[SCM] Samba Shared Repository - branch v3-6-test updated
Karolin Seeger
kseeger at samba.org
Mon May 7 10:02:01 MDT 2012
The branch, v3-6-test has been updated
via 3d9a8dd Final back port of fix for bug #8837 - smbd crashes when deleting directory and veto files are enabled.
via 5b53510 Convert parse_delete_tokens_list() and unparse_share_modes() to use ndr encoding for the struct security_unix_token. We can do this as libsmb_share_modes never looks inside the delete tokens list, only implicitly gets the length.
via a66a725 The delete tokens are unique to each name hash representing a pathname, if we don't correctly return here we'll add duplicate tokens for a given pasname hash.
via e691385 Fix the talloc heirarchy when adding the unix delete token.
via 483c25e Third part of fix for bug #8837 - smbd crashes when deleting directory and veto files are enabled.
via dd2246f First part of fix for bug 8837 - smbd crashes when deleting directory and veto files are enabled.
from e686621 s3: Fix bug 8904 -- wbinfo --lookup-sids "" crashes winbind
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test
- Log -----------------------------------------------------------------
commit 3d9a8dd1a97f68df7d91cef5afe4dda80cc03454
Author: Jeremy Allison <jra at samba.org>
Date: Mon Apr 9 14:15:22 2012 -0700
Final back port of fix for bug #8837 - smbd crashes when deleting directory and veto files are enabled.
Use ndr encoding to add the NT security token into the stored data when
delete on close is set.
commit 5b5351022fb81da09d28ab3e7c8c2e2a8956c45e
Author: Jeremy Allison <jra at samba.org>
Date: Mon Apr 9 11:47:27 2012 -0700
Convert parse_delete_tokens_list() and unparse_share_modes() to use ndr encoding for the struct security_unix_token. We can do this as libsmb_share_modes never looks inside the delete tokens list, only implicitly gets the length.
commit a66a725f6190fe48b6c83dc7f0e65bac6fa4bbac
Author: Jeremy Allison <jra at samba.org>
Date: Fri Apr 6 15:39:03 2012 -0700
The delete tokens are unique to each name hash representing a pathname, if we don't correctly return here we'll add duplicate tokens for a given pasname hash.
commit e691385e25804c744fc820fdd6e039c3cf6b6128
Author: Jeremy Allison <jra at samba.org>
Date: Fri Apr 6 14:53:48 2012 -0700
Fix the talloc heirarchy when adding the unix delete token.
commit 483c25eb0c88178012cec11f713b714c3c54f8d6
Author: Jeremy Allison <jra at samba.org>
Date: Wed Apr 4 14:57:12 2012 -0700
Third part of fix for bug #8837 - smbd crashes when deleting directory and veto files are enabled.
Use correct check to see if veto files has been enabled. Even if not
set lp_veto_files() returns a valid string address (to a '\0' character).
Autobuild-User: Jeremy Allison <jra at samba.org>
Autobuild-Date: Thu Apr 5 01:36:04 CEST 2012 on sn-devel-104
(cherry picked from commit 704ea4729b499ae2716cfe6ad5d952bcb1251a3b)
commit dd2246f0262ef1002bf9e348d6097734596ce100
Author: Jeremy Allison <jra at samba.org>
Date: Wed Apr 4 14:53:10 2012 -0700
First part of fix for bug 8837 - smbd crashes when deleting directory and veto files are enabled.
Add some const to the sec_ctx code.
