From d08b1279ebb90460fce65b56d91b8fc434fa759c Mon Sep 17 00:00:00 2001 From: Andy Walsh Date: Fri, 8 Nov 2019 13:21:45 +0100 Subject: [PATCH] samba4: update to 4.9.15 * update to 4.9.15 * fixes CVE-2019-10218, CVE-2019-14833, CVE-2019-14847 * update smb.conf.template (aio, sendfile) Signed-off-by: Andy Walsh --- net/samba4/Makefile | 4 +- net/samba4/files/smb.conf.template | 66 ++++++++++++++++++------------ 2 files changed, 42 insertions(+), 28 deletions(-) diff --git a/net/samba4/Makefile b/net/samba4/Makefile index faa9abc12..966596dbb 100644 --- a/net/samba4/Makefile +++ b/net/samba4/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=samba -PKG_VERSION:=4.9.13 +PKG_VERSION:=4.9.15 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz @@ -12,7 +12,7 @@ PKG_SOURCE_URL:=https://ftp.heanet.ie/mirrors/ftp.samba.org/stable/ \ http://www.nic.funet.fi/index/samba/pub/samba/stable/ \ http://samba.mirror.bit.nl/samba/ftp/stable/ \ https://download.samba.org/pub/samba/stable/ -PKG_HASH:=ab18331e37766b13dbb07d1f115bda3d794917baf502d0ca2b2b8fff014b88f2 +PKG_HASH:=377102b80b97941bf0d131b828cae8415190e5bdd2928c2e2c954e29f1904496 PKG_MAINTAINER:=Andy Walsh PKG_LICENSE:=GPL-3.0-only diff --git a/net/samba4/files/smb.conf.template b/net/samba4/files/smb.conf.template index 9c18184b3..162559820 100644 --- a/net/samba4/files/smb.conf.template +++ b/net/samba4/files/smb.conf.template 
@@ -7,73 +7,87 @@ ## This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests. bind interfaces only = yes - + ## time for inactive connections to-be closed in minutes deadtime = 15 - + ## disable core dumps enable core files = no - + ## set security (auto, user, domain, ads) security = user - + ## This parameter controls whether a remote client is allowed or required to use SMB encryption. ## It has different effects depending on whether the connection uses SMB1 or SMB2 and newer: ## If the connection uses SMB1, then this option controls the use of a Samba-specific extension to the SMB protocol introduced in Samba 3.2 that makes use of the Unix extensions. ## If the connection uses SMB2 or newer, then this option controls the use of the SMB-level encryption that is supported in SMB version 3.0 and above and available in Windows 8 and newer. - ##(default/auto,desired,required,off) + ## (default/auto,desired,required,off) #smb encrypt = default - + ## set invalid users invalid users = root - + ## map unknow users to guest map to guest = Bad User ## allow client access to accounts that have null passwords. null passwords = yes - + ## The old plaintext passdb backend. Some Samba features will not work if this passdb backend is used. (NOTE: enabled for size reasons) ## (tdbsam,smbpasswd,ldapsam) passdb backend = smbpasswd - + ## Set location of smbpasswd ('smbd -b' will show default compiled location) #smb passwd file = /etc/samba/smbpasswd - + ## LAN/WAN options (IPTOS_LOWDELAY TCP_NODELAY) WAN (IPTOS_THROUGHPUT) socket options = IPTOS_LOWDELAY TCP_NODELAY - - ## lower CPU useage if supported - use sendfile = yes - + + ## If this integer parameter is set to a non-zero value, Samba will read from files asynchronously when the request size is bigger than this value. + ## Note that it happens only for non-chained and non-chaining reads and when not using write cache. 
+ ## The only reasonable values for this parameter are 0 (no async I/O) and 1 (always do async I/O). + ## (1/0) + #aio read size = 0 + #aio write size = 0 + + ## If Samba has been built with asynchronous I/O support, Samba will not wait until write requests are finished before returning the result to the client for files listed in this parameter. + ## Instead, Samba will immediately return that the write request has been finished successfully, no matter if the operation will succeed or not. + ## This might speed up clients without aio support, but is really dangerous, because data could be lost and files could be damaged. + #aio write behind = /*.tmp/ + + ## lower CPU useage if supported and aio is disabled (aio read size = 0 ; aio write size = 0) + ## currently broken (NOTE: see https://bugzilla.samba.org/show_bug.cgi?id=14095 ) + ## (no, yes) + #use sendfile = yes + ## samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range cannot be obtained. #blocking locks = No - + ## disable loading of all printcap printers by default (iprint, cups, lpstat) load printers = No printcap name = /dev/null ## Enabling this parameter will disable Samba's support for the SPOOLSS set of MS-RPC's. disable spoolss = yes - + ## This parameters controls how printer status information is interpreted on your system. ## (BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, SOFTQ) printing = bsd - + ## Disable that nmbd is acting as a WINS server for unknow netbios names #dns proxy = No - + ## win/unix user mapping backend #idmap config * : backend = tdb - + ## Allows the server name that is advertised through MDNS to be set to the hostname rather than the Samba NETBIOS name. ## This allows an administrator to make Samba registered MDNS records match the case of the hostname rather than being in all capitals. 
## (netbios, mdns) mdns name = mdns - + ## Clients that only support netbios won't be able to see your samba server when netbios support is disabled. #disable netbios = Yes - + ## Setting this value to no will cause nmbd never to become a local master browser. #local master = no @@ -83,21 +97,21 @@ ## (445 139) Specifies which ports the server should listen on for SMB traffic. ## 139 is netbios/nmbd #smb ports = 445 139 - + ## This is a list of files and directories that are neither visible nor accessible. ## Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards. veto files = /Thumbs.db/.DS_Store/._.DS_Store/.apdisk/ - + ## If a directory that is to be deleted contains nothing but veto files this deletion will fail unless you also set the delete veto files parameter to yes. delete veto files = yes - + ################ Filesystem and creation rules ################ ## reported filesystem type (NTFS,Samba,FAT) #fstype = FAT - + ## Allows a user who has write access to the file (by whatever means, including an ACL permission) to modify the permissions (including ACL) on it. #dos filemode = Yes - + ## file/dir creating rules #create mask = 0666 #directory mask = 0777
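Review bot: The new `#aio write behind = /*.tmp/` line is a ready-to-uncomment example sitting directly under a comment that calls the option "really dangerous"; the comment itself already says Samba reports the write as finished no matter if the operation will succeed, so a user who merely removes the `#` gets silent data loss on every matched file with no error ever reaching the client. Either drop the example value or make the comment a recommendation rather than a recipe, e.g. `## leave unset (the default): writes matching the pattern are acknowledged before they complete and failures are never reported to the client`. In the rewritten `use sendfile` block the comment still carries the typo `useage` (should be `usage`) and a stray space in `=14095 )`, and "currently broken" will go stale without saying what it is tied to, so `## disabled while bug 14095 is open; re-check when bumping PKG_VERSION` would be more maintainable. The section these keys belong to opens before the hunk's first line, so the header is not visible here.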