r1781: don't crash when xp sp2 sends a fnpcn() without prior ffpcn()

[Samba.git] / WHATSNEW.txt

                 ==============================
                 Release Notes for Samba 2.2.10
                          July 22, 2004
                 ==============================


######################## SECURITY RELEASE ########################

Summary:       Potential Buffer Overrun in Samba 2.2.x
CVE ID:        CAN-2004-0686
               (http://cve.mitre.org/)

This is the latest stable release of the Samba 2.2 code base.
There are no further Samba 2.2.x releases planned at this time.

-------------
CAN-2004-0686
-------------

Affected Versions:      Samba 2.2.0 through 2.2.9

A buffer overrun has been located in the code used to support
the 'mangling method = hash' smb.conf option.   Affected Samba 
2.2 installations can avoid this possible security bug by using 
the hash2 mangling method.  Server installations requiring 
the hash mangling method are encouraged to upgrade to Samba v2.2.10 
or v3.0.5.


Older releases notes for 2.2.x distributions follow

       ------------------------------------------------------

                 =============================
                 Release Notes for Samba 2.2.9
                          May 8, 2004
                 =============================

This is the latest stable release of the Samba 2.2 code base.
This is a maintenance release of Samba 2.2.8a to address the 
problem with user password changes after applying the Microsoft 
hotfix described in KB282741 to Windows NT 4.0/200x/XP clients.  
No other changes have been applied since Samba 2.2.8a.

There are no further Samba 2.2.x releases planned at this time.


       ------------------------------------------------------

            ===========================================
            What's new in Samba 2.2.8a - 7th April 2003
            ===========================================

             ****************************************
             * IMPORTANT: Security bugfix for Samba *
             ****************************************

Summary
-------

Digital Defense, Inc. has alerted the Samba Team to a serious 
vulnerability in all stable versions of Samba currently shipping. 
The Common Vulnerabilities and Exposures (CVE) project has assigned 
the ID CAN-2003-0201 to this defect.

This vulnerability, if exploited correctly, leads to an anonymous 
user gaining root access on a Samba serving system. All versions 
of Samba up to and including Samba 2.2.8 are vulnerable. An active 
exploit of the bug has been reported in the wild. Alpha versions of 
Samba 3.0 and above are *NOT* vulnerable.


Credit
------

The Samba Team would like to thank Erik Parker and the team at
Digital Defense, Inc. for their efforts spent in the responsible 
and timely reporting of this bug.


Patch Availability
------------------

The Samba 2.2.8a release contains only updates to address this 
security issue. A roll-up patch for release 2.2.7a and 2.0.10 
addressing both CAN-2003-0201 and CAN-2003-0085 can be obtained 
from http://www.samba.org/samba/ftp/patches/security/.


            ========================================


Older releases notes for 2.2.x distributions follow

-----------------------------------------------------------------
The release notes for 2.2.8 follow:

            ****************************************
            * IMPORTANT: Security bugfix for Samba *
            ****************************************

Summary
-------

The SuSE security audit team, in particular Sebastian Krahmer
<krahmer@suse.de>, has found an flaw in the Samba main smbd code which
could allow an external attacker to remotely and anonymously gain
Super User (root) privileges on a server running a Samba server.

This flaw exists in previous versions of Samba from 2.0.x to 2.2.7a
inclusive.  This is serious problem and all sites should either
upgrade to Samba 2.2.8 immediately or prohibit access to TCP ports 139
and 445. Advice on how to protect an unpatched Samba server created by
Andrew Tridgell, the leader of the Samba Team, is given at the end of
this section.

The SMB/CIFS protocol implemented by Samba is vulnerable to many
attacks, even without specific security holes.  The TCP ports 139 and
the new port 445 (used by Win2k and the Samba 3.0 alpha code in
particular) should never be exposed to untrusted networks.

Description
-----------

A buffer overrun condition exists in the SMB/CIFS packet fragment
re-assembly code in smbd which would allow an attacker to cause smbd
to overwrite arbitrary areas of memory in its own process address
space. This could allow a skilled attacker to inject binary specific
exploit code into smbd.

This version of Samba adds explicit overrun and overflow checks on
fragment re-assembly of SMB/CIFS packets to ensure that only valid
re-assembly is performed by smbd.

In addition, the same checks have been added to the re-assembly
functions in the client code, making it safe for use in other
services.

Credit
------

This security flaw was discovered and reported to the Samba Team by
Sebastian Krahmer <krahmer@suse.de> of the SuSE Security Audit Team.  
The fix was prepared by Jeremy Allison and reviewed by engineers from
the Samba Team, SuSE, HP, SGI, Apple, and the Linux vendor engineers
on the Linux Vendor security mailing list.

The Samba Team would like to thank SuSE and Sebastian Krahmer for
their excellent auditing work and for drawing attention to this flaw.

Patch Availability
-----------------

As this is a security issue, patches for this flaw specific to earlier
versions of Samba will be and posted on the samba-technical@samba.org
mailing list as requested.


************************************
Protecting an unpatched Samba server
************************************

  Samba Team, March 2003

  This is a note on how to provide your Samba server some
  protection against the recently discovered remote security
  hole if you are unable to upgrade to the fixed version
  immediately. Even if you do upgrade you might like to think
  about the suggestions in this note to provide you with
  additional levels of protection.


  Using host based protection
  ---------------------------

  In many installations of Samba the greatest threat comes for
  outside your immediate network. By default Samba will accept
  connections from any host, which means that if you run an
  insecure version of Samba on a host that is directly
  connected to the Internet you can be especially vulnerable.

  One of the simplest fixes in this case is to use the 'hosts
  allow' and 'hosts deny' options in the Samba smb.conf
  configuration file to only allow access to your server from a
  specific range of hosts. An example might be:

    hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
    hosts deny = 0.0.0.0/0

  The above will only allow SMB connections from 'localhost'
  (your own computer) and from the two private networks
  192.168.2 and 192.168.3. All other connections will be
  refused connections as soon as the client sends its first
  packet. The refusal will be marked as a 'not listening on
  called name' error.


  Using interface protection
  --------------------------

  By default Samba will accept connections on any network
  interface that it finds on your system. That means if you
  have a ISDN line or a PPP connection to the Internet then
  Samba will accept connections on those links. This may not be
  what you want.

  You can change this behavior using options like the
  following:

    interfaces = eth* lo
    bind interfaces only = yes

  that tells Samba to only listen for connections on interfaces
  with a name starting with 'eth' such as eth0, eth1, plus on
  the loopback interface called 'lo'. The name you will need to
  use depends on what OS you are using, in the above I used the
  common name for ethernet adapters on Linux.

  If you use the above and someone tries to make a SMB
  connection to your host over a PPP interface called 'ppp0'
  then they will get a TCP connection refused reply. In that
  case no Samba code is run at all as the operating system has
  been told not to pass connections from that interface to any
  process.


