author | Volker Lendecke <vl@samba.org> | 2021-11-28 16:19:56 +0100 |
---|---|---|
committer | Volker Lendecke <vl@samba.org> | 2021-12-10 14:02:30 +0000 |
commit | d5fa62639489a97407ac53fcedbded2246328407 (patch) | |
tree | 0e0d866004d8f7edb5c764801541ddbdde66a103 /source3/rpc_server | |
parent | 00e41d198d2972dddf075f79747f257f81c8e3b8 (diff) | |
download | samba-d5fa62639489a97407ac53fcedbded2246328407.tar.gz |
rpc_server: Check info5->transport

Eventually, this new mechanism might replace the ncalrpc_as_system mechanism: I
think with this we're much more flexible and even more secure: We rely on the
direct permissions on "np/" and don't have to pretend that the local client
came from a file on /root. We are more flexible because with this mechanism we
can easily fake arbitrary tokens and play with session keys.

However, this would require that the source4 librpc code needs to learn about
this mechanism, which I was not able to complete.

The source3 rpc_server side of this will go away soon, so for now only
allow NCACN_NP there. The check in source4 will stay with us for a
while, so allow NCACN_NP and NCALRPC to be set remotely here. With
NCACN_NP (the case for a client to connect on a named pipe), protect
against accidentally connecting as system.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Diffstat (limited to 'source3/rpc_server')
-rw-r--r-- | source3/rpc_server/rpc_server.c | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c index 1919fcd3650..a30565d8593 100644 --- a/source3/rpc_server/rpc_server.c +++ b/source3/rpc_server/rpc_server.c @@ -34,6 +34,7 @@ #include "rpc_server/rpc_ncacn_np.h" #include "rpc_server/srv_pipe_hnd.h" #include "rpc_server/srv_pipe.h" +#include "libcli/security/security_token.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_RPC_SRV @@ -363,13 +364,14 @@ static void dcesrv_ncacn_np_accept_done(struct tevent_req *subreq) struct dcerpc_ncacn_conn *ncacn_conn = tevent_req_callback_data( subreq, struct dcerpc_ncacn_conn); struct auth_session_info_transport *session_info_transport = NULL; + enum dcerpc_transport_t transport; int error; int ret; ret = tstream_npa_accept_existing_recv(subreq, &error, ncacn_conn, &ncacn_conn->tstream, NULL, - NULL, + &transport, &ncacn_conn->remote_client_addr, &ncacn_conn->remote_client_name, &ncacn_conn->local_server_addr, @@ -378,6 +380,21 @@ static void dcesrv_ncacn_np_accept_done(struct tevent_req *subreq) ncacn_conn->session_info = talloc_move(ncacn_conn, &session_info_transport->session_info); + if (transport != NCACN_NP) { + ncacn_terminate_connection( + ncacn_conn, + "Only allow NCACN_NP transport on named pipes\n"); + return; + } + + if (security_token_is_system( + ncacn_conn->session_info->security_token)) { + ncacn_terminate_connection( + ncacn_conn, + "No system token via NCACN_NP allowed\n"); + return; + } + TALLOC_FREE(subreq); if (ret != 0) { DBG_ERR("Failed to accept named pipe connection: %s\n", |
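
Review bot: In the last hunk of dcesrv_ncacn_np_accept_done(), the new `transport != NCACN_NP` test runs before the existing `if (ret != 0)` check on the result of tstream_npa_accept_existing_recv(), and `transport` is declared without an initializer in the previous hunk, so if the call fails without setting it the comparison reads an indeterminate value. Consider moving both new checks below the `ret != 0` error path, or initializing `transport` to a value that cannot equal NCACN_NP. Both new early returns also leave the function before `TALLOC_FREE(subreq)`; it is worth confirming that ncacn_terminate_connection() releases subreq on those paths, or freeing it ahead of the checks. The "Only allow NCACN_NP transport on named pipes" message is a fixed string; including the rejected transport value would make refused connections easier to diagnose from logs.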