(cherry picked from commit f042de2f346c98a852957cdbb09a7f8ac871b69c)
-----------------------------------------------------------------------
Summary of changes:
librpc/idl/security.idl | 4 +-
source3/include/smb.h | 1 +
source3/locking/locking.c | 231 +++++++++++++++++++++++++++------------------
source3/locking/proto.h | 10 ++-
source3/smbd/close.c | 25 +++--
source3/smbd/proto.h | 2 +-
source3/smbd/reply.c | 8 +-
source3/smbd/sec_ctx.c | 2 +-
source3/smbd/trans2.c | 1 +
9 files changed, 174 insertions(+), 110 deletions(-)
Changeset truncated at 500 lines:
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 3378367..696d5a5 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -570,7 +570,7 @@ interface security
} sec_desc_buf;
/* This is not yet sent over the network, but is simply defined in IDL */
- typedef [public] struct {
+ typedef [public,gensize] struct {
uint32 num_sids;
[size_is(num_sids)] dom_sid sids[*];
se_privilege privilege_mask;
@@ -578,7 +578,7 @@ interface security
} security_token;
/* This is not yet sent over the network, but is simply defined in IDL */
- typedef [public] struct {
+ typedef [public,gensize] struct {
uid_t uid;
uid_t gid;
uint32 ngroups;
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 549ebb2..873657a 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -637,6 +637,7 @@ struct delete_token_list {
struct delete_token_list *next, *prev;
uint32_t name_hash;
struct security_unix_token *delete_token;
+ struct security_token *delete_nt_token;
};
struct share_mode_lock {
diff --git a/source3/locking/locking.c b/source3/locking/locking.c
index ddd469d..11d1a85 100644
--- a/source3/locking/locking.c
+++ b/source3/locking/locking.c
@@ -44,6 +44,7 @@
#include "serverid.h"
#include "messages.h"
#include "util_tdb.h"
+#include "../librpc/gen_ndr/ndr_security.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_LOCKING
@@ -551,33 +552,10 @@ static int parse_delete_tokens_list(struct share_mode_lock *lck,
lck->delete_tokens = NULL;
for (i = 0; i < pdata->u.s.num_delete_token_entries; i++) {
- uint32_t token_len;
+ DATA_BLOB blob;
+ enum ndr_err_code ndr_err;
struct delete_token_list *pdtl;
-
- if (end_ptr - p < (sizeof(uint32_t) + sizeof(uint32_t) +
- sizeof(uid_t) + sizeof(gid_t))) {
- DEBUG(0,("parse_delete_tokens_list: "
- "corrupt token list (%u)",
- (unsigned int)(end_ptr - p)));
- smb_panic("corrupt token list");
- return -1;
- }
-
- memcpy(&token_len, p, sizeof(token_len));
- delete_tokens_size += token_len;
-
- if (p + token_len > end_ptr || token_len < sizeof(token_len) +
- sizeof(pdtl->name_hash) +
- sizeof(uid_t) +
- sizeof(gid_t)) {
- DEBUG(0,("parse_delete_tokens_list: "
- "invalid token length (%u)\n",
- (unsigned int)token_len ));
- smb_panic("invalid token length");
- return -1;
- }
-
- p += sizeof(token_len);
+ size_t token_len = 0;
pdtl = TALLOC_ZERO_P(lck, struct delete_token_list);
if (pdtl == NULL) {
@@ -587,6 +565,7 @@ static int parse_delete_tokens_list(struct share_mode_lock *lck,
/* Copy out the name_hash. */
memcpy(&pdtl->name_hash, p, sizeof(pdtl->name_hash));
p += sizeof(pdtl->name_hash);
+ delete_tokens_size += sizeof(pdtl->name_hash);
pdtl->delete_token = TALLOC_ZERO_P(pdtl, struct security_unix_token);
if (pdtl->delete_token == NULL) {
