check_reduced_name() with vfs_streams_depot fails if :STREAM/ not in root of samba share
Dave Baukus
daveb at spectralogic.com
Tue Mar 8 16:16:24 UTC 2022
With Samba 4.13.7 on FreeBSD-stable13, I am getting the following errors:
check_reduced_name: Bad access attempt: . is a symlink outside the share path
conn_rootdir =/export/xxxVol/shares
resolved_name=/export/xxxVol/:STREAM/A9/CE/9E142412DEA1E0320600000000000000
Note, there are no symlinks involved.
The above error causes most/all attempts to save a file to the share from MacOS High Sierra to fail.
We are using vfs_streams_depot; the error only occurs when conn_rootdir is not the root of the server's native filesystem (/export/xxxVol/ in this case).
In other words, if the share is mounted at /export/xxxVol then the error does not occur.
One could argue that the :STREAMS is "outside of the share", but there are legitimate reasons for not mounting the share at the root of a filesystem.
Is there a known workaround for this?
Is this a deficiency in module/vfs_streams_depot.c?
A case of "don't do that" and/or misconfiguration on my part?
Or do I need to hack this chunk of smbd/vfs.c:
	/*
	 * In the case of rootdir_len == 1, we know that
	 * conn_rootdir is "/", and we also know that
	 * resolved_name starts with a slash. So, in this
	 * corner case, resolved_name is automatically a
	 * sub-directory of the conn_rootdir. Thus we can skip
	 * the string comparison and the next character checks
	 * (which are even wrong in this case).
	 */
	if (rootdir_len != 1) {
		bool matched;

		matched = (strncmp(conn_rootdir, resolved_name,
				   rootdir_len) == 0);
		if (!matched || (resolved_name[rootdir_len] != '/' &&
				 resolved_name[rootdir_len] != '\0')) {
			DBG_NOTICE("Bad access attempt: %s is a symlink "
				   "outside the "
				   "share path\n"
				   "conn_rootdir =%s\n"
				   "resolved_name=%s\n",
				   fname,
				   conn_rootdir,
				   resolved_name);
			TALLOC_FREE(resolved_fname);
			return NT_STATUS_ACCESS_DENIED;
		}
	}
--
Dave Baukus
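
Added example, not part of the original post and not Samba code: the containment test from the quoted smbd/vfs.c chunk reduced to its string logic, run on the two paths from the log above. The helper name resolved_inside_share() and the "shares-old" path are assumptions made for illustration; the second case shows why the check also looks at the character after the prefix.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not a Samba function). Both arguments are assumed
 * to be absolute paths that have already been resolved (no "..", no
 * symlinks left), as they are at this point in check_reduced_name().
 */
static bool resolved_inside_share(const char *conn_rootdir,
				  const char *resolved_name)
{
	size_t rootdir_len = strlen(conn_rootdir);

	/* conn_rootdir is "/": every absolute path is below it. */
	if (rootdir_len == 1) {
		return true;
	}
	/* resolved_name must start with conn_rootdir ... */
	if (strncmp(conn_rootdir, resolved_name, rootdir_len) != 0) {
		return false;
	}
	/* ... and the match must end on a path component boundary. */
	return resolved_name[rootdir_len] == '/' ||
	       resolved_name[rootdir_len] == '\0';
}

int main(void)
{
	/* Stream path as reported in the post. */
	const char *stream =
		"/export/xxxVol/:STREAM/A9/CE/9E142412DEA1E0320600000000000000";
	/* Constructed path: shares the prefix string, but is a sibling. */
	const char *sibling = "/export/xxxVol/shares-old/file";

	printf("root=/export/xxxVol/shares stream  -> %d\n",
	       resolved_inside_share("/export/xxxVol/shares", stream));
	printf("root=/export/xxxVol/shares sibling -> %d\n",
	       resolved_inside_share("/export/xxxVol/shares", sibling));
	printf("root=/export/xxxVol        stream  -> %d\n",
	       resolved_inside_share("/export/xxxVol", stream));
	return 0;
}
```

The first and third lines reproduce the behaviour described in the post: the depot path fails the test when the share root is /export/xxxVol/shares and passes when it is /export/xxxVol.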