[SCM] Samba Shared Repository - branch v4-15-test updated

Jule Anger janger at samba.org
Mon Aug 9 12:06:02 UTC 2021 

The branch, v4-15-test has been updated
       via  4467a0ba7f0 smbd: only open full fd for directories if needed
       via  4f3b6f6b311 smbd: drop requirement for full open for READ_CONTROL_ACCESS, WRITE_DAC_ACCESS and WRITE_OWNER_ACCESS
       via  9b8e795df6f s3: smbd: Don't leak meta-data about the containing directory of the share root.
       via  3acccfc764d s3: smbd: Allow async dosmode to cope with ".." pathnames where we close smb_fname->fsp to prevent meta-data leakage.
       via  fccedb4d94a configure: Do not put arguments into double quotes
      from  c933b88dbe1 samba-bgqd: Fix samba-bgqd with "clustering=yes"/"include=registry"

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -----------------------------------------------------------------
commit 4467a0ba7f0764831827645ae4cca22360d7cb70
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Jun 29 12:47:34 2021 +0200

    smbd: only open full fd for directories if needed
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14700
    RN: File owner not available when file unreadable
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Mon Aug  2 18:05:04 UTC 2021 on sn-devel-184
    
    (cherry picked from commit 6d928eb1e8ea44f0d0aea4ec9b1b7c385a281193)
    
    Autobuild-User(v4-15-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-15-test): Mon Aug  9 12:05:34 UTC 2021 on sn-devel-184

commit 4f3b6f6b311942e1cf42ed263188384d643f25e6
Author: Ralph Boehme <slow at samba.org>
Date:   Sat May 8 21:45:25 2021 +0200

    smbd: drop requirement for full open for READ_CONTROL_ACCESS, WRITE_DAC_ACCESS and WRITE_OWNER_ACCESS
    
    This was needed before we had pathref fsps, with pathref fsps we can do
    operation requiring WRITE_OWNER_ACCESS, WRITE_DAC_ACCESS and READ_CONTROL_ACCESS
    on the pathref fsp.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14700
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit e71e373a07e467ff2d2328f39bd2bc285e2ba840)

commit 9b8e795df6f61fdf530d3fe85faea8ae2e3c00e9
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jul 14 19:11:05 2021 -0700

    s3: smbd: Don't leak meta-data about the containing directory of the share root.
    
    This is a subtle one. In smbd_dirptr_get_entry() we now
    open a pathref fsp on all entries - including "..".
    
    If we're at the root of the share we don't want
    a handle to the directory above it, so silently
    close the smb_fname->fsp for ".." names to prevent
    it from being used to return meta-data to the client
    (more than we already have done historically by
    calling pathname functions on "..").
    
    The marshalling returned entries and async DOS
    code copes with smb_fname->fsp == NULL perfectly
    well.
    
    Only in master, but will need fixing for 4.15.rc1
    or 2.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Wed Jul 28 15:07:54 UTC 2021 on sn-devel-184
    
    (cherry picked from commit 2acad27686074029ac83c66b42bb37eea380f449)

commit 3acccfc764df88bd1400bc8da72b2733ca06cdff
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jul 14 21:30:09 2021 -0700

    s3: smbd: Allow async dosmode to cope with ".." pathnames where we close smb_fname->fsp to prevent meta-data leakage.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit b004ebb1c62742346b84ecb9d52c783173528fac)

commit fccedb4d94abac9909c2ed00b07af6a207b09590
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 2 17:43:01 2021 +0200

    configure: Do not put arguments into double quotes
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14777
    
    This could create an issue that arguments don't get split by python and then the
    following could happen:
    
        ./configure --libdir=/usr/lib64 --enable-clangdb
    
        LIBDIR='/usr/lib64 --enable-clangdb'
    
    This ends then up in parameters.all.xml:
    
        <!ENTITY pathconfig.LIBDIR   '/usr/lib64 --enable-clangdb'>
    
    The python parser then errors out:
    
        xml.etree.ElementTree.ParseError: not well-formed (invalid token)
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Tue Aug  3 18:36:37 UTC 2021 on sn-devel-184
    
    (cherry picked from commit e2962b4262fc4a7197a3fcbd010fcfaca781baea)

-----------------------------------------------------------------------

Summary of changes:
 configure              |  2 +-
 source3/smbd/dir.c     | 25 +++++++++++++++++++++++++
 source3/smbd/dosmode.c | 23 ++++++++++++++---------
 source3/smbd/open.c    | 31 +++++++++++++++++++++----------
 4 files changed, 61 insertions(+), 20 deletions(-)


Changeset truncated at 500 lines:

diff --git a/configure b/configure
index a6ca50feb47..2b0ffb0dae1 100755
--- a/configure
+++ b/configure
@@ -13,5 +13,5 @@ export JOBS
 unset LD_PRELOAD
 
 cd . || exit 1
-$PYTHON $WAF configure "$@" || exit 1
+$PYTHON $WAF configure $@ || exit 1
 cd $PREVPATH
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index 127e4b0d08d..4c807c3f85c 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -946,6 +946,31 @@ bool smbd_dirptr_get_entry(TALLOC_CTX *ctx,
 			continue;
 		}
 
