backup intent and dptr_create failure because of become_root() (was Re: Samba4 panic action)
Andrew Bartlett
abartlet at samba.org
Sat Oct 20 04:39:46 MDT 2012
On Fri, 2012-10-12 at 16:22 +0200, steve wrote:
> On 12/10/12 14:21, Ricky Nance wrote:
> > Steve, if you are building from git, the file gdb_backtrace can be found
> > at samba-master/selftest/gdb_backtrace, you will just simply add the
> > line to your smb.conf pointing at that file, and restart samba, then try
> > to recreate the bug. You should then get backtraces in
> > /usr/local/samba/var as files.
> >
> > Ricky
>
> Hi Ricky.
> Thanks. Much easier.
> Cheers,
> Steve
>
> Here is the trace:
Steve,
Thank you very much.
Thanks to a hint Jeremy gave me on a private list, I think I know the
issue.
We fault here, because token == NULL.
> /usr/local/samba/sbin/smbd: #8 <signal handler called>
> /usr/local/samba/sbin/smbd: No symbol table info available.
> /usr/local/samba/sbin/smbd: #9 0xb695556a in security_token_has_sid
> (token=0x0, sid=0x99f3790) at ../libcli/security/security_token.c:109
> /usr/local/samba/sbin/smbd: i = 0
> /usr/local/samba/sbin/smbd: #10 0xb6955bb4 in se_access_check
> (sd=0x99f35d0, token=0x0, access_desired=1, access_granted=0xbf8dae78)
> at ../libcli/security/access_check.c:229
> /usr/local/samba/sbin/smbd: ace = 0x99f3760
> /usr/local/samba/sbin/smbd: i = 0
> /usr/local/samba/sbin/smbd: bits_remaining = 1
> /usr/local/samba/sbin/smbd: explicitly_denied_bits = 0
> /usr/local/samba/sbin/smbd: owner_rights_allowed = 0
> /usr/local/samba/sbin/smbd: owner_rights_denied = 0
> /usr/local/samba/sbin/smbd: owner_rights_default = true
> /usr/local/samba/sbin/smbd: __FUNCTION__ = "se_access_check"
> /usr/local/samba/sbin/smbd: #11 0xb6955e26 in se_file_access_check
> (sd=0x99f35d0, token=0x0, priv_open_requested=true, access_desired=1,
> access_granted=0xbf8dae78) at ../libcli/security/access_check.c:340
> /usr/local/samba/sbin/smbd: bits_remaining = 149295168
> /usr/local/samba/sbin/smbd: status = {v = 161424512}
> /usr/local/samba/sbin/smbd: __FUNCTION__ = "se_file_access_check"
> /usr/local/samba/sbin/smbd: #12 0xb748ae21 in smbd_check_access_rights
> (conn=0x99a98d8, smb_fname=0x99f2eb0, use_privs=true, access_mask=1) at
> ../source3/smbd/open.c:137
> /usr/local/samba/sbin/smbd: status = {v = 0}
> /usr/local/samba/sbin/smbd: sd = 0x99f35d0
> /usr/local/samba/sbin/smbd: rejected_share_access = 0
> /usr/local/samba/sbin/smbd: rejected_mask = 1
> /usr/local/samba/sbin/smbd: __FUNCTION__ =
> "smbd_check_access_rights"
> /usr/local/samba/sbin/smbd: #13 0xb742cd73 in dptr_create
> (conn=0x99a98d8, req=0x99f2590, fsp=0x0, path=0x99f2870
> "Administrator/Application Data/LibreOffice", old_handle=false,
> expect_close=true, spid=1344, wcard=0x99f28d0 "3", wcard_has_wild=false,
> attr=22, dptr_ret=0xbf8daf94) at ../source3/smbd/dir.c:534
> /usr/local/samba/sbin/smbd: ret = 0
> /usr/local/samba/sbin/smbd: backup_intent = true
Here we know that this is a trans2 with backup intent (due to Jeremy's
recent backup privileges work).
> /usr/local/samba/sbin/smbd: smb_dname = 0x99f2eb0
> /usr/local/samba/sbin/smbd: status = {v = 0}
> /usr/local/samba/sbin/smbd: sconn = 0x99e8fa8
> /usr/local/samba/sbin/smbd: dptr = 0x0
> /usr/local/samba/sbin/smbd: dir_hnd = 0x94ce0e0
> /usr/local/samba/sbin/smbd: __FUNCTION__ = "dptr_create"
> /usr/local/samba/sbin/smbd: #14 0xb7471c50 in call_trans2findfirst
> (conn=0x99a98d8, req=0x99f2590, pparams=0x911fe1c, total_params=104,
> ppdata=0x911fe24, total_data=0, max_data_bytes=16384) at
> ../source3/smbd/trans2.c:2499
> /usr/local/samba/sbin/smbd: backup_priv = true
> /usr/local/samba/sbin/smbd: __FUNCTION__ = "call_trans2findfirst"
At line 2393 of source3/smbd/trans2.c we call become_root(). We
correctly unbecome_root() later, but in the meantime we call
dptr_create(), which calls smbd_check_access_rights() and eventually
calls get_current_nttok().
Because we are in a become_root(), the token is NULL, and so we
segfault.
Jeremy,
I think you can probably handle it from here. We don't call
get_current_nttok() in many places, perhaps we might be able to replace
it with a call that doesn't need to inspect the unix security stack, but
instead directly de-references conn or something similar?
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
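Added illustration, not Samba's code and not part of this thread: a toy C model of the failure described above, where the current-context token is NULL while inside become_root(), a NULL-checking access check refuses instead of faulting, and a check that reads the token from conn keeps working. All structure and function names here are simplified stand-ins for the real ones in the backtrace.

```c
/* Toy model (not Samba code) of the become_root() / NULL token failure mode.
 * Assumes: become_root() pushes a root context that carries no NT token, and
 * the ACE grants access to a single SID; all values are constructed. */
#include <stddef.h>
#include <stdint.h>

#define MAX_SIDS 4
#define MAX_CTX  8
#define ACCESS_GRANTED   1
#define ACCESS_DENIED    0
#define ACCESS_NO_TOKEN -1   /* returned by the hardened check instead of crashing */

struct security_token { uint32_t sids[MAX_SIDS]; int num_sids; };
struct session_info { struct security_token token; };
struct connection_struct { struct session_info *session_info; };

/* Unix security context stack: slot 0 is the authenticated user's context. */
static struct security_token *ctx_stack[MAX_CTX];
static int ctx_depth;

void set_user_context(struct security_token *tok) { ctx_stack[0] = tok; ctx_depth = 1; }
void become_root(void) { if (ctx_depth < MAX_CTX) ctx_stack[ctx_depth++] = NULL; }
void unbecome_root(void) { if (ctx_depth > 1) ctx_depth--; }
struct security_token *get_current_nttok(void) { return ctx_stack[ctx_depth - 1]; }

/* Hardened se_access_check: refuses a NULL token rather than dereferencing it
 * (frame #9 above dereferences token=0x0 unconditionally). */
int se_access_check_sid(const struct security_token *token, uint32_t ace_sid) {
    if (token == NULL) return ACCESS_NO_TOKEN;
    for (int i = 0; i < token->num_sids; i++)
        if (token->sids[i] == ace_sid) return ACCESS_GRANTED;
    return ACCESS_DENIED;
}

/* Path taken by dptr_create(): the token comes from the current unix context,
 * which is NULL for as long as we are inside become_root(). */
int check_via_current_ctx(uint32_t ace_sid) {
    return se_access_check_sid(get_current_nttok(), ace_sid);
}

/* The alternative suggested above: take the token from conn, so the result
 * does not depend on whether become_root() is in effect. */
int check_via_conn(const struct connection_struct *conn, uint32_t ace_sid) {
    if (conn == NULL || conn->session_info == NULL) return ACCESS_NO_TOKEN;
    return se_access_check_sid(&conn->session_info->token, ace_sid);
}
```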