[Samba] Fix for CVE-2015-5299 denies access to ZFS snapshots due to overly strict condition checking

QIU Quan jackqq at gmail.com
Fri Jan 1 13:38:09 UTC 2016

OS platform: FreeBSD 10.1-RELEASE-p25
Filesystem: ZFS
Samba version: upgraded from 4.1.17 to 4.1.22


I have been using the shadow_copy2 and zfsacl VFS modules to enable
access control and the Previous Versions feature for Windows clients.
With /usr/local/etc/smb4.conf configured this way (excerpt):

    vfs objects = shadow_copy2 zfsacl
    shadow:snapdir = .zfs/snapshot
    shadow:format = GMT-%Y.%m.%d-%H.%M.%S
    shadow:sort = desc

After updating the package to 4.1.22, which fixes several
vulnerabilities, I discovered that I could no longer view previous
versions of files or folders.

Checking out the log with log level at 10, I found some error
messages, which indicate access to the snapdir, .zfs/snapshots, is

Error messages:

      acl(ACE_GETACLCNT, /tank/share/.zfs/snapshot): Operation is not supported on the filesystem where the file reside
      smbd_check_access_rights: Could not get acl on /tank/share/.zfs/snapshot: NT_STATUS_NOT_SUPPORTED
      user does not have list permission on snapdir /tank/share/.zfs/snapshot
      access denied on listing snapdir /tank/share/.zfs/snapshot

Possible fix:

Reading the patch at
I see the CVE-2015-5299 fix simply takes the returned status from
smbd_check_access_rights() and only checks if it is OK, and if not,
then fails, also classifying other error statuses as access denied.

Meanwhile, smbd_check_access_rights() in source3/smbd/open.c indeed
returns NT_STATUS_ACCESS_DENIED in some way. I wonder if changing the

    if (!NT_STATUS_IS_OK(status)) {

in check_access_snapdir() in source3/modules/vfs_shadow_copy2.c to

    if (status == NT_STATUS_ACCESS_DENIED) {

would result in more accurate outcomes and avoid other statuses such
as NT_STATUS_NOT_SUPPORTED ending up access denied.

裘佺 (QIU Quan) <jackqq at gmail.com>
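
The two conditions discussed in the message above, modeled as an added example (not Samba code and not part of the original post). Assumptions: NTSTATUS is simplified to a 32-bit integer, the `allow_*` helper names are hypothetical, and `allow_narrow` is an assumed third variant included to show that the proposed comparison also lets unrelated failures such as NT_STATUS_NO_MEMORY through.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for Samba's NTSTATUS (assumption: plain 32-bit code). */
typedef uint32_t NTSTATUS;
#define NT_STATUS_OK            0x00000000u
#define NT_STATUS_NO_MEMORY     0xC0000017u
#define NT_STATUS_ACCESS_DENIED 0xC0000022u
#define NT_STATUS_NOT_SUPPORTED 0xC00000BBu
#define NT_STATUS_IS_OK(s)      ((s) == NT_STATUS_OK)

/* Condition quoted from the 4.1.22 check: any failure denies the listing. */
static bool allow_strict(NTSTATUS s) { return NT_STATUS_IS_OK(s); }

/* Condition proposed in the post: only an explicit denial blocks. */
static bool allow_proposed(NTSTATUS s) { return s != NT_STATUS_ACCESS_DENIED; }

/* Hypothetical narrower variant: tolerate only "ACLs not supported here",
 * keep failing closed on every other error. */
static bool allow_narrow(NTSTATUS s)
{
    return NT_STATUS_IS_OK(s) || s == NT_STATUS_NOT_SUPPORTED;
}

int main(void)
{
    /* Constructed sample statuses, as the access check might return them. */
    static const struct { const char *name; NTSTATUS st; } cases[] = {
        { "NT_STATUS_OK",            NT_STATUS_OK },
        { "NT_STATUS_ACCESS_DENIED", NT_STATUS_ACCESS_DENIED },
        { "NT_STATUS_NOT_SUPPORTED", NT_STATUS_NOT_SUPPORTED },
        { "NT_STATUS_NO_MEMORY",     NT_STATUS_NO_MEMORY },
    };

    printf("%-26s %-8s %-9s %s\n", "status", "strict", "proposed", "narrow");
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        NTSTATUS s = cases[i].st;
        printf("%-26s %-8s %-9s %s\n", cases[i].name,
               allow_strict(s) ? "allow" : "deny",
               allow_proposed(s) ? "allow" : "deny",
               allow_narrow(s) ? "allow" : "deny");
    }
    return 0;
}
```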
