LINK: ++ case EXTATTR_LINK: + result = extattr_get_link(arg.param.path, attr->namespace, attr->name, NULL, 0); + break; +#endif *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***