[Samba] Fix for CVE-2015-5299 denies access to ZFS snapshots due to overly strict condition checking

QIU Quan jackqq at gmail.com
Fri Jan 1 13:38:09 UTC 2016


OS platform: FreeBSD 10.1-RELEASE-p25
Filesystem: ZFS
Samba version: upgraded from 4.1.17 to 4.1.22

Problem:

I have been using the shadow_copy2 and zfsacl VFS modules to enable
access control and the Previous Versions feature for Windows clients.
With /usr/local/etc/smb4.conf configured this way (excerpt):

    vfs objects = shadow_copy2 zfsacl
    shadow:snapdir = .zfs/snapshot
    shadow:format = GMT-%Y.%m.%d-%H.%M.%S
    shadow:sort = desc

After updating the package to 4.1.22, which fixes several
vulnerabilities, I discovered that I could no longer view previous
versions of files or folders.

Checking out the log with log level at 10, I found some error
messages, which indicate that access to the snapdir, .zfs/snapshot, is
denied.

Error messages:

    ../source3/modules/vfs_zfsacl.c:56(zfs_get_nt_acl_common)
      acl(ACE_GETACLCNT, /tank/share/.zfs/snapshot): Operation is not supported on the filesystem where the file reside
    ../source3/smbd/open.c:128(smbd_check_access_rights)
      smbd_check_access_rights: Could not get acl on /tank/share/.zfs/snapshot: NT_STATUS_NOT_SUPPORTED
    ../source3/modules/vfs_shadow_copy2.c:1170(check_access_snapdir)
      user does not have list permission on snapdir /tank/share/.zfs/snapshot
    ../source3/modules/vfs_shadow_copy2.c:1339(shadow_copy2_get_shadow_copy_data)
      access denied on listing snapdir /tank/share/.zfs/snapshot

Possible fix:

Reading the patch at
https://download.samba.org/pub/samba/patches/security/samba-4.1.21-security-2015-12-16.patch,
I see the CVE-2015-5299 fix simply takes the returned status from
smbd_check_access_rights() and only checks if it is OK, and if not,
then fails, also classifying other error statuses as access denied.

Meanwhile, smbd_check_access_rights() in source3/smbd/open.c indeed
returns NT_STATUS_ACCESS_DENIED in some way. I wonder if changing the
line

    if (!NT_STATUS_IS_OK(status)) {

in check_access_snapdir() in source3/modules/vfs_shadow_copy2.c to

    if (status == NT_STATUS_ACCESS_DENIED) {

would result in more accurate outcomes and avoid other statuses such
as NT_STATUS_NOT_SUPPORTED ending up as access denied.


-- 
裘佺 (QIU Quan) <jackqq at gmail.com>
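
Added example, not part of the original post and not Samba's code: a stand-alone C model of the two conditions discussed in the message, comparing which statuses each one treats as a denial. The `ST_*` names, the helper functions and the sample status list are assumptions made for illustration; the comparison shows that the narrower test stops denying on every error other than NT_STATUS_ACCESS_DENIED, not only on NT_STATUS_NOT_SUPPORTED.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model only: NTSTATUS reduced to its 32-bit value (not Samba's own type). */
typedef uint32_t ntstatus_t;
#define ST_OK            0x00000000u
#define ST_NO_MEMORY     0xC0000017u
#define ST_ACCESS_DENIED 0xC0000022u
#define ST_NOT_SUPPORTED 0xC00000BBu

/* Condition quoted from the security fix: anything other than OK denies. */
static bool strict_denies(ntstatus_t s) { return s != ST_OK; }

/* Condition proposed in the post: only an explicit ACCESS_DENIED denies. */
static bool proposed_denies(ntstatus_t s) { return s == ST_ACCESS_DENIED; }

struct sample { const char *name; ntstatus_t status; };

/* Constructed list of statuses an access check of this kind could return. */
static const struct sample samples[] = {
    { "NT_STATUS_OK",            ST_OK },
    { "NT_STATUS_ACCESS_DENIED", ST_ACCESS_DENIED },
    { "NT_STATUS_NOT_SUPPORTED", ST_NOT_SUPPORTED },
    { "NT_STATUS_NO_MEMORY",     ST_NO_MEMORY },
};
#define N_SAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Count error statuses that deny under the strict test but not the proposed one. */
static size_t count_fail_open(void)
{
    size_t n = 0;
    for (size_t i = 0; i < N_SAMPLES; i++)
        if (strict_denies(samples[i].status) && !proposed_denies(samples[i].status))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++)
        printf("%-24s strict=%-5s proposed=%s\n", samples[i].name,
               strict_denies(samples[i].status) ? "deny" : "allow",
               proposed_denies(samples[i].status) ? "deny" : "allow");
    printf("error statuses no longer denied: %zu\n", count_fail_open());
    return 0;
}
```
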
