Author | SHA1 | Date |
---|---|---|
Simo Sorce | ccc1d66aec | |
Guenther Deschner | f8bcc7c9c0 | |
Guenther Deschner | 849223fbb7 | |
Guenther Deschner | 4f1c05aa22 | |
Guenther Deschner | f3759650f3 | |
Guenther Deschner | d48a9ca95f | |
Guenther Deschner | f3e05c47a8 | |
Guenther Deschner | e5fc6f8867 | |
Guenther Deschner | b0ad939895 | |
Bill Nottingham | fa9d421675 | |
Guenther Deschner | 09d91c1f61 | |
Guenther Deschner | 44a179137f | |
Simo Sorce | fb6a77eb3a | |
Simo Sorce | 7e89586f18 | |
Guenther Deschner | 51c877fa18 | |
Jesse Keating | 9c2377efbb |
|
@ -1 +1 @@
|
|||
samba-3.4.1.tar.gz
|
||||
samba-3.4.7.tar.gz
|
||||
|
|
2
Makefile
2
Makefile
|
@ -4,7 +4,7 @@ NAME := samba
|
|||
SPECFILE = $(firstword $(wildcard *.spec))
|
||||
|
||||
define find-makefile-common
|
||||
for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
|
||||
for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
|
||||
endef
|
||||
|
||||
MAKEFILE_COMMON := $(shell $(find-makefile-common))
|
||||
|
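Review bot: With the `$$d` typo corrected, the `-w $$d/Makefile.common` test can now actually succeed, so `cd $$d ; cvs -Q update` becomes a silent network side effect of `$(shell $(find-makefile-common))` on every make invocation in a writable CVS checkout. Nothing in the new line bounds that; consider gating the update on an explicit opt-in such as `if [ -n "$$UPDATE_COMMON" -a -f $$d/CVS/Root -a -w $$d/Makefile.common ]`, or at least stating the behaviour in a comment above the `define`. The rest of the Makefile is outside this hunk, so a guard may already exist elsewhere.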
|
|
@ -0,0 +1,628 @@
|
|||
From 40520b65fcfba963e90dfcffe87acd63a1760881 Mon Sep 17 00:00:00 2001
|
||||
From: Jeff Layton <jlayton@redhat.com>
|
||||
Date: Tue, 26 Jan 2010 08:45:53 -0500
|
||||
Subject: [PATCH 1/5] mount.cifs: directly include sys/stat.h in mtab.c
|
||||
|
||||
This file is mysteriously getting included when built via the makefile,
|
||||
but when you try to build mtab.o by hand it fails to build. Directly
|
||||
include it to remove any ambiguity.
|
||||
|
||||
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
||||
---
|
||||
source3/client/mtab.c | 1 +
|
||||
1 files changed, 1 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/source3/client/mtab.c b/source3/client/mtab.c
|
||||
index 93fbd11..70789bc 100644
|
||||
--- a/source3/client/mtab.c
|
||||
+++ b/source3/client/mtab.c
|
||||
@@ -32,6 +32,7 @@
|
||||
#include <errno.h>
|
||||
#include <stdio.h>
|
||||
#include <sys/time.h>
|
||||
+#include <sys/stat.h>
|
||||
#include <time.h>
|
||||
#include <fcntl.h>
|
||||
#include <mntent.h>
|
||||
--
|
||||
1.6.6
|
||||
|
||||
From 59dd0bb8c8b46c875bcc8b55a6c22fee5ea2113b Mon Sep 17 00:00:00 2001
|
||||
From: Jeff Layton <jlayton@redhat.com>
|
||||
Date: Tue, 26 Jan 2010 08:45:57 -0500
|
||||
Subject: [PATCH 2/5] mount.cifs: properly check for mount being in fstab when running setuid root (try#3)
|
||||
|
||||
This is the third attempt to clean up the checks when a setuid
|
||||
mount.cifs is run by an unprivileged user. The main difference in this
|
||||
patch from the last one is that it fixes a bug where the mount might
|
||||
have failed if unnecessarily if CIFS_LEGACY_SETUID_CHECK was set.
|
||||
|
||||
When mount.cifs is installed setuid root and run as an unprivileged
|
||||
user, it does some checks to limit how the mount is used. It checks that
|
||||
the mountpoint is owned by the user doing the mount.
|
||||
|
||||
These checks however do not match those that /bin/mount does when it is
|
||||
called by an unprivileged user. When /bin/mount is called by an
|
||||
unprivileged user to do a mount, it checks that the mount in question is
|
||||
in /etc/fstab, that it has the "user" option set, etc.
|
||||
|
||||
This means that it's currently not possible to set up user mounts the
|
||||
standard way (by the admin, in /etc/fstab) and simultaneously protect
|
||||
from an unprivileged user calling mount.cifs directly to mount a share
|
||||
on any directory that that user owns.
|
||||
|
||||
Fix this by making the checks in mount.cifs match those of /bin/mount
|
||||
itself. This is a necessary step to make mount.cifs safe to be installed
|
||||
as a setuid binary, but not sufficient. For that, we'd need to give
|
||||
mount.cifs a proper security audit.
|
||||
|
||||
Since some users may be depending on the legacy behavior, this patch
|
||||
also adds the ability to build mount.cifs with the older behavior.
|
||||
|
||||
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
||||
---
|
||||
source3/client/mount.cifs.c | 202 ++++++++++++++++++++++++++++++++++---------
|
||||
1 files changed, 162 insertions(+), 40 deletions(-)
|
||||
|
||||
diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c
|
||||
index 43dc7f6..da2867c 100644
|
||||
--- a/source3/client/mount.cifs.c
|
||||
+++ b/source3/client/mount.cifs.c
|
||||
@@ -39,10 +39,11 @@
|
||||
#include <mntent.h>
|
||||
#include <fcntl.h>
|
||||
#include <limits.h>
|
||||
+#include <fstab.h>
|
||||
#include "mount.h"
|
||||
|
||||
#define MOUNT_CIFS_VERSION_MAJOR "1"
|
||||
-#define MOUNT_CIFS_VERSION_MINOR "12"
|
||||
+#define MOUNT_CIFS_VERSION_MINOR "13"
|
||||
|
||||
#ifndef MOUNT_CIFS_VENDOR_SUFFIX
|
||||
#ifdef _SAMBA_BUILD_
|
||||
@@ -69,6 +70,10 @@
|
||||
#define MS_BIND 4096
|
||||
#endif
|
||||
|
||||
+/* private flags - clear these before passing to kernel */
|
||||
+#define MS_USERS 0x40000000
|
||||
+#define MS_USER 0x80000000
|
||||
+
|
||||
#define MAX_UNC_LEN 1024
|
||||
|
||||
#define CONST_DISCARD(type, ptr) ((type) ((void *) (ptr)))
|
||||
@@ -83,6 +88,27 @@
|
||||
/* currently maximum length of IPv6 address string */
|
||||
#define MAX_ADDRESS_LEN INET6_ADDRSTRLEN
|
||||
|
||||
+/*
|
||||
+ * By default, mount.cifs follows the conventions set forth by /bin/mount
|
||||
+ * for user mounts. That is, it requires that the mount be listed in
|
||||
+ * /etc/fstab with the "user" option when run as an unprivileged user and
|
||||
+ * mount.cifs is setuid root.
|
||||
+ *
|
||||
+ * Older versions of mount.cifs however were "looser" in this regard. When
|
||||
+ * made setuid root, a user could run mount.cifs directly and mount any share
|
||||
+ * on a directory owned by that user.
|
||||
+ *
|
||||
+ * The legacy behavior is now disabled by default. To reenable it, set the
|
||||
+ * following #define to true.
|
||||
+ */
|
||||
+#define CIFS_LEGACY_SETUID_CHECK 0
|
||||
+
|
||||
+/*
|
||||
+ * When an unprivileged user runs a setuid mount.cifs, we set certain mount
|
||||
+ * flags by default. These defaults can be changed here.
|
||||
+ */
|
||||
+#define CIFS_SETUID_FLAGS (MS_NOSUID|MS_NODEV)
|
||||
+
|
||||
const char *thisprogram;
|
||||
int verboseflag = 0;
|
||||
int fakemnt = 0;
|
||||
@@ -142,6 +168,99 @@ static size_t strlcat(char *d, const char *s, size_t bufsize)
|
||||
}
|
||||
#endif
|
||||
|
||||
+/*
|
||||
+ * If an unprivileged user is doing the mounting then we need to ensure
|
||||
+ * that the entry is in /etc/fstab.
|
||||
+ */
|
||||
+static int
|
||||
+check_mountpoint(const char *progname, char *mountpoint)
|
||||
+{
|
||||
+ int err;
|
||||
+ struct stat statbuf;
|
||||
+
|
||||
+ /* does mountpoint exist and is it a directory? */
|
||||
+ err = stat(mountpoint, &statbuf);
|
||||
+ if (err) {
|
||||
+ fprintf(stderr, "%s: failed to stat %s: %s\n", progname,
|
||||
+ mountpoint, strerror(errno));
|
||||
+ return EX_USAGE;
|
||||
+ }
|
||||
+
|
||||
+ if (!S_ISDIR(statbuf.st_mode)) {
|
||||
+ fprintf(stderr, "%s: %s is not a directory!", progname,
|
||||
+ mountpoint);
|
||||
+ return EX_USAGE;
|
||||
+ }
|
||||
+
|
||||
+#if CIFS_LEGACY_SETUID_CHECK
|
||||
+ /* do extra checks on mountpoint for legacy setuid behavior */
|
||||
+ if (!getuid() || geteuid())
|
||||
+ return 0;
|
||||
+
|
||||
+ if (statbuf.st_uid != getuid()) {
|
||||
+ fprintf(stderr, "%s: %s is not owned by user\n", progname,
|
||||
+ mountpoint);
|
||||
+ return EX_USAGE;
|
||||
+ }
|
||||
+
|
||||
+ if ((statbuf.st_mode & S_IRWXU) != S_IRWXU) {
|
||||
+ fprintf(stderr, "%s: invalid permissions on %s\n", progname,
|
||||
+ mountpoint);
|
||||
+ return EX_USAGE;
|
||||
+ }
|
||||
+#endif /* CIFS_LEGACY_SETUID_CHECK */
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+#if CIFS_LEGACY_SETUID_CHECK
|
||||
+static int
|
||||
+check_fstab(const char *progname, char *mountpoint, char *devname,
|
||||
+ char **options)
|
||||
+{
|
||||
+ return 0;
|
||||
+}
|
||||
+#else /* CIFS_LEGACY_SETUID_CHECK */
|
||||
+static int
|
||||
+check_fstab(const char *progname, char *mountpoint, char *devname,
|
||||
+ char **options)
|
||||
+{
|
||||
+ FILE *fstab;
|
||||
+ struct mntent *mnt;
|
||||
+
|
||||
+ /* make sure this mount is listed in /etc/fstab */
|
||||
+ fstab = setmntent(_PATH_FSTAB, "r");
|
||||
+ if (!fstab) {
|
||||
+ fprintf(stderr, "Couldn't open %s for reading!\n",
|
||||
+ _PATH_FSTAB);
|
||||
+ return EX_FILEIO;
|
||||
+ }
|
||||
+
|
||||
+ while((mnt = getmntent(fstab))) {
|
||||
+ if (!strcmp(mountpoint, mnt->mnt_dir))
|
||||
+ break;
|
||||
+ }
|
||||
+ endmntent(fstab);
|
||||
+
|
||||
+ if (mnt == NULL || strcmp(mnt->mnt_fsname, devname)) {
|
||||
+ fprintf(stderr, "%s: permission denied: no match for "
|
||||
+ "%s found in %s\n", progname, mountpoint,
|
||||
+ _PATH_FSTAB);
|
||||
+ return EX_USAGE;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * 'mount' munges the options from fstab before passing them
|
||||
+ * to us. It is non-trivial to test that we have the correct
|
||||
+ * set of options. We don't want to trust what the user
|
||||
+ * gave us, so just take whatever is in /etc/fstab.
|
||||
+ */
|
||||
+ free(*options);
|
||||
+ *options = strdup(mnt->mnt_opts);
|
||||
+ return 0;
|
||||
+}
|
||||
+#endif /* CIFS_LEGACY_SETUID_CHECK */
|
||||
+
|
||||
/* BB finish BB
|
||||
|
||||
cifs_umount
|
||||
@@ -373,7 +492,7 @@ static int get_password_from_file(int file_descript, char * filename)
|
||||
return rc;
|
||||
}
|
||||
|
||||
-static int parse_options(char ** optionsp, int * filesys_flags)
|
||||
+static int parse_options(char ** optionsp, unsigned long * filesys_flags)
|
||||
{
|
||||
const char * data;
|
||||
char * percent_char = NULL;
|
||||
@@ -423,6 +542,7 @@ static int parse_options(char ** optionsp, int * filesys_flags)
|
||||
|
||||
if (strncmp(data, "users",5) == 0) {
|
||||
if(!value || !*value) {
|
||||
+ *filesys_flags |= MS_USERS;
|
||||
goto nocopy;
|
||||
}
|
||||
} else if (strncmp(data, "user_xattr",10) == 0) {
|
||||
@@ -431,10 +551,7 @@ static int parse_options(char ** optionsp, int * filesys_flags)
|
||||
|
||||
if (!value || !*value) {
|
||||
if(data[4] == '\0') {
|
||||
- if(verboseflag)
|
||||
- printf("\nskipping empty user mount parameter\n");
|
||||
- /* remove the parm since it would otherwise be confusing
|
||||
- to the kernel code which would think it was a real username */
|
||||
+ *filesys_flags |= MS_USER;
|
||||
goto nocopy;
|
||||
} else {
|
||||
printf("username specified with no parameter\n");
|
||||
@@ -1046,7 +1163,7 @@ static void print_cifs_mount_version(void)
|
||||
int main(int argc, char ** argv)
|
||||
{
|
||||
int c;
|
||||
- int flags = MS_MANDLOCK; /* no need to set legacy MS_MGC_VAL */
|
||||
+ unsigned long flags = MS_MANDLOCK;
|
||||
char * orgoptions = NULL;
|
||||
char * share_name = NULL;
|
||||
const char * ipaddr = NULL;
|
||||
@@ -1069,7 +1186,6 @@ int main(int argc, char ** argv)
|
||||
size_t current_len;
|
||||
int retry = 0; /* set when we have to retry mount with uppercase */
|
||||
struct addrinfo *addrhead = NULL, *addr;
|
||||
- struct stat statbuf;
|
||||
struct utsname sysinfo;
|
||||
struct mntent mountent;
|
||||
struct sockaddr_in *addr4;
|
||||
@@ -1127,8 +1243,8 @@ int main(int argc, char ** argv)
|
||||
exit(EX_USAGE);
|
||||
}
|
||||
|
||||
- /* add sharename in opts string as unc= parm */
|
||||
|
||||
+ /* add sharename in opts string as unc= parm */
|
||||
while ((c = getopt_long (argc, argv, "afFhilL:no:O:rsSU:vVwt:",
|
||||
longopts, NULL)) != -1) {
|
||||
switch (c) {
|
||||
@@ -1266,6 +1382,22 @@ int main(int argc, char ** argv)
|
||||
exit(EX_USAGE);
|
||||
}
|
||||
|
||||
+ /* make sure mountpoint is legit */
|
||||
+ rc = check_mountpoint(thisprogram, mountpoint);
|
||||
+ if (rc)
|
||||
+ goto mount_exit;
|
||||
+
|
||||
+ /* sanity check for unprivileged mounts */
|
||||
+ if (getuid()) {
|
||||
+ rc = check_fstab(thisprogram, mountpoint, dev_name,
|
||||
+ &orgoptions);
|
||||
+ if (rc)
|
||||
+ goto mount_exit;
|
||||
+
|
||||
+ /* enable any default user mount flags */
|
||||
+ flags |= CIFS_SETUID_FLAGS;
|
||||
+ }
|
||||
+
|
||||
if (getenv("PASSWD")) {
|
||||
if(mountpassword == NULL)
|
||||
mountpassword = (char *)calloc(MOUNT_PASSWD_SIZE+1,1);
|
||||
@@ -1283,6 +1415,27 @@ int main(int argc, char ** argv)
|
||||
rc = EX_USAGE;
|
||||
goto mount_exit;
|
||||
}
|
||||
+
|
||||
+ if (getuid()) {
|
||||
+#if !CIFS_LEGACY_SETUID_CHECK
|
||||
+ if (!(flags & (MS_USERS|MS_USER))) {
|
||||
+ fprintf(stderr, "%s: permission denied\n", thisprogram);
|
||||
+ rc = EX_USAGE;
|
||||
+ goto mount_exit;
|
||||
+ }
|
||||
+#endif /* !CIFS_LEGACY_SETUID_CHECK */
|
||||
+
|
||||
+ if (geteuid()) {
|
||||
+ fprintf(stderr, "%s: not installed setuid - \"user\" "
|
||||
+ "CIFS mounts not supported.",
|
||||
+ thisprogram);
|
||||
+ rc = EX_FAIL;
|
||||
+ goto mount_exit;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ flags &= ~(MS_USERS|MS_USER);
|
||||
+
|
||||
addrhead = addr = parse_server(&share_name);
|
||||
if((addrhead == NULL) && (got_ip == 0)) {
|
||||
printf("No ip address specified and hostname not found\n");
|
||||
@@ -1299,37 +1452,6 @@ int main(int argc, char ** argv)
|
||||
mountpoint = resolved_path;
|
||||
}
|
||||
}
|
||||
- if(chdir(mountpoint)) {
|
||||
- printf("mount error: can not change directory into mount target %s\n",mountpoint);
|
||||
- rc = EX_USAGE;
|
||||
- goto mount_exit;
|
||||
- }
|
||||
-
|
||||
- if(stat (".", &statbuf)) {
|
||||
- printf("mount error: mount point %s does not exist\n",mountpoint);
|
||||
- rc = EX_USAGE;
|
||||
- goto mount_exit;
|
||||
- }
|
||||
-
|
||||
- if (S_ISDIR(statbuf.st_mode) == 0) {
|
||||
- printf("mount error: mount point %s is not a directory\n",mountpoint);
|
||||
- rc = EX_USAGE;
|
||||
- goto mount_exit;
|
||||
- }
|
||||
-
|
||||
- if((getuid() != 0) && (geteuid() == 0)) {
|
||||
- if((statbuf.st_uid == getuid()) && (S_IRWXU == (statbuf.st_mode & S_IRWXU))) {
|
||||
-#ifndef CIFS_ALLOW_USR_SUID
|
||||
- /* Do not allow user mounts to control suid flag
|
||||
- for mount unless explicitly built that way */
|
||||
- flags |= MS_NOSUID | MS_NODEV;
|
||||
-#endif
|
||||
- } else {
|
||||
- printf("mount error: permission denied or not superuser and mount.cifs not installed SUID\n");
|
||||
- exit(EX_USAGE);
|
||||
- }
|
||||
- }
|
||||
-
|
||||
if(got_user == 0) {
|
||||
/* Note that the password will not be retrieved from the
|
||||
USER env variable (ie user%password form) as there is
|
||||
--
|
||||
1.6.6
|
||||
|
||||
From a92fa34e73b988ca84fe15df6f67ea4879a6aa2e Mon Sep 17 00:00:00 2001
|
||||
From: Jeff Layton <jlayton@redhat.com>
|
||||
Date: Tue, 26 Jan 2010 08:45:58 -0500
|
||||
Subject: [PATCH 3/5] mount.cifs: take extra care that mountpoint isn't changed during mount
|
||||
|
||||
It's possible to trick mount.cifs into mounting onto the wrong directory
|
||||
by replacing the mountpoint with a symlink to a directory. mount.cifs
|
||||
attempts to check the validity of the mountpoint, but there's still a
|
||||
possible race between those checks and the mount(2) syscall.
|
||||
|
||||
To guard against this, chdir to the mountpoint very early, and only deal
|
||||
with it as "." from then on out.
|
||||
|
||||
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
||||
---
|
||||
source3/client/mount.cifs.c | 34 ++++++++++++++++++++++++++--------
|
||||
1 files changed, 26 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c
|
||||
index da2867c..53d1dad 100644
|
||||
--- a/source3/client/mount.cifs.c
|
||||
+++ b/source3/client/mount.cifs.c
|
||||
@@ -179,7 +179,7 @@ check_mountpoint(const char *progname, char *mountpoint)
|
||||
struct stat statbuf;
|
||||
|
||||
/* does mountpoint exist and is it a directory? */
|
||||
- err = stat(mountpoint, &statbuf);
|
||||
+ err = stat(".", &statbuf);
|
||||
if (err) {
|
||||
fprintf(stderr, "%s: failed to stat %s: %s\n", progname,
|
||||
mountpoint, strerror(errno));
|
||||
@@ -1383,6 +1383,14 @@ int main(int argc, char ** argv)
|
||||
}
|
||||
|
||||
/* make sure mountpoint is legit */
|
||||
+ rc = chdir(mountpoint);
|
||||
+ if (rc) {
|
||||
+ fprintf(stderr, "Couldn't chdir to %s: %s\n", mountpoint,
|
||||
+ strerror(errno));
|
||||
+ rc = EX_USAGE;
|
||||
+ goto mount_exit;
|
||||
+ }
|
||||
+
|
||||
rc = check_mountpoint(thisprogram, mountpoint);
|
||||
if (rc)
|
||||
goto mount_exit;
|
||||
@@ -1445,13 +1453,23 @@ int main(int argc, char ** argv)
|
||||
|
||||
/* BB save off path and pop after mount returns? */
|
||||
resolved_path = (char *)malloc(PATH_MAX+1);
|
||||
- if(resolved_path) {
|
||||
- /* Note that if we can not canonicalize the name, we get
|
||||
- another chance to see if it is valid when we chdir to it */
|
||||
- if (realpath(mountpoint, resolved_path)) {
|
||||
- mountpoint = resolved_path;
|
||||
- }
|
||||
+ if (!resolved_path) {
|
||||
+ fprintf(stderr, "Unable to allocate memory.\n");
|
||||
+ rc = EX_SYSERR;
|
||||
+ goto mount_exit;
|
||||
}
|
||||
+
|
||||
+ /* Note that if we can not canonicalize the name, we get
|
||||
+ another chance to see if it is valid when we chdir to it */
|
||||
+ if(!realpath(".", resolved_path)) {
|
||||
+ fprintf(stderr, "Unable to resolve %s to canonical path: %s\n",
|
||||
+ mountpoint, strerror(errno));
|
||||
+ rc = EX_SYSERR;
|
||||
+ goto mount_exit;
|
||||
+ }
|
||||
+
|
||||
+ mountpoint = resolved_path;
|
||||
+
|
||||
if(got_user == 0) {
|
||||
/* Note that the password will not be retrieved from the
|
||||
USER env variable (ie user%password form) as there is
|
||||
@@ -1585,7 +1603,7 @@ mount_retry:
|
||||
if (verboseflag)
|
||||
fprintf(stderr, "\n");
|
||||
|
||||
- if (!fakemnt && mount(dev_name, mountpoint, "cifs", flags, options)) {
|
||||
+ if (!fakemnt && mount(dev_name, ".", "cifs", flags, options)) {
|
||||
switch (errno) {
|
||||
case ECONNREFUSED:
|
||||
case EHOSTUNREACH:
|
||||
--
|
||||
1.6.6
|
||||
|
||||
From bcdb9dc5d7daef6e93b742462e6dd056c0d1ed91 Mon Sep 17 00:00:00 2001
|
||||
From: Jeff Layton <jlayton@redhat.com>
|
||||
Date: Tue, 26 Jan 2010 08:45:58 -0500
|
||||
Subject: [PATCH 4/5] mount.cifs: check for invalid characters in device name and mountpoint
|
||||
|
||||
It's apparently possible to corrupt the mtab if you pass embedded
|
||||
newlines to addmntent. Apparently tabs are also a problem with certain
|
||||
earlier glibc versions. Backslashes are also a minor issue apparently,
|
||||
but we can't reasonably filter those.
|
||||
|
||||
Make sure that neither the devname or mountpoint contain any problematic
|
||||
characters before allowing the mount to proceed.
|
||||
|
||||
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
||||
---
|
||||
source3/client/mount.cifs.c | 34 ++++++++++++++++++++++++++++++++++
|
||||
1 files changed, 34 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c
|
||||
index 53d1dad..85be62b 100644
|
||||
--- a/source3/client/mount.cifs.c
|
||||
+++ b/source3/client/mount.cifs.c
|
||||
@@ -1160,6 +1160,36 @@ static void print_cifs_mount_version(void)
|
||||
MOUNT_CIFS_VENDOR_SUFFIX);
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * This function borrowed from fuse-utils...
|
||||
+ *
|
||||
+ * glibc's addmntent (at least as of 2.10 or so) doesn't properly encode
|
||||
+ * newlines embedded within the text fields. To make sure no one corrupts
|
||||
+ * the mtab, fail the mount if there are embedded newlines.
|
||||
+ */
|
||||
+static int check_newline(const char *progname, const char *name)
|
||||
+{
|
||||
+ char *s;
|
||||
+ for (s = "\n"; *s; s++) {
|
||||
+ if (strchr(name, *s)) {
|
||||
+ fprintf(stderr, "%s: illegal character 0x%02x in mount entry\n",
|
||||
+ progname, *s);
|
||||
+ return EX_USAGE;
|
||||
+ }
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int check_mtab(const char *progname, const char *devname,
|
||||
+ const char *dir)
|
||||
+{
|
||||
+ if (check_newline(progname, devname) == -1 ||
|
||||
+ check_newline(progname, dir) == -1)
|
||||
+ return EX_USAGE;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+
|
||||
int main(int argc, char ** argv)
|
||||
{
|
||||
int c;
|
||||
@@ -1603,6 +1633,10 @@ mount_retry:
|
||||
if (verboseflag)
|
||||
fprintf(stderr, "\n");
|
||||
|
||||
+ rc = check_mtab(thisprogram, dev_name, mountpoint);
|
||||
+ if (rc)
|
||||
+ goto mount_exit;
|
||||
+
|
||||
if (!fakemnt && mount(dev_name, ".", "cifs", flags, options)) {
|
||||
switch (errno) {
|
||||
case ECONNREFUSED:
|
||||
--
|
||||
1.6.6
|
||||
|
||||
From ea8a30a9d217127eb2e5a0e0cd27d943cae7d13a Mon Sep 17 00:00:00 2001
|
||||
From: Jeff Layton <jlayton@redhat.com>
|
||||
Date: Tue, 26 Jan 2010 08:45:58 -0500
|
||||
Subject: [PATCH 5/5] mount.cifs: don't allow it to be run as setuid root program
|
||||
|
||||
mount.cifs has been the subject of several "security" fire drills due to
|
||||
distributions installing it as a setuid root program. This program has
|
||||
not been properly audited for security and the Samba team highly
|
||||
recommends that it not be installed as a setuid root program at this
|
||||
time.
|
||||
|
||||
To make that abundantly clear, this patch forcibly disables the ability
|
||||
for mount.cifs to run as a setuid root program. People are welcome to
|
||||
trivially patch this out, but they do so at their own peril.
|
||||
|
||||
A security audit and redesign of this program is in progress and we hope
|
||||
that we'll be able to remove this in the near future.
|
||||
|
||||
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
||||
---
|
||||
source3/client/mount.cifs.c | 39 ++++++++++++++++++++++++++++++++++++++-
|
||||
1 files changed, 38 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c
|
||||
index 85be62b..f29e1e6 100644
|
||||
--- a/source3/client/mount.cifs.c
|
||||
+++ b/source3/client/mount.cifs.c
|
||||
@@ -43,7 +43,7 @@
|
||||
#include "mount.h"
|
||||
|
||||
#define MOUNT_CIFS_VERSION_MAJOR "1"
|
||||
-#define MOUNT_CIFS_VERSION_MINOR "13"
|
||||
+#define MOUNT_CIFS_VERSION_MINOR "14"
|
||||
|
||||
#ifndef MOUNT_CIFS_VENDOR_SUFFIX
|
||||
#ifdef _SAMBA_BUILD_
|
||||
@@ -89,6 +89,17 @@
|
||||
#define MAX_ADDRESS_LEN INET6_ADDRSTRLEN
|
||||
|
||||
/*
|
||||
+ * mount.cifs has been the subject of many "security" bugs that have arisen
|
||||
+ * because of users and distributions installing it as a setuid root program.
|
||||
+ * mount.cifs has not been audited for security. Thus, we strongly recommend
|
||||
+ * that it not be installed setuid root. To make that abundantly clear,
|
||||
+ * mount.cifs now check whether it's running setuid root and exit with an
|
||||
+ * error if it is. If you wish to disable this check, then set the following
|
||||
+ * #define to 1, but please realize that you do so at your own peril.
|
||||
+ */
|
||||
+#define CIFS_DISABLE_SETUID_CHECK 0
|
||||
+
|
||||
+/*
|
||||
* By default, mount.cifs follows the conventions set forth by /bin/mount
|
||||
* for user mounts. That is, it requires that the mount be listed in
|
||||
* /etc/fstab with the "user" option when run as an unprivileged user and
|
||||
@@ -213,6 +224,29 @@ check_mountpoint(const char *progname, char *mountpoint)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#if CIFS_DISABLE_SETUID_CHECK
|
||||
+static int
|
||||
+check_setuid(void)
|
||||
+{
|
||||
+ return 0;
|
||||
+}
|
||||
+#else /* CIFS_DISABLE_SETUID_CHECK */
|
||||
+static int
|
||||
+check_setuid(void)
|
||||
+{
|
||||
+ if (getuid() && !geteuid()) {
|
||||
+ printf("This mount.cifs program has been built with the "
|
||||
+ "ability to run as a setuid root program disabled.\n"
|
||||
+ "mount.cifs has not been well audited for security "
|
||||
+ "holes. Therefore the Samba team does not recommend "
|
||||
+ "installing it as a setuid root program.\n");
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+#endif /* CIFS_DISABLE_SETUID_CHECK */
|
||||
+
|
||||
#if CIFS_LEGACY_SETUID_CHECK
|
||||
static int
|
||||
check_fstab(const char *progname, char *mountpoint, char *devname,
|
||||
@@ -1222,6 +1256,9 @@ int main(int argc, char ** argv)
|
||||
struct sockaddr_in6 *addr6;
|
||||
FILE * pmntfile;
|
||||
|
||||
+ if (check_setuid())
|
||||
+ return EX_USAGE;
|
||||
+
|
||||
/* setlocale(LC_ALL, "");
|
||||
bindtextdomain(PACKAGE, LOCALEDIR);
|
||||
textdomain(PACKAGE); */
|
||||
--
|
||||
1.6.6
|
||||
|
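Review bot: In PATCH 4/5, `check_mtab` tests `check_newline(progname, devname) == -1 || check_newline(progname, dir) == -1`, but `check_newline` returns `EX_USAGE` on a hit and 0 otherwise, so unless mount.h defines EX_USAGE as -1 the embedded-newline guard this patch describes can never fail and the mtab-corruption check is dead; compare against non-zero instead: `if (check_newline(progname, devname) || check_newline(progname, dir)) return EX_USAGE;`. In PATCH 2/5 and 3/5, `check_fstab` still matches the caller-supplied `mountpoint` string against `mnt_dir`, while the mount itself is performed on `.` after `chdir(mountpoint)` and `realpath(".")` is only taken afterwards; if an unprivileged user can replace a component of a fstab-listed `user` mountpoint with a symlink, the string comparison would appear to pass while the mount lands elsewhere, so it looks worth comparing the canonical path (and a canonicalised `mnt_dir`) against the fstab entry, as /bin/mount does — this is inferred from the ordering in main, which is cut across several hunks. Minor: `*options = strdup(mnt->mnt_opts)` in `check_fstab` is not checked for NULL, and `mnt` is dereferenced after `endmntent(fstab)`, which is safe with glibc's static `getmntent` buffer but deserves a comment such as `/* mnt points at getmntent's static buffer; valid after endmntent() on glibc */`.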
489
samba.spec
489
samba.spec
|
@ -1,26 +1,23 @@
|
|||
%define main_release 45
|
||||
%define samba_version 3.4.1
|
||||
%define main_release 58
|
||||
%define samba_version 3.4.7
|
||||
%define tdb_version 1.1.3
|
||||
%define talloc_version 1.3.0
|
||||
#%define pre_release rc1
|
||||
%define pre_release %nil
|
||||
|
||||
%define samba_release 0%{pre_release}.%{main_release}%{?dist}
|
||||
|
||||
%define enable_talloc 0
|
||||
%define enable_tdb 0
|
||||
%define samba_release %{main_release}%{pre_release}%{?dist}
|
||||
|
||||
%define samba_source source3
|
||||
Summary: Server and Client software to interoperate with Windows machines
|
||||
Name: samba
|
||||
Epoch: 0
|
||||
Version: %{samba_version}
|
||||
Release: %{samba_release}.1
|
||||
Release: %{samba_release}
|
||||
License: GPLv3+ and LGPLv3+
|
||||
Group: System Environment/Daemons
|
||||
URL: http://www.samba.org/
|
||||
|
||||
Source: http://www.samba.org/samba/ftp/samba/%{name}-%{samba_version}%{pre_release}.tar.gz
|
||||
Source: http://www.samba.org/samba/ftp/%{name}-%{samba_version}%{pre_release}.tar.gz
|
||||
|
||||
# Red Hat specific replacement-files
|
||||
Source1: samba.log
|
||||
|
@ -48,6 +45,7 @@ Patch104: samba-3.0.0rc3-nmbd-netbiosname.patch
|
|||
# The passwd part has been applied, but not the group part
|
||||
Patch107: samba-3.2.0pre1-grouppwd.patch
|
||||
Patch200: samba-3.2.5-inotify.patch
|
||||
Patch202: samba-3.4.5-CVE-2009-3297-mount_cifs.patch
|
||||
|
||||
Requires(pre): samba-common = %{epoch}:%{samba_version}-%{release}
|
||||
Requires: pam >= 0:0.64
|
||||
|
@ -57,12 +55,7 @@ Requires(post): /sbin/chkconfig, /sbin/service
|
|||
Requires(preun): /sbin/chkconfig, /sbin/service
|
||||
BuildRequires: pam-devel, readline-devel, ncurses-devel, libacl-devel, krb5-devel, openldap-devel, openssl-devel, cups-devel, ctdb-devel
|
||||
BuildRequires: autoconf, gawk, popt-devel, gtk2-devel, libcap-devel, libuuid-devel
|
||||
%if ! %enable_talloc
|
||||
BuildRequires: libtalloc-devel >= %{talloc_version}
|
||||
%endif
|
||||
%if ! %enable_tdb
|
||||
BuildRequires: libtdb-devel >= %{tdb_version}
|
||||
%endif
|
||||
BuildRequires: libtalloc-devel, libtdb-devel
|
||||
|
||||
# Working around perl dependency problem from docs
|
||||
%define __perl_requires %{SOURCE999}
|
||||
|
@ -85,7 +78,6 @@ need the NetBEUI (Microsoft Raw NetBIOS frame) protocol.
|
|||
Summary: Samba client programs
|
||||
Group: Applications/System
|
||||
Requires: samba-common = %{epoch}:%{samba_version}-%{release}
|
||||
Obsoletes: smbfs
|
||||
|
||||
%description client
|
||||
The samba-client package provides some SMB/CIFS clients to complement
|
||||
|
@ -111,14 +103,24 @@ packages of Samba.
|
|||
Summary: Samba winbind
|
||||
Group: Applications/System
|
||||
Requires: samba-common = %{epoch}:%{samba_version}-%{release}
|
||||
Requires: samba-winbind-clients = %{epoch}:%{samba_version}-%{release}
|
||||
Requires(pre): /usr/sbin/groupadd
|
||||
Requires(post): /sbin/chkconfig, /sbin/service, coreutils
|
||||
Requires(preun): /sbin/chkconfig, /sbin/service
|
||||
|
||||
%description winbind
|
||||
The samba-winbind package provides the winbind daemon, a NSS library, a PAM
|
||||
module and some client tools. Winbind enables Linux to be a full member in
|
||||
Windows domains and to use Windows user and group accounts on Linux.
|
||||
The samba-winbind package provides the winbind daemon and some client tools.
|
||||
Winbind enables Linux to be a full member in Windows domains and to use
|
||||
Windows user and group accounts on Linux.
|
||||
|
||||
|
||||
%package winbind-clients
|
||||
Summary: Samba winbind clients
|
||||
Group: Applications/System
|
||||
|
||||
%description winbind-clients
|
||||
The samba-winbind-clients package provides the NSS library and a PAM
|
||||
module necessary to communicate to the Winbind Daemon
|
||||
|
||||
|
||||
%package winbind-devel
|
||||
|
@ -177,63 +179,6 @@ Requires: libsmbclient = %{epoch}:%{samba_version}-%{release}
|
|||
The libsmbclient-devel package contains the header files and libraries needed to
|
||||
develop programs that link against the SMB client library in the Samba suite.
|
||||
|
||||
%if %enable_tdb
|
||||
%package -n libtdb
|
||||
Summary: The TDB library and tools
|
||||
Group: Applications/System
|
||||
Version: %{tdb_version}
|
||||
Release: %{main_release}%{?dist}
|
||||
|
||||
%description -n libtdb
|
||||
The TDB library from the Samba suite.
|
||||
|
||||
|
||||
%package -n tdb-tools
|
||||
Summary: The TDB tools
|
||||
Group: Applications/System
|
||||
Version: %{tdb_version}
|
||||
Release: %{main_release}%{?dist}
|
||||
Requires: libtdb = %{epoch}:%{tdb_version}-%{main_release}%{?dist}
|
||||
|
||||
%description -n tdb-tools
|
||||
Some TDB tools from the Samba suite.
|
||||
|
||||
|
||||
%package -n libtdb-devel
|
||||
Summary: Developer tools for the TDB library
|
||||
Group: Development
|
||||
Version: %{tdb_version}
|
||||
Release: %{main_release}%{?dist}
|
||||
Requires: libtdb = %{epoch}:%{tdb_version}-%{main_release}%{?dist}
|
||||
|
||||
%description -n libtdb-devel
|
||||
The libtdb-devel package contains the header files and libraries needed to
|
||||
develop programs that link against the TDB library in the Samba suite.
|
||||
%endif
|
||||
|
||||
%if %enable_talloc
|
||||
%package -n libtalloc
|
||||
Summary: The talloc library
|
||||
Group: Applications/System
|
||||
Version: %{talloc_version}
|
||||
Release: %{main_release}%{?dist}
|
||||
|
||||
%description -n libtalloc
|
||||
The talloc library from the Samba suite.
|
||||
|
||||
|
||||
%package -n libtalloc-devel
|
||||
Summary: Developer tools for the talloc library
|
||||
Group: Development
|
||||
Version: %{talloc_version}
|
||||
Release: %{main_release}%{?dist}
|
||||
Requires: libtalloc = %{epoch}:%{talloc_version}-%{main_release}%{?dist}
|
||||
|
||||
%description -n libtalloc-devel
|
||||
The libtalloc-devel package contains the header files and libraries needed to
|
||||
develop programs that link against the talloc library in the Samba suite.
|
||||
%endif
|
||||
|
||||
%prep
|
||||
# TAG: change for non-pre
|
||||
%setup -q -n %{name}-%{samba_version}%{pre_release}
|
||||
|
@ -258,6 +203,7 @@ cp %{SOURCE11} packaging/Fedora/
|
|||
#%patch104 -p1 -b .nmbd-netbiosname # FIXME: does not apply
|
||||
%patch107 -p1 -b .grouppwd
|
||||
%patch200 -p0 -b .inotify
|
||||
%patch202 -p1 -b .CVE-2009-3297-mount_cifs
|
||||
|
||||
mv %samba_source/VERSION %samba_source/VERSION.orig
|
||||
sed -e 's/SAMBA_VERSION_VENDOR_SUFFIX=$/&\"%{samba_release}\"/' < %samba_source/VERSION.orig > %samba_source/VERSION
|
||||
|
@ -282,48 +228,52 @@ RPM_OPT_FLAGS="$RPM_OPT_FLAGS -D_FILE_OFFSET_BITS=64"
EXTRA="-D_LARGEFILE64_SOURCE"
%endif
CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -DLDAP_DEPRECATED" %configure \
--with-dnsupdate \
--with-ads \
--with-acl-support \
--with-automount \
--with-dnsupdate \
--with-libsmbclient \
--with-libsmbsharemodes \
--with-mmap \
--with-pam \
--with-pam_smbpass \
--with-quotas \
--with-sendfile-support \
--with-syslog \
--with-utmp \
--with-vfs \
--with-winbind \
--without-smbwrapper \
--with-lockdir=/var/lib/samba \
--with-piddir=/var/run \
--with-mandir=%{_mandir} \
--with-privatedir=/var/lib/samba/private \
--with-logfilebase=/var/log/samba \
--with-libdir=%{_libdir} \
--with-modulesdir=%{_libdir}/samba \
--with-configdir=%{_sysconfdir}/samba \
--with-pammodulesdir=%{_lib}/security \
--with-swatdir=%{_datadir}/swat \
--with-shared-modules=idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2 \
--with-cifsupcall \
--with-cluster-support
# --with-aio-support \
--with-dnsupdate \
--with-ads \
--with-acl-support \
--with-automount \
--with-dnsupdate \
--with-libsmbclient \
--with-libsmbsharemodes \
--with-mmap \
--with-pam \
--with-pam_smbpass \
--with-quotas \
--with-sendfile-support \
--with-syslog \
--with-utmp \
--with-vfs \
--with-winbind \
--without-smbwrapper \
--with-lockdir=/var/lib/samba \
--with-piddir=/var/run \
--with-mandir=%{_mandir} \
--with-privatedir=/var/lib/samba/private \
--with-logfilebase=/var/log/samba \
--with-libdir=%{_libdir} \
--with-modulesdir=%{_libdir}/samba \
--with-configdir=%{_sysconfdir}/samba \
--with-pammodulesdir=%{_lib}/security \
--with-swatdir=%{_datadir}/swat \
--with-shared-modules=idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2 \
--with-cifsupcall \
--with-cluster-support \
--with-libtalloc=no \
--enable-external-libtalloc=yes \
--with-libtdb=no \
# --enable-external-libtdb=yes \
# --with-aio-support \
make pch
make LD_LIBRARY_PATH=$RPM_BUILD_DIR/%{name}-%{samba_version}%{pre_release}/%samba_source/bin \
%{?_smp_mflags} \
all ../nsswitch/libnss_wins.so modules test_pam_modules test_nss_modules test_shlibs
%{?_smp_mflags} \
all ../nsswitch/libnss_wins.so modules test_pam_modules test_nss_modules test_shlibs
make LD_LIBRARY_PATH=$RPM_BUILD_DIR/%{name}-%{samba_version}%{pre_release}/%samba_source/bin \
%{?_smp_mflags} \
-C lib/netapi/examples
%{?_smp_mflags} \
-C lib/netapi/examples
make debug2html smbfilter bin/cifs.upcall
@ -350,22 +300,22 @@ mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
cd %samba_source
%makeinstall \
BINDIR=$RPM_BUILD_ROOT%{_bindir} \
BASEDIR=$RPM_BUILD_ROOT%{_prefix} \
SBINDIR=$RPM_BUILD_ROOT%{_sbindir} \
DATADIR=$RPM_BUILD_ROOT%{_datadir} \
LOCKDIR=$RPM_BUILD_ROOT/var/lib/samba \
PRIVATEDIR=$RPM_BUILD_ROOT%{_sysconfdir}/samba \
LIBDIR=$RPM_BUILD_ROOT%{_libdir}/ \
MODULESDIR=$RPM_BUILD_ROOT%{_libdir}/samba \
CONFIGDIR=$RPM_BUILD_ROOT%{_sysconfdir}/samba \
PAMMODULESDIR=$RPM_BUILD_ROOT/%{_lib}/security \
MANDIR=$RPM_BUILD_ROOT%{_mandir} \
VARDIR=$RPM_BUILD_ROOT/var/log/samba \
CODEPAGEDIR=$RPM_BUILD_ROOT%{_libdir}/samba \
SWATDIR=$RPM_BUILD_ROOT%{_datadir}/swat \
SAMBABOOK=$RPM_BUILD_ROOT%{_datadir}/swat/using_samba \
PIDDIR=$RPM_BUILD_ROOT/var/run
BINDIR=$RPM_BUILD_ROOT%{_bindir} \
BASEDIR=$RPM_BUILD_ROOT%{_prefix} \
SBINDIR=$RPM_BUILD_ROOT%{_sbindir} \
DATADIR=$RPM_BUILD_ROOT%{_datadir} \
LOCKDIR=$RPM_BUILD_ROOT/var/lib/samba \
PRIVATEDIR=$RPM_BUILD_ROOT%{_sysconfdir}/samba \
LIBDIR=$RPM_BUILD_ROOT%{_libdir}/ \
MODULESDIR=$RPM_BUILD_ROOT%{_libdir}/samba \
CONFIGDIR=$RPM_BUILD_ROOT%{_sysconfdir}/samba \
PAMMODULESDIR=$RPM_BUILD_ROOT/%{_lib}/security \
MANDIR=$RPM_BUILD_ROOT%{_mandir} \
VARDIR=$RPM_BUILD_ROOT/var/log/samba \
CODEPAGEDIR=$RPM_BUILD_ROOT%{_libdir}/samba \
SWATDIR=$RPM_BUILD_ROOT%{_datadir}/swat \
SAMBABOOK=$RPM_BUILD_ROOT%{_datadir}/swat/using_samba \
PIDDIR=$RPM_BUILD_ROOT/var/run
cd ..
@ -396,30 +346,12 @@ ln -sf /%{_lib}/libnss_wins.so.2 $RPM_BUILD_ROOT%{_libdir}/libnss_wins.so
mkdir -p $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_includedir}
build_libdir="$RPM_BUILD_ROOT%{_libdir}"
%if %enable_talloc
# talloc
cd lib/talloc
# just to get the correct .pc file generated
./autogen.sh && ./configure --prefix=%{_prefix} --libdir=%{_libdir}
cd ../..
install -m 644 lib/talloc/talloc.pc $build_libdir/pkgconfig/
%endif
%if %enable_tdb
# tdb
cd lib/tdb
# just to get the correct .pc file generated
./autogen.sh && ./configure --prefix=%{_prefix} --libdir=%{_libdir}
cd ../..
install -m 644 lib/tdb/tdb.pc $build_libdir/pkgconfig/
%endif
# make install puts libraries in the wrong place
# (but at least gets the versioning right now)
list="smbclient smbsharemodes netapi talloc tdb wbclient"
for i in $list; do
install -m 644 %samba_source/pkgconfig/$i.pc $build_libdir/pkgconfig/ || true
install -m 644 %samba_source/pkgconfig/$i.pc $build_libdir/pkgconfig/ || true
done
@ -469,25 +401,21 @@ mv -f $RPM_BUILD_ROOT%{_mandir}/man1/ldbmodify.1 $RPM_BUILD_ROOT%{_mandir}/man1/
mv -f $RPM_BUILD_ROOT%{_mandir}/man1/ldbsearch.1 $RPM_BUILD_ROOT%{_mandir}/man1/ldb3search.1
mv -f $RPM_BUILD_ROOT%{_mandir}/man1/ldbrename.1 $RPM_BUILD_ROOT%{_mandir}/man1/ldb3rename.1
%if ! %enable_talloc
rm -f $RPM_BUILD_ROOT%{_libdir}/libtalloc.so.*
rm -f $RPM_BUILD_ROOT%{_includedir}/talloc.h
rm -f $RPM_BUILD_ROOT%{_libdir}/libtalloc.so
rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/talloc.pc
%endif
#rm -f $RPM_BUILD_ROOT%{_libdir}/libtalloc.so.*
#rm -f $RPM_BUILD_ROOT%{_includedir}/talloc.h
#rm -f $RPM_BUILD_ROOT%{_libdir}/libtalloc.so
#rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/talloc.pc
%if ! %enable_tdb
rm -f $RPM_BUILD_ROOT%{_libdir}/libtdb.so.*
rm -f $RPM_BUILD_ROOT%{_includedir}/tdb.h
rm -f $RPM_BUILD_ROOT%{_libdir}/libtdb.so
rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/tdb.pc
#rm -f $RPM_BUILD_ROOT%{_libdir}/libtdb.so.*
#rm -f $RPM_BUILD_ROOT%{_includedir}/tdb.h
#rm -f $RPM_BUILD_ROOT%{_libdir}/libtdb.so
#rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/tdb.pc
rm -f $RPM_BUILD_ROOT%{_bindir}/tdbbackup
rm -f $RPM_BUILD_ROOT%{_bindir}/tdbdump
rm -f $RPM_BUILD_ROOT%{_bindir}/tdbtool
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/tdbbackup.8*
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/tdbdump.8*
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/tdbtool.8*
%endif
%clean
rm -rf $RPM_BUILD_ROOT
@ -498,8 +426,8 @@ rm -rf $RPM_BUILD_ROOT
/sbin/chkconfig --add smb
/sbin/chkconfig --add nmb
if [ "$1" -ge "1" ]; then
/sbin/service smb condrestart >/dev/null 2>&1 || :
/sbin/service nmb condrestart >/dev/null 2>&1 || :
/sbin/service smb condrestart >/dev/null 2>&1 || :
/sbin/service nmb condrestart >/dev/null 2>&1 || :
fi
exit 0
@ -522,132 +450,12 @@ exit 0
/sbin/chkconfig --add winbind
if [ "$1" -ge "1" ]; then
/sbin/service winbind condrestart >/dev/null 2>&1 || :
/sbin/service winbind condrestart >/dev/null 2>&1 || :
fi
%post common
/sbin/ldconfig
###############################################################################
## We have new default since F-8, time to stop checking for old files are there
## should be none in any support upgrade case
## (keeping it commented just for reference for a while
##
## # This script must be run always on installs or upgrades
## # it checks if a previous installation have created files
## # under /var/cache/samba and move them in that case as the
## # new package wants them to be under /var/lib/samba for
## # FHS compliance
## #
## # - we must stop the dameon if running and restart it
## # after the script if it was
## # - we do not overwrite newer files
## # - even if /etc/init.d/smb is in samba and not
## # samba-common we need to stop smbd/nmbd, if they
## # are running, here as well, or we will mess up
## # shared (between winbindd and smbd/nmbd) tdbs
##
## OLDPATH="/var/cache/samba"
## NEWPATH="/var/lib/samba"
##
## eval ls $OLDPATH/*.tdb >/dev/null 2>&1
## if [ $? = 0 ]; then
## eval testparm -s 2>/dev/null |grep "lock dir" >/dev/null
## if [ $? = 0 ]; then
## echo "Warning: lock dir explicitly set. Not moving tdb files to new default location"
## else
##
## #Stop daemons before we move the files around
##
## #this is what condrestart checks as well
## if [ -f /var/lock/subsys/winbindd ]; then
## /sbin/service winbind stop >/dev/null 2>&1 || :
## # Use a dirty trick to fool condrestart later
## touch /var/lock/subsys/winbindd
## fi
##
## if [ -f /var/lock/subsys/smb ]; then
## /sbin/service smb stop >/dev/null 2>&1 || :
## # We need to stop smbd here as we are moving also smbd owned files
## # but we can't restart it until the new server is installed.
## # Use a dirty trick to fool condrestart later
## touch /var/lock/subsys/smb
## fi
##
## if [ -f /var/lock/subsys/nmb ]; then
## /sbin/service nmb stop >/dev/null 2>&1 || :
## # We need to stop smbd here as we are moving also smbd owned files
## # but we can't restart it until the new server is installed.
## # Use a dirty trick to fool condrestart later
## touch /var/lock/subsys/nmb
## fi
##
## eval ls $NEWPATH/*.tdb >/dev/null 2>&1
## if [ $? = 0 ]; then
## #something strange here, lets backup this stuff and avoid just wiping it
##
## mkdir $NEWPATH.pkgbkp
## mv -f $NEWPATH/*.tdb $NEWPATH.pkgbkp/ >/dev/null 2>&1
## mv -f $NEWPATH/*.dat $NEWPATH.pkgbkp/ >/dev/null 2>&1
## mv -f $NEWPATH/perfmon $NEWPATH.pkgbkp/ >/dev/null 2>&1
## mv -f $NEWPATH/printing $NEWPATH.pkgbkp/ >/dev/null 2>&1
## fi
##
## mv -f $OLDPATH/*.tdb $NEWPATH/ >/dev/null 2>&1
## mv -f $OLDPATH/*.dat $NEWPATH/ >/dev/null 2>&1
## mv -f $OLDPATH/perfmon $NEWPATH/ >/dev/null 2>&1
## mv -f $OLDPATH/printing $NEWPATH/ >/dev/null 2>&1
##
## fi
## fi
##
## # We also moved private files from /etc/samba to
## # /var/lib/samba/private so we need to migrate these as well
##
## #secrets.tdb
## if [ -f %{_sysconfdir}/samba/secrets.tdb ]; then
## eval testparm -s 2>/dev/null |grep "private dir" >/dev/null
## if [ $? = 0 ]; then
## echo "Warning: private dir explicitly set. Not moving secrets.tdb to new default location"
## else
## if [ -f /var/lib/samba/private/secrets.tdb ]; then
## mv -f /var/lib/samba/private/secrets.tdb /var/lib/samba/private/secrets.tdb.old
## fi
## mv -f %{_sysconfdir}/samba/secrets.tdb /var/lib/samba/private/secrets.tdb
## fi
## fi
##
## #smbpasswd
## if [ -f %{_sysconfdir}/samba/smbpasswd ]; then
## eval testparm -s 2>/dev/null |grep "smb passwd file" >/dev/null
## if [ $? = 0 ]; then
## echo "Warning: smbpasswd file location explicitly set. Not moving smbpasswd to new default location"
## else
## if [ -f /var/lib/samba/private/smbpasswd ]; then
## mv -f /var/lib/samba/private/smbpasswd /var/lib/samba/private/smbpasswd.old
## fi
## mv -f %{_sysconfdir}/samba/smbpasswd /var/lib/samba/private/smbpasswd
## fi
## fi
##
## #passdb.tdb
## if [ -f %{_sysconfdir}/samba/passdb.tdb ]; then
## eval testparm -s 2>/dev/null |grep "private dir" >/dev/null || testparm -s 2>/dev/null |grep -P "^\s*passdb\s*backend\s*=.*tdbsam:/etc/samba/passdb.tdb.*"
## if [ $? = 0 ]; then
## echo "Warning: passdb.tdb location explicitly set. Not moving passdb.tdb to new default location"
## else
## if [ -f /var/lib/samba/private/passdb.tdb ]; then
## mv -f /var/lib/samba/private/passdb.tdb /var/lib/samba/private/passdb.tdb.old
## fi
## mv -f %{_sysconfdir}/samba/passdb.tdb /var/lib/samba/private/passdb.tdb
## fi
## fi
##
## #remove schannel_store if existing, it is not info we need to keep across restarts
## if [ -f %{_sysconfdir}/samba/schannel_store.tdb ]; then
## rm -f %{_sysconfdir}/samba/schannel_store.tdb
## fi
##
%preun winbind
if [ $1 = 0 ] ; then
/sbin/service winbind stop >/dev/null 2>&1 || :
@ -665,22 +473,6 @@ exit 0
%postun -n libsmbclient
/sbin/ldconfig
%if %enable_tdb
%post -n libtdb
/sbin/ldconfig
%postun -n libtdb
/sbin/ldconfig
%endif
%if %enable_talloc
%post -n libtalloc
/sbin/ldconfig
%postun -n libtalloc
/sbin/ldconfig
%endif
%files
%defattr(-,root,root)
%{_sbindir}/smbd
@ -753,8 +545,6 @@ exit 0
%{_libdir}/samba/lowcase.dat
%{_libdir}/samba/upcase.dat
%{_libdir}/samba/valid.dat
%{_libdir}/libnss_wins.so
/%{_lib}/libnss_wins.so.2
%{_libdir}/libnetapi.so
%attr(755,root,root) %{_libdir}/libnetapi.so.*
%{_includedir}/netapi.h
@ -800,18 +590,15 @@ exit 0
%{_mandir}/man8/pdbedit.8*
%{_mandir}/man8/net.8*
%doc README COPYING Manifest
%doc README COPYING Manifest
%doc WHATSNEW.txt Roadmap
%files winbind
%defattr(-,root,root)
%{_bindir}/ntlm_auth
%{_bindir}/wbinfo
%{_libdir}/libnss_winbind.so
%attr(755,root,root) %{_libdir}/libwbclient.so.*
%{_libdir}/samba/idmap
%{_libdir}/samba/nss_info
/%{_lib}/libnss_winbind.so.2
/%{_lib}/security/pam_winbind.so
%{_sbindir}/winbindd
%dir /var/run/winbindd
%attr(750,root,wbpriv) %dir /var/lib/samba/winbindd_privileged
@ -825,21 +612,34 @@ exit 0
%{_mandir}/man8/idmap_*.8*
%{_datadir}/locale/*/LC_MESSAGES/pam_winbind.mo
%files winbind-clients
%defattr(-,root,root)
%{_libdir}/libnss_winbind.so
/%{_lib}/libnss_winbind.so.2
%{_libdir}/libnss_wins.so
/%{_lib}/libnss_wins.so.2
/%{_lib}/security/pam_winbind.so
%attr(755,root,root) %{_libdir}/libwbclient.so.*
%files winbind-devel
%defattr(-,root,root)
%{_includedir}/wbclient.h
%{_libdir}/libwbclient.so
%{_libdir}/pkgconfig/wbclient.pc
%files doc
%defattr(-,root,root)
%doc docs/Samba3-Developers-Guide.pdf docs/Samba3-ByExample.pdf
%doc docs/Samba3-HOWTO.pdf
%doc docs/htmldocs
%files -n libsmbclient
%defattr(-,root,root)
%attr(755,root,root) %{_libdir}/libsmbclient.so.*
%attr(755,root,root) %{_libdir}/libsmbsharemodes.so.*
%files -n libsmbclient-devel
%defattr(-,root,root)
%{_includedir}/libsmbclient.h
%{_includedir}/smb_share_modes.h
%{_libdir}/libsmbclient.so
@ -848,34 +648,6 @@ exit 0
%{_libdir}/pkgconfig/smbsharemodes.pc
%{_mandir}/man7/libsmbclient.7*
%if %enable_talloc
%files -n libtalloc
%attr(755,root,root) %{_libdir}/libtalloc.so.*
%files -n libtalloc-devel
%{_includedir}/talloc.h
%{_libdir}/libtalloc.so
%{_libdir}/pkgconfig/talloc.pc
%endif
%if %enable_tdb
%files -n libtdb
%attr(755,root,root) %{_libdir}/libtdb.so.*
%files -n libtdb-devel
%{_includedir}/tdb.h
%{_libdir}/libtdb.so
%{_libdir}/pkgconfig/tdb.pc
%files -n tdb-tools
%{_bindir}/tdbbackup
%{_bindir}/tdbdump
%{_bindir}/tdbtool
%{_mandir}/man8/tdbbackup.8*
%{_mandir}/man8/tdbdump.8*
%{_mandir}/man8/tdbtool.8*
%endif
%files domainjoin-gui
%{_sbindir}/netdomjoin-gui
%dir %{_datadir}/pixmaps/samba
@ -884,6 +656,61 @@ exit 0
%{_datadir}/pixmaps/samba/logo-small.png
%changelog
* Mon Mar 08 2010 Simo Sorce <ssorce@redhat.com> - 3.4.7-58
- Security update to 3.4.7
- Fixes CVE-2010-0728
* Wed Feb 24 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.6-57
- Update to 3.4.6
* Wed Feb 17 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.5-56
- Fix crash in cifs.upcall
- resolves: #565446
* Wed Jan 26 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.5-55
- Security Release, fixes CVE-2009-3297
- resolves: #532940
* Wed Jan 26 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.5-54
- Fix crash in pdbedit
- resolves: #541267
* Tue Jan 19 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.5-53
- Update to 3.4.5
* Thu Jan 14 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.4-52
- Fix crash bug in libsmbclient (SMBC_parse_path)
- resolves: #552658
* Thu Jan 07 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.4-51
- Update to 3.4.4
* Tue Dec 01 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.3-50
- Fix uninitialized rpc client pipe, causing winbind to crash
- resolves: #541328
* Wed Nov 25 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.3-49
- Various updates to inline documentation in default smb.conf file
- resolves: #483703
* Thu Oct 29 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.3-48
- Update to 3.4.3
* Fri Oct 09 2009 Simo Sorce <ssorce@redhat.com> - 3.4.2-47
- Spec file cleanup
- Fix sources upstream location
- Remove conditionals to build talloc and tdb, now they are completely indepent
packages in Fedora
- Add defattr() where missing
- Turn all tabs into 4 spaces
- Remove unused migration script
- Split winbind-clients out of main winbind package to avoid multilib to include
huge packages for no good reason
* Thu Oct 01 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.2-0.46
- Update to 3.4.2
- Security Release, fixes CVE-2009-2813, CVE-2009-2948 and CVE-2009-2906
* Wed Sep 16 2009 Tomas Mraz <tmraz@redhat.com> - 3.4.1-0.45
- Use password-auth common PAM configuration instead of system-auth
311
smb.conf.default
311
smb.conf.default
@ -1,102 +1,119 @@
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
# This is the main Samba configuration file. For detailed information about the
# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
# number of configurable options, most of which are not shown in this example.
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
# The Official Samba 3.2.x HOWTO and Reference Guide contains step-by-step
# guides for installing, configuring, and using Samba:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
# The Samba-3 by Example guide has working examples for smb.conf. This guide is
# generated daily: http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
# In this file, lines starting with a semicolon (;) or a hash (#) are
# comments and are ignored. This file uses hashes to denote commentary and
# semicolons for parts of the file you may wish to configure.
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
# Note: Run the "testparm" command after modifying this file to check for basic
# syntax errors.
#
#---------------
# SELINUX NOTES:
# Security-Enhanced Linux (SELinux) Notes:
#
# If you want to use the useradd/groupadd family of binaries please run:
# Turn the samba_domain_controller Boolean on to allow Samba to use the useradd
# and groupadd family of binaries. Run the following command as the root user to
# turn this Boolean on:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# Turn the samba_enable_home_dirs Boolean on if you want to share home
# directories via Samba. Run the following command as the root user to turn this
# Boolean on:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba-share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with othe SELinux labels.
# If you create a new directory, such as a new top-level directory, label it
# with samba_share_t so that SELinux allows Samba to read and write to it. Do
# not label system directories, such as /etc/ and /home/, with samba_share_t, as
# such directories should already have an SELinux label.
#
# Use ls -ldZ /path to see which context a directory has
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
# label for a given directory.
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# Changes made via chcon are lost when the file system is relabeled or commands
# such as restorecon are run.
#
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
# directories. To share such directories and only allow read-only permissions:
# setsebool -P samba_export_all_ro on
# or
# To share such directories and allow read and write permissions:
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
# To run scripts (preexec/root prexec/print command/...), copy them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
# their existing SELinux labels, which may be labels that SELinux does not allow
# smbd to run. Copying the scripts will result in the correct SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
# apply the correct SELinux labels to these files.
#
#--------------
#
#======================= Global Settings =====================================
[global]
# ----------------------- Netwrok Related Options -------------------------
# ----------------------- Network-Related Options -------------------------
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
#
# server string is the equivalent of the NT Description field
# server string = the equivalent of the Windows NT Description field.
#
# netbios name can be used to specify a server name not tied to the hostname
# netbios name = used to specify a server name that is not tied to the hostname.
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
# interfaces = used to configure Samba to listen on multiple network interfaces.
# If you have multiple interfaces, you can use the "interfaces =" option to
# configure which of those interfaces Samba listens on. Never omit the localhost
# interface (lo).
#
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specifiy it as a per share option as well
# hosts allow = the hosts allowed to connect. This option can also be used on a
# per-share basis.
# hosts deny = the hosts not allowed to connect. This option can also be used on
# a per-share basis.
#
workgroup = MYGROUP
server string = Samba Server Version %v
; netbios name = MYSERVER
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.
# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
# log file = specify where log files are written to and how they are split.
#
# Max Log Size let you specify the max size log files should reach
# logs split per machine
# max log size = specify the maximum size log files are allowed to reach. Log
# files are rotated when they reach the size specified with "max log size".
#
# log files split per-machine:
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
# maximum size of 50KB per log file, then rotate:
max log size = 50
# ----------------------- Standalone Server Options ------------------------
#
# Scurity can be set to user, share(deprecated) or server(deprecated)
# security = the mode Samba runs in. This can be set to user, share
# (deprecated), or server (deprecated).
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
security = user
passdb backend = tdbsam
@ -104,23 +121,24 @@
# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
# security = must be set to domain or ads.
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
# realm = only use the realm option when the "security = ads" option is set.
# The realm option specifies the Active Directory realm the host is a part of.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
# password server = only use this option when the "security = server"
# option is set, or if you cannot use DNS to locate a Domain Controller. The
# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
#
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
#
# Use "password server = *" to automatically locate Domain Controllers.
; security = domain
; passdb backend = tdbsam
; realm = MY_REALM
@ -129,112 +147,123 @@
|
|||
|
||||
# ----------------------- Domain Controller Options ------------------------
|
||||
#
|
||||
# Security must be set to user for domain controllers
|
||||
# security = must be set to user for domain controllers.
|
||||
#
|
||||
# Backend to store user information in. New installations should
|
||||
# use either tdbsam or ldapsam. smbpasswd is available for backwards
|
||||
# compatibility. tdbsam requires no further configuration.
|
||||
# passdb backend = the backend used to store user information in. New
|
||||
# installations should use either tdbsam or ldapsam. No additional configuration
|
||||
# is required for tdbsam. The "smbpasswd" utility is available for backwards
|
||||
# compatibility.
|
||||
#
|
||||
# Domain Master specifies Samba to be the Domain Master Browser. This
|
||||
# allows Samba to collate browse lists between subnets. Don't use this
|
||||
# if you already have a Windows NT domain controller doing this job
|
||||
# domain master = specifies Samba to be the Domain Master Browser, allowing
|
||||
# Samba to collate browse lists between subnets. Do not use the "domain master"
|
||||
# option if you already have a Windows NT domain controller performing this task.
|
||||
#
|
||||
# Domain Logons let Samba be a domain logon server for Windows workstations.
|
||||
# domain logons = allows Samba to provide a network logon service for Windows
|
||||
# workstations.
|
||||
#
|
||||
# Logon Scrpit let yuou specify a script to be run at login time on the client
|
||||
# You need to provide it in a share called NETLOGON
|
||||
# logon script = specifies a script to run at login time on the client. These
|
||||
# scripts must be provided in a share named NETLOGON.
|
||||
#
|
||||
# Logon Path let you specify where user profiles are stored (UNC path)
|
||||
# logon path = specifies (with a UNC path) where user profiles are stored.
|
||||
#
|
||||
# Various scripts can be used on a domain controller or stand-alone
|
||||
# machine to add or delete corresponding unix accounts
|
||||
#
|
||||
; security = user
|
||||
; passdb backend = tdbsam
|
||||
|
||||
; domain master = yes
|
||||
|
||||
; domain master = yes
|
||||
; domain logons = yes
|
||||
|
||||
# the login script name depends on the machine name
|
||||
|
||||
# the following login script name is determined by the machine name
|
||||
# (%m):
|
||||
; logon script = %m.bat
|
||||
# the login script name depends on the unix user used
|
||||
# the following login script name is determined by the UNIX user used:
|
||||
; logon script = %u.bat
|
||||
; logon path = \\%L\Profiles\%u
|
||||
# disables profiles support by specifing an empty path
|
||||
; logon path =
|
||||
|
||||
# use an empty path to disable profile support:
|
||||
; logon path =
|
||||
|
||||
# various scripts can be used on a domain controller or a stand-alone
|
||||
# machine to add or delete corresponding UNIX accounts:
|
||||
|
||||
; add user script = /usr/sbin/useradd "%u" -n -g users
|
||||
; add group script = /usr/sbin/groupadd "%g"
|
||||
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
|
||||
; delete user script = /usr/sbin/userdel "%u"
|
||||
; delete user from group script = /usr/sbin/userdel "%u" "%g"
|
||||
; delete group script = /usr/sbin/groupdel "%g"
|
||||
|
||||
|
||||
|
||||
|
||||
# ----------------------- Browser Control Options ----------------------------
|
||||
#
|
||||
# set local master to no if you don't want Samba to become a master
|
||||
# browser on your network. Otherwise the normal election rules apply
|
||||
# local master = when set to no, Samba does not become the master browser on
|
||||
# your network. When set to yes, normal election rules apply.
|
||||
#
|
||||
# OS Level determines the precedence of this server in master browser
|
||||
# elections. The default value should be reasonable
|
||||
# os level = determines the precedence the server has in master browser
|
||||
# elections. The default value should be reasonable.
|
||||
#
|
||||
# preferred master = when set to yes, Samba forces a local browser election at
|
||||
# start up (and gives itself a slightly higher chance of winning the election).
|
||||
#
|
||||
# Preferred Master causes Samba to force a local browser election on startup
|
||||
# and gives it a slightly higher chance of winning the election
|
||||
; local master = no
|
||||
; os level = 33
|
||||
; preferred master = yes
|
||||
|
||||
|
||||
#----------------------------- Name Resolution -------------------------------
|
||||
# Windows Internet Name Serving Support Section:
|
||||
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
|
||||
#
|
||||
# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
|
||||
# This section details the support for the Windows Internet Name Service (WINS).
|
||||
#
|
||||
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
|
||||
# Note: Samba can be either a WINS server or a WINS client, but not both.
|
||||
#
|
||||
# - WINS Proxy: Tells Samba to answer name resolution queries on
|
||||
# behalf of a non WINS capable client, for this to work there must be
|
||||
# at least one WINS Server on the network. The default is NO.
|
||||
# wins support = when set to yes, the NMBD component of Samba enables its WINS
|
||||
# server.
|
||||
#
|
||||
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
|
||||
# via DNS nslookups.
|
||||
|
||||
# wins server = tells the NMBD component of Samba to be a WINS client.
|
||||
#
|
||||
# wins proxy = when set to yes, Samba answers name resolution queries on behalf
|
||||
# of a non WINS capable client. For this to work, there must be at least one
|
||||
# WINS server on the network. The default is no.
|
||||
#
|
||||
# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
|
||||
# nslookups.
|
||||
|
||||
; wins support = yes
|
||||
; wins server = w.x.y.z
|
||||
; wins proxy = yes
|
||||
|
||||
|
||||
; dns proxy = yes
|
||||
|
||||
|
||||
# --------------------------- Printing Options -----------------------------
|
||||
#
|
||||
# Load Printers let you load automatically the list of printers rather
|
||||
# than setting them up individually
|
||||
# The options in this section allow you to configure a non-default printing
|
||||
# system.
|
||||
#
|
||||
# Cups Options let you pass the cups libs custom options, setting it to raw
|
||||
# for example will let you use drivers on your Windows clients
|
||||
# load printers = when set you yes, the list of printers is automatically
|
||||
# loaded, rather than setting them up individually.
|
||||
#
|
||||
# Printcap Name let you specify an alternative printcap file
|
||||
# cups options = allows you to pass options to the CUPS library. Setting this
|
||||
# option to raw, for example, allows you to use drivers on your Windows clients.
|
||||
#
|
||||
# You can choose a non default printing system using the Printing option
|
||||
|
||||
# printcap name = used to specify an alternative printcap file.
|
||||
#
|
||||
|
||||
load printers = yes
|
||||
cups options = raw
|
||||
|
||||
; printcap name = /etc/printcap
|
||||
#obtain list of printers automatically on SystemV
|
||||
# obtain a list of printers automatically on UNIX System V systems:
|
||||
; printcap name = lpstat
|
||||
; printing = cups
|
||||
|
||||
# --------------------------- Filesystem Options ---------------------------
|
||||
# --------------------------- File System Options ---------------------------
|
||||
#
|
||||
# The following options can be uncommented if the filesystem supports
|
||||
# Extended Attributes and they are enabled (usually by the mount option
|
||||
# user_xattr). Thess options will let the admin store the DOS attributes
|
||||
# in an EA and make samba not mess with the permission bits.
|
||||
# The options in this section can be un-commented if the file system supports
|
||||
# extended attributes, and those attributes are enabled (usually via the
|
||||
# "user_xattr" mount option). These options allow the administrator to specify
|
||||
# that DOS attributes are stored in extended attributes and also make sure that
|
||||
# Samba does not change the permission bits.
|
||||
#
|
||||
# Note: these options can also be set just per share, setting them in global
|
||||
# makes them the default for all shares
|
||||
# Note: These options can be used on a per-share basis. Setting them globally
|
||||
# (in the [global] section) makes them the default for all shares.
|
||||
|
||||
; map archive = no
|
||||
; map hidden = no
|
||||
|
@ -244,14 +273,14 @@
|
|||
|
||||
|
||||
#============================ Share Definitions ==============================
|
||||
|
||||
|
||||
[homes]
|
||||
comment = Home Directories
|
||||
browseable = no
|
||||
writable = yes
|
||||
; valid users = %S
|
||||
; valid users = MYDOMAIN\%S
|
||||
|
||||
|
||||
[printers]
|
||||
comment = All Printers
|
||||
path = /var/spool/samba
|
||||
|
@ -259,26 +288,24 @@
|
|||
guest ok = no
|
||||
writable = no
|
||||
printable = yes
|
||||
|
||||
# Un-comment the following and create the netlogon directory for Domain Logons
|
||||
|
||||
# Un-comment the following and create the netlogon directory for Domain Logons:
|
||||
; [netlogon]
|
||||
; comment = Network Logon Service
|
||||
; path = /var/lib/samba/netlogon
|
||||
; guest ok = yes
|
||||
; writable = no
|
||||
; share modes = no
|
||||
|
||||
|
||||
# Un-comment the following to provide a specific roving profile share
|
||||
# the default is to use the user's home directory
|
||||
|
||||
# Un-comment the following to provide a specific roving profile share.
|
||||
# The default is to use the user's home directory:
|
||||
; [Profiles]
|
||||
; path = /var/lib/samba/profiles
|
||||
; browseable = no
|
||||
; guest ok = yes
|
||||
|
||||
|
||||
# A publicly accessible directory, but read only, except for people in
|
||||
# the "staff" group
|
||||
|
||||
# A publicly accessible directory that is read only, except for users in the
|
||||
# "staff" group (which have write permissions):
|
||||
; [public]
|
||||
; comment = Public Stuff
|
||||
; path = /home/samba
|
||||
|
|