@@ -594,40 +573,58 @@ static int parse_delete_tokens_list(struct share_mode_lock *lck,
return -1;
}
- /* Copy out the uid and gid. */
- memcpy(&pdtl->delete_token->uid, p, sizeof(uid_t));
- p += sizeof(uid_t);
- memcpy(&pdtl->delete_token->gid, p, sizeof(gid_t));
- p += sizeof(gid_t);
-
- token_len -= (sizeof(token_len) + sizeof(pdtl->name_hash) +
- sizeof(uid_t) + sizeof(gid_t));
-
- /* Any supplementary groups ? */
- if (token_len) {
- int j;
-
- if (token_len % sizeof(gid_t) != 0) {
- DEBUG(0,("parse_delete_tokens_list: "
- "corrupt group list (%u)",
- (unsigned int)(token_len % sizeof(gid_t)) ));
- smb_panic("corrupt group list");
- return -1;
- }
+ if (p >= end_ptr) {
+ DEBUG(0,("parse_delete_tokens_list: corrupt data"));
+ return -1;
+ }
- pdtl->delete_token->ngroups = token_len / sizeof(gid_t);
- pdtl->delete_token->groups = TALLOC_ARRAY(pdtl->delete_token, gid_t,
- pdtl->delete_token->ngroups);
- if (pdtl->delete_token->groups == NULL) {
- DEBUG(0,("parse_delete_tokens_list: talloc failed"));
- return -1;
- }
+ blob.data = p;
+ blob.length = end_ptr - p;
- for (j = 0; j < pdtl->delete_token->ngroups; j++) {
- memcpy(&pdtl->delete_token->groups[j], p, sizeof(gid_t));
- p += sizeof(gid_t);
- }
+ ndr_err = ndr_pull_struct_blob(&blob,
+ pdtl,
+ pdtl->delete_token,
+ (ndr_pull_flags_fn_t)ndr_pull_security_unix_token);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ DEBUG(1, ("parse_delete_tokens_list: "
+ "ndr_pull_security_unix_token failed\n"));
+ return -1;
+ }
+
+ token_len = ndr_size_security_unix_token(pdtl->delete_token, 0);
+
+ p += token_len;
+ delete_tokens_size += token_len;
+
+ if (p >= end_ptr) {
+ DEBUG(0,("parse_delete_tokens_list: corrupt data"));
+ return -1;
+ }
+
+ pdtl->delete_nt_token = TALLOC_ZERO_P(pdtl, struct security_token);
+ if (pdtl->delete_nt_token == NULL) {
+ DEBUG(0,("parse_delete_tokens_list: talloc failed"));
+ return -1;
+ }
+
+ blob.data = p;
+ blob.length = end_ptr - p;
+
+ ndr_err = ndr_pull_struct_blob(&blob,
+ pdtl,
+ pdtl->delete_nt_token,
+ (ndr_pull_flags_fn_t)ndr_pull_security_token);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ DEBUG(1, ("parse_delete_tokens_list: "
+ "ndr_pull_security_token failed\n"));
+ return -1;
}
+
+ token_len = ndr_size_security_token(pdtl->delete_nt_token, 0);
+
+ p += token_len;
+ delete_tokens_size += token_len;
+
/* Add to the list. */
DLIST_ADD(lck->delete_tokens, pdtl);
}
@@ -769,11 +766,9 @@ static TDB_DATA unparse_share_modes(const struct share_mode_lock *lck)
for (pdtl = lck->delete_tokens; pdtl; pdtl = pdtl->next) {
num_delete_token_entries++;
- delete_tokens_size += (sizeof(uint32_t) +
- sizeof(uint32_t) +
- sizeof(uid_t) +
- sizeof(gid_t) +
- pdtl->delete_token->ngroups*sizeof(gid_t));
+ delete_tokens_size += sizeof(uint32_t) +
+ ndr_size_security_unix_token(pdtl->delete_token, 0) +
+ ndr_size_security_token(pdtl->delete_nt_token, 0);
}
result.dsize = sizeof(*data) +
@@ -813,30 +808,44 @@ static TDB_DATA unparse_share_modes(const struct share_mode_lock *lck)
/* Store any delete on close tokens. */
for (pdtl = lck->delete_tokens; pdtl; pdtl = pdtl->next) {
struct security_unix_token *pdt = pdtl->delete_token;
- uint32_t token_size = sizeof(uint32_t) +
- sizeof(uint32_t) +
