Old fashioned 'anonymous' FTP 'incoming' directory
Dirk-Willem van Gulik
Dirk-willem.Van.gulik at bbc.co.uk
Fri Jan 7 02:58:42 MST 2011
On 6 Jan 2011, at 17:56, TAKAHASHI Motonobu wrote:
> I tested to connect from a Windows XP client to the share and copy a text file.
> I found the file just copied can not appear in the folder, but if I
> type 'type file.txt', then the
> content of the file is displayed.
So on unix I have:
SETUP:
$ mkdir -p /data/foo/bar
$ echo Hi > /data/foo/bar/test.txt
$ chmod 0111 /data/foo
CHECK denied
$ ls /data
foo
$ ls /data/foo
ls: /data/foo: Permission denied
CHECK ok:
$ ls /data/foo/bar
test.txt
$ cat /data/foo/bar/test.txt
Hi
We are on FreeBSD-8.2 and Samba 3.5.6. Vanilla/minimal build with just MAX_DEBUG. The config is:
[foo]
path = /data/foo
writeable = yes
inherit owner = yes
force create mode = 444
hide unwriteable files = yes
And while a mount succeeds - any ls/dir on the share or any deeper files fails with an NT_STATUS_ACCESS_DENIED - even for the test.txt which should in fact be 'fine'.
Below is the all:99 log details (but sanitized). This is for an 'ls /foo/bar/test.txt'.
As far as I can see in the code - as we always do a directory walk - we always assume that every element of a path which is a directory can always be 'opendir()-ed' (which we want - to do mangling) - and if any of them is denied - we deny the whole path (marked !!!! below).
Foregoing the 'posix' behaviour of allowing a 0111-directory/xx/0666-file to be in fact accessible. (Hence my patch/modifies in [1],[2] which I think are done at the wrong level).
Or does this yield something different on your machine ? Or am I making a conceptual mistake ?
Thanks,
Dw.
[2011/01/07 10:49:33.913542, 10] lib/util_sock.c:726(read_smb_length_return_keepalive)
got smb length of 164
[2011/01/07 10:49:33.913600, 6] smbd/process.c:1482(process_smb)
got message type 0x0 of len 0xa4
[2011/01/07 10:49:33.913627, 3] smbd/process.c:1485(process_smb)
Transaction 61 of length 168 (0 toread)
[2011/01/07 10:49:33.913650, 5] lib/util.c:617(show_msg)
[2011/01/07 10:49:33.913664, 5] lib/util.c:627(show_msg)
size=164
smb_com=0x32
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=8
smb_flg2=51201
smb_tid=1
smb_pid=1
smb_uid=100
smb_mid=61
smt_wct=15
smb_vwv[ 0]= 96 (0x60)
smb_vwv[ 1]= 0 (0x0)
smb_vwv[ 2]= 10 (0xA)
smb_vwv[ 3]=16644 (0x4104)
smb_vwv[ 4]= 0 (0x0)
smb_vwv[ 5]= 0 (0x0)
smb_vwv[ 6]= 0 (0x0)
smb_vwv[ 7]= 0 (0x0)
smb_vwv[ 8]= 0 (0x0)
smb_vwv[ 9]= 96 (0x60)
smb_vwv[10]= 68 (0x44)
smb_vwv[11]= 0 (0x0)
smb_vwv[12]= 164 (0xA4)
smb_vwv[13]= 1 (0x1)
smb_vwv[14]= 1 (0x1)
smb_bcc=99
[2011/01/07 10:49:33.914309, 3] smbd/process.c:1294(switch_message)
switch message SMBtrans2 (pid 593) conn 0x22003230
[2011/01/07 10:49:33.914969, 4] smbd/uid.c:257(change_to_user)
change_to_user: Skipping user change - already user
[2011/01/07 10:49:33.915022, 3] smbd/trans2.c:2252(call_trans2findfirst)
call_trans2findfirst: dirtype = 16, maxentries = 1, close_after_first=1, close_if_end = 1 requires_resume_key = 1 level = 0x20b, max_data_bytes = 16644
[2011/01/07 10:49:33.915056, 5] smbd/filename.c:169(unix_convert)
unix_convert called on file "bar"
[2011/01/07 10:49:33.915084, 10] smbd/statcache.c:236(stat_cache_lookup)
stat_cache_lookup: lookup failed for name [bar]
[2011/01/07 10:49:33.915105, 5] smbd/filename.c:328(unix_convert)
unix_convert begin: name = bar, dirpath = , start = bar
[2011/01/07 10:49:33.915143, 5] smbd/statcache.c:138(stat_cache_add)
stat_cache_add: Added entry (220d56c0:size 28) bar -> bar
[2011/01/07 10:49:33.915167, 5] smbd/filename.c:351(unix_convert)
conversion of base_name finished bar -> bar
[2011/01/07 10:49:33.915188, 3] smbd/vfs.c:851(check_reduced_name)
check_reduced_name [bar] [/data/foo]
[2011/01/07 10:49:33.915226, 10] smbd/vfs.c:938(check_reduced_name)
check_reduced_name realpath [bar] -> [/data/foo/bar]
[2011/01/07 10:49:33.915252, 3] smbd/vfs.c:1008(check_reduced_name)
check_reduced_name: bar reduced to /data/foo/bar
[2011/01/07 10:49:33.915278, 5] smbd/trans2.c:2333(call_trans2findfirst)
dir=./, mask = bar
[2011/01/07 10:49:33.915303, 5] smbd/dir.c:423(dptr_create)
dptr_create dir=./
[2011/01/07 10:49:33.915323, 3] smbd/vfs.c:851(check_reduced_name)
check_reduced_name [./] [/data/foo]
[2011/01/07 10:49:33.915345, 10] smbd/vfs.c:938(check_reduced_name)
check_reduced_name realpath [./] -> [/data/foo]
[2011/01/07 10:49:33.915366, 3] smbd/vfs.c:1008(check_reduced_name)
check_reduced_name: ./ reduced to /data/foo
[2011/01/07 10:49:33.915397, 5] smbd/dir.c:1331(OpenDir) <------------------------ !!!!
OpenDir: Can't open ./. Permission denied
[2011/01/07 10:49:33.915454, 3] smbd/error.c:80(error_packet_set)
error packet at smbd/trans2.c(2395) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
[2011/01/07 10:49:33.915481, 5] lib/util.c:617(show_msg)
[2011/01/07 10:49:33.915493, 5] lib/util.c:627(show_msg)
size=35
smb_com=0x32
smb_rcls=34
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51203
smb_tid=1
smb_pid=1
smb_uid=100
smb_mid=61
smt_wct=0
smb_bcc=0
1: http://lists.samba.org/archive/samba-technical/2011-January/075603.html
2: http://lists.samba.org/archive/samba-technical/2011-January/075638.html
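
An added example, not part of the original post and not Samba code: a name lookup that tries the case-insensitive directory scan first and, when the directory cannot be read (EACCES, as in the OpenDir line marked above), falls back to an exact-name stat(), which needs only search (x) permission. The names `lookup`, `make_dropbox` and `enum how` are hypothetical; the fallback cannot match wrong-case or mangled names, and a process running as root bypasses the permission check, so it takes the listing path.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <sys/stat.h>

enum how { NOT_FOUND, BY_LISTING, BY_DIRECT_STAT };

/* Hypothetical helper, not Samba code. The case-insensitive scan needs r on
 * `dir`; on EACCES fall back to an exact-name stat(), which needs only x. */
static enum how lookup(const char *dir, const char *want, char *out, size_t n)
{
    struct stat st;
    struct dirent *e;
    enum how r = NOT_FOUND;
    DIR *d = opendir(dir);
    if (d == NULL) {
        if (errno != EACCES) return NOT_FOUND;
        snprintf(out, n, "%s/%s", dir, want);
        return stat(out, &st) == 0 ? BY_DIRECT_STAT : NOT_FOUND;
    }
    while (r == NOT_FOUND && (e = readdir(d)) != NULL)
        if (strcasecmp(e->d_name, want) == 0) {
            snprintf(out, n, "%s/%s", dir, e->d_name);
            r = BY_LISTING;
        }
    closedir(d);
    return r;
}

/* Constructed fixture as in the post: <tmp>/foo is 0111 and contains bar. */
static const char *make_dropbox(void)
{
    static char foo[64];
    char tmpl[] = "/tmp/dropboxXXXXXX", bar[80];
    if (mkdtemp(tmpl) == NULL) return NULL;
    snprintf(foo, sizeof foo, "%s/foo", tmpl);
    snprintf(bar, sizeof bar, "%s/bar", foo);
    if (mkdir(foo, 0755) != 0 || mkdir(bar, 0755) != 0) return NULL;
    return chmod(foo, 0111) == 0 ? foo : NULL;
}

int main(void)
{
    char out[256] = "";
    const char *foo = make_dropbox();
    if (foo != NULL) printf("how=%d path=%s\n", lookup(foo, "bar", out, sizeof out), out);
    return foo == NULL;
}
```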