termux-packages/packages/samba/0002-Remove-setuid-etc.patch

316 lines
12 KiB
Diff
Raw Normal View History

2021-10-08 17:55:57 +02:00
When non-root, this only succeeds when SELinux is in permissive mode.
diff -uNr samba-4.13.2/lib/replace/wscript samba-4.13.2.mod/lib/replace/wscript
--- samba-4.13.2/lib/replace/wscript 2020-09-15 13:43:18.000000000 +0000
+++ samba-4.13.2.mod/lib/replace/wscript 2020-11-23 13:26:08.057004700 +0000
@@ -389,8 +389,8 @@
conf.CHECK_FUNCS('shl_load shl_unload shl_findsym')
conf.CHECK_FUNCS('pipe strftime srandom random srand rand usleep setbuffer')
- conf.CHECK_FUNCS('lstat getpgrp utime utimes setuid seteuid setreuid setresuid setgid setegid')
- conf.CHECK_FUNCS('setregid setresgid chroot strerror vsyslog setlinebuf mktime')
+ conf.CHECK_FUNCS('lstat getpgrp utime utimes')
+ conf.CHECK_FUNCS('chroot strerror vsyslog setlinebuf mktime')
conf.CHECK_FUNCS('ftruncate chsize rename waitpid wait4')
conf.CHECK_FUNCS('initgroups pread pwrite strndup strcasestr strsep')
conf.CHECK_FUNCS('strtok_r mkdtemp dup2 dprintf vdprintf isatty chown lchown')
@@ -460,7 +460,7 @@
conf.CHECK_FUNCS('if_nametoindex strerror_r')
conf.CHECK_FUNCS('syslog')
conf.CHECK_FUNCS('gai_strerror get_current_dir_name')
- conf.CHECK_FUNCS('timegm getifaddrs freeifaddrs mmap setgroups syscall setsid')
+ conf.CHECK_FUNCS('timegm getifaddrs freeifaddrs mmap syscall setsid')
conf.CHECK_FUNCS('getgrent_r getgrgid_r getgrnam_r getgrouplist getpagesize')
conf.CHECK_FUNCS('getpwent_r getpwnam_r getpwuid_r epoll_create')
conf.CHECK_FUNCS('port_create')
diff -uNr samba-4.13.2/source3/lib/util_sec.c samba-4.13.2.mod/source3/lib/util_sec.c
--- samba-4.13.2/source3/lib/util_sec.c 2020-07-09 09:33:56.000000000 +0000
+++ samba-4.13.2.mod/source3/lib/util_sec.c 2020-11-23 13:26:08.057004700 +0000
@@ -132,11 +132,11 @@
if ((euid != (uid_t)-1 && geteuid() != euid) ||
(ruid != (uid_t)-1 && getuid() != ruid)) {
if (!non_root_mode()) {
- DEBUG(0,("Failed to set uid privileges to (%d,%d) now set to (%d,%d)\n",
+ DEBUG(5,("Failed to set uid privileges to (%d,%d) now set to (%d,%d)\n",
(int)ruid, (int)euid,
(int)getuid(), (int)geteuid()));
- smb_panic("failed to set uid\n");
- exit(1);
+ /* smb_panic("failed to set uid\n");
+ exit(1); */
}
}
}
@@ -149,12 +149,12 @@
if ((egid != (gid_t)-1 && getegid() != egid) ||
(rgid != (gid_t)-1 && getgid() != rgid)) {
if (!non_root_mode()) {
- DEBUG(0,("Failed to set gid privileges to (%d,%d) now set to (%d,%d) uid=(%d,%d)\n",
+ DEBUG(5,("Failed to set gid privileges to (%d,%d) now set to (%d,%d) uid=(%d,%d)\n",
(int)rgid, (int)egid,
(int)getgid(), (int)getegid(),
(int)getuid(), (int)geteuid()));
- smb_panic("failed to set gid\n");
- exit(1);
+ /* smb_panic("failed to set gid\n");
+ exit(1); */
}
}
}
@@ -501,11 +501,11 @@
if (samba_setresuid(uid, uid, -1) != 0) {
return -1;
}
- if (geteuid() != uid || getuid() != uid ||
+ /* if (geteuid() != uid || getuid() != uid ||
getegid() != gid || getgid() != gid) {
smb_panic("set_thread_credentials failed\n");
return -1;
- }
+ } */
#ifdef HAVE___THREAD
cache.active = true;
diff -uNr samba-4.13.2/source3/modules/vfs_aio_pthread.c samba-4.13.2.mod/source3/modules/vfs_aio_pthread.c
--- samba-4.13.2/source3/modules/vfs_aio_pthread.c 2020-07-09 09:33:56.000000000 +0000