- sizeof(uid_t) +
- sizeof(gid_t) +
- (pdt->ngroups * sizeof(gid_t));
+ struct security_token *pdt_nt = pdtl->delete_nt_token;
uint8_t *p = result.dptr + offset;
-
- memcpy(p, &token_size, sizeof(uint32_t));
- p += sizeof(uint32_t);
+ DATA_BLOB blob;
+ enum ndr_err_code ndr_err;
memcpy(p, &pdtl->name_hash, sizeof(uint32_t));
p += sizeof(uint32_t);
+ offset += sizeof(uint32_t);
+
+ ndr_err = ndr_push_struct_blob(&blob,
+ talloc_tos(),
+ pdt,
+ (ndr_push_flags_fn_t)ndr_push_security_unix_token);
- memcpy(p, &pdt->uid, sizeof(uid_t));
- p += sizeof(uid_t);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ smb_panic("ndr_push_security_unix_token failed");
+ }
+
+ /* We know we have space here as we counted above. */
+ memcpy(p, blob.data, blob.length);
+ p += blob.length;
+ offset += blob.length;
+ TALLOC_FREE(blob.data);
- memcpy(p, &pdt->gid, sizeof(gid_t));
- p += sizeof(gid_t);
+ ndr_err = ndr_push_struct_blob(&blob,
+ talloc_tos(),
+ pdt_nt,
+ (ndr_push_flags_fn_t)ndr_push_security_token);
- for (i = 0; i < pdt->ngroups; i++) {
- memcpy(p, &pdt->groups[i], sizeof(gid_t));
- p += sizeof(gid_t);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ smb_panic("ndr_push_security_token failed");
}
- offset += token_size;
+
+ /* We know we have space here as we counted above. */
+ memcpy(p, blob.data, blob.length);
+ p += blob.length;
+ offset += blob.length;
+ TALLOC_FREE(blob.data);
}
safe_strcpy((char *)result.dptr + offset, lck->servicepath,
@@ -1508,6 +1517,7 @@ static struct security_unix_token *copy_unix_token(TALLOC_CTX *ctx, const struct
static bool add_delete_on_close_token(struct share_mode_lock *lck,
uint32_t name_hash,
+ const struct security_token *nt_tok,
const struct security_unix_token *tok)
{
struct delete_token_list *dtl;
@@ -1518,11 +1528,16 @@ static bool add_delete_on_close_token(struct share_mode_lock *lck,
}
dtl->name_hash = name_hash;
- dtl->delete_token = copy_unix_token(lck, tok);
+ dtl->delete_token = copy_unix_token(dtl, tok);
if (dtl->delete_token == NULL) {
TALLOC_FREE(dtl);
return false;
}
+ dtl->delete_nt_token = dup_nt_token(dtl, nt_tok);
+ if (dtl->delete_nt_token == NULL) {
+ TALLOC_FREE(dtl);
+ return false;
+ }
DLIST_ADD(lck->delete_tokens, dtl);
lck->modified = true;
return true;
@@ -1542,14 +1557,17 @@ static bool add_delete_on_close_token(struct share_mode_lock *lck,
void set_delete_on_close_lck(files_struct *fsp,
struct share_mode_lock *lck,
bool delete_on_close,
+ const struct security_token *nt_tok,
const struct security_unix_token *tok)
{
struct delete_token_list *dtl;
bool ret;
if (delete_on_close) {
+ SMB_ASSERT(nt_tok != NULL);
SMB_ASSERT(tok != NULL);
} else {
+ SMB_ASSERT(nt_tok == NULL);
SMB_ASSERT(tok == NULL);
}
@@ -1560,13 +1578,17 @@ void set_delete_on_close_lck(files_struct *fsp,
/* Delete this entry. */
DLIST_REMOVE(lck->delete_tokens, dtl);
TALLOC_FREE(dtl);
- return;
+ } else {
+ /* Replace this token with the
+ given tok. */
+ TALLOC_FREE(dtl->delete_token);
+ dtl->delete_token = copy_unix_token(dtl, tok);
+ SMB_ASSERT(dtl->delete_token != NULL);
+ TALLOC_FREE(dtl->delete_nt_token);
+ dtl->delete_nt_token = dup_nt_token(dtl, nt_tok);
+ SMB_ASSERT(dtl->delete_nt_token != NULL);
}
- /* Replace this token with the
- given tok. */