  Using a firewall
  ----------------

  Many people use a firewall to deny access to services that
  they don't want exposed outside their network. This can be a
  very good idea, although I would recommend using it in
  conjunction with the above methods so that you are protected
  even if your firewall is not active for some reason.

  If you are setting up a firewall then you need to know what
  TCP and UDP ports to allow and block. Samba uses the
  following:

    UDP/137    - used by nmbd
    UDP/138    - used by nmbd
    TCP/139    - used by smbd
    TCP/445    - used by smbd

  The last one is important as many older firewall setups may
  not be aware of it, given that this port was only added to
  the protocol in recent years.


  Using a IPC$ share deny
  -----------------------

  If the above methods are not suitable, then you could also
  place a more specific deny on the IPC$ share that is used in
  the recently discovered security hole. This allows you to
  offer access to other shares while denying access to IPC$
  from potentially untrustworthy hosts.

  To do that you could use:

    [ipc$]
        hosts allow = 192.168.115.0/24 127.0.0.1
        hosts deny = 0.0.0.0/0

  this would tell Samba that IPC$ connections are not allowed
  from anywhere but the two listed places (localhost and a
  local subnet). Connections to other shares would still be
  allowed. As the IPC$ share is the only share that is always
  accessible anonymously this provides some level of protection
  against attackers that do not know a username/password for
  your host.

  If you use this method then clients will be given a 'access
  denied' reply when they try to access the IPC$ share. That
  means that those clients will not be able to browse shares,
  and may also be unable to access some other resources.

  I don't recommend this method unless you cannot use one of
  the other methods listed above for some reason.


  Upgrading Samba
  ---------------

  Of course the best solution is to upgrade Samba to a version
  where the bug has been fixed. If you wish to also use one of
  the additional measures above then that would certainly be a
  good idea.

  Please check regularly on http://www.samba.org/ for updates
  and important announcements.


            ****************************************
            ****************************************


Changes since 2.2.7a
---------------------

New Parameters

    * acl compatibility

Additional Changes:
    See the cvs log for SAMBA_2_2 for more details

1)  smbumount lazy patch from Mandrake
2)  Check for too many processes *before* the fork.
3)  make sure we don't run over the end of 'name' in unix_convert()
4)  set umask to 0 before creating socket directory.
5)  Fix the LARGE_SMB_OFF_T problems and allow smbd to do the right 
    thing in interactive mode when a log file dir is also specified.
6)  Fix delete on close semantics to match W2K.
7)  Correctly return access denied on share mode deny when we can't 
    open the file.
8)  Always use safe_strcpy not pstrcpy for malloc()'d strings
9)  Fixes for HP-UX only having limited POSIX lock range
10) Added uid/gid caching code. Reduces load on winbindd.
11) Removed extra copy of server name in the printername field (it was
    mangling the the name to be \\server\\\server\printer
12) Fix dumb perror used without errno being set.
13) Do retries correctly if the connection to the DC has failed.
14) Correctly check for inet_addr fail.
15) Ensure we use getgrnam() unless BROKEN_GETGRNAM is defined.
16) Fix for missing if (setting_acls) on default perms.
17) Fix to cache the sidtype
18) fix printer settings on Solaris (big-endian) print servers.
    ASCII -> UNICODE conversion bug.
19) Small fix check correct error return.
20) Ensure space_avail is unsigned.
21) patch to check for a valid [f]chmod_acl function pointer
    before calling it.  Fixes seg fault in audit VFS module
22) When checking is_locked() new WRITE locks conflict with existing
    READ locks even if the context is the same.
23) Merge off-by-one crash fixes from HEAD
24) Move off-by-one buggy malloc()/safe_strcpy() combination to 
    strdup() instead.
25) Merge from HEAD. Use pstrcpy not safe_strcpy.
26) Fix to allow blocking lock notification to be done rapidly (no wait
    for smb -> smb lock release). Adds new PENDING_LOCK type to lockdb
    (does not interfere with existing locks).
27) Doxygen cleanups for code documentation
28) limit the unix domain sockets used by winbindd  by adding a
    "last_access" field to winbindd connections, and will close
    the oldest idle connection once the number of open connections goes
    over WINBINDD_MAX_SIMULTANEOUS_CLIENTS (defined in local.h as 200
    currently)
29) Fix a couple of string handling errors in smbd/dir.c that would
    cause smbd to crash
30) Fix seg fault in smbpasswd when specifying the new password
    as a command line argument
31) Correct 64-but file sizes issues with smbtar and smbclient
32) Add batch mode option to pdbedit
33) Add protection in nmbd against malformed reply packets
34) Fix bug with sendfile profiling support in smbstatus output
35) Correct bug in "hide unreadable" smb.conf parameter that
    resulted in incorrect directory listings
36) Fix bug in group enumeration in winbindd
37) Correct build issues with libsmbclient on Solaris
38) Fix memory leak and bad pointer dereference in password
    changing code in smbd
39) Fix for changing attributes on a file truncate
40) Ensure smbd process count never gets to -1 if limiting number
    of processes
41) Ensure we return disk full by default on short writes
42) Don't delete jobs submitted after the lpq time
43) Fix reference count bug where smbds would not terminate
    with no open resources
44) Performance fix when using quota support on HP-UX
45) Fixes for --with-ldapsam
    * Default to port 389 when "ldap ssl != on"
    * add support for rebinding to the master directory server
      for password changes when "ldap server" points to a read-only
      slave
46) Add -W and -X command line flags to smbpasswd for extracting and
    setting the machine/domain SID in secrets.tdb.  See the
    smbpasswd(8) man page for details.
47) Added (c) Luke Howard to winbind_nss_solaris.c for coded
    obtained from PADL's nss_ldap library.
48) Fix bug in samr_dispinfo query in winbindd
49) Fix segfault in NTLMSSP password changing code for
    guest connections
50) Correct pstring/fstring mismatches
51) Send level II oplock break requests synchronously to prevent
    condition where one smbd would continually lock a share entry
    in locking.tdb
52) Miscellaneous cleanups for tdb error conditions and appending
    data in a record
53) Implement correct open file truncate semantics with DOS
    attributes
54) Enforce wide links = no on files as well as directories
55) Include shared library checks for Stratus VOS
56) Include support for CUPS printer classes and logging the remote
    client name
57) Include  "WinXP" (Windows XP) and "Win2K3" (Windows .NET) values
    for %a
58) Increase the max PDU size to deal with some troublesome printer 
    drivers and Windows NT 4.0 clients
59) increment the process counter immediately after the fork   
    (not just when we receive the first smb packet)
60) Ensure rename sets errno correctly
61) Unify ACL code (back-port from 3.0)
62) Fix some further issues around off_t and large offsets


Changes since 2.2.7
--------------------

See the cvs log for SAMBA_2_2 for more details

1)  Fix for smbclient reporting negative file sizes on dir command
    and negative statistics being reported when using put or get
    on large files.
2)  Fix bug in determination of allocation size
3)  Fix 64bit size problems which prevented copying of files larger
    than 2 GBytes.
4)  Fix for xcopy /s problem with old DOS clients not sending correct
    attributes on subsequent SMBsearch calls.
5)  Fix bug in call to standard_sub_advanced giving a 0 length. This
    fixes the string overflow in string_sub errors.
6)  Correctly handle querygroup rpcclient command
7)  fix broken incremental tar in smbtar command


The release notes for 2.2.7 follow :

IMPORTANT: Security bugfix for Samba
------------------------------------

Summary
-------

A security hole has been discovered in versions 2.2.2 through 2.2.6 
of Samba that could potentially allow an attacker to gain root access
on the target machine.  The word "potentially" is used because there 
is no known exploit of this bug, and the Samba Team has not been able to
craft one ourselves. However, the seriousness of the problem warrants
this immediate 2.2.7 release.

