chdir and all that _with_privilege business

Jeremy Allison jra at samba.org
Tue Nov 10 17:52:42 UTC 2015


On Tue, Nov 10, 2015 at 10:42:09AM +0200, Uri Simchoni wrote:
> Hi,
> 
> I can't quite understand the rationale behind the special treatment
> that opens with backup intent receive.
> 
> I was trying to understand the contexts in which we call
> SMB_VFS_CHDIR (as it somewhat complicates some VFS modules) and saw
> this case where if files are opened with backup intent (or file
> find with backup intent in SMB1) we do some checks differently,
> including chdir to the file's parent and doing all the checks from
> there.
> 
> I could think of two possible reasons:
> 1. To prevent race conditions where one SMB request involves
> multiple UNIX system calls - make sure all those calls reference the
> same file system object - but in that case why is it limited to
> backup intent.
> 2. As a security measure, because with backup intent we run as root,
> but I'm not quite sure what type of attacks this prevents, and also
> whether in that case admin users (which run as root) should also be
> using this type of checking.
> 
> Can someone clarify?

Yeah, you're right here. The rationale is actually (2)
as in this case we are transitioning a 'normal' user
to root just for this specific open, so we need to
do the extra pathname walk protection.

For 'admin users' the Samba admin has explicitly
mapped all user access to root on that share.

I wrote this as a mitigation factor around
the fact that we're not using openat() and
doing all pathname processing using handle
based calls.

That's the full long term solution, but
remember Samba (and our VFS) was designed
before such things were even a twinkle
in the eye of Solaris (where they first
appeared :-).

Jeremy.



More information about the samba-technical mailing list