Questions about smbd option "strict rename"

Ralph Boehme rb at sernet.de
Sun Nov 22 12:49:33 UTC 2015 

Hi Jeremy,

On Fri, Nov 20, 2015 at 01:45:08PM -0800, Jeremy Allison wrote:
> On Fri, Nov 20, 2015 at 10:01:46AM +0100, Ralph Boehme wrote:
> > ...
> > According to the commit message and the manpage description, "strict
> > rename = no" means we won't check for open files when we do a
> > directory rename.
> > 
> > If this is correct, we have two bugs:
> 
> Just to clarify, you mean: "we have two bugs in our rename path",
> yes ?

yes. I wasn't suggesting we're down to 0 bugs besided those. :)

> > - "strict rename = no": doesn't work, opens are always checked,
> >   regardless of the setting of "strict rename".  can_rename(), the
> >   function where we do this check when renaming a directory, is
> >   missing a check for lp_strict_rename() or similar.
> 
> Yep. That's how it was supposed to work. The code in
> can_rename() should probably be the same as the code in
> source/smbd/dir.c which is:
> 
>         if (!lp_posix_pathnames() &&
>             lp_strict_rename(SNUM(conn)) &&
>             have_file_open_below(fsp->conn, fsp->fsp_name))
>         {
>                 return NT_STATUS_ACCESS_DENIED;
>         }

Ok, thanks for clarifying. Does everybody agree? Metze?

> > - "strict rename = yes": the function called to do the actual check
> >   for open files is file_find_subpath() which only checks for opens in
> >   that process and doesn't traverse locking.tdb
> 
> Yep - that was older code and I remember deciding
> (with Volker I think) that per-process checks were
> probably 'good enough'.
> 
> > In private conversation metze suggested that "strict rename" is
> > supposed to have completely different semantics:
> > 
> > - "strict rename = no": check for opens, but only in the current
> >   process, avoids expensive locking.tdb traversal, deny rename if open
> >   found
> 
> Hmmmm. We also need to have 'lp_posix_pathnames()' in the
> mix too I'm afraid.

Imo we need a different check for this and don't hang this off
lp_posix_pathnames(). POSIX pathnames capability is one thing, POSIX
rename is imo a different one, I'd argue in SMB2/3 UNIX extensions
we'll want to define two distinct capabilities anyway.

> > - "strict rename = yes": check for opens by traversing locking.tdb,
> >   deny rename if open found
> 
> That's the have_file_open_below() semantic I think...

Yes.

> > Either way, I can provide fixes, but first we should agree upon the
> > semantics of "strict rename". :)
> > 
> > I am currently pursuing this case, because not allowing directory
> > renames with open files is a major pita for OS X users. OS X expects
> > POSIX rename semantics and that's what OS X SMB server implements. I
> > know this contradicts MS-SMB2/FSA.
> 
> How does their client ever work against Windows ? Windows
> does strict renames.

Same pita as Samba. :) It works against their own SMB server. OS X
being a UNIX system expects POSIX rename behaviour from filesystems.

Adding Steve to the loop, wonder whether he gets similar reports for
the Linux client.

> > "strict rename = no" with the semantics described in the manpage,
> > would give OS X users an easy workaround. An alternative would be
> > something like my patch attached to the bugreport that tracks this
> > problem for OS X users:
> 
> Hate that patch, sorry :-).

Now that's an argument! :) If "strict rename = no" does the same
trick, I'm fine. Otherwise I'll have to put some more love to the
patch until you're happy too. ;)

> > <https://bugzilla.samba.org/show_bug.cgi?id=11065>
> > <https://attachments.samba.org/attachment.cgi?id=10648>
> 
> How about we standardize on the:
> 
>         if (!lp_posix_pathnames() &&
>             lp_strict_rename(SNUM(conn)) &&
>             have_file_open_below(fsp->conn, fsp->fsp_name))
>         {
>                 return NT_STATUS_ACCESS_DENIED;
>         }
> 
> behavior which does the traverse, and ignore
> the half-assed per-process check (which means
> we can remove the function file_find_subpath()) ?

That's what I would have done besides lp_posix_pathnames(). strict
rename could be reused for SMB2 UNIX extensions POSIX rename
behaviour, so I'd suggest only checking strict rename:

         if (lp_strict_rename(SNUM(conn)) &&
             have_file_open_below(fsp->conn, fsp->fsp_name))
         {
                 return NT_STATUS_ACCESS_DENIED;
         }
	 
and possibly force strict rename to no for CIFS UNIX extensions in
case CIFS_UNIX_POSIX_PATHNAMES_CAP is enabled:

--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -3976,6 +3976,7 @@ static void call_trans2setfsinfo(connection_struct *conn,
	if (xconn->smb1.unix_info.client_cap_low & CIFS_UNIX_POSIX_PATHNAMES_CAP) {
		lp_set_posix_pathnames();
+		lp_do_parameter(SNUM(conn), "strict rename", "no");
		mangle_change_to_posix();
	}

However, I'd question whether CIFS_UNIX_POSIX_PATHNAMES_CAP implies
POSIX rename behaviour.

Thanks!
-Ralph

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de,mailto:kontakt@sernet.de

More information about the samba-technical mailing list