In addition to addressing this security issue, Samba 2.2.7 also includes
thirteen unrelated improvements. These improvements result from our
process of continuous quality assurance and code review, and are part of
the Samba team's commitment to excellence.

Details
-------

There was a bug in the length checking for encrypted password change
requests from clients. A client could potentially send an encrypted
password, which, when decrypted with the old hashed password could be
used as a buffer overrun attack on the stack of smbd. The attach would
have to be crafted such that converting a DOS codepage string to little
endian UCS2 unicode would translate into an executable block of code.

All versions of Samba between 2.2.2 to 2.2.6 inclusive are vulnerable
to this problem. This version of Samba 2.2.7 contains a fix for this
problem.

Earlier versions of Samba are not vulnerable.

There is no known exploit or exploit code for this vulnerability,
it was discovered by a code audit by Debian Samba maintainers.

Credit
------

Thanks to Steve Langasek <vorlon@debian.org> and Eloy Paris
<peloy@debian.org> for bringing this vulnerability to our notice.

Patch for Samba versions 2.2.2 to 2.2.6
---------------------------------------

The following patch applies cleanly to the above Samba versions
and will fix the vulnerability for sites that do not wish to upgrade
to 2.2.7 at this time.


-------------------------------cut here---------------------------------
--- libsmb/smbencrypt.c.orig    Tue Nov 19 17:21:57 2002
+++ libsmb/smbencrypt.c Tue Nov 19 17:22:12 2002
@@ -63,7 +63,7 @@
        if(len > 128)
                len = 128;
        /* Password must be converted to NT unicode - null terminated. */
-       dos_struni2((char *)wpwd, (const char *)passwd, 256);
+       dos_struni2((char *)wpwd, (const char *)passwd, len);
        /* Calculate length in bytes */
        len = strlen_w((const smb_ucs2_t *)wpwd) * sizeof(int16);
-------------------------------cut here---------------------------------



Changes since 2.2.6
--------------------

See the cvs log for SAMBA_2_2 for more details

1)  ensure we send the notify message in the same way it is expected
    to be received by srv_spoolss_receive_message().
2)  attribute matching on truncate only matters when opening truncate
    with current SYSTEM|HIDDEN -> NONE. It's fine to truncate on open
    with current NONE -> SYSTEM | HIDDEN.
3)  Fix bug in rpcclient's deldriver command
4)  Don't set global_machine_password_needs_changing if
    lp_machine_password_timeout() is set to zero
5)  don't parse the BUFFER5 if the buffer length is zero
6)  fix core dump if pdbedit is run as non-root or smbpasswd file does
    not exist
7)  Ensure can_delete() returns correct error code
8)  correctly return NT_STATUS_DELETE_PENDING from open code
9)  fix bug that assumed dos_unistr2 length was in ucs2 units, not 
    bytes
10) check the long_archi name is not null when deleting a printer 
    driver.  fixes core dump in smbd when using rpcclient's deldriver
11) fix fd leak with kernel change notify on Linux 2.4 kernels
12) must add one to the extra_data size to transfer the 0 string
    terminator.  This was causing "wbinfo --sequence" to access past 
    the end of malloced memory
13) fix for large systems allowing more than 65536 files open in
    NTcreate&X
14) Fix bug in %U expansion



----------------------------------------------------------------------
The release notes for 2.2.6 follow :

There have been several fixes and internal enhancements which include:

 * Fixes for MS-RPC printing issues affecting Windows 2000 clients
 * New support for smb.conf generation in SWAT
 * Inclusion of several performance enhancements (See --with-sendfile
   & and the modified smb.conf(5) parameters in these Release Notes)
 * Fixes for several file locking bugs and returned status codes


New Parameters
--------------

Refer to the smb.conf(5) man page for complete descriptions of new 
parameters.

  * profile acls (S)            workaround for issue with WinXP SP1
                                and roaming user profiles

Removed Parameters
------------------

  * max packet (G)
  * packet size (G)

Modified Parameters
-------------------

  * max xmit (G)                new default value
  * large readwrite (G)         new default value

New ./configure Options
-----------------------

  --with-sendfile               Enable experimental sendfile support
  --with-winbind-ldap-hack      Enable winbindd_ldap_hack() functionality
                                for Windows 2000 native mode domains


