net_ads.c: Add ability to read machine password from stdin
Adds a way to read the machine password from stdin during net ads join. Sending
the password through a command line argument is a security issue since the
password is then visible in ps.
crbug.com/777979.
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index c83aced..ea67432 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1352,6 +1352,7 @@ static int net_ads_join_usage(struct net_context *c, int argc, const char **argv
" quadrupled. It is not used as a separator.\n"));
d_printf(_(" machinepass=PASS Set the machine password to a specific value during\n"
" the join. The default password is random.\n"));
+- d_printf(_(" machinepassStdin Reads the machine password from stdin.\n"));
d_printf(_(" osName=string Set the operatingSystem attribute during the join.\n"));
d_printf(_(" osVer=string Set the operatingSystemVersion attribute during join.\n"
" NB: osName and osVer must be specified together for\n"
@@ -1533,7 +1534,43 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
goto fail;
}
}
+ else if ( !strcasecmp_m(argv[i], "machinepassStdin") ) {
+ /* Read from stdin. Must be before 'machinepass' case. */
+ if ( machine_password ) {
+ d_fprintf(stderr,
+ _("Machine password already "
+ "specified.\n"));
+ werr = WERR_INVALID_PARAMETER;
+ goto fail;
+ }
+ int ret = 0;
+ char *buf = talloc_zero_array(ctx, char, 1024);
+ if (buf == NULL) {
+ werr = WERR_NOT_ENOUGH_MEMORY;
+ goto fail;
+ }
+ ret = samba_getpass("Enter machine password:",
+ buf,
+ talloc_get_size(buf),
+ false,
+ false);
+ if (ret != 0) {
+ d_fprintf(stderr,
+ _("Failed to read "
+ "machine password.\n"));
+ werr = WERR_INVALID_PARAMETER;
+ goto fail;
+ }
+ machine_password = buf;
+ }
else if ( !strncasecmp_m(argv[i], "machinepass", strlen("machinepass")) ) {
+ if ( machine_password ) {
+ d_fprintf(stderr,
+ _("Machine password already "
+ "specified.\n"));
+ werr = WERR_INVALID_PARAMETER;
+ goto fail;
+ }
if ( (machine_password = get_string_param(argv[i])) == NULL ) {
d_fprintf(stderr, _("Please supply a valid password to set as trust account password.\n"));
werr = WERR_INVALID_PARAMETER;
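Review bot: The `machinepassStdin` branch only tests `ret != 0` after `samba_getpass`, so an empty line on stdin appears to leave the zero-filled `buf` in place as a zero-length machine password, whereas the `machinepass=` branch rejects a missing value; consider `if (ret != 0 || buf[0] == '\0') {`. Input longer than the 1024-byte buffer is presumably truncated without an error, which would set a different trust-account password than the caller supplied, so a length check or an explicit limit in the usage text would help. On the failure path the partially filled `buf` stays allocated on `ctx`; wiping it before `goto fail`, with a comment such as `/* buf holds secret material: scrub before it is freed */`, would keep the password out of released heap memory. The body of net_ads_join starts and ends outside the hunk, so what the `fail` label frees is not visible here.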