RFC: CVE-2017-2619 fix breaks accessing previous versions of directories with snapshots in subdirectories of the share

Jeremy Allison jra at samba.org
Fri Jul 7 17:12:34 UTC 2017


On Fri, Jul 07, 2017 at 09:30:17AM -0700, Jeremy Allison via samba-technical wrote:
> On Fri, Jul 07, 2017 at 02:12:53PM +0200, Ralph Böhme wrote:
> > Hi!
> > 
> > As explained in <https://bugzilla.samba.org/show_bug.cgi?id=12885>:
> > 
> > With shadow:snapdirseverywhere=true and a snapshot directory that
> > 
> > * is a subdirectory of a share
> > 
> > * and that contains a snapshot directory
> > 
> > we fail the symlink check in the new function non_widelink_open() because
> > parent_dirname() cuts off the subdirectory name leaving only the @GMT stanza
> > which is then interpreted by the called functions as being relative to the
> > parent directory which it isn't.
> > 
> > The simplest fix as far as I can see is to leverage the fact that (given the
> > system defines O_DIRECTORY) we know when we're called for a directory, so we can
> > just directly chdir() into the path passed by the caller.
> > 
> > Can we rely here on O_DIRECTORY? Linux has it, FreeBSD has it, Solaris has it
> > and we probably don't care about the rest.
> > 
> > The subsequent security check done in check_reduced_name() should continue to
> > work with this change.
> > 
> > I've just fired off a private autobuild with the patchset and will follow up with
> > the results (fingers crossed :) ).
> 
> Great catch, Ralph. That's a really minimal fix with no disruption
> to the security checks whatsoever!
> 
> Words fail me when I try and articulate how much I *HATE* the
> shadow_copy2 code (even after I fixed up a lot of it :-).

In case it wasn't clear - RB+.

Thanks!

Jeremy.
