File _service:tar_scm_kernel_repo:backport-0006-CVE-2020-25717-winbindd-allow-idmap-backends-to-mark.patch of Package samba
From 04e10a843187810e97bf565731ddc5d70b0f4245 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze@samba.org> Date: Tue, 15 Sep 2020 17:26:11 +0200 Subject: [PATCH 027/266] CVE-2020-25717 winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE This must only be used between winbindd parent and child! It must not leak into outside world. Some backends require ID_TYPE_UID or ID_TYPE_GID as type_hint, while others may only need ID_TYPE_BOTH in order to validate that the domain exists. This will allow us to skip the wb_lookupsids_send/recv in the winbindd parent in future and only do that on demand. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 (cherry picked from commit 493f5d6b078e0b0f80d1ef25043e2834cb4fcb87) --- librpc/idl/idmap.idl | 23 +++++++++++++++++-- source3/passdb/lookup_sid.c | 7 ++++++ source3/winbindd/idmap_autorid.c | 6 ++--- source3/winbindd/idmap_ldap.c | 29 ++++++++++++++++++++++++ source3/winbindd/idmap_rw.c | 32 +++++++++++++++++++++++++-- source3/winbindd/idmap_tdb_common.c | 22 +++++++++++++++++- source3/winbindd/wb_sids2xids.c | 11 +++++++++ source3/winbindd/winbindd_dual_srv.c | 6 +++++ source3/winbindd/winbindd_getgroups.c | 7 ++++++ 9 files changed, 135 insertions(+), 8 deletions(-) Conflict:only remain the first chunk Reference:https://git.samba.org/samba.git/?p=samba.git;a=patch;h=04e10a843187810e97bf565731ddc5d70b0f4245 diff --git a/librpc/idl/idmap.idl b/librpc/idl/idmap.idl index 54fd888dcab..e58e39210c7 100644 --- a/librpc/idl/idmap.idl +++ b/librpc/idl/idmap.idl 
@@ -11,7 +11,18 @@ interface idmap ID_TYPE_NOT_SPECIFIED, ID_TYPE_UID, ID_TYPE_GID, - ID_TYPE_BOTH + ID_TYPE_BOTH, + /* + * This are internal between winbindd + * parent and child. + * + * It means the idmap backend/child requires a valid type_hint + * for wbint_Sids2UnixIDs(): + * + * - ID_TYPE_UID or ID_TYPE_GID means the user/group exists + * - ID_TYPE_BOTH means that only the domain exist + */ + ID_TYPE_WB_REQUIRE_TYPE } id_type; typedef [public] struct { @@ -23,7 +34,15 @@ interface idmap ID_UNKNOWN, ID_MAPPED, ID_UNMAPPED, - ID_EXPIRED + ID_EXPIRED, + /* + * This means the idmap backend requires a valid type_hint + * in order to map a sid to a unix id. + * + * - ID_TYPE_UID or ID_TYPE_GID means the user/group exists + * - ID_TYPE_BOTH means that only the domain exist + */ + ID_REQUIRE_TYPE } id_mapping; typedef [public] struct { -- 2.23.0
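Review bot: In the first hunk (the id_type enum), the comment above ID_TYPE_WB_REQUIRE_TYPE says the value is internal to the winbindd parent and child, but nothing in this patch enforces that. The header notes "Conflict:only remain the first chunk", so only librpc/idl/idmap.idl is changed here, while the diffstat still lists eight other files (source3/passdb/lookup_sid.c, source3/winbindd/wb_sids2xids.c, source3/winbindd/winbindd_dual_srv.c and others) and "135 insertions(+), 8 deletions(-)". Please state in the patch header which patch in the series carries the handling for the new value, and correct the diffstat to match what is applied, so a reader can confirm the value cannot "leak into outside world" as the commit message requires. The comment itself should read "This is internal" rather than "This are internal", and "the domain exists" rather than "the domain exist".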
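Review bot: In the second hunk (the id_mapping enum), the comment above ID_REQUIRE_TYPE does not say that the status is internal to winbindd, unlike the comment on ID_TYPE_WB_REQUIRE_TYPE in the first hunk. The commit message applies the restriction to both values ("ID_[TYPE_WB_]REQUIRE_TYPE ... must only be used between winbindd parent and child"), so the same sentence belongs here. Otherwise a caller reading only this enum has no hint that ID_REQUIRE_TYPE is not a final mapping result like ID_MAPPED or ID_UNMAPPED. The comment also has "the domain exist", which should be "the domain exists".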