- TALLOC_FREE(dtl->delete_token);
- dtl->delete_token = copy_unix_token(dtl, tok);
- SMB_ASSERT(dtl->delete_token != NULL);
+ return;
}
}
@@ -1575,11 +1597,13 @@ void set_delete_on_close_lck(files_struct *fsp,
return;
}
- ret = add_delete_on_close_token(lck, fsp->name_hash, tok);
+ ret = add_delete_on_close_token(lck, fsp->name_hash, nt_tok, tok);
SMB_ASSERT(ret);
}
-bool set_delete_on_close(files_struct *fsp, bool delete_on_close, const struct security_unix_token *tok)
+bool set_delete_on_close(files_struct *fsp, bool delete_on_close,
+ const struct security_token *nt_tok,
+ const struct security_unix_token *tok)
{
struct share_mode_lock *lck;
@@ -1594,8 +1618,15 @@ bool set_delete_on_close(files_struct *fsp, bool delete_on_close, const struct s
return False;
}
- set_delete_on_close_lck(fsp, lck, delete_on_close,
- delete_on_close ? tok : NULL);
+ if (delete_on_close) {
+ set_delete_on_close_lck(fsp, lck, true,
+ nt_tok,
+ tok);
+ } else {
+ set_delete_on_close_lck(fsp, lck, false,
+ NULL,
+ NULL);
+ }
if (fsp->is_directory) {
SMB_ASSERT(!is_ntfs_stream_smb_fname(fsp->fsp_name));
@@ -1610,7 +1641,15 @@ bool set_delete_on_close(files_struct *fsp, bool delete_on_close, const struct s
return True;
}
-const struct security_unix_token *get_delete_on_close_token(struct share_mode_lock *lck, uint32_t name_hash)
+/****************************************************************************
+ Return the NT token and UNIX token if there's a match. Return true if
+ found, false if not.
+****************************************************************************/
+
+bool get_delete_on_close_token(struct share_mode_lock *lck,
+ uint32_t name_hash,
+ const struct security_token **pp_nt_tok,
+ const struct security_unix_token **pp_tok)
{
struct delete_token_list *dtl;
@@ -1621,15 +1660,21 @@ const struct security_unix_token *get_delete_on_close_token(struct share_mode_lo
DEBUG(10,("get_delete_on_close_token: dtl->name_hash = 0x%x\n",
(unsigned int)dtl->name_hash ));
if (dtl->name_hash == name_hash) {
- return dtl->delete_token;
+ if (pp_nt_tok) {
+ *pp_nt_tok = dtl->delete_nt_token;
+ }
+ if (pp_tok) {
+ *pp_tok = dtl->delete_token;
+ }
+ return true;
}
}
- return NULL;
+ return false;
}
bool is_delete_on_close_set(struct share_mode_lock *lck, uint32_t name_hash)
{
- return (get_delete_on_close_token(lck, name_hash) != NULL);
+ return get_delete_on_close_token(lck, name_hash, NULL, NULL);
}
bool set_sticky_write_time(struct file_id fileid, struct timespec write_time)
diff --git a/source3/locking/proto.h b/source3/locking/proto.h
index b7c8990..7745da5 100644
--- a/source3/locking/proto.h
+++ b/source3/locking/proto.h
@@ -173,12 +173,18 @@ void del_deferred_open_entry(struct share_mode_lock *lck, uint64_t mid,
bool remove_share_oplock(struct share_mode_lock *lck, files_struct *fsp);
bool downgrade_share_oplock(struct share_mode_lock *lck, files_struct *fsp);
NTSTATUS can_set_delete_on_close(files_struct *fsp, uint32 dosmode);
-const struct security_unix_token *get_delete_on_close_token(struct share_mode_lock *lck, uint32_t name_hash);
+bool get_delete_on_close_token(struct share_mode_lock *lck,
+ uint32_t name_hash,
+ const struct security_token **pp_nt_tok,
+ const struct security_unix_token **pp_tok);