Changes since 2.2.5
--------------------

See the cvs log for SAMBA_2_2 for more details

1)  Fixed several compiler warnings caused by the use of const parameters
2)  Fixed a hang in the main smbd process caused by an EINTR in the
    wrong place
3)  Fixed string substitutions to accept a length for sanity checks
4)  Fixed 17-bit length field in nmb header
5)  Removed non-portable inline declaration for functions
6)  Performance fix for including files with an smb.conf variable in the
    path name
7)  Fix for parsing LPRng lpq output
8)  Parsing fix for PRINTER_INFO_2 structure which was causing viewing
    printer properties to fail
9)  Fix for printer change notification and Windows NT clients which caused
    the client to go into an infinite loop of refreshing the local printers
    folder
10) Allow trans2 and nttrans messages to be processed in oplock break state
    which fixes a problem with oplock break requests and Win2k clients
11) Don't crash on setfileinfo on printer fsp
12) Memory fixes caught by Valgrind
13) Updates to stop spurious error message in tdb
14) Fix silly logic bug in 'make smbd processes' and 'status = no' check
15) Fix compilation of pam_smbpass and --with-ldap
16) Fix compilation of smbwrapper on Solaris hosts
17) fix logic error in a check for enabling the winbind_pam_auth_crap() code
    & fix formatting typo in --with-winbind-auth-challenge
18) Correcting check for ldap_start_tls()
19) Fixed a problem with getgroups() where it could include our current
    effective gid
20) fix incorrect semantics in the DeletePrinterDriver() spoolss rpc
    to only attempt to delete the architecture specified by the client
21) Don't allow TEMP attribute on directory open
22) Restore VxFS quotas to the 2.2 branch
23) Added basic "Wizard" functionality to SWAT
24) Fix initial "allocation size" in NTcreate&X call
25) Fix for open fid, "nametoolong"
26) Exit server on receipt of a non-SMB packet.  Ensure we have
    at least smb_size bytes before processing a packet
27) Replace inet_aton with inet_addr() to correct compile problems on Solaris
28) Include the "account" objectclass when adding a new account to --with-ldapsam
    in order to comply with the data model implemented by OpenLDAP 2.1.x
29) Various fixes for POSIX compliance
30) Correct alignment & offset bug in EnumPrinterDataEx()
31) Fix access checks when modifying forms using a print server handle
    (not just a printer handle)
32) Account for case data_len == 0 in EnumPrinterDataEx()
33) Fix logic error in blocking lock code
34) Fixed various incorrect return codes to clients
35) Add RESOLVE_DFSPATH to mkdir operations
36) Fix longstanding bug in Win2k clients by clearing the shortname
    buffer before returning ASCII short name
37) added -t option to smbpasswd for explicitly changing a trust
    account password when operating in security = domain
38) installed -x option to testparm to eXclude printing all parameter
    values that are at default settings.
39) Fix shares/printers view in SWAT so that only Basic options are exposed
    upon initial entry.
40) Added 1125 & KOI8-U to codepage list in Makefile.in
41) Include separate configure checks for *openbsd* & *freebsd* when
    determining flags used to compile shared libraries.
42) Merge in free list unlock on error fix
43) Correctly fail opens with mismatching SYSTEM or HIDDEN attributes
    if we are mapping system or hidden
44) Fix bug with stat mode open being done on read-only open with truncate
45) Fix crash bug discovered where cli struct was being deallocated in a
    called function
46) Ensure we open UNIX fifo's non-blocking
47) Fix DeletePrinterDriver() (hopefully for the last time...yeah right....)
48) only lowercase global_myname in the %L substitution, not the whole string
49) Merged Steve French's fix for OS/2 EA return error being removed
50) Patch from Steve French to fix difference in responses to smbclient
    //server/share ls / on Samba and Windows 2000
51) Print error and exit if smb.conf doesn't have security=domain and
    encrypt passwords=yes when joining domain
52) Added final Steve French patch for "required" attributes with old dir
    listings
53) Initialize user_rid value in WINBIND_USERINFO structure returned by
    the rpc version of query_user()
54) Ensure we've failed a lock with a lock denied message before automatically
    pushing it onto the blocking queue
55) Add experimental --with-sendfile code
56) alignment fix in printing code merged from HEAD
57) Merge fix for other sids in token from HEAD
58) Merge winbindd with current (more advanced) state of play in APPLIANCE_HEAD
59) fix smbclient / Win98 off by one bug
60) Never, *ever* hold a mutex lock in the message database where there may be
    traversals being attempted
61) Add LDAP hack for retrieving the SAM sequence number when a member of a
    Windows 2000 native mode domain
62) Fix race condition when changing a machine account password as we were
    no longer locking the secrets entry
63) Allow '@' as a valid character in domain names
64) remove jobs from the spool directory when using cups
65) removed -lresolv for --enable-ldapsam
66) Memory leak fix and correct use of negative caching in winbindd
67) Updated spoolss parsing code with known good state of APPLIANCE_HEAD
68) Delete printer security check was reversed
69) Windows allows delete printer on a handle opened by an admin user, then
    used on a pipe handle created by an anonymous user...We do to now...
70) Make explicit the difference between a tdb key with no data attached, and
    a non existent entry
71) Ensure we register the 1c name on the unicast subnet.
72) Fix inheritance problem when recursively setting ACLs on directories
73) prevent ACL set on read-only share
74) Ensure we never have more than MAX_PRINT_JOBS in a queue
75) Added timeout to tdb_lock_bystring()
76) Ensure we set FIRST+LAST flags on a bind request
77) Add version strings to the usage message for smbcacls and smbpasswd
78) Fix bug in the write cache code
79) make the default printed values for boolean the same for all parameters
80) Default all LDAP connections to v3 with compiling with --with-ldapsam
81) Fix memory leak in smbspool
82) Fix bug in mangling code that resulted in Win9x clients not being
    able to execute batch files in deep, non 8.3  directory paths
83) Fix infinite looping bug in winbindd_getgrent()
84) Fix crash bug on 64-bit systems (merge from HEAD)
85) Fix extended character bug when setting LanMan/NT password
86) Negotiate same SMB read size as a Windows 2000 file server
    to fix performance bug with NT4 clients



-----------------------------------------------------------------------------
The release notes for 2.2.5 follow :

There have been several fixes and internal enhancements which include:

* Several compile fixes for Solaris and HP-UX
* More printing fixes for Windows NT/2k/XP clients
* New options for the VFS recycle bin library
* New internal signal handling semantics relating to directory change
  notification and oplocks

New/Changed parameters in 2.2.5
--------------------------------

For more information on these parameters, see the man pages for
smb.conf(5).

Added/changed parameters
------------------------

* block size = <INTEGER>
* force unknown acl user = <boolean>
* mangling method = [hash|hash2]


Deprecated Parameters
---------------------

The following parameters have been marked as deprecated and will be removed
in Samba 3.0

