Bug 10252 - Access Based Enumeration: User can see/list folders/files even when they are denied either read attribute or read extended attribute permission

Richard Sharpe realrichardsharpe at gmail.com
Wed Nov 6 18:05:36 MST 2013


On Wed, Nov 6, 2013 at 3:51 PM, Jeremy Allison <jra at samba.org> wrote:
> On Wed, Nov 06, 2013 at 12:20:05PM +0530, Partha Sarathi wrote:
>> Hi,
>>
>> I have just gone through the hide unreadable related code and found that we are
>> only checking for FILE_READ_DATA in user_can_read_file(), and I have added
>> the rest of the access mask so that it just works similarly to Windows.
>>
>>
>> bash-4.0$ diff -up smbd/dir.c smbd/dir.c.fix
>> --- smbd/dir.c  2013-11-05 22:42:44.565464984 -0800
>> +++ smbd/dir.c.fix      2013-11-05 22:42:31.751405097 -0800
>> @@ -1185,7 +1185,7 @@ static bool user_can_read_file(connectio
>>                 return True;
>>         }
>>
>> -       return can_access_file_acl(conn, smb_fname, FILE_READ_DATA);
>> +       return can_access_file_acl(conn, smb_fname, (FILE_READ_DATA |
>> FILE_READ_EA | FILE_READ_ATTRIBUTES));
>>  }
>>
>>  /*******************************************************************
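Review bot: In user_can_read_file(), the new mask (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES) hides an entry on a single denied right only if can_access_file_acl() requires every requested bit to be granted. Nothing in the hunk shows that, so please confirm it and add a comment above the return stating that all three rights are required in order to match Windows access-based enumeration. Separately, the continuation line "FILE_READ_EA | FILE_READ_ATTRIBUTES));" has lost its leading "+" to mail wrapping, so the patch will not apply as posted; resending it as an attachment would avoid that.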
>>
>>
>> Note: I have done the unit test and it just works like Windows, i.e. even if
>> the user is just denied any one of the READ permissions, Samba hides the
>> folder/files with the above changes.
>
> Very cool ! This actually fits in with a bug I've been working
> on with David Disseldorp (can't remember the bugid off hand)
> where we also need to check the specific open access modes
> before returning a getinfo reply for SMB2.
>
> Richard is right that we need more torture tests around this,
> then we can get the code into a release.
>
> Could you log a bug please so we can track this ?

Yeah, he filed 10252 already ... if I get some spare time I will try
to write a test.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)

