[SCM] Samba Shared Repository - branch v4-19-test updated

Jule Anger janger at samba.org
Mon Jan 29 12:00:02 UTC 2024


The branch, v4-19-test has been updated
       via  84020efb1fe smbd: use dirfsp and atname in open_directory()
       via  4477e23de60 smbd: use safe_symlink_target_path() in symlink_target_below_conn()
       via  cd4df6ae432 smbd: add a directory argument to safe_symlink_target_path()
       via  90ae1e8f625 smbd: pass symlink target path to safe_symlink_target_path()
       via  4c4f086dfdb CI: disable /proc/fds and RESOLVE_NO_SYMLINK in samba-no-opath-build runner
       via  1dff1340c12 vfs_default: allow disabling /proc/fds and RESOLVE_NO_SYMLINK at compile time
       via  445637d0f4c gp: Skip site GP list if no site is found
      from  283ff41ee92 s3:passdb: smbpasswd reset permissions only if not 0600

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test


- Log -----------------------------------------------------------------
commit 84020efb1fed7561259504a3bb36989c58d9996e
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Dec 18 12:35:58 2023 +0100

    smbd: use dirfsp and atname in open_directory()
    
    On systems without /proc/fd support this avoid the expensive chdir()
    logic in non_widelink_open(). open_file_ntcreate() already passes
    dirfsp and atname to reopen_from_fsp(), it was just missed in the
    conversion.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549
    
    Reviewed-by: Volker Lendecke <vl at samba.org>
    Signed-off-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Mon Jan 22 12:00:56 UTC 2024 on atb-devel-224
    
    (cherry picked from commit 2713023250f15cf9971d88620cab9dd4afd0dc73)
    
    Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-19-test): Mon Jan 29 11:59:41 UTC 2024 on atb-devel-224

commit 4477e23de60d055fde4a89ebb35691a2f35854fb
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Jan 2 14:34:26 2024 +0100

    smbd: use safe_symlink_target_path() in symlink_target_below_conn()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    (cherry picked from commit 1965fc77b3852a0593e13897af08f5304a1ce3a2)

commit cd4df6ae43286138072b1fdd11b3eec4c47d13fc
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Jan 2 13:25:25 2024 +0100

    smbd: add a directory argument to safe_symlink_target_path()
    
    Existing caller passes NULL, no change in behaviour. Prepares for
    replacing symlink_target_below_conn() in open.c.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    (cherry picked from commit fc80c72d658a41fe4d93b24b793b52c91b350175)

commit 90ae1e8f62512ea4da6457d2811310046d178ee9
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Jan 2 12:49:14 2024 +0100

    smbd: pass symlink target path to safe_symlink_target_path()
    
    Moves processing the symlink error response to the caller
    filename_convert_dirfsp(). Prepares for using this in
    non_widelink_open(), where it will replace symlink_target_below_conn()
    with the same functionality.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    (back-ported from commit 0515dded4ddb49e5570ae7df51126af1a2d643de)

commit 4c4f086dfdbc68880e3d76e2a8aa6d818f925444
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Dec 19 11:12:49 2023 +0100

    CI: disable /proc/fds and RESOLVE_NO_SYMLINK in samba-no-opath-build runner
    
    This is a more sensible combination of missing Linux specific features:
    
    - O_PATH
    - openat2() with RESOLVE_NO_SYMLINKS
    - somehow safely reopen an O_PATH file handle
    
    Currently only O_PATH is disabled for these jobs, but that doesn't really match
    and know OS.
    
    The following list shows which features are available and used by Samba on a few
    OSes:
    
            | O_PATH         | RESOLVE_NO_SYMLINKS | Safe reopen    | CI covered
    --------|----------------|---------------------|----------------------------
            | Supported Used | Supported Used      | Supported Used |
    ============================================================================
    Linux   | +         +    | +         +         | +         +    | +
    FreeBSD | +         +    | + [1]     -         | + [2]     -    | -
    AIX     | -         -    | -         -         | -         -    | +
    
    So by also disabling RESOLVE_NO_SYMLINKS and Safe Reopen, we cover classic UNIX
    systems like AIX.
    