* strip dot
* status


Removed Parameters
------------------

  none


Changes in 2.2.5
----------------

See the cvs log for SAMBA_2_2 for more details

1)  Removal of several compiler warnings, incorrect Makefile dependencies,
    and wrong autoconf tests on various platforms--Solaris & HP-UX 10.20
    being the predominantly reported platforms
2)  Fixed winbindd crash bug on the IBM s390 running Linux
3)  Inclusion of enhanced Linux quota support
4)  Correctly link against Sun LDAP libraries on Solaris 8 (even through
    there is no apparent SSL support there)
5)  POSIX conformance patches
6)  Include new configure --enable-cups option (can also be disabled even
    if CUPS libraries are installed on the system)
7)  Set reasonable default for the "passwd program" parameter using an
    autoconf test
8)  Added --with-winbind-auth for enabling winbindd_pam_auth_crap() code
9)  fixed bug to prevent root account from being deleted by the
    "delete user script"
10) Inclusion of autoconf script for building VFS modules
11) Add new run time options to the VFS recycle bin library (see
    examples/VFS/recycle/README for details)
12) Include findsmb perl script as part of the "make install" process
13) Return correct error code for EnumPrinters(PRINTER_ENUM_REMOTE, InfoLevel1)
    to fix a bug where printers appear at the workgroup level in the Windows
    NT/2k APW browse list
14) Added support to nmblookup to return NMB flags (See nmblookup(8) for
    details)
15) Fix length bug that caused password changes from Windows NT/2k clients to
    occasionally fail
16) Correct false password expiration when using --with-ldapsam caused by
    missing attributes in the directory
17) added -S option to smbpasswd for storing the SID of a domain controller
    as the local machine SID in secrets.tdb.  See the smbpasswd(8) man page
    for details.
18) Various fixes for UNIX CIFS extensions commands
19) Fixed CIDR notation in "hosts allow/deny"
20) Change semantics of an idle connection to mean "no open files and no
    open handles".  We cannot idle a connection if there are open named
    pipe handles.  This fixes scalability problem on Samba print servers
    and NT/2k clients introduced in 2.2.4
21) Fix germam umlaut problem when returning ACL entries
22) Return NT_STATUS_OBJECT_NAME_NOT_FOUND for ENOENT.  This fixes the bug
    of running the Microsoft Access executable (msaccess.exe) and database
    files from a Samba share documented in the 2.2.4 release
23) Corrected signal handling relating to directory change notification and
    kernel oplocks
24) Fix bug in unix_to_nt_time() that appeared on files dated close to Daylight
    Savings Time
25) Corrected alignment bug in spoolss parsing code which caused Win2k/XP
    clients not to be able to view printer properties from a Samba host
26) Fixed spoolss parsing bug causing printing from ACT! 2000 running on
    Windows 2k/XP clients to fail
27) Fixed incorrect error check in mod_share_entry()
28) Allow %S variable in MS-DFS root paths
29) Correct a bug regarding the use of 'wbinfo -A'
30) Fixed libnss_wins.so to correctly work on RedHat 7.3 systems
31) Store the key for a name-to-sid cache entry in upper case rather than
    whatever case the request was made in.  This gets rid of duplicate
    cache entries.
32) Fix bug causing the pid stored in winbindd's pid file to be the wrong id
33) Enhanced error reporting messages of wbinfo
34) Parameterize block size on disk size return
35) Added new parameter to allow incoming ACLs to have owner and group forced
    to the currently logged in user. This fixes the XCOPY /O problem
36) Fixed bug in local_change_password() caused by reusing a struct
    passwd* pointer
37) Change default value for "ldap port" to 389 if "ldap ssl = no"
38) Updated HOWTO's, manpages, and general documentation....
39) Allow root as well as domain admins to open an LDAP connection
40) Fixed veto files bug with ".*"
41) Fixed uninitialized variable bug in smbpasswd that was causing a random
    IP address to be used in the connection when joining a domain
42) Fix for joining a domain with a netbios name of 15 characters and
    pre-creating the account on the DC
43) Added links to new documentation on SWAT welcome page



-----------------------------------------------------------------------------
The release notes for 2.2.4 follow :

There have been several fixes and internal enhancements which include:

 * More/better SPOOLSS printing functionality for Windows
   NT/2k/XP clients.
 * Several fixes relating to serving PC database files such
   as (Access and FoxPro) from a Samba file share.
 * Several improves in Samba's VFS layer which can be seen
   in the inclusion of a "Recycle Bin" vfs module.  See
   examples/VFS/README for more details on this.
 * Addition of a tool (tdbbackup) for backup/restore of Samba's
   tdb's
 * Continued improvements to winbind for greater scalability
   and stability
 * Several fixes related to Samba's MS-DFS support
 * Rpcclient's various printer commands now work (again)


New/Changed parameters in 2.2.4
--------------------------------

For more information on these parameters, see the man pages for
smb.conf(5).

Added/changed parameters
------------------------

* csc policy
* inherit acls
* nt status support
* lock spin count
* lock spin time
* pid directory
* winbind use default domain


Deprecated parameters
---------------------

The following parameters have been marked as deprecated
and will be removed in Samba 3.0

* postscript
* printer driver
* printer driver file
* printer driver location


Removed Parameters
------------------

  none


Changes in 2.2.4
----------------

See the cvs log for SAMBA_2_2 for more details

1)  added -c option to smbpasswd
2)  reworked smbpasswd internal command line option parsing
3)  small various bug fixes to experimental pdb_tdb.c
4)  Enforce spoolss RPCs based on the access granted at PrinterOpen()
5)  Added missing access checks to [add/delete/set]form
6)  Compile fixes for pam_smbpass
7)  fix smbd crash when netbios session request fails from
    spoolss_connect_to_client().
8)  fixed logic bug that prevent SetPrinter() from storing devmode
9)  Removed extra get_printer_snum() calls from set_printer_hnd_name()
10) fix joining domain on big endian machine when using -U to smbpasswd
11) allow command line arg to override smb.conf log level
12) continue to retry to register 1b name with wins server if there is an old IP there
13) fix smbclient print crash bug
14) 9x pnp fix when the config file and driver file are different
15) force testparm to print the correct value for log level
16) fix swat to show full log level info
17) fix server GetPrinterData() fields to be more sensible
18) fix logic error in SetPrinterDataEx()
19) Only set smb_read_error if not already set
20) Fix string returns that require unicode
21) Merge of printing performance fixes from appliance
22) lpq parsing fixes
23) Back port tridge's xcopy /o fix from HEAD
24) Fix the printer change notify code (unfinished)
25) Patch for Domain users not showing up
26) Fixed SetPrinterData(magic key) to support zero length DEVMODE
27) Ensure that all methods of looking up and connecting to DC's work
    using identical logic.
28) Merge in the mutex code to stop multiple domain logon failure
29) Ignore 0/0 lock
30) Fix winbindd to respect command line debuglevel as nmbd/smbd
31) Update with tdbbackup from HEAD
32) Fix for typo on solaris nss
33) Merge in the locking changes from HEAD
34) Added POSIX ACL layer into the vfs
35) Fix the returning of domain enum
36) Fix the generation of the MACHINE.SID file into the secrets.tdb.
37) Enable test for -rdynamic when building binaries
38) Remove the "stat open" code - make it inline
39) Fix the mp3 rename bug
40) Fix for Explorer DFS problems on older Windows 9X machines
41) implement OpenPrinter() opnum == 0x01
42) Matched W2K *insane* open semantics....
43) small fix that will prevent the "failed to marshall
    R_NET_SAMLOGON" message in the logs
42) don't do checking of local passdb in smbpasswd if using -r option
43) fix "smbpasswd -j DOMAIN -r * -U Admin%XXXX" so that it doesn't
    try to connect to a server named '*'
44) merge rpcclient code from HEAD
45) Ensure MACHINE.SID update done before child spawns
46) Fix the bad path errors for mkdir so mkdir \a\b\c\d works
47) Removed --with-vfs - always built if available
48) Fixed psec for 2.2
49) Fixed the handle leak in the connection management code
50) fix disable spoolss after the switch to nt status codes
51) Added Shirish's client side caching policy change
52) Honor the specversion when parsing the the DEVICEMODE
53) fix parsing bug when DEVICEMODE's private data does not end
    on a 4 byte boundary
54) do not idle an smbd when there is an open pipe
55) when a new driver is added to a Samba server, cycle through
    all printers and bump the change_id for each one bound to the driver
56) allow smbclient to work with a FIFO as well (needed for KDE
    ioslave)
57) various updates to pdb_nisplus.c
58) many small documentation updates
59) removed many compiler warnings


-----------------------------------------------------------------------------
The release notes for 2.2.3a follow :

This is a minor bugfix release for the 2.2.3 release. The 2.2.3
release had a problem that was visible to Windows 2000 Explorer
users in that copying files into a share that already existed
failed with "Access Denied" rather than asking the user if an
overwrite was required. This was due to an incorrect error mapping
between the UNIX EXIST error code and the NT status error.

