[PATCH] Hardening for the homes directory

Ralph Böhme slow at samba.org
Mon Dec 3 11:28:34 UTC 2018 

On Mon, Dec 03, 2018 at 12:21:39PM +0100, Andreas Schneider wrote:
>On Monday, 3 December 2018 11:54:26 CET Ralph Böhme wrote:
>> Hi Andreas,
>>
>> lgtm besides one nitpick (see below):
>>
>> On Mon, Dec 03, 2018 at 11:41:35AM +0100, Andreas Schneider via samba-
>technical wrote:
>> >From 82dd883797fc4fef68bbc6af7f1b9ee10bea2d44 Mon Sep 17 00:00:00 2001
>> >From: Andreas Schneider <asn at samba.org>
>> >Date: Thu, 22 Nov 2018 18:23:24 +0100
>> >Subject: [PATCH 3/4] s3:smbd: Make sure we do not export "/" (root) as home
>> >
>> > dir
>> >
>> > ...
>> >
>> >diff --git a/source3/smbd/password.c b/source3/smbd/password.c
>> >index f472bda2c70..8e2eb1312c5 100644
>> >--- a/source3/smbd/password.c
>> >+++ b/source3/smbd/password.c
>> >@@ -122,13 +122,21 @@ int register_homes_share(const char *username)
>> >
>> > 	pwd = Get_Pwnam_alloc(talloc_tos(), username);
>> >
>> >-	if ((pwd == NULL) || (pwd->pw_dir[0] == '\0')) {
>> >+	if ((pwd == NULL) ||
>> >+	    (pwd->pw_dir[0] == '\0')) {
>>
>> is there a logical change I fail to spot on a miserable Monday morning? :)
>>
>> If you want the line wrap for readability please also wrap the closing brace
>> as mentioned in README.Coding:
>>
>> 	if ((pwd == NULL) ||
>> 	    (pwd->pw_dir[0] == '\0'))
>>         {
>
>
>Sorry, that is just a left over I forgot to undo. Updated patchset attached.

ah, ok. :)

Looks like 4/4 is missing?

Also:

>-	if ((pwd == NULL) || (pwd->pw_dir[0] == '\0')) {
>+	if ((pwd == NULL) ||
>+	    (pwd->pw_dir[0] == '\0') ||
>+	    strequal(pwd->pw_dir, "/")) {

This should be:

>-	if ((pwd == NULL) || (pwd->pw_dir[0] == '\0')) {
>+	if ((pwd == NULL) ||
>+	    (pwd->pw_dir[0] == '\0') ||
>+	    strequal(pwd->pw_dir, "/"))
>+      {

I just discovered that we have this in README.Coding which is nice because it 
matches my favored style. :)

-slow

-- 
Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46

More information about the samba-technical mailing list