mkdir-dup test flapping
Andrew Bartlett
abartlet at samba.org
Thu Mar 10 01:34:36 UTC 2016
On Wed, 2016-03-09 at 09:56 -0800, Jeremy Allison wrote:
> On Tue, Mar 08, 2016 at 08:54:32PM -0800, Jeremy Allison wrote:
> >
> > On Wed, Mar 09, 2016 at 04:11:05PM +1300, Douglas Bagnall wrote:
> > >
> > > We looked at this some more, and Andrew seemed to understand and
> > > wrote
> > > the attached patch.
> > >
> > > We need to decide if the change in owner is enough reason to
> > > refuse
> > > the open(), or if we should just continue.
> > >
> > > On the basis that the owner change is not significant, we
> > > reworked the
> > > code to do the lstat() after the fstat(), and not compare the
> > > owner.
> > Fix is really close, but still needs a little work -
> > the call to:
> >
> > fsp->file_id = vfs_file_id_from_sbuf(conn, &smb_dname->st);
> >
> > needs to be moved too (as in the race condition
> > when need_lstat is true smb_dname->st isn't correctly
> > initialized yet), or the lstat needs to be done both
> > before and after. Doing the lstat twice might be
> > safer as I'll need to check what uses fsp->file_id
> > to ensure moving to after the lstat is safe.
> >
> > *Really* nice work though - thanks ! It's late
> > here now so I'll take a look at this first thing
> > in thr morning (US Pacific time) and post an
> > updated patch for you to look at tomorrow.
> OK - here it is. I looked over this very carefully
> and this is what I came up with.
>
> There's no security reason for re-doing the
> lstat after the vfs_fsp_stat() call as if the
> owner and SD were changed, any operation on
> the directory is still protected by the new
> owner/ACL that was placed upon the directory.
>
> Anyone with permission to do those changes
> can do them whether we have the directory
> open or not.
>
> For paranoia's sake I did add an extra ISDIR
> check once we (should) have a file handle to
> make sure the pathname the fsp is pointing to
> is a directory when exiting the function
> (or course, as with all races there's
> nothing to stop a properly credentialed
> used renaming/replacing that pathname
> later, but that's what a fileserver is
> designed to do :-).
>
> I created bug https://bugzilla.samba.org/show_bug.cgi?id=11780
> to track this and get it back-ported to
> release brances.
>
> Let me know what you think !
We are puzzled. While it ran successfully 1000 times locally (in the
same testenv environment), when run in make test on the Catalyst Cloud,
with your patch it failed in 2/10 of the runs I started this morning:
Testing SMB2 Create Directory with multiple connections
waiting for replies
UNEXPECTED(failure): samba3.smb2.create.mkdir-dup(nt4_dc)
REASON: Exception: Exception: ../source4/torture/smb2/create.c:1628:
File 1 returned status NT_STATUS_ACCESS_DENIED
FAILED (1 failures, 0 errors and 0 unexpected successes in 0
testsuites)
A summary with detailed information can be found in:
./bin/ab/summary
commit 68708672142f00dd59f91589d57fb3b3a593ab80
Author: Jeremy Allison <jra at samba.org>
Date: Wed Mar 9 09:43:09 2016 -0800
s3: smbd: Fix error in mkdir race condition detection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11780
The smb2.create.mkdir-dup test creates a race, and against an AD DC
this can cause a flapping test if the lstat() and stat() calls are
made either side of the chown() due to creation of a file by
administrator.
We know when we've hit the race, so relax the check_same_stat()
check in that specific case.
Fix based on an original patch by Andrew Bartlett <abartlet at samba.o
rg>
and Douglas Bagnall <douglas.bagnall at catalyst.net.nz>.
Sorry to drop this on you at the end of the work day.
I've started a number of runs with our patch, but I don't expect a
different result. We have this one on the line, but it's still
fighting as we reel it in...
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list