[Samba] Fix for CVE-2015-5299 denies access to ZFS snapshots due to overly strict condition checking

Jeremy Allison jra at samba.org
Fri Jan 1 17:19:37 UTC 2016


On Fri, Jan 01, 2016 at 09:38:09PM +0800, QIU Quan wrote:
> OS platform: FreeBSD 10.1-RELEASE-p25
> Filesystem: ZFS
> Samba version: upgraded from 4.1.17 to 4.1.22
> 
> Problem:
> 
> I have been using the shadow_copy2 and zfsacl VFS modules to enable
> access control and the Previous Versions feature for Windows clients.
> With /usr/local/etc/smb4.conf configured this way (excerpt):
> 
>     vfs objects = shadow_copy2 zfsacl
>     shadow:snapdir = .zfs/snapshot
>     shadow:format = GMT-%Y.%m.%d-%H.%M.%S
>     shadow:sort = desc
> 
> After updating the package to 4.1.22, which fixes several
> vulnerabilities, I discovered that I could no longer view previous
> versions of files or folders.
> 
> Checking out the log with log level at 10, I found some error
> messages, which indicate access to the snapdir, .zfs/snapshots, is
> denied.
> 
> Error messages:
> 
>     ../source3/modules/vfs_zfsacl.c:56(zfs_get_nt_acl_common)
>       acl(ACE_GETACLCNT, /tank/share/.zfs/snapshot): Operation is not supported on the filesystem where the file reside
>     ../source3/smbd/open.c:128(smbd_check_access_rights)
>       smbd_check_access_rights: Could not get acl on /tank/share/.zfs/snapshot: NT_STATUS_NOT_SUPPORTED
>     ../source3/modules/vfs_shadow_copy2.c:1170(check_access_snapdir)
>       user does not have list permission on snapdir /tank/share/.zfs/snapshot
>     ../source3/modules/vfs_shadow_copy2.c:1339(shadow_copy2_get_shadow_copy_data)
>       access denied on listing snapdir /tank/share/.zfs/snapshot
> 
> Possible fix:
> 
> Reading the patch at
> https://download.samba.org/pub/samba/patches/security/samba-4.1.21-security-2015-12-16.patch,
> I see the CVE-2015-5299 fix simply takes the returned status from
> smbd_check_access_rights() and only checks if it is OK, and if not,
> then fails, also classifying other error statuses as access denied.
> 
> Meanwhile, smbd_check_access_rights() in source3/smbd/open.c indeed
> returns NT_STATUS_ACCESS_DENIED in some way. I wonder if changing the
> line
> 
>     if (!NT_STATUS_IS_OK(status)) {
> 
> in check_access_snapdir() in source3/modules/vfs_shadow_copy2.c to
> 
>     if (status == NT_STATUS_ACCESS_DENIED) {
> 
> would result in more accurate outcomes and avoid other statuses such
> as NT_STATUS_NOT_SUPPORTED ending up access denied.

Thanks QIU, can you log this as a bug at bugzilla.samba.org
so we can track it?

Thanks,

Jeremy.
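
Added example (not part of the original thread and not Samba code): a stand-alone C model of the two conditions discussed above, showing which statuses each one turns into a denial. The `ST_*` constants are local stand-ins for NTSTATUS codes, and `classify_snapdir_status()` is a hypothetical three-way variant introduced only for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for NTSTATUS codes; no Samba headers are used here. */
typedef uint32_t ntstatus_t;
#define ST_OK            0x00000000u
#define ST_NO_MEMORY     0xC0000017u
#define ST_ACCESS_DENIED 0xC0000022u
#define ST_NOT_SUPPORTED 0xC00000BBu

/* Condition quoted from check_access_snapdir(): any non-OK status denies. */
static bool denies_strict(ntstatus_t s) { return s != ST_OK; }

/* Condition proposed in the post: only ACCESS_DENIED denies. */
static bool denies_proposed(ntstatus_t s) { return s == ST_ACCESS_DENIED; }

/* Hypothetical third option: fail closed by default, but report
 * "no ACL available" separately so the caller can run another check. */
typedef enum { SNAP_ALLOW, SNAP_DENY, SNAP_NO_ACL } snap_verdict;

static snap_verdict classify_snapdir_status(ntstatus_t s)
{
    switch (s) {
    case ST_OK:            return SNAP_ALLOW;
    case ST_NOT_SUPPORTED: return SNAP_NO_ACL;
    default:               return SNAP_DENY;
    }
}

int main(void)
{
    static const struct { const char *name; ntstatus_t s; } cases[] = {
        { "OK", ST_OK }, { "ACCESS_DENIED", ST_ACCESS_DENIED },
        { "NOT_SUPPORTED", ST_NOT_SUPPORTED }, { "NO_MEMORY", ST_NO_MEMORY },
    };
    static const char *verdict[] = { "allow", "deny", "no-acl" };

    printf("%-14s %-7s %-9s %s\n", "status", "strict", "proposed", "three-way");
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        ntstatus_t s = cases[i].s;
        printf("%-14s %-7s %-9s %s\n", cases[i].name,
               denies_strict(s) ? "deny" : "allow",
               denies_proposed(s) ? "deny" : "allow",
               verdict[classify_snapdir_status(s)]);
    }
    return 0;
}
```

Under the proposed condition, NO_MEMORY and any other unexpected failure are treated the same as a successful access check, which is the case to weigh before relaxing the strict test.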


