The Samba-Bugzilla – Attachment 17129 Details for
Bug 14911
CVE-2021-44141 [SECURITY] UNIX extensions in SMB1 disclose whether the outside target of a symlink exists
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am fix for master and 4.16
bug-14911-4-16.patch (text/plain), 57.29 KB, created by
Jeremy Allison
on 2022-01-24 17:35:45 UTC
(
hide
)
Description:
git-am fix for master and 4.16
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2022-01-24 17:35:45 UTC
Size:
57.29 KB
patch
obsolete
>From d841151b8d28d589c25d0b39b16620d6701f0a63 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 7 Dec 2021 12:28:54 -0800 >Subject: [PATCH 01/10] CVE-2021-44141: s3: torture: Add > samba3.blackbox.test_symlink_traversal.SMB2. > >Add to knownfail.d/symlink_traversal > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > selftest/knownfail.d/symlink_traversal | 1 + > .../tests/test_symlink_traversal_smb2.sh | 263 ++++++++++++++++++ > source3/selftest/tests.py | 6 + > 3 files changed, 270 insertions(+) > create mode 100644 selftest/knownfail.d/symlink_traversal > create mode 100755 source3/script/tests/test_symlink_traversal_smb2.sh > >diff --git a/selftest/knownfail.d/symlink_traversal b/selftest/knownfail.d/symlink_traversal >new file mode 100644 >index 00000000000..a8ac4bbae1f >--- /dev/null >+++ b/selftest/knownfail.d/symlink_traversal >@@ -0,0 +1 @@ >+^samba3.blackbox.test_symlink_traversal.SMB2.symlink_traversal_SMB2\(fileserver\) >diff --git a/source3/script/tests/test_symlink_traversal_smb2.sh b/source3/script/tests/test_symlink_traversal_smb2.sh >new file mode 100755 >index 00000000000..7e1de6dde1a >--- /dev/null >+++ b/source3/script/tests/test_symlink_traversal_smb2.sh >@@ -0,0 +1,263 @@ >+#!/bin/sh >+ >+if [ $# -lt 7 ]; then >+cat <<EOF >+Usage: test_symlink_traversal_smb2.sh SERVER SERVER_IP USERNAME PASSWORD LOCAL_PATH PREFIX SMBCLIENT >+EOF >+exit 1; >+fi >+ >+SERVER="${1}" >+SERVER_IP="${2}" >+USERNAME="${3}" >+PASSWORD="${4}" >+LOCAL_PATH="${5}" >+PREFIX="${6}" >+SMBCLIENT="${7}" >+SMBCLIENT="$VALGRIND ${SMBCLIENT}" >+shift 6 >+ >+incdir=$(dirname "$0")/../../../testprogs/blackbox >+. "$incdir"/subunit.sh >+ >+failed=0 >+ >+# Do not let deprecated option warnings muck this up >+SAMBA_DEPRECATED_SUPPRESS=1 >+export SAMBA_DEPRECATED_SUPPRESS >+ >+ >+# Define the test environment/filenames. >+# >+share_test_dir="$LOCAL_PATH" >+# >+# These files/directories will be created. >+# >+file_outside_share="/tmp/symlink_traverse_test_file.$$" >+dir_outside_share="/tmp/symlink_traverse_test_dir.$$" >+file_outside_share_noperms="/tmp/symlink_traverse_test_file_noperm.$$" >+dir_outside_share_noperms="/tmp/symlink_traverse_test_dir_noperm.$$" >+# >+# These two objects do not exist. >+# >+file_outside_share_noexist="/tmp/symlink_traverse_test_noexist.$$" >+dir_outside_share_noexist="/tmp/symlink_traverse_test_dir_noexist.$$" >+ >+# >+# Cleanup function. >+# >+do_cleanup() >+{ >+( >+#subshell. >+cd "$share_test_dir" || return >+rm -f "file_exists" >+rm -f "symlink_noexist" >+rm -f "symlink_file_outside_share" >+rm -f "symlink_file_outside_share_noexist" >+rm -f "symlink_dir_outside_share" >+rm -f "symlink_dir_outside_share_noexist" >+rm -f "symlink_file_outside_share_noperms" >+rm -f "symlink_dir_outside_share_noperms" >+rm -rf "emptydir" >+# Links inside share. >+rm -f "symlink_file_inside_share_noperms" >+rm -f "file_inside_share_noperms" >+rm -f "symlink_dir_inside_share_noperms" >+chmod 755 "dir_inside_share_noperms" >+rm -rf "dir_inside_share_noperms" >+) >+rm -f "$file_outside_share" >+rm -rf "$dir_outside_share" >+rm -f "$file_outside_share_noperms" >+rm -rf "$dir_outside_share_noperms" >+} >+ >+# >+# Ensure