The Samba-Bugzilla – Attachment 11742 Details for
Bug 11647
Access denied if the share path is "/"
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch for v4-3-test cherry-picked from master
bug-11647.v4-3-test.patch (text/plain), 5.71 KB, created by
Michael Adam
on 2015-12-24 00:04:28 UTC
(
hide
)
Description:
Patch for v4-3-test cherry-picked from master
Filename:
MIME Type:
Creator:
Michael Adam
Created:
2015-12-24 00:04:28 UTC
Size:
5.71 KB
patch
obsolete
>From 956916b4315cca5f09f1bd05bfec89cb1e5cf6eb Mon Sep 17 00:00:00 2001 >From: Michael Adam <obnox@samba.org> >Date: Wed, 23 Dec 2015 18:01:23 +0100 >Subject: [PATCH] s3:smbd: fix a corner case of the symlink verification > >Commit 7606c0db257b3f9d84da5b2bf5fbb4034cc8d77d fixes the >path checks in check_reduced_name[_with_privilege]() to >prevent unintended access via wide links. > >The fix fails to correctly treat a corner case where the share >path is "/". This case is important for some real world >scenarios, notably the use of the glusterfs VFS module: > >For the share path "/", the newly introduced checks deny all >operations in the share. > >This change fixes the checks for the corner case. >The point is that the assumptions on which the original >checks are based are not true for the rootdir "/" case. >This is the case where the rootdir starts _and ends_ with >a slash. Hence a subdirectory does not continue with a >slash after the rootdir, since the candidate path has >been normalized. > >This fix just omits the string comparison and the >next character checks in the case of rootdir "/", >which is correct because we know that the candidate >path is normalized and hence starts with a '/'. > >The patch is fairly minimal, but changes indentation, >hence best viewed with 'git show -w'. > >A side effect is that the rootdir="/" case needs >one strncmp less. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11647 > >Pair-Programmed-With: Jose A. Rivera <jarrpa@samba.org> > >Signed-off-by: Michael Adam <obnox@samba.org> >Signed-off-by: Jose A. Rivera <jarrpa@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> > >Autobuild-User(master): Michael Adam <obnox@samba.org> >Autobuild-Date(master): Thu Dec 24 00:57:31 CET 2015 on sn-devel-144 > >(cherry picked from commit ada59ec7b3a5ed0478d11da2fe0c90991d137288) >--- > source3/smbd/vfs.c | 78 +++++++++++++++++++++++++++++++++++++----------------- > 1 file changed, 53 insertions(+), 25 deletions(-) > >diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c >index 27b38d6..1a2ee3d 100644 >--- a/source3/smbd/vfs.c >+++ b/source3/smbd/vfs.c >@@ -982,7 +982,6 @@ NTSTATUS check_reduced_name_with_privilege(connection_struct *conn, > struct smb_filename *smb_fname_cwd = NULL; > struct privilege_paths *priv_paths = NULL; > int ret; >- bool matched; > > DEBUG(3,("check_reduced_name_with_privilege [%s] [%s]\n", > fname, >@@ -1077,18 +1076,32 @@ NTSTATUS check_reduced_name_with_privilege(connection_struct *conn, > } > > rootdir_len = strlen(conn_rootdir); >- matched = (strncmp(conn_rootdir, resolved_name, rootdir_len) == 0); >- >- if (!matched || (resolved_name[rootdir_len] != '/' && >- resolved_name[rootdir_len] != '\0')) { >- DEBUG(2, ("check_reduced_name_with_privilege: Bad access " >- "attempt: %s is a symlink outside the " >- "share path\n", >- dir_name)); >- DEBUGADD(2, ("conn_rootdir =%s\n", conn_rootdir)); >- DEBUGADD(2, ("resolved_name=%s\n", resolved_name)); >- status = NT_STATUS_ACCESS_DENIED; >- goto err; >+ >+ /* >+ * In the case of rootdir_len == 1, we know that conn_rootdir is >+ * "/", and we also know that resolved_name starts with a slash. >+ * So, in this corner case, resolved_name is automatically a >+ * sub-directory of the conn_rootdir. Thus we can skip the string >+ * comparison and the next character checks (which are even >+ * wrong in this case). >+ */ >+ if (rootdir_len != 1) { >+ bool matched; >+ >+ matched = (strncmp(conn_rootdir, resolved_name, >+ rootdir_len) == 0); >+ >+ if (!matched || (resolved_name[rootdir_len] != '/' && >+ resolved_name[rootdir_len] != '\0')) { >+ DEBUG(2, ("check_reduced_name_with_privilege: Bad " >+ "access attempt: %s is a symlink outside the " >+ "share path\n", >+ dir_name)); >+ DEBUGADD(2, ("conn_rootdir =%s\n", conn_rootdir)); >+ DEBUGADD(2, ("resolved_name=%s\n", resolved_name)); >+ status = NT_STATUS_ACCESS_DENIED; >+ goto err; >+ } > } > > /* Now ensure that the last component either doesn't >@@ -1220,7 +1233,6 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname) > if (!allow_widelinks || !allow_symlinks) { > const char *conn_rootdir; > size_t rootdir_len; >- bool matched; > > conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname); > if (conn_rootdir == NULL) { >@@ -1231,17 +1243,33 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname) > } > > rootdir_len = strlen(conn_rootdir); >- matched = (strncmp(conn_rootdir, resolved_name, >- rootdir_len) == 0); >- if (!matched || (resolved_name[rootdir_len] != '/' && >- resolved_name[rootdir_len] != '\0')) { >- DEBUG(2, ("check_reduced_name: Bad access " >- "attempt: %s is a symlink outside the " >- "share path\n", fname)); >- DEBUGADD(2, ("conn_rootdir =%s\n", conn_rootdir)); >- DEBUGADD(2, ("resolved_name=%s\n", resolved_name)); >- SAFE_FREE(resolved_name); >- return NT_STATUS_ACCESS_DENIED; >+ >+ /* >+ * In the case of rootdir_len == 1, we know that >+ * conn_rootdir is "/", and we also know that >+ * resolved_name starts with a slash. So, in this >+ * corner case, resolved_name is automatically a >+ * sub-directory of the conn_rootdir. Thus we can skip >+ * the string comparison and the next character checks >+ * (which are even wrong in this case). >+ */ >+ if (rootdir_len != 1) { >+ bool matched; >+ >+ matched = (strncmp(conn_rootdir, resolved_name, >+ rootdir_len) == 0); >+ if (!matched || (resolved_name[rootdir_len] != '/' && >+ resolved_name[rootdir_len] != '\0')) { >+ DEBUG(2, ("check_reduced_name: Bad access " >+ "attempt: %s is a symlink outside the " >+ "share path\n", fname)); >+ DEBUGADD(2, ("conn_rootdir =%s\n", >+ conn_rootdir)); >+ DEBUGADD(2, ("resolved_name=%s\n", >+ resolved_name)); >+ SAFE_FREE(resolved_name); >+ return NT_STATUS_ACCESS_DENIED; >+ } > } > > /* Extra checks if all symlinks are disallowed. */ >-- >2.5.0 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
obnox
:
review+
jarrpa
:
review+
Actions:
View
Attachments on
bug 11647
: 11742 |
11743
|
11744