void set_delete_on_close_lck(files_struct *fsp,
struct share_mode_lock *lck,
bool delete_on_close,
+ const struct security_token *nt_tok,
+ const struct security_unix_token *tok);
+bool set_delete_on_close(files_struct *fsp, bool delete_on_close,
+ const struct security_token *nt_tok,
const struct security_unix_token *tok);
-bool set_delete_on_close(files_struct *fsp, bool delete_on_close, const struct security_unix_token *tok);
bool is_delete_on_close_set(struct share_mode_lock *lck, uint32_t name_hash);
bool set_sticky_write_time(struct file_id fileid, struct timespec write_time);
bool set_write_time(struct file_id fileid, struct timespec write_time);
diff --git a/source3/smbd/close.c b/source3/smbd/close.c
index a431a5d..36cec1a 100644
--- a/source3/smbd/close.c
+++ b/source3/smbd/close.c
@@ -280,6 +280,8 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp,
NTSTATUS tmp_status;
struct file_id id;
const struct security_unix_token *del_token = NULL;
+ const struct security_token *del_nt_token = NULL;
+ bool got_tokens = false;
/* Ensure any pending write time updates are done. */
if (fsp->update_write_time_event) {
@@ -345,7 +347,9 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp,
became_user = True;
}
fsp->delete_on_close = true;
- set_delete_on_close_lck(fsp, lck, True, get_current_utok(conn));
+ set_delete_on_close_lck(fsp, lck, True,
+ get_current_nttok(conn),
+ get_current_utok(conn));
if (became_user) {
unbecome_user();
}
@@ -398,8 +402,9 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp,
*/
fsp->update_write_time_on_close = false;
- del_token = get_delete_on_close_token(lck, fsp->name_hash);
- SMB_ASSERT(del_token != NULL);
+ got_tokens = get_delete_on_close_token(lck, fsp->name_hash,
+ &del_nt_token, &del_token);
+ SMB_ASSERT(got_tokens);
if (!unix_token_equal(del_token, get_current_utok(conn))) {
/* Become the user who requested the delete. */
@@ -418,7 +423,7 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp,
del_token->gid,
del_token->ngroups,
del_token->groups,
- NULL);
+ del_nt_token);
changed_user = true;
}
@@ -491,7 +496,7 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp,
*/
fsp->delete_on_close = false;
- set_delete_on_close_lck(fsp, lck, false, NULL);
+ set_delete_on_close_lck(fsp, lck, false, NULL, NULL);
done:
@@ -817,7 +822,7 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, files_struct *fsp)
return NT_STATUS_OK;
}
- if(((errno == ENOTEMPTY)||(errno == EEXIST)) && lp_veto_files(SNUM(conn))) {
+ if(((errno == ENOTEMPTY)||(errno == EEXIST)) && *lp_veto_files(SNUM(conn))) {
/*
* Check to see if the only thing in this directory are
* vetoed files/directories. If so then delete them and
@@ -962,6 +967,7 @@ static NTSTATUS close_directory(struct smb_request *req, files_struct *fsp,
bool delete_dir = False;
NTSTATUS status = NT_STATUS_OK;
NTSTATUS status1 = NT_STATUS_OK;
+ const struct security_token *del_nt_token = NULL;
const struct security_unix_token *del_token = NULL;
/*
@@ -998,6 +1004,7 @@ static NTSTATUS close_directory(struct smb_request *req, files_struct *fsp,
send_stat_cache_delete_message(fsp->conn->sconn->msg_ctx,
fsp->fsp_name->base_name);
--
Samba Shared Repository
More information about the samba-cvs
mailing list