As Windows Explorer is a highly visible end user application a quick
bugfix release was required, hence 2.2.3a.

Compilation on HP-UX versions earlier than HP-UX 11 has also been
corrected.

The cvs.log file is no longer included with this release, as it adds
13Mb to the size of the release, and is easily available on the Web.

-----------------------------------------------------------------------------
The release notes for 2.2.3 follow :

There are several important scaling bugs that have been fixed in this release
for large server systems so an upgrade is recommended.

LDAP update
-----------

Much work has been done on the LDAP backend code. The configure
option --with-ldapsam is now considered to be stable. The schema
used has changed, see the file examples/LDAP/samba.schema for the
new schema.

New documentation explaining how to set up a Samba only PDC/BDC
setup has been added in the files Samba-LDAP-HOWTO and Samba-BDC-HOWTO
in the documentation tree.

winbindd daemon extended
------------------------

Samba 2.2.2 was the first release to include the winbind daemon.
This code allows UNIX systems that implement the name service
switch (nss) to be entered into a Windows NT/2000 domain and
use the Domain controller for all user and group enumeration.

Samba 2.2.3 fixes the known memory leaks in winbindd and has
been extended to work with SGI IRIX and HP-UX (11.x) in addition
to the earlier targets of Linux and Solaris.

For more information on using winbind, see the man pages for
winbindd and wbinfo.

Note that winbindd is not installed by default.

New/Changed parameters in 2.2.3
--------------------------------

For more information on these parameters, see the man pages for
smb.conf.

Added/changed parameters.
-------------------------

unix extensions

Enables the experimental UNIX CIFS extensions in smbd. See the manpage
for more details.

default devmode

Some printer drivers will crash the Windows NT/2000 spooler service
if they are given a default devmode, some require it. This parameter
allows the administrator a choice of whether smbd returns such a
default devmode for a driver.

share modes

This parameter has been restored to allow people who wish smbd to ignore
client share modes. This is *very dangerous* and should not be set without
full knowledge of what this is designed for.

Changes in 2.2.3
-----------------

1). Fixed shared library compile for Solaris with native compiler.
2). UNIX CIFS extensions code added (donated by HP).
3). Changed to using NT status codes on the wire if the client can support
this.
4). altname command to show 8.3 name added to smbclient.
5). const-safe endian macros now used.
6). client code now uses UNICODE on the wire.
7). Correctly return fault PDU's on bad handle.
8). Improved NT error code mapping table.
9). Many new point and print RPC calls added.
10). Win9x clients can now see full user list.
11). field added to identify simultaneous open files (no longer
use dev/inode/time as unique value).
12). HP-UX ACL code added (donated by HP).
13). vfs interfaces updated (again !).
14). MSDOS Code Page 866 -> 1251 mapping added.
15). winbindd now processes quit/hup signals correctly.
16). No tdb traversal done on startup/shutdown - ensures scalability.
17). Fix bug with paths for homes share.
18). Fixed copyfile for OS/2.
19). Fix group membership when groups are on more than one line.
20). Fixed core dumps in posix ACL mapping code.
21). Tidyup of UNICODE functions (put/get).
22). Move rpcclient to the new libsmb code.
23). Add missing Windows 2000 passthough trans2 calls.
24). Return check all tdb calls.
25). Make local name lookup work even if wins server is down.
26). pam session code added to winbind.
27). Added winbindd cache to all lookups.
28). Fix allocate bugs that caused file sizes to be incorrect.
29). Fixed write cache code - now safe to use.
30). Fixed winbindd memory leaks.
31). winbindd will now do name lookups (to allow non Open Source
systems to do the nsswitch WINS lookup). Fixed by SGI.
32). passdb memory leaks fixed.
33). LDAP code updates and now properly maintained.
34). Finally figured out how changeid is meant to work.
35). Downlevel printing now looks as NT does in print monitor window.
36). Many fixups in spoolss printing RPC parsing.
37). Speed up password enumeration as a PDC.
38). Fix printer changed notify messages (work from HP).
39). Fix modify timestamp on close code.
40). Fix long standing mangled names bug.
41). Fix delete on close semantics.
42). Stop opening all files with O_NONBLOCK !
43). Use O_NOFOLLOW for systems that have it and don't want symlinks.
44). Ensure NT supplementary groups get added to user token.
45). Try and mitigate effects of DNS timeout (do less lookups).
46). Added current user connection context stack.
47). Fixes to utmp code.
48). smbw code tidyups.
49). Added tdb open log code. Several tdb fixes.

-----------------------------------------------------------------------------
The release notes for 2.2.2 follow :

New daemon included - winbindd
------------------------------
 
Samba 2.2.2 is the first release to include the winbind daemon.
This code allows UNIX systems that implement the name service
switch (nss) to be entered into a Windows NT/2000 domain and
use the Domain controller for all user and group enumeration.
 
This allows a Samba server added to a Windows domain to serve
file and print services with *NO* local users needed in /etc/passwd
and /etc/group - all users and groups are read directly from the
Windows domain controller. In addition with pam_winbind which allows
a PAM enabled UNIX system to use a Windows domain for authentication
service this allows single sign on and account control across
UNIX and Windows systems.
 
The current version of winbindd shipped in 2.2.2 does have some
memory leaks, which will be addressed for the next Samba release,
so it is advisable to monitor the winbind process. This code is
being used in production by several vendors, so the leaks are
manageable. In addition, this version of winbind does not work
correctly against a Samba PDC, due to some missing calls on the
PDC side. These problems are being addressed for the next Samba
release, but it was thought better to release the code now rather
than delay the main Samba code to match the winbind release schedule.
 
For more information on using winbind, see the man pages for
winbindd and wbinfo.
 
Note that winbindd is not installed by default.

New/Changed parameters in 2.2.2
-------------------------------

For more information on these parameters, see the man pages for
smb.conf.

Added/changed parameters.
-------------------------

strict allocate

Causes Samba not to create UNIX 'sparse' files, but to follow the
Windows behavior of always allocating on-disk space.

use mmap

Set to 'on' by default, only set to 'off' on HP-UX 11.x or below or other
UNIX systems that don't have coherent mmap/read-write internal caches.
You should not need to set this parameter.

nt acl support

This parameter has been changed to a per-share option, and is very
useful in enabling Windows 2000 SP2 to load/save profiles from a 
Samba share.

New printing parameters.
------------------------

disable spoolss

Setting this parameter causes Samba to go back to the old 2.0.x
LANMAN printing behavior, for people who wish to disable the
new SPOOLSS pipe.

use client driver

Causes Windows NT/2000 clients to need have a local printer driver
installed and to treat the printer as local.