+++ samba-4.13.2.mod/source3/modules/vfs_aio_pthread.c 2020-11-23 13:27:37.643739200 +0000
@@ -31,7 +31,7 @@
#include <linux/falloc.h>
#endif
-#if defined(HAVE_OPENAT) && defined(HAVE_LINUX_THREAD_CREDENTIALS)
+#if defined(HAVE_OPENAT)
/*
* We must have openat() to do any thread-based
@@ -53,7 +53,6 @@
struct smb_filename *smb_fname;
connection_struct *conn;
struct smbXsrv_connection *xconn;
- const struct security_unix_token *ux_tok;
uint64_t initial_allocation_size;
/* Returns. */
int ret_fd;
@@ -185,16 +184,6 @@
struct aio_open_private_data *opd =
(struct aio_open_private_data *)private_data;
- /* Become the correct credential on this thread. */
- if (set_thread_credentials(opd->ux_tok->uid,
- opd->ux_tok->gid,
- (size_t)opd->ux_tok->ngroups,
- opd->ux_tok->groups) != 0) {
- opd->ret_fd = -1;
- opd->ret_errno = errno;
- return;
- }
-
aio_open_do(opd);
}
@@ -281,11 +270,11 @@
};
/* Copy our current credentials. */
- opd->ux_tok = copy_unix_token(opd, get_current_utok(fsp->conn));
+ /*opd->ux_tok = copy_unix_token(opd, get_current_utok(fsp->conn));
if (opd->ux_tok == NULL) {
opd_free(opd);
return NULL;
- }
+ }*/
/*
* Copy the full fsp_name and smb_fname which is the basename.
@@ -506,7 +495,7 @@
#endif
static struct vfs_fn_pointers vfs_aio_pthread_fns = {
-#if defined(HAVE_OPENAT) && defined(HAVE_LINUX_THREAD_CREDENTIALS)
+#if defined(HAVE_OPENAT)
.openat_fn = aio_pthread_openat_fn,
#endif
};
diff -uNr samba-4.13.2/source3/modules/vfs_aio_pthread.c.rej samba-4.13.2.mod/source3/modules/vfs_aio_pthread.c.rej
--- samba-4.13.2/source3/modules/vfs_aio_pthread.c.rej 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.13.2.mod/source3/modules/vfs_aio_pthread.c.rej 2020-11-23 13:26:08.058004764 +0000
@@ -0,0 +1,11 @@
+--- source3/modules/vfs_aio_pthread.c
++++ source3/modules/vfs_aio_pthread.c
+@@ -477,7 +466,7 @@ static int aio_pthread_open_fn(vfs_handle_struct *handle,
+ #endif
+
+ static struct vfs_fn_pointers vfs_aio_pthread_fns = {
+-#if defined(HAVE_OPENAT) && defined(HAVE_LINUX_THREAD_CREDENTIALS)
++#if defined(HAVE_OPENAT)
+ .open_fn = aio_pthread_open_fn,
+ #endif
+ };
diff -uNr samba-4.13.2/source3/modules/vfs_default.c samba-4.13.2.mod/source3/modules/vfs_default.c
--- samba-4.13.2/source3/modules/vfs_default.c 2020-07-09 09:33:56.000000000 +0000
+++ samba-4.13.2.mod/source3/modules/vfs_default.c 2020-11-23 13:26:08.059004828 +0000
@@ -3303,9 +3303,7 @@
*/
have_per_thread_cwd = per_thread_cwd_supported();
}
-#ifdef HAVE_LINUX_THREAD_CREDENTIALS
have_per_thread_creds = true;
-#endif
if (have_per_thread_cwd && have_per_thread_creds) {
do_async = true;
}
diff -uNr samba-4.13.2/source3/wscript samba-4.13.2.mod/source3/wscript
--- samba-4.13.2/source3/wscript 2020-09-07 10:52:25.000000000 +0000
+++ samba-4.13.2.mod/source3/wscript 2020-11-23 13:26:08.060004892 +0000
@@ -131,7 +131,7 @@
conf.CHECK_FUNCS('setsid glob strpbrk crypt16 getauthuid')
conf.CHECK_FUNCS('innetgr')
conf.CHECK_FUNCS('initgroups select poll rdchk getgrnam getgrent pathconf')
- conf.CHECK_FUNCS('setpriv setgidx setuidx setgroups syscall sysconf')
+ conf.CHECK_FUNCS('setpriv syscall sysconf')
conf.CHECK_FUNCS('atexit grantpt posix_openpt fallocate')
conf.CHECK_FUNCS('fseeko setluid')
conf.CHECK_FUNCS('getpwnam', headers='sys/types.h pwd.h')
