samba: Add helper script to pipe password

It is complicated to set the password in the C helper binary. Therefore it is being set by a helper script. This is still not an optimal solution since the password might be exposed to the shell environment, but has the advantage that shell command injection is no longer possible. Fixes: #12562 Reported-by: Albert Schwarzkopf <ipfire@quitesimple.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2021-01-06 14:38:03 +00:00
parent 354c3e2b45
commit 37fe3658a0
7 changed files with 46 additions and 10 deletions
--- a/config/rootfiles/packages/aarch64/samba
+++ b/config/rootfiles/packages/aarch64/samba
@@ -788,6 +788,7 @@ usr/lib/security/pam_winbind.so
 usr/libexec/samba/smbspool_krb5_wrapper
 usr/sbin/eventlogadm
 usr/sbin/nmbd
+usr/sbin/samba-change-password
 usr/sbin/samba-gpupdate
 usr/sbin/smbd
 usr/sbin/winbindd
--- a/config/rootfiles/packages/armv5tel/samba
+++ b/config/rootfiles/packages/armv5tel/samba
@@ -788,6 +788,7 @@ usr/lib/security/pam_winbind.so
 usr/libexec/samba/smbspool_krb5_wrapper
 usr/sbin/eventlogadm
 usr/sbin/nmbd
+usr/sbin/samba-change-password
 usr/sbin/samba-gpupdate
 usr/sbin/smbd
 usr/sbin/winbindd
--- a/config/rootfiles/packages/i586/samba
+++ b/config/rootfiles/packages/i586/samba
@@ -788,6 +788,7 @@ usr/lib/security/pam_winbind.so
 usr/libexec/samba/smbspool_krb5_wrapper
 usr/sbin/eventlogadm
 usr/sbin/nmbd
+usr/sbin/samba-change-password
 usr/sbin/samba-gpupdate
 usr/sbin/smbd
 usr/sbin/winbindd
--- a/config/rootfiles/packages/x86_64/samba
+++ b/config/rootfiles/packages/x86_64/samba
@@ -788,6 +788,7 @@ usr/lib/security/pam_winbind.so
 usr/libexec/samba/smbspool_krb5_wrapper
 usr/sbin/eventlogadm
 usr/sbin/nmbd
+usr/sbin/samba-change-password
 usr/sbin/samba-gpupdate
 usr/sbin/smbd
 usr/sbin/winbindd
--- a/config/samba/samba-change-password
+++ b/config/samba/samba-change-password
@@ -0,0 +1,37 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 2 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2021 IPFire Team <info@ipfire.org>                         #
+#                                                                          #
+############################################################################
+
+main() {
+	local username="${1}"
+	local password="${2}"
+
+	# Change password UNIX account
+	printf -- "${username}:${password}\n" | chpasswd
+
+	# Change SMB password
+	printf -- "${password}\n${password}\n" | smbpasswd -as "${username}"
+
+	return 0
+}
+
+main "$@" || exit "$?"
--- a/lfs/samba
+++ b/lfs/samba
@@ -114,6 +114,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	mkdir -p /var/spool/samba
 	chmod -v 1777 /var/spool/samba/

+	# Install password change helper script
+	install -m 755 $(DIR_SRC)/config/samba/samba-change-password /usr/sbin/samba-change-password
+
 	#install initscripts
 	$(call INSTALL_INITSCRIPT,samba)

--- a/src/misc-progs/sambactrl.c
+++ b/src/misc-progs/sambactrl.c
@@ -82,11 +82,7 @@ int main(int argc, char *argv[]) {
 		snprintf(command, BUFFER_SIZE-1, "/usr/sbin/useradd -c 'Samba User' -m -g sambauser -s /bin/false %s >/dev/null", argv[2]);
 		safe_system(command);

-		snprintf(command, BUFFER_SIZE-1, "echo %s:%s | chpasswd", argv[2], argv[3]);
-		safe_system(command);
-
-		snprintf(command, BUFFER_SIZE-1, "/usr/bin/printf '%s\n%s\n' | /usr/bin/smbpasswd -as %s >/dev/null", argv[3], argv[3], argv[2]);
-		safe_system(command);
+		run("/usr/sbin/samba-change-password", argv + 1);

 	} else if (strcmp(argv[1], "smbchangepw") == 0) {
 		if (!is_valid_argument_alnum(argv[2])) {
@@ -94,11 +90,7 @@ int main(int argc, char *argv[]) {
 			exit(2);
 		}

-		snprintf(command, BUFFER_SIZE-1, "echo %s:%s | chpasswd", argv[2], argv[3]);
-		safe_system(command);
-
-		snprintf(command, BUFFER_SIZE-1, "/usr/bin/printf '%s\n%s\n' | /usr/bin/smbpasswd -as %s >/dev/null", argv[3], argv[3], argv[2]);
-		safe_system(command);
+		run("/usr/sbin/samba-change-password", argv + 1);

 	} else if (strcmp(argv[1], "readsmbpasswd") == 0) {
 		safe_system("/bin/chown root:nobody /var/ipfire/samba/private >/dev/null");