The Samba-Bugzilla – Attachment 11757 Details for
Bug 11648
[SECURITY] CVE-2015-7560: Getting and setting Windows ACLs on symlinks can change permissions on link target.
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
More complete fix for master.
bug-11648.master (text/plain), 8.87 KB, created by
Jeremy Allison
on 2016-01-05 19:39:31 UTC
(
hide
)
Description:
More complete fix for master.
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2016-01-05 19:39:31 UTC
Size:
8.87 KB
patch
obsolete
>From 197cb133d4caac482b34d7acce8d19922507e4aa Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 5 Jan 2016 11:18:12 -0800 >Subject: [PATCH 1/8] s3: smbd: Add refuse_symlink() function that can be used > to prevent operations on a symlink. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/smbd/trans2.c | 28 ++++++++++++++++++++++++++++ > 1 file changed, 28 insertions(+) > >diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c >index 75be763..4277088 100644 >--- a/source3/smbd/trans2.c >+++ b/source3/smbd/trans2.c >@@ -54,6 +54,34 @@ static char *store_file_unix_basic_info2(connection_struct *conn, > files_struct *fsp, > const SMB_STRUCT_STAT *psbuf); > >+/**************************************************************************** >+ Check if an open file handle or pathname is a symlink. >+****************************************************************************/ >+ >+static NTSTATUS refuse_symlink(connection_struct *conn, >+ const files_struct *fsp, >+ const char *name) >+{ >+ SMB_STRUCT_STAT sbuf; >+ const SMB_STRUCT_STAT *pst = NULL; >+ >+ if (fsp) { >+ pst = &fsp->fsp_name->st; >+ } else { >+ int ret = vfs_stat_smb_basename(conn, >+ name, >+ &sbuf); >+ if (ret == -1) { >+ return map_nt_error_from_unix(errno); >+ } >+ pst = &sbuf; >+ } >+ if (S_ISLNK(pst->st_ex_mode)) { >+ return NT_STATUS_ACCESS_DENIED; >+ } >+ return NT_STATUS_OK; >+} >+ > NTSTATUS check_access_fsp(const struct files_struct *fsp, > uint32_t access_mask) > { >-- >2.6.0.rc2.230.g3dd15c0 > > >From 89a1ae11db1f21c439e9464011320e5025fb7d42 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 5 Jan 2016 10:38:28 -0800 >Subject: [PATCH 2/8] s3: smbd: Refuse to get an ACL from a POSIX file handle > on a symlink. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/smbd/nttrans.c | 7 +++++++ > 1 file changed, 7 insertions(+) > >diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c >index b5fbbfd..2eb02d9 100644 >--- a/source3/smbd/nttrans.c >+++ b/source3/smbd/nttrans.c >@@ -1960,6 +1960,13 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn, > return NT_STATUS_ACCESS_DENIED; > } > >+ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) { >+ DEBUG(10, ("ACL get on symlink %s denied.\n", >+ fsp_str_dbg(fsp))); >+ TALLOC_FREE(frame); >+ return NT_STATUS_ACCESS_DENIED; >+ } >+ > if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER| > SECINFO_GROUP|SECINFO_SACL)) { > /* Don't return SECINFO_LABEL if anything else was >-- >2.6.0.rc2.230.g3dd15c0 > > >From ca87612a4148735fadea33fcfe6884bd51e210cb Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 5 Jan 2016 10:52:50 -0800 >Subject: [PATCH 3/8] s3: smbd: Refuse to set an ACL from a POSIX file handle > on a symlink. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/smbd/nttrans.c | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c >index 2eb02d9..0fb67b2 100644 >--- a/source3/smbd/nttrans.c >+++ b/source3/smbd/nttrans.c >@@ -893,6 +893,12 @@ NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd, > return NT_STATUS_OK; > } > >+ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) { >+ DEBUG(10, ("ACL set on symlink %s denied.\n", >+ fsp_str_dbg(fsp))); >+ return NT_STATUS_ACCESS_DENIED; >+ } >+ > if (psd->owner_sid == NULL) { > security_info_sent &= ~SECINFO_OWNER; > } >-- >2.6.0.rc2.230.g3dd15c0 > > >From 97efa1729861948bea1e26e1918678f059a25fd4 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 5 Jan 2016 11:22:12 -0800 >Subject: [PATCH 4/8] s3: smbd: Refuse to set a POSIX ACL on a symlink. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/smbd/trans2.c | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c >index 4277088..d22a7f2 100644 >--- a/source3/smbd/trans2.c >+++ b/source3/smbd/trans2.c >@@ -6924,6 +6924,7 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn, > uint16_t num_def_acls; > bool valid_file_acls = True; > bool valid_def_acls = True; >+ NTSTATUS status; > > if (total_data < SMB_POSIX_ACL_HEADER_SIZE) { > return NT_STATUS_INVALID_PARAMETER; >@@ -6951,6 +6952,11 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn, > return NT_STATUS_INVALID_PARAMETER; > } > >+ status = refuse_symlink(conn, fsp, smb_fname->base_name); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; >+ } >+ > DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n", > smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp), > (unsigned int)num_file_acls, >-- >2.6.0.rc2.230.g3dd15c0 > > >From 48014d3a8b09106f015b19de11731ed0be53e0f3 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 5 Jan 2016 11:24:36 -0800 >Subject: [PATCH 5/8] s3: smbd: Refuse to get a POSIX ACL on a symlink. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/smbd/trans2.c | 7 +++++++ > 1 file changed, 7 insertions(+) > >diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c >index d22a7f2..e4e5810 100644 >--- a/source3/smbd/trans2.c >+++ b/source3/smbd/trans2.c >@@ -5338,6 +5338,13 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn, > uint16_t num_file_acls = 0; > uint16_t num_def_acls = 0; > >+ status = refuse_symlink(conn, >+ fsp, >+ smb_fname->base_name); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; >+ } >+ > if (fsp && fsp->fh->fd != -1) { > file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp, > talloc_tos()); >-- >2.6.0.rc2.230.g3dd15c0 > > >From 6f02287d60cd19dce9ce3470239c4f55b19b8185 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 5 Jan 2016 11:05:48 -0800 >Subject: [PATCH 6/8] s3: smbd: Set return values early, allows removal of code > duplication. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/smbd/trans2.c | 13 +++++-------- > 1 file changed, 5 insertions(+), 8 deletions(-) > >diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c >index e4e5810..fd05fab 100644 >--- a/source3/smbd/trans2.c >+++ b/source3/smbd/trans2.c >@@ -243,11 +243,12 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn, > size_t num_names; > ssize_t sizeret = -1; > >+ if (pnames) { >+ *pnames = NULL; >+ } >+ *pnum_names = 0; >+ > if (!lp_ea_support(SNUM(conn))) { >- if (pnames) { >- *pnames = NULL; >- } >- *pnum_names = 0; > return NT_STATUS_OK; > } > >@@ -297,10 +298,6 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn, > > if (sizeret == 0) { > TALLOC_FREE(names); >- if (pnames) { >- *pnames = NULL; >- } >- *pnum_names = 0; > return NT_STATUS_OK; > } > >-- >2.6.0.rc2.230.g3dd15c0 > > >From 18bef2454aa54f1631ad099b3e6bfc411af8f73a Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 5 Jan 2016 11:29:38 -0800 >Subject: [PATCH 7/8] s3: smbd: Silently return no EA's available on a symlink. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/smbd/trans2.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > >diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c >index fd05fab..e738d46 100644 >--- a/source3/smbd/trans2.c >+++ b/source3/smbd/trans2.c >@@ -242,6 +242,7 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn, > char **names, **tmp; > size_t num_names; > ssize_t sizeret = -1; >+ NTSTATUS status; > > if (pnames) { > *pnames = NULL; >@@ -252,6 +253,14 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn, > return NT_STATUS_OK; > } > >+ status = refuse_symlink(conn, fsp, fname); >+ if (!NT_STATUS_IS_OK(status)) { >+ /* >+ * Just return no EA's on a symlink. >+ */ >+ return NT_STATUS_OK; >+ } >+ > /* > * TALLOC the result early to get the talloc hierarchy right. > */ >-- >2.6.0.rc2.230.g3dd15c0 > > >From 5649415e5b2db196acf36004463ed40d0d4c75d0 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 5 Jan 2016 11:33:48 -0800 >Subject: [PATCH 8/8] s3: smbd: Refuse to set EA's on a symlink. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/smbd/trans2.c | 5 +++++ > 1 file changed, 5 insertions(+) > >diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c >index e738d46..776a513 100644 >--- a/source3/smbd/trans2.c >+++ b/source3/smbd/trans2.c >@@ -664,6 +664,11 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp, > return NT_STATUS_EAS_NOT_SUPPORTED; > } > >+ status = refuse_symlink(conn, fsp, smb_fname->base_name); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; >+ } >+ > status = check_access(conn, fsp, smb_fname, FILE_WRITE_EA); > if (!NT_STATUS_IS_OK(status)) { > return status; >-- >2.6.0.rc2.230.g3dd15c0 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=11757">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 11648
:
11740
|
11757
|
11760
|
11763
|
11764
|
11768
|
11769
|
11770
|
11773
|
11774
|
11775
|
11776
|
11777
|
11778
|
11779
|
11856
|
11857
|
11858
|
11859
|
11860
|
11861
|
11862
|
11901