we start from a clean slate. >+# >+do_cleanup >+ >+# >+# Create the test files/directories/symlinks. >+# >+# File/directory explicitly outside share. >+touch "$file_outside_share" >+mkdir "$dir_outside_share" >+# File/directory explicitly outside share with permission denied. >+touch "$file_outside_share_noperms" >+chmod 0 "$file_outside_share_noperms" >+mkdir "$dir_outside_share_noperms" >+chmod 0 "$dir_outside_share_noperms" >+# >+# Create links to these objects inside the share definition. >+( >+#subshell. >+cd "$share_test_dir" || return >+touch "file_exists" >+ln -s "noexist" "symlink_noexist" >+ln -s "$file_outside_share" "symlink_file_outside_share" >+ln -s "$file_outside_share_noexist" "symlink_file_outside_share_noexist" >+ln -s "$dir_outside_share" "symlink_dir_outside_share" >+ln -s "$dir_outside_share_noexist" "symlink_dir_outside_share_noexist" >+ln -s "$file_outside_share_noperms" "symlink_file_outside_share_noperms" >+ln -s "$dir_outside_share_noperms" "symlink_dir_outside_share_noperms" >+# >+# Create the identical symlink set underneath "emptydir" >+mkdir "emptydir" >+( >+#subshell >+cd "emptydir" || return >+touch "file_exists" >+ln -s "noexist" "symlink_noexist" >+ln -s "$file_outside_share" "symlink_file_outside_share" >+ln -s "$file_outside_share_noexist" "symlink_file_outside_share_noexist" >+ln -s "$dir_outside_share" "symlink_dir_outside_share" >+ln -s "$dir_outside_share_noexist" "symlink_dir_outside_share_noexist" >+ln -s "$file_outside_share_noperms" "symlink_file_outside_share_noperms" >+ln -s "$dir_outside_share_noperms" "symlink_dir_outside_share_noperms" >+) >+# >+# Create symlinks to access denied file and directory >+# objects within the share >+touch "file_inside_share_noperms" >+chmod 0 "file_inside_share_noperms" >+ln -s "file_inside_share_noperms" "symlink_file_inside_share_noperms" >+mkdir "dir_inside_share_noperms" >+touch "dir_inside_share_noperms/noperm_file_exists" >+chmod 0 "dir_inside_share_noperms" >+ln -s "dir_inside_share_noperms" "symlink_dir_inside_share_noperms" >+) >+ >+# >+# smbclient function given command, path, expected error, and posix. >+# >+smbclient_expect_error() >+{ >+ filecmd="$1" >+ filename1="$2" >+ filename2="$3" >+ expected_error="$4" >+ tmpfile=$PREFIX/smbclient_interactive_prompt_commands >+ cat > "$tmpfile" <<EOF >+$filecmd $filename1 $filename2 >+quit >+EOF >+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/local_symlinks -I$SERVER_IP < $tmpfile 2>&1' >+ eval echo "$cmd" >+ out=$(eval "$cmd") >+ ret=$? >+ rm -f "$tmpfile" >+ >+ if [ $ret != 0 ] ; then >+ printf "%s\n" "$out" >+ printf "failed accessing local_symlinks with error %s\n" "$ret" >+ return 1 >+ fi >+ >+ if [ "$expected_error" = "NT_STATUS_OK" ] ; then >+ printf "%s" "$out" | grep -v "NT_STATUS_" >+ else >+ printf "%s" "$out" | grep "$expected_error" >+ fi >+ ret=$? >+ if [ $ret != 0 ] ; then >+ printf "%s\n" "$out" >+ printf "failed - should get %s doing \"%s %s %s\"\n" "$expected_error" "$filecmd" "$filename1" "$filename2" >+ return 1 >+ fi >+} >+ >+# >+# SMB2 tests. >+# >+test_symlink_traversal_SMB2_onename() >+{ >+name="$1" >+do_rename="$2" >+# >+# get commands. >+# >+ smbclient_expect_error "get" "$name" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "get" "$name/noexist" "" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+ smbclient_expect_error "get" "$name/*" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 >+ smbclient_expect_error "get" "$name/*/noexist" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 >+# Now in subdirectory emptydir >+ smbclient_expect_error "get" "emptydir/$name" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "get" "emptydir/$name/noexist" "" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+ smbclient_expect_error "get" "emptydir/$name/*" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 >+ smbclient_expect_error "get" "emptydir/$name/*/noexist" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 >+# >+# ls commands. >+# >+ smbclient_expect_error "ls" "$name" "" "NT_STATUS_NO_SUCH_FILE" || return 1 >+ smbclient_expect_error "ls" "$name/noexist" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "ls" "$name/*" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "ls" "$name/*/noexist" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 >+# Now in subdirectory emptydir >+ smbclient_expect_error "ls" "emptydir/$name" "" "NT_STATUS_NO_SUCH_FILE" || return 1 >+ smbclient_expect_error "ls" "emptydir/$name/noexist" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "ls" "emptydir/$name/*" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "ls" "emptydir/$name/*/noexist" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 >+ >+# >+# del commands. >+# smbclient internally does a cli_list, so we expect similar errors. >+# >+ smbclient_expect_error "del" "$name" "" "NT_STATUS_NO_SUCH_FILE" || return 1 >+ smbclient_expect_error "del" "$name/noexist" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+# Now in subdirectory emptydir >+ smbclient_expect_error "del" "emptydir/$name" "" "NT_STATUS_NO_SUCH_FILE" || return 1 >+ smbclient_expect_error "del" "emptydir/$name/noexist" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ >+ if [ "$do_rename" = "do rename" ] ; then >+# >+# rename commands. >+# >+ smbclient_expect_error "rename" "file_exists" "$name" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "rename" "file_exists" "$name/noexist" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+# Now in subdirectory emptydir >+ smbclient_expect_error "rename" "file_exists" "emptydir/$name" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "rename" "file_exists" "emptydir/$name/noexist" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+ fi >+ return 0 >+} >+ >+# >+# Check error code returns traversing through different >+# kinds of symlinks over SMB2. >+# >+test_symlink_traversal_SMB2() >+{ >+ test_symlink_traversal_SMB2_onename "symlink_noexist" "no rename" || return 1 >+ test_symlink_traversal_SMB2_onename "symlink_file_outside_share" "do rename" || return 1 >+ test_symlink_traversal_SMB2_onename "symlink_dir_outside_share" "do rename" || return 1 >+ test_symlink_traversal_SMB2_onename "symlink_dir_outside_share_noexist" "no rename" || return 1 >+ test_symlink_traversal_SMB2_onename "symlink_file_outside_share_noperms" "do rename" || return 1 >+ test_symlink_traversal_SMB2_onename "symlink_dir_outside_share_noperms" "do rename" || return 1 >+# >+# Test paths within share with no permissions. >+# >+# Can't 'get' file with no perms or a symlink to it. >+ smbclient_expect_error "get" "file_inside_share_noperms" "" "NT_STATUS_ACCESS_DENIED" || return 1 >+ smbclient_expect_error "get" "symlink_file_inside_share_noperms" "" "NT_STATUS_ACCESS_DENIED" || return 1 >+# But can list it and the symlink to it. >+ smbclient_expect_error "ls" "file_inside_share_noperms" "" "NT_STATUS_OK" || return 1 >+ smbclient_expect_error "ls" "symlink_file_inside_share_noperms" "" "NT_STATUS_OK" || return 1 >+# Can't 'get' file inside a directory with no perms or a symlink to it. >+ smbclient_expect_error "get" "dir_inside_share_noperms/noperm_file_exists" "" "NT_STATUS_ACCESS_DENIED" || return 1 >+ smbclient_expect_error "get" "symlink_dir_inside_share_noperms/noperm_file_exists" "" "NT_STATUS_ACCESS_DENIED" || return 1 >+# But can list the directory