[SCM] Samba Shared Repository - branch v3-6-test updated

Karolin Seeger kseeger at samba.org
Fri Aug 30 02:16:07 MDT 2013


The branch, v3-6-test has been updated
       via  0150086 smbd: Simplify dropbox special case in unix_convert
       via  b55072c smbd: Fix a profile problem
      from  87adc21 s3-winbindd: fix fallback to ncacn_np in cm_connect_lsat().

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit 0150086d44e90351634a68aced1e44ad076a693c
Author: Volker Lendecke <Volker.Lendecke at SerNet.DE>
Date:   Wed Aug 28 15:42:22 2013 -0700

    smbd: Simplify dropbox special case in unix_convert
    
    EACCESS needs special treatment: If we want to create a fresh file,
    return OBJECT_PATH_NOT_FOUND, so that the client will continue creating
    the file. If the client wants us to open a potentially existing file,
    we need to correctly return ACCESS_DENIED.
    
    This patch makes this behaviour hopefully a bit clearer than the code
    before did.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    The last 2 patches address bug #10114 - Dropbox (write-only-directory) case
    isn't handled correctly in pathname lookup.

commit b55072ccf8d801726aec49a925f5a69277a10494
Author: Volker Lendecke <Volker.Lendecke at SerNet.DE>
Date:   Wed Aug 28 15:39:41 2013 -0700

    smbd: Fix a profile problem
    
    When trying to read a profile, under certain circumstances Windows tries
    to read with its machine account first. The profile previously written
    was stored with an ACL that only allows access for the user and not
    the machine. Windows should get an NT_STATUS_ACCESS_DENIED when using
    the machine account, making it retry with the user account (which would
    then succeed).
    
    Samba under these circumstances erroneously gives
    NT_STATUS_OBJECT_PATH_NOT_FOUND, which makes Windows give up and not
    retry. The reason is the "dropbox" patch in unix_convert, turning EACCESS
    on the last path component to OBJECT_PATH_NOT_FOUND. This patch makes
    the dropbox behaviour only kick in when we are creating a file. I think
    this is an abstraction violation. unix_convert() should not have to know
    about the create_disposition, but given that we have pathname resolution
    separated from the core open code right now this is the best we can do.
    
    Signed-off-by: Volker Lendecke <Volker.Lendecke at SerNet.DE>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/include/smb.h      |    1 +
 source3/smbd/filename.c    |   27 ++++++++++++++++++++----
 source3/smbd/nttrans.c     |    6 +++-
 source3/smbd/reply.c       |   48 ++++++++++++++++++++++---------------------
 source3/smbd/smb2_create.c |    3 +-
 5 files changed, 54 insertions(+), 31 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/smb.h b/source3/include/smb.h
index 873657a..2d04373 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -1716,6 +1716,7 @@ struct smb_file_time {
 #define UCF_COND_ALLOW_WCARD_LCOMP	0x00000004
 #define UCF_POSIX_PATHNAMES		0x00000008
 #define UCF_UNIX_NAME_LOOKUP		0x00000010
+#define UCF_CREATING_FILE		0x00000020
 
 /*
  * smb_filename
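Review bot: `UCF_CREATING_FILE` is added without a comment, yet it changes which NTSTATUS unix_convert returns for EACCES on the last path component. A one-line comment above the define, for example `/* Caller will create the last component: EACCES on it maps to OBJECT_PATH_NOT_FOUND, not ACCESS_DENIED */`, would tell callers when to set it.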
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index 207b56c..8ef0c0a 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -713,12 +713,29 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx,
 
 				/*
 				 * ENOENT/EACCESS are the only valid errors
-				 * here. EACCESS needs handling here for
-				 * "dropboxes", i.e. directories where users
-				 * can only put stuff with permission -wx.
+				 * here.
 				 */
-				if ((errno != 0) && (errno != ENOENT)
-				    && (errno != EACCES)) {
+				if (errno == EACCES) {
+					if (ucf_flags & UCF_CREATING_FILE) {
+						/*
+						 * This is the dropbox
+						 * behaviour. A dropbox is a
+						 * directory with only -wx
+						 * permissions, so
+						 * get_real_filename fails
+						 * with EACCESS, it needs to
+						 * list the directory. We
+						 * nevertheless want to allow
+						 * users creating a file.
+						 */
+						status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
+					} else {
+						status = NT_STATUS_ACCESS_DENIED;
+					}
+					goto fail;
+				}
+
+				if ((errno != 0) && (errno != ENOENT)) {
 					/*
 					 * ENOTDIR and ELOOP both map to
 					 * NT_STATUS_OBJECT_PATH_NOT_FOUND
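Review bot: Both arms of the new `if (errno == EACCES)` block end in `goto fail`, so a create into a -wx directory now aborts the lookup, whereas the removed condition excluded EACCES and let the walk continue. The comment in the creating arm says the create should still be allowed, which holds only if every caller treats NT_STATUS_OBJECT_PATH_NOT_FOUND from this point as non-fatal; that is not visible in this hunk. If the old fall-through is intended, the creating arm would be `errno = 0;` with `goto fail;` moved into the `else` arm. Since ACCESS_DENIED versus OBJECT_PATH_NOT_FOUND is exactly what a client without list permission observes, a test covering both flag states in a write-only directory would pin the behaviour. unix_convert starts and ends outside the hunk.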
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index a884b2f..4c145e0 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -536,7 +536,8 @@ void reply_ntcreate_and_X(struct smb_request *req)
 				conn,
 				req->flags2 & FLAGS2_DFS_PATHNAMES,
 				fname,
-				0,
+				(create_disposition == FILE_CREATE)
+					? UCF_CREATING_FILE : 0,
 				NULL,
 				&smb_fname);
 
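Review bot: Only `FILE_CREATE` sets `UCF_CREATING_FILE` here, but FILE_OPEN_IF, FILE_OVERWRITE_IF and FILE_SUPERSEDE can also create the last component, and with this test they get NT_STATUS_ACCESS_DENIED from unix_convert in a write-only directory. If that restriction is deliberate (the file may already exist and must not be reported as not found), it deserves a comment; otherwise the test should cover the other creating dispositions. The same ternary is repeated in call_nt_transact_create, reply_open, reply_open_and_X and smbd_smb2_create_send, so a small helper, for example `ucf_flags_from_disposition(create_disposition)` (name constructed for this note), would keep the five sites in agreement. reply_ntcreate_and_X continues outside the hunk.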
@@ -1165,7 +1166,8 @@ static void call_nt_transact_create(connection_struct *conn,
 				conn,
 				req->flags2 & FLAGS2_DFS_PATHNAMES,
 				fname,
-				0,
+				(create_disposition == FILE_CREATE)
+					? UCF_CREATING_FILE : 0,
 				NULL,
 				&smb_fname);
 
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index ca3a08f..0585a6e 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -1748,11 +1748,20 @@ void reply_open(struct smb_request *req)
 		goto out;
 	}
 
+	if (!map_open_params_to_ntcreate(fname, deny_mode,
+					OPENX_FILE_EXISTS_OPEN, &access_mask,
+					&share_mode, &create_disposition,
+					&create_options, &private_flags)) {
+		reply_force_doserror(req, ERRDOS, ERRbadaccess);
+		goto out;
+	}
+
 	status = filename_convert(ctx,
 				conn,
 				req->flags2 & FLAGS2_DFS_PATHNAMES,
 				fname,
-				0,
+				(create_disposition == FILE_CREATE)
+					? UCF_CREATING_FILE : 0,
 				NULL,
 				&smb_fname);
 	if (!NT_STATUS_IS_OK(status)) {
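Review bot: Moving map_open_params_to_ntcreate() ahead of filename_convert() changes two things beyond making create_disposition available: the first argument is now the raw client `fname` rather than `smb_fname->base_name`, and an invalid deny_mode is now answered with ERRbadaccess before any path error is reported. If the helper uses the name only for logging this is harmless, but that is not visible here, so a comment such as `/* fname is unconverted here; map_open_params_to_ntcreate must not use it for lookups */` would record the assumption. The same reordering is made in reply_open_and_X further down. reply_open starts and ends outside the hunk.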
@@ -1766,14 +1775,6 @@ void reply_open(struct smb_request *req)
 		goto out;
 	}
 
-	if (!map_open_params_to_ntcreate(smb_fname->base_name, deny_mode,
-					 OPENX_FILE_EXISTS_OPEN, &access_mask,
-					 &share_mode, &create_disposition,
-					 &create_options, &private_flags)) {
-		reply_force_doserror(req, ERRDOS, ERRbadaccess);
-		goto out;
-	}
-
 	status = SMB_VFS_CREATE_FILE(
 		conn,					/* conn */
 		req,					/* req */
@@ -1923,11 +1924,22 @@ void reply_open_and_X(struct smb_request *req)
 		goto out;
 	}
 
+	if (!map_open_params_to_ntcreate(fname, deny_mode,
+					smb_ofun,
+					&access_mask, &share_mode,
+					&create_disposition,
+					&create_options,
+					&private_flags)) {
+		reply_force_doserror(req, ERRDOS, ERRbadaccess);
+		goto out;
+	}
+
 	status = filename_convert(ctx,
 				conn,
 				req->flags2 & FLAGS2_DFS_PATHNAMES,
 				fname,
-				0,
+				(create_disposition == FILE_CREATE)
+					? UCF_CREATING_FILE : 0,
 				NULL,
 				&smb_fname);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -1941,16 +1953,6 @@ void reply_open_and_X(struct smb_request *req)
 		goto out;
 	}
 
-	if (!map_open_params_to_ntcreate(smb_fname->base_name, deny_mode,
-					 smb_ofun,
-					 &access_mask, &share_mode,
-					 &create_disposition,
-					 &create_options,
-					 &private_flags)) {
-		reply_force_doserror(req, ERRDOS, ERRbadaccess);
-		goto out;
-	}
-
 	status = SMB_VFS_CREATE_FILE(
 		conn,					/* conn */
 		req,					/* req */
@@ -2145,7 +2147,7 @@ void reply_mknew(struct smb_request *req)
 				conn,
 				req->flags2 & FLAGS2_DFS_PATHNAMES,
 				fname,
-				0,
+				UCF_CREATING_FILE,
 				NULL,
 				&smb_fname);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -2286,7 +2288,7 @@ void reply_ctemp(struct smb_request *req)
 		status = filename_convert(ctx, conn,
 				req->flags2 & FLAGS2_DFS_PATHNAMES,
 				fname,
-				0,
+				UCF_CREATING_FILE,
 				NULL,
 				&smb_fname);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -5539,7 +5541,7 @@ void reply_mkdir(struct smb_request *req)
 	status = filename_convert(ctx, conn,
 				 req->flags2 & FLAGS2_DFS_PATHNAMES,
 				 directory,
-				 0,
+				 UCF_CREATING_FILE,
 				 NULL,
 				 &smb_dname);
 	if (!NT_STATUS_IS_OK(status)) {
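Review bot: reply_mkdir passes `UCF_CREATING_FILE` although it creates a directory, which reads oddly next to the flag's name and the dropbox comment in unix_convert that speaks of creating a file. A short comment at this call, `/* creating the last component (a directory); enables the dropbox mapping in unix_convert */`, or a more neutral flag name would make the intent clear. The function continues outside the hunk.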
diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c
index 5b81099..0862990 100644
--- a/source3/smbd/smb2_create.c
+++ b/source3/smbd/smb2_create.c
@@ -694,7 +694,8 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx,
 					  smb1req->conn,
 					  smb1req->flags2 & FLAGS2_DFS_PATHNAMES,
 					  fname,
-					  0,
+					  (in_create_disposition == FILE_CREATE) ?
+						UCF_CREATING_FILE : 0,
 					  NULL,
 					  &smb_fname);
 		if (!NT_STATUS_IS_OK(status)) {


-- 
Samba Shared Repository

