9 files changed, 63 insertions, 79 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 42341d0713..80589c77a7 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,54 @@
                    =============================
+                   Release Notes for Samba 3.4.7
+			    March 8, 2010
+                   =============================
+
+
+This is a security release in order to address CVE-2010-0728.
+
+
+o  CVE-2010-0728:
+   In Samba releases 3.5.0, 3.4.6 and 3.3.11, new code
+   was added to fix a problem with Linux asynchronous IO handling.
+   This code introduced a bad security flaw on Linux platforms if the
+   binaries were built on Linux platforms with libcap support.
+   The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE
+   capabilities, allowing all file system access to be allowed
+   even when permissions should have denied access.
+
+
+Changes since 3.5.0
+-------------------
+
+
+o   Jeremy Allison <jra@samba.org>
+    * BUG 7222: Fix for CVE-2010-0728.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.4 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older versions follow:
+----------------------------------------
+
+                   =============================
                    Release Notes for Samba 3.4.6
 			 February 24, 2010
                    =============================
@@ -109,8 +159,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older versions follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 3.4.5
diff --git a/packaging/RHEL-CTDB/samba.spec b/packaging/RHEL-CTDB/samba.spec
index 4c4abce21c..e0a09cb3cd 100644
--- a/packaging/RHEL-CTDB/samba.spec
+++ b/packaging/RHEL-CTDB/samba.spec
@@ -5,7 +5,7 @@ Summary: Samba SMB client and server
 Vendor: Samba Team
 Packager: Samba Team <samba@samba.org>
 Name:         samba
-Version:      3.4.6
+Version:      3.4.7
 Release:      ctdb.1
 Epoch:        0
 License: GNU GPL version 3
diff --git a/packaging/RHEL/makerpms.sh b/packaging/RHEL/makerpms.sh
index 191c742c90..07d6b92c64 100644
--- a/packaging/RHEL/makerpms.sh
+++ b/packaging/RHEL/makerpms.sh
@@ -20,7 +20,7 @@ SRCDIR=`rpm --eval %_sourcedir`
 
 USERID=`id -u`
 GRPID=`id -g`
-VERSION='3.4.6'
+VERSION='3.4.7'
 REVISION=''
 SPECFILE="samba.spec"
 RPMVER=`rpm --version | awk '{print $3}'`
diff --git a/packaging/RHEL/samba.spec b/packaging/RHEL/samba.spec
index 27661f07a8..2ab0bb7027 100644
--- a/packaging/RHEL/samba.spec
+++ b/packaging/RHEL/samba.spec
@@ -5,7 +5,7 @@ Summary: Samba SMB client and server
 Vendor: Samba Team
 Packager: Samba Team <samba@samba.org>
 Name:         samba
-Version:      3.4.6
+Version:      3.4.7
 Release:      1
 Epoch:        0
 License: GNU GPL version 3
diff --git a/source3/VERSION b/source3/VERSION
index 7133dfbaad..f40ac81c2b 100644
--- a/source3/VERSION
+++ b/source3/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=4
-SAMBA_VERSION_RELEASE=6
+SAMBA_VERSION_RELEASE=7
 
 ########################################################
 # Bug fix releases use a letter for the patch revision #
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 29c614bc81..2a3c455f2e 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -1690,8 +1690,7 @@ minimum length == 24.
 enum smbd_capability {
     KERNEL_OPLOCK_CAPABILITY,
     DMAPI_ACCESS_CAPABILITY,
-    LEASE_CAPABILITY,
-    KILL_CAPABILITY
+    LEASE_CAPABILITY
 };
 
 /*
diff --git a/source3/include/version.h b/source3/include/version.h
index e2370b2d0d..690d0ce762 100644
--- a/source3/include/version.h
+++ b/source3/include/version.h
@@ -1,8 +1,8 @@
 /* Autogenerated by script/mkversion.sh */
 #define SAMBA_VERSION_MAJOR 3
 #define SAMBA_VERSION_MINOR 4
-#define SAMBA_VERSION_RELEASE 6
-#define SAMBA_VERSION_OFFICIAL_STRING "3.4.6"
+#define SAMBA_VERSION_RELEASE 7
+#define SAMBA_VERSION_OFFICIAL_STRING "3.4.7"
 #ifdef SAMBA_VERSION_VENDOR_FUNCTION
 #  define SAMBA_VERSION_STRING SAMBA_VERSION_VENDOR_FUNCTION
 #else /* SAMBA_VERSION_VENDOR_FUNCTION */
diff --git a/source3/lib/system.c b/source3/lib/system.c
index 6349af5072..e8157662bf 100644
--- a/source3/lib/system.c
+++ b/source3/lib/system.c
@@ -592,11 +592,6 @@ char *sys_getwd(char *s)
 