with no perms and the symlink to it. >+ smbclient_expect_error "ls" "dir_inside_share_noperms" "" "NT_STATUS_OK" || return 1 >+ smbclient_expect_error "ls" "symlink_dir_inside_share_noperms" "" "NT_STATUS_OK" || return 1 >+} >+ >+testit "symlink_traversal_SMB2" \ >+ test_symlink_traversal_SMB2 || \ >+ failed=$((failed+1)) >+ >+# >+# Cleanup. >+do_cleanup >+ >+testok "$0" "$failed" >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 4a09a92bf24..539cbd42e5c 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -579,6 +579,12 @@ for env in ["fileserver"]: > smbclient3, > "-mSMB3"]) > >+ plantestsuite("samba3.blackbox.test_symlink_traversal.SMB2", env, >+ [os.path.join(samba3srcdir, "script/tests/test_symlink_traversal_smb2.sh"), >+ '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$LOCAL_PATH/local_symlinks', >+ '$PREFIX', smbclient3]) >+ >+ > # > # tar command tests > # >-- >2.30.2 > > >From 25ea8e732af9750c1f6984e5302de095d7b69d04 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 7 Dec 2021 12:32:19 -0800 >Subject: [PATCH 02/10] CVE-2021-44141: s3: torture: Add > samba3.blackbox.test_symlink_traversal.SMB1. > >Add to knownfail.d/symlink_traversal. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > selftest/knownfail.d/symlink_traversal | 1 + > .../tests/test_symlink_traversal_smb1.sh | 263 ++++++++++++++++++ > source3/selftest/tests.py | 4 + > 3 files changed, 268 insertions(+) > create mode 100755 source3/script/tests/test_symlink_traversal_smb1.sh > >diff --git a/selftest/knownfail.d/symlink_traversal b/selftest/knownfail.d/symlink_traversal >index a8ac4bbae1f..2a51ff3f91d 100644 >--- a/selftest/knownfail.d/symlink_traversal >+++ b/selftest/knownfail.d/symlink_traversal >@@ -1 +1,2 @@ > ^samba3.blackbox.test_symlink_traversal.SMB2.symlink_traversal_SMB2\(fileserver\) >+^samba3.blackbox.test_symlink_traversal.SMB1.symlink_traversal_SMB1\(fileserver_smb1_done\) >diff --git a/source3/script/tests/test_symlink_traversal_smb1.sh b/source3/script/tests/test_symlink_traversal_smb1.sh >new file mode 100755 >index 00000000000..1deaaccbb54 >--- /dev/null >+++ b/source3/script/tests/test_symlink_traversal_smb1.sh >@@ -0,0 +1,263 @@ >+#!/bin/sh >+ >+if [ $# -lt 7 ]; then >+cat <<EOF >+Usage: test_symlink_traversal_smb1.sh SERVER SERVER_IP USERNAME PASSWORD LOCAL_PATH PREFIX SMBCLIENT >+EOF >+exit 1; >+fi >+ >+SERVER="${1}" >+SERVER_IP="${2}" >+USERNAME="${3}" >+PASSWORD="${4}" >+LOCAL_PATH="${5}" >+PREFIX="${6}" >+SMBCLIENT="${7}" >+SMBCLIENT="$VALGRIND ${SMBCLIENT}" >+shift 6 >+ >+incdir=$(dirname "$0")/../../../testprogs/blackbox >+. "$incdir"/subunit.sh >+ >+failed=0 >+ >+# Do not let deprecated option warnings muck this up >+SAMBA_DEPRECATED_SUPPRESS=1 >+export SAMBA_DEPRECATED_SUPPRESS >+ >+ >+# Define the test environment/filenames. >+# >+share_test_dir="$LOCAL_PATH" >+# >+# These files/directories will be created. >+# >+file_outside_share="/tmp/symlink_traverse_test_file.$$" >+dir_outside_share="/tmp/symlink_traverse_test_dir.$$" >+file_outside_share_noperms="/tmp/symlink_traverse_test_file_noperm.$$" >+dir_outside_share_noperms="/tmp/symlink_traverse_test_dir_noperm.$$" >+# >+# These two objects do not exist. >+# >+file_outside_share_noexist="/tmp/symlink_traverse_test_noexist.$$" >+dir_outside_share_noexist="/tmp/symlink_traverse_test_dir_noexist.