+		/*
+		 * Don't leak metadata about the containing
+		 * directory of the share.
+		 */
+		if (dirptr_path_is_dot && ISDOTDOT(dname)) {
+			/*
+			 * Making a copy here, then freeing
+			 * the original will close the smb_fname->fsp.
+			 */
+			struct smb_filename *tmp_smb_fname =
+				cp_smb_filename(ctx, smb_fname);
+
+			if (tmp_smb_fname == NULL) {
+				TALLOC_FREE(atname);
+				TALLOC_FREE(smb_fname);
+				TALLOC_FREE(dname);
+				TALLOC_FREE(fname);
+				return false;
+			}
+			TALLOC_FREE(smb_fname);
+			smb_fname = tmp_smb_fname;
+			mode = FILE_ATTRIBUTE_DIRECTORY;
+			get_dosmode = false;
+		}
+
 		ok = mode_fn(ctx,
 			     private_data,
 			     dirptr->dir_hnd->fsp,
diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c
index 43c46867122..99cb8607944 100644
--- a/source3/smbd/dosmode.c
+++ b/source3/smbd/dosmode.c
@@ -814,15 +814,20 @@ struct tevent_req *dos_mode_at_send(TALLOC_CTX *mem_ctx,
 	}
 
 	if (smb_fname->fsp == NULL) {
-		/*
-		 * The pathological case where a caller does
-		 * dos_mode_at_send() and smb_fname points at a
-		 * symlink in POSIX context. smb_fname->fsp is NULL.
-		 *
-		 * FIXME ? Should we move to returning
-		 * FILE_ATTRIBUTE_REPARSE_POINT here ?
-		 */
-		state->dosmode = FILE_ATTRIBUTE_NORMAL;
+		if (ISDOTDOT(smb_fname->base_name)) {
+			/*
+			 * smb_fname->fsp is explicitly closed
+			 * for ".." to prevent meta-data leakage.
+			 */
+			state->dosmode = FILE_ATTRIBUTE_DIRECTORY;
+		} else {
+			/*
+			 * This is a symlink in POSIX context.
+			 * FIXME ? Should we move to returning
+			 * FILE_ATTRIBUTE_REPARSE_POINT here ?
+			 */
+			state->dosmode = FILE_ATTRIBUTE_NORMAL;
+		}
 		tevent_req_done(req);
 		return tevent_req_post(req, ev);
 	}
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index c29662b4fd2..968dd8ecb00 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1279,10 +1279,7 @@ static NTSTATUS open_file(files_struct *fsp,
 		FILE_WRITE_DATA |
 		FILE_APPEND_DATA |
 		FILE_EXECUTE |
-		WRITE_DAC_ACCESS |
-		WRITE_OWNER_ACCESS |
-		SEC_FLAG_SYSTEM_SECURITY |
-		READ_CONTROL_ACCESS;
+		SEC_FLAG_SYSTEM_SECURITY;
 	bool creating = !file_existed && (flags & O_CREAT);
 	bool truncating = (flags & O_TRUNC);
 	bool open_fd = false;
@@ -4407,6 +4404,7 @@ static NTSTATUS open_directory(connection_struct *conn,
 	struct timespec mtimespec;
 	int info = 0;
 	bool ok;
+	uint32_t need_fd_access;
 
 	if (is_ntfs_stream_smb_fname(smb_dname)) {
 		DEBUG(2, ("open_directory: %s is a stream name!\n",
@@ -4599,12 +4597,25 @@ static NTSTATUS open_directory(connection_struct *conn,
 	*/
 	mtimespec = make_omit_timespec();
 
-	status = reopen_from_fsp(fsp, O_RDONLY|O_DIRECTORY, 0, NULL);
-	if (!NT_STATUS_IS_OK(status)) {
-		DBG_INFO("Could not open fd for%s (%s)\n",
-			 smb_fname_str_dbg(smb_dname),
-			 nt_errstr(status));
-		return status;
+	/*
+	 * Obviously for FILE_LIST_DIRECTORY we need to reopen to get an fd
+	 * usable for reading a directory. SMB2_FLUSH may be called on
+	 * directories opened with FILE_ADD_FILE and FILE_ADD_SUBDIRECTORY so
+	 * for those we need to reopen as well.
+	 */
+	need_fd_access =
+		FILE_LIST_DIRECTORY |
+		FILE_ADD_FILE |
+		FILE_ADD_SUBDIRECTORY;
+
+	if (access_mask & need_fd_access) {
+		status = reopen_from_fsp(fsp, O_RDONLY | O_DIRECTORY, 0, NULL);
+		if (!NT_STATUS_IS_OK(status)) {
+			DBG_INFO("Could not open fd for [%s]: %s\n",
+				 smb_fname_str_dbg(smb_dname),
+				 nt_errstr(status));
+			return status;
+		}
 	}
 
 	status = vfs_stat_fsp(fsp);


-- 
Samba Shared Repository

More information about the samba-cvs mailing list