pkgsrc-Users archive


[PATCH] net/samba4 4.3.6 update, zfsacl option, winbindd smf, man pages option



Hi,

net/samba4 has been updated to version 4.3.6.
This update includes security fixes.

I have attached a patch for this, but don't know how the first line
comment header should be formatted.
Release notes are here
https://www.samba.org/samba/history/samba-4.3.6.html
https://www.samba.org/samba/history/samba-4.3.5.html
There is a change in the PLIST:
-${PYSITELIB}/samba/tests/getopt.py
+${PYSITELIB}/samba/tests/get_opt.py
This is documented here
https://github.com/samba-team/samba/commit/8cee2c814680147f3a4fc29957af35d4abe15788#diff-5f3e7a8fd1c3b9c98794ffb3208cc74a


I have also attached a patch to options to build the Samba vfs zfsacl
module.
This patch builds zfsacl on SunOS by default.
This comes from Jorge Schrauwen and Dave Finster's changes
https://github.com/sjorge/pkgsrc-blackdot/blob/master/samba/options.mk
This module provides proper integration with ZFS for Samba ACLs and
needs to be compiled with Samba to be used.
This module needs to be enabled in the configuration file to have an
effect on Samba.
I believe having this module built and included should not change how
Samba operates when the option is not specified in the configuration.


I have also attached a patch to include a winbindd service in the
package SMF.
This comes from Dave Finster's changes
https://github.com/davefinster/pkgsrc/blob/trunk/net/samba/files/smf/manifest.xml
Samba requires winbindd running to work as an AD domain member.


I have also attached a patch to options to build man pages. It adds the
man option.
This requires textproc/libxslt and textproc/docbook-xsl.
Samba requires these to build man pages. Life without man pages is
tough.
Samba seems to build unneeded man pages.
This uses GENERATE_PLIST, but I am not sure I have implemented it
correctly.


If these could be reviewed and considered, that would be great.
Please let me know what I should do differently.

The patches should be applied in numbered order.
I have built and tested these changes on SmartOS 2015Q4 i386 with
PKG_OPTIONS.samba4="man".
I have lightly tested the built package.

I have been using pkgsrc on SmartOS, and using the Joyent pkgbuild image
to modify and build Samba.
This has been working really well!


Regards,
--
  John Thomson
From 0b45f5c18266b70bc195aec2c249a06739411e72 Mon Sep 17 00:00:00 2001
From: John <john@mgs.local>
Date: Mon, 14 Mar 2016 01:57:15 +0000
Subject: [PATCH] Update to 4.3.6

                   =============================
                   Release Notes for Samba 4.3.6
                           March 8, 2016
                   =============================

This is a security release in order to address the following CVEs:

o  CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path)
o  CVE-2016-0771 (Out-of-bounds read in internal DNS server)

=======
Details
=======

o  CVE-2015-7560:
   All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to
   a malicious client overwriting the ownership of ACLs using symlinks.

   An authenticated malicious client can use SMB1 UNIX extensions to
   create a symlink to a file or directory, and then use non-UNIX SMB1
   calls to overwrite the contents of the ACL on the file or directory
   linked to.

o  CVE-2016-0771:
   All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as
   an AD DC and choose to run the internal DNS server, are vulnerable to an
   out-of-bounds read issue during DNS TXT record handling caused by users
   with permission to modify DNS records.

   A malicious client can upload a specially constructed DNS TXT record,
   resulting in a remote denial-of-service attack. As long as the affected
   TXT record remains undisturbed in the Samba database, a targeted DNS
   query may continue to trigger this exploit.

   While unlikely, the out-of-bounds read may bypass safety checks and
   allow leakage of memory from the server in the form of a DNS TXT reply.

   By default only authenticated accounts can upload DNS records,
   as "allow dns updates = secure only" is the default.
   Any other value would allow anonymous clients to trigger this
   bug, which is a much higher risk.

Changes since 4.3.5:
--------------------

o  Jeremy Allison <jra%samba.org@localhost>
   * BUG 11648: CVE-2015-7560: Getting and setting Windows ACLs on symlinks can
     change permissions on link target.

o  Garming Sam <garming%catalyst.net.nz@localhost>
   * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
     handling.

o  Stefan Metzmacher <metze%samba.org@localhost>
   * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
     handling.

                   =============================
                   Release Notes for Samba 4.3.5
                         February 23, 2016
                   =============================

This is the latest stable release of Samba 4.3.

Changes since 4.3.4:
--------------------

o  Jeremy Allison <jra%samba.org@localhost>
   * BUG 10489: s3: smbd: posix_acls: Fix check for setting u:g:o entry on a
     filesystem with no ACL support.
   * BUG 11703: s3: smbd: Fix timestamp rounding inside SMB2 create.

o  Christian Ambach <ambi%samba.org@localhost>
   * BUG 6482: s3:utils/smbget: Fix recursive download.
   * BUG 11400: s3:smbd/oplock: Obey kernel oplock setting when releasing
     oplocks.

o  Alexander Bokovoy <ab%samba.org@localhost>
   * BUG 11693: s3-parm: Clean up defaults when removing global parameters.

o  Ralph Boehme <slow%samba.org@localhost>
   * BUG 11684: s3:smbd: Ignore initial allocation size for directory creation.
   * BUG 11714: lib/tsocket: Work around sockets not supporting FIONREAD.

o  Amitay Isaacs <amitay%gmail.com@localhost>
   * BUG 11705: ctdb: Remove error messages after kernel security update
     (CVE-2015-8543).

o  Volker Lendecke <vl%samba.org@localhost>
   * BUG 11732: param: Fix str_list_v3 to accept ";" again.

o  Stefan Metzmacher <metze%samba.org@localhost>
   * BUG 11699: Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4.

o  Jose A. Rivera <jarrpa%samba.org@localhost>
   * BUG 11727: s3:smbd:open: Skip redundant call to file_set_dosmode when
     creating a new file.

o  Christof Schmitt <cs%samba.org@localhost>
   * BUG 11670: winbindd: Handle expired sessions correctly.

o  Andreas Schneider <asn%samba.org@localhost>
   * BUG 11690: s3-client: Add a KRB5 wrapper for smbspool.

o  Uri Simchoni <uri%samba.org@localhost>
   * BUG 11580: vfs_shadow_copy2: Fix case where snapshots are outside the
     share.
   * BUG 11662: smbclient: Query disk usage relative to current directory.
   * BUG 11681: smbd: Show correct disk size for different quota and dfree block
     sizes.
   * BUG 11682: smbcacls: Fix uninitialized variable.

o  Martin Schwenke <martin%meltin.net@localhost>
   * BUG 11719: ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ...".

o  Hemanth Thummala <hemanth.thummala%nutanix.com@localhost>
   * BUG 11708: loadparm: Fix memory leak issue.
---
 net/samba4/Makefile |  5 ++---
 net/samba4/PLIST    |  4 ++--
 net/samba4/distinfo | 10 +++++-----
 3 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/net/samba4/Makefile b/net/samba4/Makefile
index 3e594ad..6084593 100644
--- a/net/samba4/Makefile
+++ b/net/samba4/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.16 2016/03/05 11:29:11 jperkin Exp $
+# $NetBSD: Makefile$
 
 DISTNAME=	samba-${VERSION}
-PKGREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	http://download.samba.org/pub/samba/stable/
 
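Review bot: the first changed line of this hunk rewrites the RCS tag to `# $NetBSD: Makefile$`, which is neither the expanded form nor the bare keyword. Leave the existing `# $NetBSD: Makefile,v 1.16 ...` line out of the patch (new files take a bare `$NetBSD$`); the tag is expanded on commit. The same applies to the PLIST, distinfo and options.mk header lines changed elsewhere in this series. Dropping `PKGREVISION= 1` together with the version bump is correct.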
@@ -12,7 +11,7 @@ LICENSE=	gnu-gpl-v3
 
 DEPENDS+=	${PYPKGPREFIX}-expat-[0-9]*:../../textproc/py-expat
 
-VERSION=	4.3.4
+VERSION=	4.3.6
 CONFLICTS+=	ja-samba-[0-9]* pam-smbpass-[0-9]* tdb-[0-9]* winbind-[0-9]*
 
 BUILD_DEPENDS+=	${PYPKGPREFIX}-expat-[0-9]*:../../textproc/py-expat
diff --git a/net/samba4/PLIST b/net/samba4/PLIST
index 3438aeb..adbaf59 100644
--- a/net/samba4/PLIST
+++ b/net/samba4/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.5 2016/01/31 20:28:23 ryoon Exp $
+@comment $NetBSD: PLIST$
 bin/cifsdd
 bin/dbwrap_tool
 bin/eventlogadm
@@ -410,7 +410,7 @@ ${PYSITELIB}/samba/tests/dns.py
 ${PYSITELIB}/samba/tests/docs.py
 ${PYSITELIB}/samba/tests/dsdb.py
 ${PYSITELIB}/samba/tests/gensec.py
-${PYSITELIB}/samba/tests/getopt.py
+${PYSITELIB}/samba/tests/get_opt.py
 ${PYSITELIB}/samba/tests/hostconfig.py
 ${PYSITELIB}/samba/tests/kcc/__init__.py
 ${PYSITELIB}/samba/tests/kcc/graph.py
diff --git a/net/samba4/distinfo b/net/samba4/distinfo
index 8835461..885dd03 100644
--- a/net/samba4/distinfo
+++ b/net/samba4/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.8 2016/01/31 20:28:23 ryoon Exp $
+$NetBSD: distinfo$
 
-SHA1 (samba-4.3.4.tar.gz) = adb58a4d147da327148784bed1ee7842382a6f28
-RMD160 (samba-4.3.4.tar.gz) = c4dcb392be9d3201a7b02543b4e3ee6f7eeee646
-SHA512 (samba-4.3.4.tar.gz) = 021351534a70cd351934d7f8bfc3c4e9ed9ea3f11f778f6f9d076b3368103f7f478ff1745cb257de0bf2ee38ae76ecba58e01a4db6cbcacbd8a4876e8e1b30f2
-Size (samba-4.3.4.tar.gz) = 20434434 bytes
+SHA1 (samba-4.3.6.tar.gz) = c9fd4f4ea48355e604ee1f40bf5d8e5ff9f2c692
+RMD160 (samba-4.3.6.tar.gz) = 1b332ffeb5aad33738840bcd6576dfc4e15b2e69
+SHA512 (samba-4.3.6.tar.gz) = 2551ece4e17ed855c8faf488e4438229455a063ba7687fd36bf650d72676bab3bef7e2bc9de05a00081285268bf527b9c781024ea31aac493d2fcd5fd2593c21
+Size (samba-4.3.6.tar.gz) = 20445038 bytes
 SHA1 (patch-buildtools_wafsamba_wscript) = 5604936a825675647157331df2333f4237c611f5
 SHA1 (patch-lib_nss__wrapper_nss__wrapper.c) = c692fa33ec17ed4f1dc1e40c1fadf7846d976824
 SHA1 (patch-lib_nss__wrapper_wscript) = 1ce37974f93e791c9e0b1bdc34d26890583fdbfb
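Review bot: the replaced SHA1, RMD160, SHA512 and Size lines for samba-4.3.6.tar.gz carry no statement of how the distfile was obtained or checked, and this update is a security release. Please note in the commit message that the tarball was verified against the upstream release signature before the checksums were taken, and regenerate the file with `make makesum` rather than editing it by hand, which also avoids the `$NetBSD: distinfo$` header change at the top of the hunk.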
-- 
2.6.4

From ee4a75d1175f3227a5fee1d5b605295b1b16a433 Mon Sep 17 00:00:00 2001
From: John <john@mgs.local>
Date: Mon, 14 Mar 2016 03:49:24 +0000
Subject: [PATCH] Add zfsacl in options.mk to build vfs_zfsacl

---
 net/samba4/PLIST      |  1 +
 net/samba4/options.mk | 27 ++++++++++++++++++++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/net/samba4/PLIST b/net/samba4/PLIST
index adbaf59..edcaf02 100644
--- a/net/samba4/PLIST
+++ b/net/samba4/PLIST
@@ -694,6 +694,7 @@ lib/samba/vfs/time_audit.so
 lib/samba/vfs/unityed_media.so
 lib/samba/vfs/worm.so
 lib/samba/vfs/xattr_tdb.so
+${PLIST.zfsacl}lib/samba/vfs/zfsacl.so
 lib/winbind_krb5_locator.so
 man/man1/pidl.1
 man/man3/Parse::Pidl::Dump.3
diff --git a/net/samba4/options.mk b/net/samba4/options.mk
index a68cedc..518eb1b 100644
--- a/net/samba4/options.mk
+++ b/net/samba4/options.mk
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.2 2015/06/26 16:09:49 jperkin Exp $
+# $NetBSD: options.mk$
 
 PKG_OPTIONS_VAR=	PKG_OPTIONS.samba4
 PKG_SUPPORTED_OPTIONS=	ads fam ldap pam winbind # cups # cups option is broken for me.
@@ -15,8 +15,26 @@ PKG_SUPPORTED_OPTIONS+=	acl
 PKG_SUGGESTED_OPTIONS+=	ads
 .endif
 
+# Suggest zfsacl on SunOS
+.if ${OPSYS} == "SunOS"
+PKG_SUPPORTED_OPTIONS+=	zfsacl
+PKG_SUGGESTED_OPTIONS+=	zfsacl
+.endif
+
 .include "../../mk/bsd.options.mk"
 
+SAMBA_SHARED_MODULES:= # empty
+
+###
+### Ensure that the zfsacl shared library is generated
+###
+PLIST_VARS+=		zfsacl
+.if !empty(PKG_OPTIONS:Mzfsacl)
+PKG_OPTIONS+=		acl
+SAMBA_SHARED_MODULES:=	${SAMBA_SHARED_MODULES},vfs_zfsacl
+PLIST.zfsacl=		yes
+.endif
+
 ###
 ### Access Control List support.
 ###
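Review bot: `PKG_OPTIONS+= acl` inside the zfsacl block turns an option on after `bsd.options.mk` has already computed the option set, so selecting zfsacl silently enables acl even on a platform where acl is not offered (the hunk header shows `PKG_SUPPORTED_OPTIONS+= acl` is added conditionally). Prefer making the dependency explicit: either set PKG_FAIL_REASON when zfsacl is selected without acl, or pass the ACL configure arguments directly from this block. Note also that `PKG_SUGGESTED_OPTIONS+= zfsacl` changes the default SunOS build, which deserves a line in the commit message since the Subject only mentions adding the option.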
@@ -108,3 +126,10 @@ PLIST.winbind=		yes
 .else
 CONFIGURE_ARGS+=	--without-winbind
 .endif
+
+###
+### Add the optional shared modules to the configuration
+###
+.if !empty(SAMBA_SHARED_MODULES)
+CONFIGURE_ARGS+=	--with-shared-modules=${SAMBA_SHARED_MODULES:S/^,//}
+.endif
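Review bot: a style point on `${SAMBA_SHARED_MODULES:S/^,//}`: the list is built with a leading comma in the earlier hunk only so that it can be stripped here. Accumulating with `SAMBA_SHARED_MODULES+= vfs_zfsacl` and joining with `${SAMBA_SHARED_MODULES:ts,}` reads more clearly and leaves the `!empty()` test unchanged.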
-- 
2.6.4

From cdc72c4d4b1f9d29c3817920703a1de22f385fd7 Mon Sep 17 00:00:00 2001
From: John <john@mgs.local>
Date: Mon, 14 Mar 2016 02:55:26 +0000
Subject: [PATCH] Add winbindd to SMF

---
 net/samba4/files/smf/manifest.xml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/net/samba4/files/smf/manifest.xml b/net/samba4/files/smf/manifest.xml
index d4c20ef..0891a52 100644
--- a/net/samba4/files/smf/manifest.xml
+++ b/net/samba4/files/smf/manifest.xml
@@ -37,6 +37,20 @@
 		</template>
 	</instance>
 
+	<instance name='winbindd' enabled='false'>
+		<exec_method name='start'   type='method' exec='@PREFIX@/sbin/winbindd -D' timeout_seconds='0'/>
+		<exec_method name='stop'    type='method' exec=':kill'      timeout_seconds='30'/>
+		<exec_method name='refresh' type='method' exec=':kill -HUP' timeout_seconds='0'/>
+		<template>
+			<common_name>
+				<loctext xml:lang='C'>Samba Name Service Switch daemon for resolving names from NT servers</loctext>
+			</common_name>
+			<documentation>
+				<manpage title='winbindd' section='8' manpath='man'/>
+			</documentation>
+		</template>
+	</instance>
+
 	<stability value='Unstable'/>
 </service>
 </service_bundle>
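Review bot: the `start` method of the new winbindd instance uses `timeout_seconds='0'`, which disables the method timeout, so a `winbindd -D` that never finishes starting leaves the instance in transition instead of dropping it to maintenance. A finite value such as 60 is safer. The instance declares no dependency of its own in the added lines; if it relies on service-level dependencies defined above this hunk, a short XML comment saying so would help. `enabled='false'` is the right default for a daemon that only AD domain members need.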
-- 
2.6.4

From 6df77db200b2e22dfaffe32ce6174c39da8fc4db Mon Sep 17 00:00:00 2001
From: John <john@mgs.local>
Date: Mon, 14 Mar 2016 07:19:40 +0000
Subject: [PATCH] Add patch for Samba SmartOS docbook-xsl catalog location

---
 net/samba4/distinfo                                      |  1 +
 net/samba4/patches/patch-buildtools_wafsamba_wafsamba.py | 15 +++++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 net/samba4/patches/patch-buildtools_wafsamba_wafsamba.py

diff --git a/net/samba4/distinfo b/net/samba4/distinfo
index 885dd03..47fec73 100644
--- a/net/samba4/distinfo
+++ b/net/samba4/distinfo
@@ -4,6 +4,7 @@ SHA1 (samba-4.3.6.tar.gz) = c9fd4f4ea48355e604ee1f40bf5d8e5ff9f2c692
 RMD160 (samba-4.3.6.tar.gz) = 1b332ffeb5aad33738840bcd6576dfc4e15b2e69
 SHA512 (samba-4.3.6.tar.gz) = 2551ece4e17ed855c8faf488e4438229455a063ba7687fd36bf650d72676bab3bef7e2bc9de05a00081285268bf527b9c781024ea31aac493d2fcd5fd2593c21
 Size (samba-4.3.6.tar.gz) = 20445038 bytes
+SHA1 (patch-buildtools_wafsamba_wafsamba.py) = 0b180d9690fbb21433e14a46ac39ebb1ab1a0ef7
 SHA1 (patch-buildtools_wafsamba_wscript) = 5604936a825675647157331df2333f4237c611f5
 SHA1 (patch-lib_nss__wrapper_nss__wrapper.c) = c692fa33ec17ed4f1dc1e40c1fadf7846d976824
 SHA1 (patch-lib_nss__wrapper_wscript) = 1ce37974f93e791c9e0b1bdc34d26890583fdbfb
diff --git a/net/samba4/patches/patch-buildtools_wafsamba_wafsamba.py b/net/samba4/patches/patch-buildtools_wafsamba_wafsamba.py
new file mode 100644
index 0000000..06b616b
--- /dev/null
+++ b/net/samba4/patches/patch-buildtools_wafsamba_wafsamba.py
@@ -0,0 +1,15 @@
+$NetBSD$
+
+Include docbook-xsl xml catalog location for SmartOS
+
+--- buildtools/wafsamba/wafsamba.py.orig	2015-07-21 09:47:48.000000000 +0000
++++ buildtools/wafsamba/wafsamba.py
+@@ -892,7 +892,7 @@ def SAMBAMANPAGES(bld, manpages, extra_s
+     bld.env.SAMBA_EXPAND_XSL = bld.srcnode.abspath() + '/docs-xml/xslt/expand-sambadoc.xsl'
+     bld.env.SAMBA_MAN_XSL = bld.srcnode.abspath() + '/docs-xml/xslt/man.xsl'
+     bld.env.SAMBA_CATALOG = bld.srcnode.abspath() + '/bin/default/docs-xml/build/catalog.xml'
+-    bld.env.SAMBA_CATALOGS = 'file:///etc/xml/catalog file:///usr/local/share/xml/catalog file://' + bld.env.SAMBA_CATALOG
++    bld.env.SAMBA_CATALOGS = 'file:///etc/xml/catalog file:///usr/local/share/xml/catalog file:///opt/local/share/xml/catalog file://' + bld.env.SAMBA_CATALOG
+ 
+     for m in manpages.split():
+         source = m + '.xml'
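Review bot: the added `file:///opt/local/share/xml/catalog` entry on the `SAMBA_CATALOGS` line hard-codes the SmartOS prefix, so the patch only helps installations whose pkgsrc prefix is /opt/local. Use the configured prefix instead, for example by patching in a placeholder such as `@PREFIX@` and replacing it through a SUBST block in the Makefile, so the catalog is found under any ${PREFIX}. The patch description should then name the pkgsrc catalog location rather than SmartOS.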
-- 
2.6.4

From 6e673a44a7daa4712023e5e3729067537e079753 Mon Sep 17 00:00:00 2001
From: John <john@mgs.local>
Date: Mon, 14 Mar 2016 10:20:35 +0000
Subject: [PATCH] Add option man to build man pages

With option man, DEPENDS textproc/libxslt and textproc/docbook-xsl
Patches Samba/docs-xml/wscript_build to include the vfs_zfsacl man page
Uses GENERATE_PLIST to include man pages in package
---
 net/samba4/Makefile                              |  1 -
 net/samba4/distinfo                              |  1 +
 net/samba4/options.mk                            | 17 ++++++++++++++++-
 net/samba4/patches/patch-docs-xml_wscript__build | 14 ++++++++++++++
 4 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 net/samba4/patches/patch-docs-xml_wscript__build

diff --git a/net/samba4/Makefile b/net/samba4/Makefile
index 6084593..dd3969f 100644
--- a/net/samba4/Makefile
+++ b/net/samba4/Makefile
@@ -61,7 +61,6 @@ BROKEN_GETTEXT_DETECTION=yes
 #CONFIGURE_ARGS+=	--fatal-errors
 
 HAS_CONFIGURE=		yes
-CONFIGURE_ENV+=		XSLTPROC=${FALSE} # suppress generation of man pages
 CONFIGURE_ARGS+=	--libdir=${SAMBA_LIB}
 CONFIG_SHELL=		${PYTHONBIN}
 CONFIGURE_SCRIPT=	${WRKSRC}/buildtools/bin/waf
diff --git a/net/samba4/distinfo b/net/samba4/distinfo
index 47fec73..f8d51c4 100644
--- a/net/samba4/distinfo
+++ b/net/samba4/distinfo
@@ -6,6 +6,7 @@ SHA512 (samba-4.3.6.tar.gz) = 2551ece4e17ed855c8faf488e4438229455a063ba7687fd36b
 Size (samba-4.3.6.tar.gz) = 20445038 bytes
 SHA1 (patch-buildtools_wafsamba_wafsamba.py) = 0b180d9690fbb21433e14a46ac39ebb1ab1a0ef7
 SHA1 (patch-buildtools_wafsamba_wscript) = 5604936a825675647157331df2333f4237c611f5
+SHA1 (patch-docs-xml_wscript__build) = bfb11e5765b11235c1e0668b92831b605d502584
 SHA1 (patch-lib_nss__wrapper_nss__wrapper.c) = c692fa33ec17ed4f1dc1e40c1fadf7846d976824
 SHA1 (patch-lib_nss__wrapper_wscript) = 1ce37974f93e791c9e0b1bdc34d26890583fdbfb
 SHA1 (patch-lib_param_loadparm.h) = d1c9df37bb9969d2788dd70e613067df6bb64f26
diff --git a/net/samba4/options.mk b/net/samba4/options.mk
index 5f8c9d0..cd37d3ec 100644
--- a/net/samba4/options.mk
+++ b/net/samba4/options.mk
@@ -1,7 +1,7 @@
 # $NetBSD: options.mk$
 
 PKG_OPTIONS_VAR=	PKG_OPTIONS.samba4
-PKG_SUPPORTED_OPTIONS=	ads fam ldap pam winbind # cups # cups option is broken for me.
+PKG_SUPPORTED_OPTIONS=	ads fam ldap pam winbind man # cups # cups option is broken for me.
 PKG_SUGGESTED_OPTIONS=	ldap pam winbind
 
 .include "../../mk/bsd.fast.prefs.mk"
@@ -133,3 +133,18 @@ CONFIGURE_ARGS+=	--without-winbind
 .if !empty(SAMBA_SHARED_MODULES)
 CONFIGURE_ARGS+=	--with-shared-modules=${SAMBA_SHARED_MODULES:S/^,//}
 .endif
+
+###
+### Build man pages if wanted
+###
+PLIST_VARS+=		man
+.if !empty(PKG_OPTIONS:Mman)
+PLIST.man=		yes
+DEPENDS+=		docbook-xsl-[0-9]*:../../textproc/docbook-xsl
+.  include "../../textproc/libxslt/buildlink3.mk"
+GENERATE_PLIST+= \
+	cd ${DESTDIR}${PREFIX} && \
+		${FIND} man \( -type f -print \) | ${SORT} -du;
+.else
+CONFIGURE_ENV+=		XSLTPROC=${FALSE:Q}
+.endif
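Review bot: in the new man block, `PLIST_VARS+= man` and `PLIST.man= yes` are set but no PLIST line in this series uses `${PLIST.man}`, while the `GENERATE_PLIST` command lists every file under man, including pages the static PLIST already names (man/man1/pidl.1 is visible in the PLIST context of the zfsacl patch). Pick one mechanism: either list the generated pages in PLIST with a `${PLIST.man}` prefix and drop `GENERATE_PLIST`, or keep `GENERATE_PLIST` and remove the unused PLIST variable and the static man entries. Separately, `DEPENDS+= docbook-xsl-[0-9]*` makes the stylesheets a run-time dependency although they are only read while building; `BUILD_DEPENDS` fits better, and the same consideration applies to the libxslt buildlink3 include.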
diff --git a/net/samba4/patches/patch-docs-xml_wscript__build b/net/samba4/patches/patch-docs-xml_wscript__build
new file mode 100644
index 0000000..8fafdd0
--- /dev/null
+++ b/net/samba4/patches/patch-docs-xml_wscript__build
@@ -0,0 +1,14 @@
+$NetBSD$
+
+Include ZFSACL man
+
+--- docs-xml/wscript_build.orig	2016-02-22 09:36:15.000000000 +0000
++++ docs-xml/wscript_build
+@@ -88,6 +88,7 @@ manpages='''
+          manpages/vfs_unityed_media.8
+          manpages/vfs_worm.8
+          manpages/vfs_xattr_tdb.8
++         manpages/vfs_zfsacl.8
+          manpages/vfstest.1
+          manpages/wbinfo.1
+          manpages/winbindd.8
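Review bot: `manpages/vfs_zfsacl.8` is added to the manpages list unconditionally, so a build with the man option but without zfsacl installs a manual page for a module that is not in the package. Either tie the entry to the zfsacl option or state in the patch description that this is intended. The description `Include ZFSACL man` should also say why the page is missing from the upstream list and whether the change has been reported upstream.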
-- 
2.6.4