 #if defined(HAVE_POSIX_CAPABILITIES)
 
-/* This define hasn't made it into the glibc capabilities header yet. */
-#ifndef SECURE_NO_SETUID_FIXUP
-#define SECURE_NO_SETUID_FIXUP          2
-#endif
-
 /**************************************************************************
  Try and abstract process capabilities (for systems that have them).
 ****************************************************************************/
@@ -627,32 +622,6 @@ static bool set_process_capability(enum smbd_capability capability,
 	}
 #endif
 
-#if defined(HAVE_PRCTL) && defined(PR_SET_SECUREBITS) && defined(SECURE_NO_SETUID_FIXUP)
-        /* New way of setting capabilities as "sticky". */
-
-	/*
-	 * Use PR_SET_SECUREBITS to prevent setresuid()
-	 * atomically dropping effective capabilities on
-	 * uid change. Only available in Linux kernels
-	 * 2.6.26 and above.
-	 *
-	 * See here:
-	 * http://www.kernel.org/doc/man-pages/online/pages/man7/capabilities.7.html
-	 * for details.
-	 *
-	 * Specifically the CAP_KILL capability we need
-	 * to allow Linux threads under different euids
-	 * to send signals to each other.
-	 */
-
-	if (prctl(PR_SET_SECUREBITS, 1 << SECURE_NO_SETUID_FIXUP)) {
-		DEBUG(0,("set_process_capability: "
-			"prctl PR_SET_SECUREBITS failed with error %s\n",
-			strerror(errno) ));
-		return false;
-	}
-#endif
-
 	cap = cap_get_proc();
 	if (cap == NULL) {
 		DEBUG(0,("set_process_capability: cap_get_proc failed: %s\n",
@@ -681,11 +650,6 @@ static bool set_process_capability(enum smbd_capability capability,
 			cap_vals[num_cap_vals++] = CAP_LEASE;
 #endif
 			break;
-		case KILL_CAPABILITY:
-#ifdef CAP_KILL
-			cap_vals[num_cap_vals++] = CAP_KILL;
-#endif
-			break;
 	}
 
 	SMB_ASSERT(num_cap_vals <= ARRAY_SIZE(cap_vals));
@@ -695,37 +659,16 @@ static bool set_process_capability(enum smbd_capability capability,
 		return True;
 	}
 
-	/*
-	 * Ensure the capability is effective. We assume that as a root
-	 * process it's always permitted.
-	 */
-
-	if (cap_set_flag(cap, CAP_EFFECTIVE, num_cap_vals, cap_vals,
-			enable ? CAP_SET : CAP_CLEAR) == -1) {
-		DEBUG(0, ("set_process_capability: cap_set_flag effective "
-			"failed (%d): %s\n",
-			(int)capability,
-			strerror(errno)));
-		cap_free(cap);
-		return false;
-	}
+	cap_set_flag(cap, CAP_EFFECTIVE, num_cap_vals, cap_vals,
+		enable ? CAP_SET : CAP_CLEAR);
 
 	/* We never want to pass capabilities down to our children, so make
 	 * sure they are not inherited.
 	 */
-	if (cap_set_flag(cap, CAP_INHERITABLE, num_cap_vals,
-			cap_vals, CAP_CLEAR) == -1) {
-		DEBUG(0, ("set_process_capability: cap_set_flag inheritable "
-			"failed (%d): %s\n",
-			(int)capability,
-			strerror(errno)));
-		cap_free(cap);
-		return false;
-	}
+	cap_set_flag(cap, CAP_INHERITABLE, num_cap_vals, cap_vals, CAP_CLEAR);
 
 	if (cap_set_proc(cap) == -1) {
-		DEBUG(0, ("set_process_capability: cap_set_flag (%d) failed: %s\n",
-			(int)capability,
+		DEBUG(0, ("set_process_capability: cap_set_proc failed: %s\n",
 			strerror(errno)));
 		cap_free(cap);
 		return False;
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 25571a9629..2c5ce40085 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -1027,14 +1027,6 @@ extern void build_options(bool screen);
 	gain_root_privilege();
 	gain_root_group_privilege();
 
-	/*
-	 * Ensure we have CAP_KILL capability set on Linux,
-	 * where we need this to communicate with threads.
-	 * This is inherited by new threads, but not by new
-	 * processes across exec().
-	 */
-	set_effective_capability(KILL_CAPABILITY);
-
 	fault_setup((void (*)(void *))exit_server_fault);
 	dump_core_setup("smbd");