New LDAP parameters.
--------------------

Samba 2.2.2 contains new code to maintain a Samba SAM database
on a remote LDAP server. These parameters have been added as
part of this code. These parameters are only available when Samba
has been compiled with the --with-ldapsam option.

ldap admin dn
ldap ssl

New SSL parameters.
-------------------

The SSL support in Samba has been fixed. These new parameters
are part of the changes added. These parameters are only available
when Samba has been compiled with the --with-ssl option. 
Please see the smb.conf man page for details.

ssl egd socket
ssl entropy file
ssl entropy bytes

New winbindd parameters.
------------------------

These parameters are used by winbindd. See the man page for
winbindd for details.

winbind separator
winbind uid
winbind gid
winbind cache time
winbind enum users
winbind enum groups
template homedir
template shell

Removed parameters.
-------------------

share modes
ldap root
ldap root passwd

New Documentation.
------------------

Some new README's have been added in the docs/ directory. These cover
using roving profiles with Windows 2000 SP2 (docs/README.Win2kSP2),
and how to use Samba to help prevent Windows virus spread
(docs/README.Win32-Viruses).

Quota problems on a Linux 2.4 kernel.
-------------------------------------

Currently the quota interfaces have diverged between the Linus
2.4.x kernels and the Alan Cox 2.4.x kernels (the Alan Cox variants
are shipped with RedHat). Running quota-enabled Samba compiled on
an Alan Cox kernel works correctly on an Alan Cox kernel (the one
shipped by default with RedHat 7.x) but fails on a Linus kernel.

This is a mess, and hopefully Alan and Linus will sort it out soon.
In the meantime we need to ship.....

Changes in 2.2.2
-----------------

1). mmap tdb code disabled on HP-UX. This should prevent the reports of
tdb corruption on HUPX.
2). Large file support set to off in Solaris 5.5 and below.
3). Better CUPS detection.
4). New SAM (password database) backends - smbpasswd (traditional),
LDAP, NIS+ and Samba TDB.
5). Quota fixups on Linux.
6). libsmbclient stand-alone code added. Can be built as a shared library
under Linux.
7). Tru64 ACL support added.
8). winbindd option added.
9). Realloc fail tidyup fixes all over the code.
10). Large improvement in hash table code efficiency - would be found with
large stat caches.
11). Error code consistency improved (still needs more work).
12). Profile shared memory support added to nmbd.
13). New Windows 2000/NT passthrough info levels added.
14). readraw/writeraw code rewritten - many bugs fixed.
15). UNIX password sync (non pam) code fixed, use correct wildcard matcher.
16). Reverse DNS lookup avoided on socket open.
17). Bug preventing nmbd re-registering names on WINS server timeout fixed.
18). Zero length byte range lock code added. Much closer to Windows semantics.
19). Alignment fault fixes for Linux/Alpha.
20). Error checking on tdb returns vastly improved.
21). Handling of delete on close fixed. No longer possible to leave 'dead'
file entries.
22). Handling of oplock break failure cleanups improved. Should not be
able to leave 'dead' entries.
23). Fix handling of errors trying to set 64 bit locks on 32 bit NFS mounts.
24). Misc. MS-DFS code fixes.
25). Ignore logon packets if not a PDC (needed for PDC/BDC failover).
26). winbind pam module added.
27). Order N^^2 enumeration of printers problem fixed.
28). Password backend database code re-ordered to allow different password
backends (at compile time currently).
29). Improved print driver version detection for Windows 2000.
30). Driver DEVMODE initialization fixes.
31). Improved SYSV print parse code.
32). Fixed enumeration of large numbers of users/groups from Windows clients.
Code still too slow.
33). Fix for buggy NetApp RPC pipe clients.
34). Fix for NT sending multiple SetPrinterDataEx calls.
35). Fix for logic bug where smbd could delay oplock break request messages
from other smbd daemons whilst client kept us busy.
36). Fix deadlock problem with connections tdb on enumeration.
37). Fixes for setting/getting NT ACLs - improved POSIX mapping both ways.
38). Removed unused readbmpx/writebmpx code.
39). Attempt to fix Linux 2.4.x quota mess.
40). Improved ctemp code for Windows 2000 compatibility.
41). Finally understood difference between set EOF and set allocation requests.
Added strict allocate parameter to help.
42). Correctly return name types on name to SID lookups.
43). tdb spinlock code update.
44). Use pread/pwrite on systems that have it to fix race condition in tdb code.

-----------------------------------------------------------------------------
The release notes for 2.2.1a follow :

This is a minor bugfix release for 2.2.1, *NOT* security related.

1). 2.2.1 had a bug where using smbpasswd -m to add a Windows NT or
Windows2000 machine into a Samba hosted PDC would fail due to our
stricter user name checking. We were disallowing user names
containing '$', which is needed when using smbpasswd to add a
machine into a domain. Automatically adding machines (using the
native Windows tools) into a Samba domain worked correctly.

2.2.1a fixes this single problem.

-----------------------------------------------------------------------------
The release notes for 2.2.1 follow :

New/Changed parameters in 2.2.1
-------------------------------

Added parameters.
-----------------

obey pam restrictions

When Samba is configured to use PAM, turns on or off Samba checking
the PAM account restrictions. Defaults to off.

pam password change

When Samba is configured to use PAM, turns on or off Samba passing
the password changes to PAM. Defaults to off.

large readwrite

New option to allow new Windows 2000 large file (64k) streaming
read/write options. Needs a 64 bit underlying operating system
(for Linux use kernel 2.4 with glibc 2.2 or above). Can improve performance
by 10% with Windows 2000 clients. Defaults to off. Not as tested
as some other Samba code paths.

hide unreadable

Prevents clients from seeing the existence of files that cannot
be read. Off by default.

enhanced browsing

Turn on/off the enhanced Samba browsing functionality (*1B names).
Default is "on". Can prevent eternal machines in workgroups when
WINS servers are not synchronized.

Removed parameters.
-------------------

domain groups
domain admin users
domain guest users

Changes in 2.2.1
-----------------

1). "find" command removed for smbclient. Internal code now used.
2). smbspool updates to retry connections from Michael Sweet.
3). Fix for mapping 8859-15 characters to UNICODE.
4). Changed "security=server" to try with invalid username to prevent
    account lockouts.
5). Fixes to allow Windows 2000 SP2 clients to join a Samba PDC.
6). Support for Windows 9x Nexus tools to allow security changes from Win9x.
7). Two locking fixes added. Samba 2.2.1 now passes the Clarion network
    lock tester tool for distributed databases.
8). Preliminary support added for Windows 2000 large file read/write SMBs.
9). Changed random number generator in Samba to prevent guess attacks.
10). Fixes for tdb corruption in connections.tdb and file locking brlock.tdb.
     smbd's clean the tdb files on startup and shutdown.
11). Fixes for default ACLs on Solaris.
12). Tidyup of password entry caching code.
13). Correct shutdowns added for send fails. Helps tdb cleanup code.
14). Prevent invalid '/' characters in workgroup names.
15). Removed more static arrays in SAMR code.
16). Client code is now UNICODE on the wire.
17). Fix 2 second timestamp resolution everywhere if dos timestamp set to yes.
18). All tdb opens now going through logging function.
19). Add pam password changing and pam restrictions code.
20). Printer driver management improvements (delete driver).
21). Fix difference between NULL security descriptors and empty
     security descriptors.
22). Fix SID returns for server roles.
23). Allow Windows 2000 mmc to view and set Samba share security descriptors.
24). Allow smbcontrol to forcibly disconnect a share.
25). tdb fixes for HP-UX, OpenBSD and other OS's that don't have a coherent
     mmap/file read/write cache.
26). Fix race condition in returning create disposition for file create/open.
27). Fix NT rewriting of security descriptors to their canonical form for
     ACLs.
28). Fix for Samba running on top of Linux VFAT ftruncate bug.
29). Swat fixes for being run with xinetd that doesn't set the umask.
30). Fix for slow writes with Win9x Explorer clients. Emulates Microsoft
     TCP stack early ack specification error.
31). Changed lock & persistent tdb directory to /var/cache/samba by default on
     RedHat and Mandrake as they clear the /var/lock/samba directory on reboot.