    [1] via open() flag O_RESOLVE_BENEATH
    [2] via open() flag O_EMPTY_PATH
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    (cherry picked from commit 62cbe145c7e500c4759ed2005c78bd5056c87f43)

commit 1dff1340c12289bf3aa72cfd94f974320f92fbc2
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Dec 19 11:11:55 2023 +0100

    vfs_default: allow disabling /proc/fds and RESOLVE_NO_SYMLINK at compile time
    
    This will be used in CI to have a gitlab runner without all modern Linux
    features we make use of as part of path processing:
    
    - O_PATH
    - openat2() with RESOLVE_NO_SYMLINKS
    - somehow safely reopen an O_PATH file handle
    
    That gives what a classix UNIX like AIX or Solaris offers feature wise.
    
    Other OSes support other combinations of those features, but we leave the
    exersize of possibly adding more runners supporting those combinations to the
    reader.
    
    The following list shows which features are available and used by Samba on a few
    OSes:
    
            | O_PATH         | RESOLVE_NO_SYMLINKS | Safe reopen    | CI covered
    --------|----------------|---------------------|----------------------------
            | Supported Used | Supported Used      | Supported Used |
    ============================================================================
    Linux   | +         +    | +         +         | +         +    | +
    FreeBSD | +         +    | + [1]     -         | + [2]     -    | -
    AIX     | -         -    | -         -         | -         -    | +
    
    [1] via open() flag O_RESOLVE_BENEATH
    [2] via open() flag O_EMPTY_PATH
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    (cherry picked from commit 5c2f96442a25a1725809a28b3719afbc0bd01830)

commit 445637d0f4c9aeff4f62075ea19cc2bfa5ae4fb6
Author: David Mulder <dmulder at samba.org>
Date:   Fri Jan 5 08:47:07 2024 -0700

    gp: Skip site GP list if no site is found
    
    [MS-GPOL] 3.2.5.1.4 Site Search says if the site
    search returns ERROR_NO_SITENAME, the GP site
    search should be skipped.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15548
    
    Signed-off-by: David Mulder <dmulder at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Tue Jan 23 11:20:35 UTC 2024 on atb-devel-224
    
    (cherry picked from commit f05b61b4991e7f51bd184d76a79f8b50114a0ff3)

-----------------------------------------------------------------------

Summary of changes:
 python/samba/gp/gpclass.py    | 30 +++++++++------
 script/autobuild.py           |  2 +-
 selftest/skip.opath-required  |  4 ++
 source3/include/proto.h       |  6 +++
 source3/modules/vfs_default.c |  6 +++
 source3/smbd/filename.c       | 85 +++++++++++++++++++++++--------------------
 source3/smbd/open.c           | 77 ++++++++-------------------------------
 7 files changed, 97 insertions(+), 113 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py
index 617ef79350c..babd8f90748 100644
--- a/python/samba/gp/gpclass.py
+++ b/python/samba/gp/gpclass.py
@@ -866,19 +866,25 @@ def get_gpo_list(dc_hostname, creds, lp, username):
 
