From c9bff22b9ff7c43be79064723f210d5f33788dc1 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 12 Oct 2017 15:41:01 +0200 Subject: [PATCH 1/3] s3/smbd: README.Coding fixes in set_ea_dos_attribute While I'm at it, some README.Coding fixes in set_ea_dos_attribute. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12995 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit fbad64200e0199acb644d83073234b2f6c200fce) --- source3/smbd/dosmode.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c index 3181f2e78a9..73112dc9ab0 100644 --- a/source3/smbd/dosmode.c +++ b/source3/smbd/dosmode.c @@ -415,6 +415,7 @@ NTSTATUS set_ea_dos_attribute(connection_struct *conn, struct xattr_DOSATTRIB dosattrib; enum ndr_err_code ndr_err; DATA_BLOB blob; + int ret; if (!lp_store_dos_attributes(SNUM(conn))) { return NT_STATUS_NOT_IMPLEMENTED; @@ -456,14 +457,15 @@ NTSTATUS set_ea_dos_attribute(connection_struct *conn, return NT_STATUS_INVALID_PARAMETER; } - if (SMB_VFS_SETXATTR(conn, smb_fname, - SAMBA_XATTR_DOS_ATTRIB, blob.data, blob.length, - 0) == -1) { + ret = SMB_VFS_SETXATTR(conn, smb_fname, + SAMBA_XATTR_DOS_ATTRIB, + blob.data, blob.length, 0); + if (ret != 0) { NTSTATUS status = NT_STATUS_OK; bool need_close = false; files_struct *fsp = NULL; - if((errno != EPERM) && (errno != EACCES)) { + if ((errno != EPERM) && (errno != EACCES)) { DBG_INFO("Cannot set " "attribute EA on file %s: Error = %s\n", smb_fname_str_dbg(smb_fname), strerror(errno)); @@ -475,7 +477,7 @@ NTSTATUS set_ea_dos_attribute(connection_struct *conn, */ /* Check if we have write access. */ - if(!CAN_WRITE(conn) || !lp_dos_filemode(SNUM(conn))) + if (!CAN_WRITE(conn) || !lp_dos_filemode(SNUM(conn))) return NT_STATUS_ACCESS_DENIED; if (!can_write_to_file(conn, smb_fname)) { 
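Review bot: In the set_ea_dos_attribute hunk at -456,14, `if (ret != 0)` is not equivalent to the `== -1` test it replaces, although the commit is described as README.Coding fixes only. Any non-zero return from SMB_VFS_SETXATTR() now enters the error branch, where `errno` is read immediately to choose between the DBG_INFO path and the permission-override path. A VFS module that returns a non-zero value other than -1 without setting errno would be classified on a stale errno. Either keep `if (ret == -1)` so the change stays purely stylistic, or state the behaviour change in the commit message. The function body starts and ends outside this hunk.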
@@ -496,9 +498,10 @@ NTSTATUS set_ea_dos_attribute(connection_struct *conn, } become_root(); - if (SMB_VFS_FSETXATTR(fsp, - SAMBA_XATTR_DOS_ATTRIB, blob.data, - blob.length, 0) == 0) { + ret = SMB_VFS_FSETXATTR(fsp, + SAMBA_XATTR_DOS_ATTRIB, + blob.data, blob.length, 0); + if (ret == 0) { status = NT_STATUS_OK; } unbecome_root(); -- 2.15.0.rc0.271.g36b669edcc-goog From f9509a9bea6d131d71d07064eab393ecf4e2deab Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 29 Aug 2017 15:55:19 +0200 Subject: [PATCH 2/3] s3/smbd: fix access checks in set_ea_dos_attribute() We wanted to set the DOS attributes and failed with permission denied from the VFS/kernel/filesystem. Next thing we wanna do here is override this if either - "dos filemode = true" is set and the security descriptor gives the user write access or if - the stored security descriptor has FILE_WRITE_ATTRIBUTES The former was working, but the latter was not implemented at all. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12995 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 143d26283dad8422fba557de311c304f0093d647) --- source3/smbd/dosmode.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c index 73112dc9ab0..d7b0a8c9a79 100644 --- a/source3/smbd/dosmode.c +++ b/source3/smbd/dosmode.c @@ -464,6 +464,7 @@ NTSTATUS set_ea_dos_attribute(connection_struct *conn, NTSTATUS status = NT_STATUS_OK; bool need_close = false; files_struct *fsp = NULL; + bool set_dosmode_ok = false; if ((errno != EPERM) && (errno != EACCES)) { DBG_INFO("Cannot set " 
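Review bot: In the hunk at -496,9, the failure case of SMB_VFS_FSETXATTR() is still unhandled after the rewrite: only `ret == 0` assigns `status`, and the hunk shows no else branch or log line. If `status` is already NT_STATUS_OK when this code is reached (its last assignment is outside the hunk, so this is inferred), a failed xattr write made under become_root() would be reported to the caller as success. Adding `} else { status = map_nt_error_from_unix(errno); }` before `unbecome_root()` reports the real error and reads errno before the privilege switch can overwrite it.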
@@ -477,10 +478,21 @@ NTSTATUS set_ea_dos_attribute(connection_struct *conn, */ /* Check if we have write access. */ - if (!CAN_WRITE(conn) || !lp_dos_filemode(SNUM(conn))) + if (!CAN_WRITE(conn)) { return NT_STATUS_ACCESS_DENIED; + } - if (!can_write_to_file(conn, smb_fname)) { + status = smbd_check_access_rights(conn, smb_fname, false, + FILE_WRITE_ATTRIBUTES); + if (NT_STATUS_IS_OK(status)) { + set_dosmode_ok = true; + } + + if (!set_dosmode_ok && lp_dos_filemode(SNUM(conn))) { + set_dosmode_ok = can_write_to_file(conn, smb_fname); + } + + if (!set_dosmode_ok) { return NT_STATUS_ACCESS_DENIED; } -- 2.15.0.rc0.271.g36b669edcc-goog From 5d4e0029dd90c6616c380893a97b4083987db075 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 29 Aug 2017 16:08:06 +0200 Subject: [PATCH 3/3] s3/smbd: use correct access in get_file_handle_for_metadata MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit All we want here is FILE_WRITE_ATTRIBUTES, not FILE_WRITE_DATA. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12995 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Tue Oct 17 11:48:09 CEST 2017 on sn-devel-144 (cherry picked from commit a3cc2fedab37134edd401b88087e20881c4ea18f) --- source3/smbd/dosmode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c index d7b0a8c9a79..8a11c8fd62a 100644 --- a/source3/smbd/dosmode.c +++ b/source3/smbd/dosmode.c @@ -1167,7 +1167,7 @@ static NTSTATUS get_file_handle_for_metadata(connection_struct *conn, NULL, /* req */ 0, /* root_dir_fid */ smb_fname_cp, /* fname */ - FILE_WRITE_DATA, /* access_mask */ + FILE_WRITE_ATTRIBUTES, /* access_mask */ (FILE_SHARE_READ | FILE_SHARE_WRITE | /* share_access */ FILE_SHARE_DELETE), FILE_OPEN, /* create_disposition*/ -- 2.15.0.rc0.271.g36b669edcc-goog
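Review bot: In the hunk at -477,10, `status` is reused for the result of smbd_check_access_rights(), so when that check fails but the `dos filemode` fallback sets `set_dosmode_ok`, `status` still holds the failure code on leaving this block. Whether it is overwritten before the function returns depends on code outside the hunk; a separate local, e.g. `NTSTATUS access_status = smbd_check_access_rights(...)`, would keep the override decision apart from the return value. The existing comment `/* Check if we have write access. */` now describes only the CAN_WRITE() test. A comment above the new checks should state the two override conditions from the commit message: FILE_WRITE_ATTRIBUTES granted by the security descriptor, or `dos filemode` plus write access. That would document when the root-privileged write path is reachable.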
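Review bot: In get_file_handle_for_metadata (hunk at -1167,7), the access mask is what bounds the handle that set_ea_dos_attribute presumably passes to SMB_VFS_FSETXATTR() under become_root(), yet the call site carries no explanation of why the mask is this narrow. A comment above the call such as `/* Metadata-only handle: request FILE_WRITE_ATTRIBUTES, never data access. */` would stop a later edit from widening it again. The create call and the enclosing function continue outside the hunk, so it cannot be seen here whether an open requesting only attribute access still yields a handle with a usable file descriptor for the fd-based xattr call; that is worth confirming with a test that exercises the override path.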