svn commit: r315342 - in head/net/samba4: . files
Timur I. Bakeyev
timur at FreeBSD.org
Wed Mar 27 01:50:54 UTC 2013
Author: timur
Date: Wed Mar 27 01:50:53 2013
New Revision: 315342
URL: http://svnweb.freebsd.org/changeset/ports/315342
Log:
Update port to the 4.0.4 version, closing CVE-2013-1863. Fix winbindd to
retrieve the getgroupmembership() list directly, which fixes the behaviour of 'id'.
Remove obsolete set_rcvar in startup script.
Security: CVE-2013-1863
Added:
head/net/samba4/files/patch-nsswitch__winbind_nss_freebsd.c (contents, props changed)
Modified:
head/net/samba4/Makefile
head/net/samba4/distinfo
head/net/samba4/files/samba4.in
Modified: head/net/samba4/Makefile
==============================================================================
--- head/net/samba4/Makefile Wed Mar 27 00:34:41 2013 (r315341)
+++ head/net/samba4/Makefile Wed Mar 27 01:50:53 2013 (r315342)
@@ -20,7 +20,7 @@ MAKE_JOBS_SAFE= yes
SAMBA4_BASENAME= samba
SAMBA4_PORTNAME= ${SAMBA4_BASENAME}4
-SAMBA4_VERSION= 4.0.3
+SAMBA4_VERSION= 4.0.4
SAMBA4_DISTNAME= ${SAMBA4_BASENAME}-${SAMBA4_VERSION:S|.p|pre|:S|.r|rc|:S|.t|tp|:S|.a|alpha|}
WRKSRC?= ${WRKDIR}/${DISTNAME}
@@ -70,6 +70,7 @@ CONFIGURE_ENV+= PTHREAD_CFLAGS="${PTHRE
USE_PYTHON_BUILD= -2.7
USE_PERL5_BUILD= yes
+USE_GCC= 4.2+
USE_PYTHON= yes
USE_ICONV= yes
USE_GETTEXT= yes
@@ -181,6 +182,7 @@ SUB_LIST+= NSUPDATE=""
.endif
.if ${PORT_OPTIONS:MDEBUG}
+WITH_DEBUG= yes
CONFIGURE_ARGS+= --verbose
_MAKE_JOBS+= --verbose
CONFIGURE_ARGS+= --enable-debug
@@ -352,11 +354,11 @@ PLIST_SUB+= LDAP="@comment "
.if defined(WANT_EXP_MODULES) && !empty(WANT_EXP_MODULES)
SAMBA4_MODULES+= ${WANT_EXP_MODULES}
-CONFIGURE_ARGS+= --with-shared-modules="${WANT_EXP_MODULES:Q:C/(\\\\ )+/,/g}"
+CONFIGURE_ARGS+= --with-shared-modules="${WANT_EXP_MODULES:Q:C|(\\\\ )+|,|g:S|\\||g}"
.endif
.if defined(SAMBA4_BUNDLED_LIBS) && !empty(SAMBA4_BUNDLED_LIBS)
-CONFIGURE_ARGS+= --bundled-libraries="${SAMBA4_BUNDLED_LIBS:Q:C/(\\\\ )+/,/g}"
+CONFIGURE_ARGS+= --bundled-libraries="${SAMBA4_BUNDLED_LIBS:Q:C|(\\\\ )+|,|g:S|\\||g}"
.endif
# XXX
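Review bot: The added `:S|\\||g` on both `CONFIGURE_ARGS` lines removes every backslash left in the value, which appears to undo the escaping that `:Q` applied to anything other than the spaces already turned into commas. A `WANT_EXP_MODULES` or `SAMBA4_BUNDLED_LIBS` value containing `"`, `$` or a backquote would then sit unescaped inside the double-quoted configure argument. These are build-time knobs set by whoever builds the port, so the exposure is limited, but a short comment naming the escaped character the strip is meant to handle would help, e.g. `# strip backslashes :Q adds before <character>; values must be plain module names`.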
Modified: head/net/samba4/distinfo
==============================================================================
--- head/net/samba4/distinfo Wed Mar 27 00:34:41 2013 (r315341)
+++ head/net/samba4/distinfo Wed Mar 27 01:50:53 2013 (r315342)
@@ -1,2 +1,2 @@
-SHA256 (samba-4.0.3.tar.gz) = ab5d3618632f8869c838c0b2994b3f169da6824885710aad1146738172e44a4b
-SIZE (samba-4.0.3.tar.gz) = 22051995
+SHA256 (samba-4.0.4.tar.gz) = 20a84280155543892ce939e70482243396a9a8bfa77dcb4bf58328f7029772c5
+SIZE (samba-4.0.4.tar.gz) = 22055293
Added: head/net/samba4/files/patch-nsswitch__winbind_nss_freebsd.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/net/samba4/files/patch-nsswitch__winbind_nss_freebsd.c Wed Mar 27 01:50:53 2013 (r315342)
@@ -0,0 +1,100 @@
+--- ./nsswitch/winbind_nss_freebsd.c.orig 2012-10-02 08:24:41.000000000 +0000
++++ ./nsswitch/winbind_nss_freebsd.c 2013-03-13 09:40:37.285778609 +0000
+@@ -5,6 +5,7 @@
+ routines against Samba winbind/Windows NT Domain
+
+ Copyright (C) Aaron Collins 2003
++ Copyright (C) Timur I. Bakeyev 2013
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+@@ -53,6 +54,9 @@
+ NSS_METHOD_PROTOTYPE(__nss_compat_getpwent_r);
+ NSS_METHOD_PROTOTYPE(__nss_compat_setpwent);
+ NSS_METHOD_PROTOTYPE(__nss_compat_endpwent);
++NSS_METHOD_PROTOTYPE(__nss_compat_endpwent);
++
++NSS_METHOD_PROTOTYPE(__freebsd_getgroupmembership);
+
+ static ns_mtab methods[] = {
+ { NSDB_GROUP, "getgrnam_r", __nss_compat_getgrnam_r, _nss_winbind_getgrnam_r },
+@@ -60,6 +64,7 @@
+ { NSDB_GROUP, "getgrent_r", __nss_compat_getgrent_r, _nss_winbind_getgrent_r },
+ { NSDB_GROUP, "setgrent", __nss_compat_setgrent, _nss_winbind_setgrent },
+ { NSDB_GROUP, "endgrent", __nss_compat_endgrent, _nss_winbind_endgrent },
++{ NSDB_GROUP, "getgroupmembership", __freebsd_getgroupmembership, NULL },
+
+ { NSDB_PASSWD, "getpwnam_r", __nss_compat_getpwnam_r, _nss_winbind_getpwnam_r },
+ { NSDB_PASSWD, "getpwuid_r", __nss_compat_getpwuid_r, _nss_winbind_getpwuid_r },
+@@ -69,6 +74,71 @@
+
+ };
+
++/* Taken from libc */
++static int
++gr_addgid(gid_t gid, gid_t *groups, int maxgrp, int *grpcnt)
++{
++ int ret, dupc;
++
++ /* skip duplicates */
++ for (dupc = 0; dupc < MIN(maxgrp, *grpcnt); dupc++) {
++ if (groups[dupc] == gid)
++ return 1;
++ }
++
++ ret = 1;
++ if (*grpcnt < maxgrp) /* add this gid */
++ groups[*grpcnt] = gid;
++ else
++ ret = 0;
++
++ (*grpcnt)++;
++
++ return ret;
++}
++
++/*
++ rv = _nsdispatch(NULL, dtab, NSDB_GROUP, "getgroupmembership",
++ defaultsrc, uname, agroup, groups, maxgrp, grpcnt);
++*/
++
++int
++__freebsd_getgroupmembership(void *retval, void *mdata, va_list ap)
++{
++ const char *uname = va_arg(ap, const char *);
++ gid_t group = va_arg(ap, gid_t);
++ gid_t *groups = va_arg(ap, gid_t *);
++ int maxgrp = va_arg(ap, int);
++ int *groupc = va_arg(ap, int *);
++
++ NSS_STATUS ret;
++ long int lcount, lsize;
++ int i, errnop;
++ gid_t *tmpgroups;
++
++ /* Can be realloc() inside _nss_winbind_initgroups_dyn() */
++ if ((tmpgroups=calloc(maxgrp, sizeof(gid_t))) == NULL) {
++ errno = ENOMEM;
++ return NS_TRYAGAIN;
++ }
++
++ lcount = 0;
++ lsize = maxgrp;
++ /* insert primary membership(possibly already there) */
++ gr_addgid(group, groups, maxgrp, groupc);
++ /* Don't limit number of groups, we want to know total size */
++ ret = _nss_winbind_initgroups_dyn(uname, group, &lcount, &lsize,
++ &tmpgroups, 0, &errnop);
++ if (ret == NSS_STATUS_SUCCESS) {
++ /* lcount potentially can be bigger than maxgrp, so would groupc */
++ for (i = 0; i < lcount; i++)
++ gr_addgid(tmpgroups[i], groups, maxgrp, groupc);
++ }
++ free(tmpgroups);
++ /* Let following nsswitch backend(s) add more groups(?) */
++ return NSS_STATUS_NOTFOUND;
++}
++
+ ns_mtab *
+ nss_module_register(const char *source, unsigned int *mtabsize,
+ nss_module_unregister_fn *unreg)
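Review bot: In `__freebsd_getgroupmembership`, `maxgrp` is taken straight from the caller's `va_list` and used unchecked as the `calloc` element count and as the initial `lsize` handed to `_nss_winbind_initgroups_dyn`, which the comment above says may `realloc` the buffer. A zero or negative value gives a zero-length or failed allocation (reported as `ENOMEM`), and whether the callee grows a zero-sized buffer correctly is not visible here, so I would size the scratch buffer independently of the caller, e.g. `lsize = maxgrp > 0 ? maxgrp : 1;` followed by `calloc(lsize, sizeof(gid_t))`. The function also mixes status families: the early exit returns `NS_TRYAGAIN` while the final return is `NSS_STATUS_NOTFOUND`, and if those constants do not share a numbering nsdispatch will misread the result, so `NS_NOTFOUND` looks like the intended value. A failed winbind lookup is dropped silently and `errnop` is never read, which leaves the caller with a partial group list and no signal; that deserves a comment if it is deliberate. `NSS_METHOD_PROTOTYPE(__nss_compat_endpwent);` is added a second time directly under the existing one and can be dropped.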
Modified: head/net/samba4/files/samba4.in
==============================================================================
--- head/net/samba4/files/samba4.in Wed Mar 27 00:34:41 2013 (r315341)
+++ head/net/samba4/files/samba4.in Wed Mar 27 01:50:53 2013 (r315342)
@@ -20,7 +20,7 @@
. /etc/rc.subr
name="samba4"
-rcvar=$(set_rcvar)
+rcvar=${name}_enable
load_rc_config "${name}"
@@ -30,15 +30,18 @@ samba4_flags=${samba4_flags=--daemon}
samba4_config_default="%%SAMBA4_CONFDIR%%/%%SAMBA4_CONFIG%%"
samba4_config=${samba4_config=${samba4_config_default}}
samba4_configfile_arg=${samba4_config:+--configfile="${samba4_config}"} #"
-testparm_command="%%PREFIX%%/bin/testparm --suppress-prompt --verbose ${samba4_configfile_arg}"
+testparm_command="%%PREFIX%%/bin/samba-tool testparm --suppress-prompt --verbose ${samba4_configfile_arg}"
# Fetch parameters from configuration file
+samba4_role=$(${testparm_command} --parameter-name='server role' 2>/dev/null)
samba4_lockdir=$(${testparm_command} --parameter-name='lock directory' 2>/dev/null)
+samba4_piddir=$(${testparm_command} --parameter-name='pid directory' 2>/dev/null)
# Runtime options
start_precmd="samba4_prestart"
restart_precmd="samba4_checkconfig"
command="%%PREFIX%%/sbin/${name}"
command_args=${samba4_configfile_arg}
+pidfile="%%SAMBA4_RUNDIR%%/samba.pid"
# Requirements
required_files="${samba4_config}"
required_dirs="${samba4_lockdir}"
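Review bot: `pidfile` is hard-coded to `%%SAMBA4_RUNDIR%%/samba.pid` while the same hunk reads the configured `pid directory` into `samba4_piddir`, and nothing visible here uses that value. If smb.conf points the pid directory elsewhere, rc.subr would check a file the daemon never writes, so status and stop could report or act on the wrong state. Consider `pidfile="${samba4_piddir:-%%SAMBA4_RUNDIR%%}/samba.pid"`, which also covers the empty result when the `2>/dev/null` call fails. `samba4_role` is likewise unused within the hunk and may be consumed further down the script.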