     # (S)ite
     if gpo_list_machine:
-        site_dn = site_dn_for_machine(samdb, dc_hostname, lp, creds, username)
-
         try:
-            log.debug("get_gpo_list: query SITE: [%s] for GPOs" % site_dn)
-            gp_link = get_gpo_link(samdb, site_dn)
-        except ldb.LdbError as e:
-            (enum, estr) = e.args
-            log.debug(estr)
-        else:
-            add_gplink_to_gpo_list(samdb, gpo_list, forced_gpo_list,
-                                   site_dn, gp_link,
-                                   gpo.GP_LINK_SITE,
-                                   add_only_forced_gpos, token)
+            site_dn = site_dn_for_machine(samdb, dc_hostname, lp, creds, username)
+
+            try:
+                log.debug("get_gpo_list: query SITE: [%s] for GPOs" % site_dn)
+                gp_link = get_gpo_link(samdb, site_dn)
+            except ldb.LdbError as e:
+                (enum, estr) = e.args
+                log.debug(estr)
+            else:
+                add_gplink_to_gpo_list(samdb, gpo_list, forced_gpo_list,
+                                       site_dn, gp_link,
+                                       gpo.GP_LINK_SITE,
+                                       add_only_forced_gpos, token)
+        except ldb.LdbError:
+            # [MS-GPOL] 3.2.5.1.4 Site Search: If the method returns
+            # ERROR_NO_SITENAME, the remainder of this message MUST be skipped
+            # and the protocol sequence MUST continue at GPO Search
+            pass
 
     # (L)ocal
     gpo_list.insert(0, gpo.GROUP_POLICY_OBJECT("Local Policy",
diff --git a/script/autobuild.py b/script/autobuild.py
index e074c39d3c0..85043032d73 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -296,7 +296,7 @@ tasks = {
     "samba-no-opath-build": {
         "git-clone-required": True,
         "sequence": [
-            ("configure", "ADDITIONAL_CFLAGS='-DDISABLE_OPATH=1' ./configure.developer --without-ad-dc " + samba_configure_params),
+            ("configure", "ADDITIONAL_CFLAGS='-DDISABLE_OPATH=1 -DDISABLE_VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS=1 -DDISABLE_PROC_FDS=1' ./configure.developer --without-ad-dc " + samba_configure_params),
             ("make", "make -j"),
             ("check-clean-tree", CLEAN_SOURCE_TREE_CMD),
             ("chmod-R-a-w", "chmod -R a-w ."),
diff --git a/selftest/skip.opath-required b/selftest/skip.opath-required
index c3a13f5ec6e..9c6ba481cdf 100644
--- a/selftest/skip.opath-required
+++ b/selftest/skip.opath-required
@@ -14,3 +14,7 @@
 # available this works fine. So for now restrict testing posix
 # extensions to environments where we have O_PATH around
 ^samba.tests.smb1posix
+
+# These don't work without /proc/fd support
+^samba3.blackbox.shadow_copy_torture.*\(fileserver\)
+^samba3.blackbox.virus_scanner.*\(fileserver:local\)
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 8eed81d8f2e..15c5839caf8 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -719,6 +719,12 @@ struct smb_filename *synthetic_smb_fname(TALLOC_CTX *mem_ctx,
 					 const SMB_STRUCT_STAT *psbuf,
 					 NTTIME twrp,
 					 uint32_t flags);
+NTSTATUS safe_symlink_target_path(TALLOC_CTX *mem_ctx,
+				  const char *connectpath,
+				  const char *dir,
+				  const char *target,
+				  size_t unparsed,
+				  char **_relative);
 NTSTATUS filename_convert_dirfsp(
 	TALLOC_CTX *ctx,
 	connection_struct *conn,
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 1d4b9b1a840..8d78831492f 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -52,6 +52,9 @@ static int vfswrap_connect(vfs_handle_struct *handle, const char *service, const
 	bool bval;
 
 	handle->conn->have_proc_fds = sys_have_proc_fds();
+#ifdef DISABLE_PROC_FDS
+	handle->conn->have_proc_fds = false;
+#endif
 
 	/*
 	 * assume the kernel will support openat2(),
@@ -70,6 +73,9 @@ static int vfswrap_connect(vfs_handle_struct *handle, const char *service, const
 		handle->conn->open_how_resolve |=
 			VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS;
 	}
+#ifdef DISABLE_VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS
+	handle->conn->open_how_resolve &= ~VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS;
+#endif
 
 	return 0;    /* Return >= 0 for success */
 }
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index 8693dcf1153..55a49e0ba93 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -942,44 +942,46 @@ static char *symlink_target_path(
 	return ret;
 }
 