@@ -452,15 +452,12 @@
rdchk
select
setenv
-setgidx
-setgroups
setlocale
setluid
setmntent
setpgid
setpriv
setsid
-setuidx
statvfs
strcasecmp
strchr
@@ -989,110 +986,6 @@
#
# Ensure we select the correct set of system calls on Linux.
#
- if (host_os.rfind('linux') > -1):
- conf.CHECK_CODE('''
-#if defined(HAVE_UNISTD_H)
-#include <unistd.h>
-#endif
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <errno.h>
-
-#ifdef HAVE_SYS_PRIV_H
-#include <sys/priv.h>
-#endif
-#ifdef HAVE_SYS_ID_H
-#include <sys/id.h>
-#endif
-
-#if defined(HAVE_SYSCALL_H)
-#include <syscall.h>
-#endif
-
-#if defined(HAVE_SYS_SYSCALL_H)
-#include <sys/syscall.h>
-#endif
-
-syscall(SYS_setresuid32, -1, -1, -1);
-syscall(SYS_setresgid32, -1, -1, -1);
-syscall(SYS_setreuid32, -1, -1);
-syscall(SYS_setregid32, -1, -1);
-syscall(SYS_setuid32, -1);
-syscall(SYS_setgid32, -1);
-syscall(SYS_setgroups32, 0, NULL);
-''',
- 'USE_LINUX_32BIT_SYSCALLS',
- msg="Checking whether Linux should use 32-bit credential calls");
-
- if (conf.CONFIG_SET('USE_LINUX_32BIT_SYSCALLS')):
- seteuid = conf.CHECK_CODE('''
- #define AUTOCONF_TEST 1
- #define HAVE_LINUX_THREAD_CREDENTIALS 1
- #define USE_LINUX_32BIT_SYSCALLS 1
- #include "../lib/util/setid.c"
- #include "./lib/util_sec.c"
- ''',
- 'HAVE_LINUX_THREAD_CREDENTIALS',
- addmain=False,
- execute=True,
- msg="Checking whether we can use Linux thread-specific credentials with 32-bit system calls")
- else:
- seteuid = conf.CHECK_CODE('''
- #define AUTOCONF_TEST 1
- #define HAVE_LINUX_THREAD_CREDENTIALS 1
- #include "../lib/util/setid.c"
- #include "./lib/util_sec.c"
- ''',
- 'HAVE_LINUX_THREAD_CREDENTIALS',
- addmain=False,
- execute=True,
- msg="Checking whether we can use Linux thread-specific credentials")
- if not seteuid:
- seteuid = conf.CHECK_CODE('''
- #define AUTOCONF_TEST 1
- #define USE_SETREUID 1
- #include "../lib/util/setid.c"
- #include "./lib/util_sec.c"
- ''',
- 'USE_SETREUID',
- addmain=False,
- execute=True,
- msg="Checking whether setreuid is available")
- if not seteuid:
- seteuid = conf.CHECK_CODE('''
- #define AUTOCONF_TEST 1
- #define USE_SETRESUID 1
- #include "../lib/util/setid.c"
- #include "./lib/util_sec.c"
- ''',
- 'USE_SETRESUID',
- addmain=False,
- execute=True,
- msg="Checking whether setresuid is available")
- if not seteuid:
- seteuid = conf.CHECK_CODE('''
- #define AUTOCONF_TEST 1
- #define USE_SETEUID 1
- #include "../lib/util/setid.c"
- #include "./lib/util_sec.c"
- ''',
- 'USE_SETEUID',
- addmain=False,
- execute=True,
- msg="Checking whether seteuid is available")
- if not seteuid:
- seteuid = conf.CHECK_CODE('''
- #define AUTOCONF_TEST 1
- #define USE_SETUIDX 1
- #include "../lib/util/setid.c"
- #include "./lib/util_sec.c"
- ''',
- 'USE_SETUIDX',
- addmain=False,
- execute=True,
- mandatory=True,
- msg="Checking whether setuidx is available")
if Options.options.with_dnsupdate:
if not conf.CONFIG_SET('HAVE_KRB5'):
Logs.warn("--with-dnsupdate=yes but gssapi support not sufficient")
diff -uNr samba-4.13.2/tests/summary.c samba-4.13.2.mod/tests/summary.c
--- samba-4.13.2/tests/summary.c 2020-07-09 09:33:57.000000000 +0000
+++ samba-4.13.2.mod/tests/summary.c 2020-11-23 13:26:08.060004892 +0000
@@ -12,9 +12,11 @@
#warning "WARNING: No automated network interface determination"
#endif
+#ifndef __ANDROID__
#if !(defined(USE_SETEUID) || defined(USE_SETREUID) || defined(USE_SETRESUID) || defined(USE_SETUIDX) || defined(HAVE_LINUX_THREAD_CREDENTIALS))
#error "ERROR: no seteuid method available"
#endif
+#endif
#if !(defined(STAT_STATVFS) || defined(STAT_STATFS3_OSF1) || defined(STAT_STATFS2_BSIZE) || defined(STAT_STATFS4) || defined(STAT_STATFS2_FSIZE) || defined(STAT_STATFS2_FS_DATA))
#error "ERROR: No disk free routine!"