$$" >+ >+# >+# Cleanup function. >+# >+do_cleanup() >+{ >+( >+#subshell. >+cd "$share_test_dir" || return >+rm -f "file_exists" >+rm -f "symlink_noexist" >+rm -f "symlink_file_outside_share" >+rm -f "symlink_file_outside_share_noexist" >+rm -f "symlink_dir_outside_share" >+rm -f "symlink_dir_outside_share_noexist" >+rm -f "symlink_file_outside_share_noperms" >+rm -f "symlink_dir_outside_share_noperms" >+rm -rf "emptydir" >+# Links inside share. >+rm -f "symlink_file_inside_share_noperms" >+rm -f "file_inside_share_noperms" >+rm -f "symlink_dir_inside_share_noperms" >+chmod 755 "dir_inside_share_noperms" >+rm -rf "dir_inside_share_noperms" >+) >+rm -f "$file_outside_share" >+rm -rf "$dir_outside_share" >+rm -f "$file_outside_share_noperms" >+rm -rf "$dir_outside_share_noperms" >+} >+ >+# >+# Ensure we start from a clean slate. >+# >+do_cleanup >+ >+# >+# Create the test files/directories/symlinks. >+# >+# File/directory explicitly outside share. >+touch "$file_outside_share" >+mkdir "$dir_outside_share" >+# File/directory explicitly outside share with permission denied. >+touch "$file_outside_share_noperms" >+chmod 0 "$file_outside_share_noperms" >+mkdir "$dir_outside_share_noperms" >+chmod 0 "$dir_outside_share_noperms" >+# >+# Create links to these objects inside the share definition. >+( >+#subshell. >+cd "$share_test_dir" || return >+touch "file_exists" >+ln -s "noexist" "symlink_noexist" >+ln -s "$file_outside_share" "symlink_file_outside_share" >+ln -s "$file_outside_share_noexist" "symlink_file_outside_share_noexist" >+ln -s "$dir_outside_share" "symlink_dir_outside_share" >+ln -s "$dir_outside_share_noexist" "symlink_dir_outside_share_noexist" >+ln -s "$file_outside_share_noperms" "symlink_file_outside_share_noperms" >+ln -s "$dir_outside_share_noperms" "symlink_dir_outside_share_noperms" >+# >+# Create the identical symlink set underneath "emptydir" >+mkdir "emptydir" >+( >+#subshell >+cd "emptydir" || return >+touch "file_exists" >+ln -s "noexist" "symlink_noexist" >+ln -s "$file_outside_share" "symlink_file_outside_share" >+ln -s "$file_outside_share_noexist" "symlink_file_outside_share_noexist" >+ln -s "$dir_outside_share" "symlink_dir_outside_share" >+ln -s "$dir_outside_share_noexist" "symlink_dir_outside_share_noexist" >+ln -s "$file_outside_share_noperms" "symlink_file_outside_share_noperms" >+ln -s "$dir_outside_share_noperms" "symlink_dir_outside_share_noperms" >+) >+# >+# Create symlinks to access denied file and directory >+# objects within the share >+touch "file_inside_share_noperms" >+chmod 0 "file_inside_share_noperms" >+ln -s "file_inside_share_noperms" "symlink_file_inside_share_noperms" >+mkdir "dir_inside_share_noperms" >+touch "dir_inside_share_noperms/noperm_file_exists" >+chmod 0 "dir_inside_share_noperms" >+ln -s "dir_inside_share_noperms" "symlink_dir_inside_share_noperms" >+) >+ >+# >+# smbclient function given command, path, expected error, and posix. >+# >+smbclient_expect_error() >+{ >+ filecmd="$1" >+ filename1="$2" >+ filename2="$3" >+ expected_error="$4" >+ tmpfile=$PREFIX/smbclient_interactive_prompt_commands >+ cat > "$tmpfile" <<EOF >+$filecmd $filename1 $filename2 >+quit >+EOF >+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/local_symlinks -I$SERVER_IP -mNT1 < $tmpfile 2>&1' >+ eval echo "$cmd" >+ out=$(eval "$cmd") >+ ret=$? >+ rm -f "$tmpfile" >+ >+ if [ $ret != 0 ] ; then >+ printf "%s\n" "$out" >+ printf "failed accessing local_symlinks with error %s\n" "$ret" >+ return 1 >+ fi >+ >+ if [ "$expected_error" = "NT_STATUS_OK" ] ; then >+ printf "%s" "$out" | grep -v "NT_STATUS_" >+ else >+ printf "%s" "$out" | grep "$expected_error" >+ fi >+ ret=$? >+ if [ $ret != 0 ] ; then >+ printf "%s\n" "$out" >+ printf "failed - should get %s doing \"%s %s %s\"\n" "$expected_error" "$filecmd" "$filename1" "$filename2" >+ return 1 >+ fi >+} >+ >+# >+# SMB1 tests. >+# >+test_symlink_traversal_SMB1_onename() >+{ >+name="$1" >+do_rename="$2" >+# >+# get commands. >+# >+ smbclient_expect_error "get" "$name" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "get" "$name/noexist" "" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+ smbclient_expect_error "get" "$name/*" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 >+ smbclient_expect_error "get" "$name/*/noexist" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 >+# Now in subdirectory emptydir >+ smbclient_expect_error "get" "emptydir/$name" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "get" "emptydir/$name/noexist" "" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+ smbclient_expect_error "get" "emptydir/$name/*" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 >+ smbclient_expect_error "get" "emptydir/$name/*/noexist" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 >+# >+# ls commands. >+# >+ smbclient_expect_error "ls" "$name" "" "NT_STATUS_NO_SUCH_FILE" || return 1 >+ smbclient_expect_error "ls" "$name/noexist" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "ls" "$name/*" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "ls" "$name/*/noexist" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 >+# Now in subdirectory emptydir >+ smbclient_expect_error "ls" "emptydir/$name" "" "NT_STATUS_NO_SUCH_FILE" || return 1 >+ smbclient_expect_error "ls" "emptydir/$name/noexist" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "ls" "emptydir/$name/*" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "ls" "emptydir/$name/*/noexist" "" "NT_STATUS_OBJECT_NAME_INVALID" || return 1 >+ >+# >+# del commands. >+# smbclient internally does a cli_list, so we expect similar errors. >+# >+ smbclient_expect_error "del" "$name" "" "NT_STATUS_NO_SUCH_FILE" || return 1 >+ smbclient_expect_error "del" "$name/noexist" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+# Now in subdirectory emptydir >+ smbclient_expect_error "del" "emptydir/$name" "" "NT_STATUS_NO_SUCH_FILE" || return 1 >+ smbclient_expect_error "del" "emptydir/$name/noexist" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ >+ if [ "$do_rename" = "do rename" ] ; then >+# >+# rename commands. >+# >+ smbclient_expect_error "rename" "file_exists" "$name" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "rename" "file_exists" "$name/noexist" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+# Now in subdirectory emptydir >+ smbclient_expect_error "rename" "file_exists" "emptydir/$name" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "rename" "file_exists" "emptydir/$name/noexist" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+ fi >+ return 0 >+} >+ >+# >+# Check error code returns traversing through different >+# kinds of symlinks over SMB1. >+# >+test_symlink_traversal_SMB1() >+{ >+ test_symlink_traversal_SMB1_onename "symlink_noexist" "no rename" || return 1 >+ test_symlink_traversal_SMB1_onename "symlink_file_outside_share" "do rename" || return 1 >+ test_symlink_traversal_SMB1_onename "symlink_dir_outside_share" "do rename" || return 1 >+ test_symlink_traversal_SMB1_onename "symlink_dir_outside_share_noexist" "no rename" || return 1 >+ test_symlink_traversal_SMB1_onename "symlink_file_outside_share_noperms" "do rename" || return 1 >+ test_symlink_traversal_SMB1_onename "symlink_dir_outside_share_noperms" "do rename" || return 1 >+# >+# Test paths within share with no permissions. >+# >+# Can't 'get' file with no perms or a symlink to it. >+ smbclient_expect_error "get" "file_inside_share_noperms" "" "NT_STATUS_ACCESS_DENIED" || return 1 >+ smbclient_expect_error "get" "symlink_file_inside_share_noperms" "" "NT_STATUS_ACCESS_DENIED" || return 1 >+# But can list it and the symlink to it. >+ smbclient_expect_error "ls" "file_inside_share_noperms" "" "NT_STATUS_OK" || return 1 >+ smbclient_expect_error "ls" "symlink_file_inside_share_noperms" "" "NT_STATUS_OK" || return 1 >+# Can't 'get' file inside a directory with no perms or a symlink to it. >+ smbclient_expect_error "get" "dir_inside_share_noperms/noperm_file_exists" "" "NT_STATUS_ACCESS_DENIED" || return 1 >+ smbclient_expect_error "get" "symlink_dir_inside_share_noperms/noperm_file_exists" "" "NT_STATUS_ACCESS_DENIED" || return 1 >+# But can list the directory with no perms and the symlink to it. >+ smbclient_expect_error "ls" "dir_inside_share_noperms" "" "NT_STATUS_OK" || return 1 >+ smbclient_expect_error "ls" "symlink_dir_inside_share_noperms" "" "NT_STATUS_OK" || return 1 >+} >+ >+testit "symlink_traversal_SMB1" \ >+ test_symlink_traversal_SMB1 || \ >+ failed=$((failed+1)) >+ >+# >+# Cleanup. >+do_cleanup >+ >+testok "$0" "$failed" >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 539cbd42e5c..a350279c0c4 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -584,6 +584,10 @@ for env in ["fileserver"]: > '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$LOCAL_PATH/local_symlinks', > '$PREFIX', smbclient3]) > >+ plantestsuite("samba3.blackbox.test_symlink_traversal.SMB1", env + "_smb1_done", >+ [os.path.join(samba3srcdir, "script/tests/test_symlink_traversal_smb1.sh"), >+ '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$LOCAL_PATH/local_symlinks', >+ '$PREFIX', smbclient3]) > > # > # tar command tests >-- >2.30.2 > > >From d522943fa6dcd15d75224e0446e6c3a8a94b402d Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 7 Dec 2021 12:34:38 -0800 >Subject: [PATCH 03/10] CVE-2021-44141: s3: torture: Add > samba3.blackbox.test_symlink_traversal.SMB1.posix > >Add to knownfail.d/symlink_traversal. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > selftest/knownfail.d/symlink_traversal | 1 + > .../test_symlink_traversal_smb1_posix.sh | 270 ++++++++++++++++++ > source3/selftest/tests.py | 5 + > 3 files changed, 276 insertions(+) > create mode 100755 source3/script/tests/test_symlink_traversal_smb1_posix.sh > >diff --git a/selftest/knownfail.d/symlink_traversal b/selftest/knownfail.d/symlink_traversal >index 2a51ff3f91d..25a4da8f250 100644 >--- a/selftest/knownfail.d/symlink_traversal >+++ b/selftest/knownfail.d/symlink_traversal >@@ -1,2 +1,3 @@ > ^samba3.blackbox.test_symlink_traversal.SMB2.symlink_traversal_SMB2\(fileserver\) > ^samba3.blackbox.test_symlink_traversal.SMB1.symlink_traversal_SMB1\(fileserver_smb1_done\) >+^samba3.blackbox.test_symlink_traversal.SMB1.posix.symlink_traversal_SMB1_posix\(fileserver_smb1_done\) >diff --git a/source3/script/tests/test_symlink_traversal_smb1_posix.sh b/source3/script/tests/test_symlink_traversal_smb1_posix.sh >new file mode 100755 >index 00000000000..6241434dcf6 >--- /dev/null >+++ b/source3/script/tests/test_symlink_traversal_smb1_posix.sh >@@ -0,0 +1,270 @@ >+#!/bin/sh >+ >+if [ $# -lt 7 ]; then >+cat <<EOF >+Usage: test_symlink_traversal_smb1_posix.sh SERVER SERVER_IP USERNAME PASSWORD LOCAL_PATH PREFIX SMBCLIENT >+EOF >+exit 1; >+fi >+ >+SERVER="${1}" >+SERVER_IP="${2}" >+USERNAME="${3}" >+PASSWORD="${4}" >+LOCAL_PATH="${5}" >+PREFIX="${6}" >+SMBCLIENT="${7}" >+SMBCLIENT="$VALGRIND ${SMBCLIENT}" >+shift 6 >+ >+incdir=$(dirname "$0")/../../../testprogs/blackbox >+. "$incdir"/subunit.sh >+ >+failed=0 >+ >+# Do not let deprecated option warnings muck this up >+SAMBA_DEPRECATED_SUPPRESS=1 >+export SAMBA_DEPRECATED_SUPPRESS >+ >+ >+# Define the test environment/filenames. >+# >+share_test_dir="$LOCAL_PATH" >+# >+# These files/directories will be created. >+# >+file_outside_share="/tmp/symlink_traverse_test_file.$$" >+dir_outside_share="/tmp/symlink_traverse_test_dir.