-static NTSTATUS safe_symlink_target_path(
-	TALLOC_CTX *mem_ctx,
-	const char *connectpath,
-	const char *name_in,
-	const char *substitute,
-	size_t unparsed,
-	char **_name_out)
+NTSTATUS safe_symlink_target_path(TALLOC_CTX *mem_ctx,
+				  const char *connectpath,
+				  const char *dir,
+				  const char *target,
+				  size_t unparsed,
+				  char **_relative)
 {
-	char *target = NULL;
 	char *abs_target = NULL;
 	char *abs_target_canon = NULL;
 	const char *relative = NULL;
-	char *name_out = NULL;
-	NTSTATUS status = NT_STATUS_NO_MEMORY;
 	bool in_share;
+	NTSTATUS status = NT_STATUS_NO_MEMORY;
 
-	target = symlink_target_path(mem_ctx, name_in, substitute, unparsed);
-	if (target == NULL) {
-		goto fail;
-	}
-
-	DBG_DEBUG("name_in: %s, substitute: %s, unparsed: %zu, target=%s\n",
-		  name_in,
-		  substitute,
-		  unparsed,
-		  target);
+	DBG_DEBUG("connectpath [%s] target [%s] unparsed [%zu]\n",
+		  connectpath, target, unparsed);
 
 	if (target[0] == '/') {
-		abs_target = target;
+		abs_target = talloc_strdup(mem_ctx, target);
+	} else if (dir == NULL) {
+		abs_target = talloc_asprintf(mem_ctx,
+					     "%s/%s",
+					     connectpath,
+					     target);
+	} else if (dir[0] == '/') {
+		abs_target = talloc_asprintf(mem_ctx,
+					     "%s/%s",
+					     dir,
+					     target);
 	} else {
-		abs_target = talloc_asprintf(
-			target, "%s/%s", connectpath, target);
-		if (abs_target == NULL) {
-			goto fail;
-		}
+		abs_target = talloc_asprintf(mem_ctx,
+					     "%s/%s/%s",
+					     connectpath,
+					     dir,
+					     target);
+	}
+	if (abs_target == NULL) {
+		goto fail;
 	}
 
-	abs_target_canon = canonicalize_absolute_path(target, abs_target);
+	abs_target_canon = canonicalize_absolute_path(abs_target, abs_target);
 	if (abs_target_canon == NULL) {
 		goto fail;
 	}
@@ -994,15 +996,14 @@ static NTSTATUS safe_symlink_target_path(
 		goto fail;
 	}
 
-	name_out = talloc_strdup(mem_ctx, relative);
-	if (name_out == NULL) {
+	*_relative = talloc_strdup(mem_ctx, relative);
+	if (*_relative == NULL) {
 		goto fail;
 	}
 
 	status = NT_STATUS_OK;
-	*_name_out = name_out;
 fail:
-	TALLOC_FREE(target);
+	TALLOC_FREE(abs_target);
 	return status;
 }
 
@@ -1438,6 +1439,7 @@ NTSTATUS filename_convert_dirfsp(
 	size_t unparsed = 0;
 	NTSTATUS status;
 	char *target = NULL;
+	char *safe_target = NULL;
 	size_t symlink_redirects = 0;
 
 next:
@@ -1476,17 +1478,22 @@ next:
 	 * resolve all symlinks locally.
 	 */
 
-	status = safe_symlink_target_path(
-		mem_ctx,
-		conn->connectpath,
-		name_in,
-		substitute,
-		unparsed,
-		&target);
+	target = symlink_target_path(mem_ctx, name_in, substitute, unparsed);
+	if (target == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	status = safe_symlink_target_path(mem_ctx,
+					  conn->connectpath,
+					  NULL,
+					  target,
+					  unparsed,
+					  &safe_target);
+	TALLOC_FREE(target);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
-	name_in = target;
+	name_in = safe_target;
 
 	symlink_redirects += 1;
 