-----------------------------------------------------------------------------
The release notes for 2.2.0a follow :

SECURITY FIX
============

This is a security bugfix release for Samba 2.2.0. This release provides the
following two changes *ONLY* from the 2.2.0 release.

1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com)
    and described in the security advisory below.
2). Fix for the hosts allow/hosts deny parameters not being honoured.

No other changes are being made for this release to ensure a security fix only.
For new functionality (including these security fixes) download Samba 2.2.1
when it is available.

The security advisory follows :


                IMPORTANT: Security bugfix for Samba
                ------------------------------------

June 23rd 2001


Summary
-------

A serious security hole has been discovered in all versions of Samba
that allows an attacker to gain root access on the target machine for
certain types of common Samba configuration.

The immediate fix is to edit your smb.conf configuration file and
remove all occurances of the macro "%m". Replacing occurances of %m
with %I is probably the best solution for most sites.

Details
-------

A remote attacker can use a netbios name containing unix path
characters which will then be substituted into the %m macro wherever
it occurs in smb.conf. This can be used to cause Samba to create a log
file on top of an important system file, which in turn can be used to
compromise security on the server.

The most commonly used configuration option that can be vulnerable to
this attack is the "log file" option. The default value for this
option is VARDIR/log.smbd. If the default is used then Samba is not
vulnerable to this attack.

The security hole occurs when a log file option like the following is
used:

  log file = /var/log/samba/%m.log

In that case the attacker can use a locally created symbolic link to
overwrite any file on the system. This requires local access to the
server.

If your Samba configuration has something like the following:

  log file = /var/log/samba/%m

Then the attacker could successfully compromise your server remotely
as no symbolic link is required. This type of configuration is very
rare.

The most commonly used log file configuration containing %m is the
distributed in the sample configuration file that comes with Samba:

  log file = /var/log/samba/log.%m

in that case your machine is not vulnerable to this attack unless you
happen to have a subdirectory in /var/log/samba/ which starts with the
prefix "log."

Credit
------

Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this
vulnerability.


New Release
-----------

While we recommend that vulnerable sites immediately change their
smb.conf configuration file to prevent the attack we will also be
making new releases of Samba within the next 24 hours to properly fix
the problem. Please see http://www.samba.org/ for the new releases.

Please report any attacks to the appropriate authority.

        The Samba Team
        security@samba.org

---------------------------------------------------------------------------

The release notes for 2.2.0 follow :

This is the official Samba 2.2.0 release. This version of Samba provides
the following new features and enhancements.

Integration between Windows oplocks and NFS file opens (IRIX and Linux
2.4 kernel only). This gives complete data and locking integrity between
Windows and UNIX file access to the same data files.

Ability to act as an authentication source for Windows 2000 clients as
well as for NT4.x clients.

Integration with the winbind daemon that provides a single
sign on facility for UNIX servers in Windows 2000/NT4 networks
driven by a Windows 2000/NT4 PDC. winbind is not included in
this release, it currently must be obtained separately. We are
committed to including winbind in a future Samba 2.2.x release.

Support for native Windows 2000/NT4 printing RPCs. This includes
support for automatic printer driver download.

Support for server supported Access Control Lists (ACLs).
This release contains support for the following filesystems: 

    Solaris 2.6+ 
    SGI Irix 
    Linux Kernel with ACL patch from http://acl.bestbits.at
        Linux Kernel with XFS ACL support.
        Caldera/SCO UnixWare
        IBM AIX
        FreeBSD (with external patch)

Other platforms will be supported as resources are
available to test and implement the necessary modules. If
you are interested in writing the support for a particular
ACL filesystem, please join the samba-technical mailing
list and coordinate your efforts. 
 
On PAM (Pluggable Authentication Module) based systems - better debugging
messages and encrypted password users now have access control verified via
PAM - Note: Authentication still uses the encrypted password database.
 
Rewritten internal locking semantics for more robustness.
This release supports full 64 bit locking semantics on all
(even 32 bit) platforms. SMB locks are mapped onto POSIX
locks (32 bit or 64 bit) as the underlying system allows.

Conversion of various internal flat data structures to use
database records for increased performance and
flexibility.

Support for acting as a MS-DFS (Distributed File System) server.

Support for manipulating Samba shares using Windows client tools
(server manager). Per share security can be set using these tools
and Samba will obey the access restrictions applied.

Samba profiling support (see below).

Compile time option for enabling a (Virtual file system) VFS layer 
to allow non-disk resources to be exported as Windows filesystems
(such as databases etc.).

The documentation in this release has been updated and converted
from Yodl to DocBook 4.1. There are many new parameters since 2.0.7
and some defaults have changed.

Profiling support.
------------------
Support for collection of profile information. A shared 
memory area has been created which contains counters for
the number of calls to and the amount of time spent in
various system calls, smb transactions and nmbd activity. See 
the file profile.h for a complete listing of the information 
collected. Sample code for a samba pmda (collection agent
for Performance Co-Pilot) has been included in the pcp
directory. 

To enable the profile data collection code in samba, you must 
compile samba with profile data support (run configure with 
the --with-profiling-data option). On startup, collection of 
data is disabled. To begin collecting data use the smbcontrol
program to turn on profiling (see the smbcontrol man page).
Profile information collection can be enabled for nmbd, all smbd
processes or one or more selected processes. The profiling
data collected is the aggregate for all processes that have
profiling enabled.

With samba compiled for profile data collection, you may see
a very slight degradation in performance even with profiling
collection turned off. On initial tests with NetBench on an
SGI Origin 200 server, this degradation was not measurable 
with profile collection off compared to no profile collection
compiled into samba.

With count profile collection enabled on all clients, the 
degradation was less than 2%. With full profile collection 
enabled on all clients, the degradation was about 8.5%. 

=====================================================================

If you think you have found a bug please email a report to :

        samba@samba.org

As always, all bugs are our responsibility.

Regards,

        The Samba Team.