backup intent and dptr_create failure because of become_root() (was Re: Samba4 panic action)

Andrew Bartlett abartlet at samba.org
Sat Oct 20 04:39:46 MDT 2012


On Fri, 2012-10-12 at 16:22 +0200, steve wrote:
> On 12/10/12 14:21, Ricky Nance wrote:
> > Steve, if you are building from git, the file gdb_backtrace can be found
> > at samba-master/selftest/gdb_backtrace, you will just simply add the
> > line to your smb.conf pointing at that file, and restart samba, then try
> > to recreate the bug. You should then get backtraces in
> > /usr/local/samba/var as files.
> >
> > Ricky
> 
> Hi Ricky.
> Thanks. Much easier.
> Cheers,
> Steve
> 
> Here is the trace:
Steve, 

Thank you very much.

Thanks to a hint Jeremy gave me on a private list, I think I know the
issue.

We fault here, because token == NULL. 

> /usr/local/samba/sbin/smbd: #8  <signal handler called>
> /usr/local/samba/sbin/smbd: No symbol table info available.
> /usr/local/samba/sbin/smbd: #9  0xb695556a in security_token_has_sid 
> (token=0x0, sid=0x99f3790) at ../libcli/security/security_token.c:109
> /usr/local/samba/sbin/smbd:         i = 0
> /usr/local/samba/sbin/smbd: #10 0xb6955bb4 in se_access_check 
> (sd=0x99f35d0, token=0x0, access_desired=1, access_granted=0xbf8dae78) 
> at ../libcli/security/access_check.c:229
> /usr/local/samba/sbin/smbd:         ace = 0x99f3760
> /usr/local/samba/sbin/smbd:         i = 0
> /usr/local/samba/sbin/smbd:         bits_remaining = 1
> /usr/local/samba/sbin/smbd:         explicitly_denied_bits = 0
> /usr/local/samba/sbin/smbd:         owner_rights_allowed = 0
> /usr/local/samba/sbin/smbd:         owner_rights_denied = 0
> /usr/local/samba/sbin/smbd:         owner_rights_default = true
> /usr/local/samba/sbin/smbd:         __FUNCTION__ = "se_access_check"
> /usr/local/samba/sbin/smbd: #11 0xb6955e26 in se_file_access_check 
> (sd=0x99f35d0, token=0x0, priv_open_requested=true, access_desired=1, 
> access_granted=0xbf8dae78) at ../libcli/security/access_check.c:340
> /usr/local/samba/sbin/smbd:         bits_remaining = 149295168
> /usr/local/samba/sbin/smbd:         status = {v = 161424512}
> /usr/local/samba/sbin/smbd:         __FUNCTION__ = "se_file_access_check"
> /usr/local/samba/sbin/smbd: #12 0xb748ae21 in smbd_check_access_rights 
> (conn=0x99a98d8, smb_fname=0x99f2eb0, use_privs=true, access_mask=1) at 
> ../source3/smbd/open.c:137
> /usr/local/samba/sbin/smbd:         status = {v = 0}
> /usr/local/samba/sbin/smbd:         sd = 0x99f35d0
> /usr/local/samba/sbin/smbd:         rejected_share_access = 0
> /usr/local/samba/sbin/smbd:         rejected_mask = 1
> /usr/local/samba/sbin/smbd:         __FUNCTION__ = 
> "smbd_check_access_rights"
> /usr/local/samba/sbin/smbd: #13 0xb742cd73 in dptr_create 
> (conn=0x99a98d8, req=0x99f2590, fsp=0x0, path=0x99f2870 
> "Administrator/Application Data/LibreOffice", old_handle=false, 
> expect_close=true, spid=1344, wcard=0x99f28d0 "3", wcard_has_wild=false, 
> attr=22, dptr_ret=0xbf8daf94) at ../source3/smbd/dir.c:534
> /usr/local/samba/sbin/smbd:         ret = 0
> /usr/local/samba/sbin/smbd:         backup_intent = true

Here we know that this is a trans2 with backup intent (due to Jeremy's
recent backup privileges work). 

> /usr/local/samba/sbin/smbd:         smb_dname = 0x99f2eb0
> /usr/local/samba/sbin/smbd:         status = {v = 0}
> /usr/local/samba/sbin/smbd:         sconn = 0x99e8fa8
> /usr/local/samba/sbin/smbd:         dptr = 0x0
> /usr/local/samba/sbin/smbd:         dir_hnd = 0x94ce0e0
> /usr/local/samba/sbin/smbd:         __FUNCTION__ = "dptr_create"
> /usr/local/samba/sbin/smbd: #14 0xb7471c50 in call_trans2findfirst 
> (conn=0x99a98d8, req=0x99f2590, pparams=0x911fe1c, total_params=104, 
> ppdata=0x911fe24, total_data=0, max_data_bytes=16384) at 
> ../source3/smbd/trans2.c:2499


> /usr/local/samba/sbin/smbd:         backup_priv = true
> /usr/local/samba/sbin/smbd:         __FUNCTION__ = "call_trans2findfirst"

At line 2393 of source3/smbd/trans2.c we call become_root().  We
correctly unbecome_root() later, but in the meantime we call
dptr_create(), which calls smbd_check_access_rights() and eventually
calls get_current_nttok().  

Because we are in a become_root(), the token is NULL, and so we
segfault.

Jeremy,

I think you can probably handle it from here.  We don't call
get_current_nttok() in many places, perhaps we might be able to replace
it with a call that doesn't need to inspect the unix security stack, but
instead directly de-references conn or something similar?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
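A constructed C model of the failure path described in the message above, added here as an illustration and not code from Samba: a tiny security-context stack where become_root() pushes a context with a NULL NT token, an access check that reads the token from that stack (the crashing path, here made to fail safely instead of dereferencing NULL), and the alternative Andrew suggests of reading the session token from conn. All struct and function names are hypothetical simplifications of the smbd ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the smbd unix security-context stack (not Samba code). */
struct security_token { uint32_t sid_count; uint32_t sids[4]; };
struct sec_ctx { struct security_token *token; };

#define MAX_SEC_CTX 8
static struct sec_ctx sec_ctx_stack[MAX_SEC_CTX];
static int sec_ctx_top = 0;

/* Authenticated user's session token; SID 1 is the one the share ACE grants. */
static struct security_token user_token = { 1, { 1 } };

/* The connection keeps the session token independently of the stack. */
struct connection_struct { struct security_token *session_token; };

static struct security_token *get_current_nttok(void) {
    return sec_ctx_stack[sec_ctx_top].token;
}

/* become_root() pushes a context whose NT token is NULL (root bypasses ACLs). */
static void become_root(void) { sec_ctx_stack[++sec_ctx_top].token = NULL; }
static void unbecome_root(void) { sec_ctx_top--; }

/* 1 = granted, 0 = denied, -1 = check cannot run because there is no token.
 * Without the NULL check this is the security_token_has_sid(token=0x0) fault. */
static int access_check(const struct security_token *token, uint32_t need_sid) {
    if (token == NULL) return -1;
    for (uint32_t i = 0; i < token->sid_count; i++)
        if (token->sids[i] == need_sid) return 1;
    return 0;
}

/* Models dptr_create() under backup intent: it consults the security stack. */
static int check_via_stack(struct connection_struct *conn) {
    (void)conn;
    return access_check(get_current_nttok(), 1);
}

/* The suggested alternative: take the token from conn, not the unix stack. */
static int check_via_conn(struct connection_struct *conn) {
    return access_check(conn->session_token, 1);
}

/* Models call_trans2findfirst() with backup_priv set: check runs inside root. */
static int findfirst_with_backup_intent(int (*check)(struct connection_struct *)) {
    struct connection_struct conn = { &user_token };
    sec_ctx_stack[0].token = &user_token;
    sec_ctx_top = 0;
    become_root();
    int r = check(&conn);
    unbecome_root();
    return r;
}
```

Running the stack-based check inside become_root() yields -1 (no token to check), while the conn-based check still sees the session token and grants access.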