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index a7759c349e4..c3b27928510 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -571,7 +571,6 @@ out:
 static NTSTATUS symlink_target_below_conn(
 	TALLOC_CTX *mem_ctx,
 	const char *connection_path,
-	size_t connection_path_len,
 	struct files_struct *fsp,
 	struct files_struct *dirfsp,
 	struct smb_filename *symlink_name,
@@ -579,9 +578,7 @@ static NTSTATUS symlink_target_below_conn(
 {
 	char *target = NULL;
 	char *absolute = NULL;
-	const char *relative = NULL;
 	NTSTATUS status;
-	bool ok;
 
 	if (fsp_get_pathref_fd(fsp) != -1) {
 		/*
@@ -594,69 +591,28 @@ static NTSTATUS symlink_target_below_conn(
 			talloc_tos(), dirfsp, symlink_name, &target);
 	}
 
+	status = safe_symlink_target_path(talloc_tos(),
+					  connection_path,
+					  dirfsp->fsp_name->base_name,
+					  target,
+					  0,
+					  &absolute);
 	if (!NT_STATUS_IS_OK(status)) {
-		DBG_DEBUG("readlink_talloc failed: %s\n", nt_errstr(status));
+		DBG_DEBUG("safe_symlink_target_path() failed: %s\n",
+			  nt_errstr(status));
 		return status;
 	}
 
-	if (target[0] != '/') {
-		char *tmp = talloc_asprintf(
-			talloc_tos(),
-			"%s/%s/%s",
-			connection_path,
-			dirfsp->fsp_name->base_name,
-			target);
-
-		TALLOC_FREE(target);
-
-		if (tmp == NULL) {
-			return NT_STATUS_NO_MEMORY;
-		}
-		target = tmp;
-	}
-
-	DBG_DEBUG("redirecting to %s\n", target);
-
-	absolute = canonicalize_absolute_path(talloc_tos(), target);
-	TALLOC_FREE(target);
-
-	if (absolute == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	/*
-	 * We're doing the "below connection_path" here because it's
-	 * cheap. It might be that we get a symlink out of the share,
-	 * pointing to yet another symlink getting us back into the
-	 * share. If we need that, we would have to remove the check
-	 * here.
-	 */
-	ok = subdir_of(
-		connection_path,
-		connection_path_len,
-		absolute,
-		&relative);
-	if (!ok) {
-		DBG_NOTICE("Bad access attempt: %s is a symlink "
-			   "outside the share path\n"
-			   "conn_rootdir =%s\n"
-			   "resolved_name=%s\n",
-			   symlink_name->base_name,
-			   connection_path,
-			   absolute);
-		TALLOC_FREE(absolute);
-		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
-	}
-
-	if (relative[0] == '\0') {
+	if (absolute[0] == '\0') {
 		/*
 		 * special case symlink to share root: "." is our
 		 * share root filename
 		 */
-		absolute[0] = '.';
-		absolute[1] = '\0';
-	} else {
-		memmove(absolute, relative, strlen(relative)+1);
+		TALLOC_FREE(absolute);
+		absolute = talloc_strdup(talloc_tos(), ".");
+		if (absolute == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
 	}
 
 	*_target = absolute;
@@ -834,7 +790,6 @@ again:
 	status = symlink_target_below_conn(
 		talloc_tos(),
 		connpath,
-		connpath_len,
 		fsp,
 		discard_const_p(files_struct, dirfsp),
 		smb_fname_rel,
@@ -4960,8 +4915,8 @@ static NTSTATUS open_directory(connection_struct *conn,
 
 	if (access_mask & need_fd_access) {
 		status = reopen_from_fsp(
-			fsp->conn->cwd_fsp,
-			fsp->fsp_name,
+			parent_dir_fname->fsp,
+			smb_fname_atname,
 			fsp,
 			O_RDONLY | O_DIRECTORY,
 			0,


-- 
Samba Shared Repository



More information about the samba-cvs mailing list