From 06b038c017234f1eae35f4c316a0d105cc4d1061 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 10 Mar 2016 17:03:59 +0100 Subject: CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We sadly need to allow this for now by default. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner --- .../security/allowdcerpcauthlevelconnect.xml | 29 ++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml (limited to 'docs-xml') diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml new file mode 100644 index 00000000000..27a9733475e --- /dev/null +++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml @@ -0,0 +1,29 @@ + + + This option controls whether DCERPC services are allowed to + be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, + but no per message integrity nor privacy protection. + + Some interfaces like samr, lsarpc and netlogon have a hard-coded default of + no and epmapper, mgmt and rpcecho have a hard-coded default of + yes. + + + The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc, + winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option. + + This option yields precedence to the implementation specific restrictions. + E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY. + The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY. + + + Note the default will very likely change to no for Samba 4.5. + + +yes +no + + -- cgit v1.2.1