$$" >+file_outside_share_noperms="/tmp/symlink_traverse_test_file_noperm.$$" >+dir_outside_share_noperms="/tmp/symlink_traverse_test_dir_noperm.$$" >+# >+# These two objects do not exist. >+# >+file_outside_share_noexist="/tmp/symlink_traverse_test_noexist.$$" >+dir_outside_share_noexist="/tmp/symlink_traverse_test_dir_noexist.$$" >+ >+# >+# Cleanup function. >+# >+do_cleanup() >+{ >+( >+#subshell. >+cd "$share_test_dir" || return >+rm -f "file_exists" >+rm -f "symlink_noexist" >+rm -f "symlink_file_outside_share" >+rm -f "symlink_file_outside_share_noexist" >+rm -f "symlink_dir_outside_share" >+rm -f "symlink_dir_outside_share_noexist" >+rm -f "symlink_file_outside_share_noperms" >+rm -f "symlink_dir_outside_share_noperms" >+rm -rf "emptydir" >+# Links inside share. >+rm -f "symlink_file_inside_share_noperms" >+rm -f "file_inside_share_noperms" >+rm -f "symlink_dir_inside_share_noperms" >+chmod 755 "dir_inside_share_noperms" >+rm -rf "dir_inside_share_noperms" >+) >+rm -f "$file_outside_share" >+rm -rf "$dir_outside_share" >+rm -f "$file_outside_share_noperms" >+rm -rf "$dir_outside_share_noperms" >+} >+ >+# >+# Ensure we start from a clean slate. >+# >+do_cleanup >+ >+# >+# Create the test files/directories/symlinks. >+# >+# File/directory explicitly outside share. >+touch "$file_outside_share" >+mkdir "$dir_outside_share" >+# File/directory explicitly outside share with permission denied. >+touch "$file_outside_share_noperms" >+chmod 0 "$file_outside_share_noperms" >+mkdir "$dir_outside_share_noperms" >+chmod 0 "$dir_outside_share_noperms" >+# >+# Create links to these objects inside the share definition. >+( >+#subshell. >+cd "$share_test_dir" || return >+touch "file_exists" >+ln -s "noexist" "symlink_noexist" >+ln -s "$file_outside_share" "symlink_file_outside_share" >+ln -s "$file_outside_share_noexist" "symlink_file_outside_share_noexist" >+ln -s "$dir_outside_share" "symlink_dir_outside_share" >+ln -s "$dir_outside_share_noexist" "symlink_dir_outside_share_noexist" >+ln -s "$file_outside_share_noperms" "symlink_file_outside_share_noperms" >+ln -s "$dir_outside_share_noperms" "symlink_dir_outside_share_noperms" >+# >+# Create the identical symlink set underneath "emptydir" >+mkdir "emptydir" >+( >+#subshell >+cd "emptydir" || return >+touch "file_exists" >+ln -s "noexist" "symlink_noexist" >+ln -s "$file_outside_share" "symlink_file_outside_share" >+ln -s "$file_outside_share_noexist" "symlink_file_outside_share_noexist" >+ln -s "$dir_outside_share" "symlink_dir_outside_share" >+ln -s "$dir_outside_share_noexist" "symlink_dir_outside_share_noexist" >+ln -s "$file_outside_share_noperms" "symlink_file_outside_share_noperms" >+ln -s "$dir_outside_share_noperms" "symlink_dir_outside_share_noperms" >+) >+# >+# Create symlinks to access denied file and directory >+# objects within the share >+touch "file_inside_share_noperms" >+chmod 0 "file_inside_share_noperms" >+ln -s "file_inside_share_noperms" "symlink_file_inside_share_noperms" >+mkdir "dir_inside_share_noperms" >+touch "dir_inside_share_noperms/noperm_file_exists" >+chmod 0 "dir_inside_share_noperms" >+ln -s "dir_inside_share_noperms" "symlink_dir_inside_share_noperms" >+) >+ >+# >+# smbclient function given command, path, expected error, and posix. >+# >+smbclient_expect_error() >+{ >+ filecmd="$1" >+ filename1="$2" >+ filename2="$3" >+ expected_error="$4" >+ tmpfile=$PREFIX/smbclient_interactive_prompt_commands >+ cat > "$tmpfile" <<EOF >+posix >+$filecmd $filename1 $filename2 >+quit >+EOF >+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/local_symlinks -I$SERVER_IP -mNT1 < $tmpfile 2>&1' >+ eval echo "$cmd" >+ out=$(eval "$cmd") >+ ret=$? >+ rm -f "$tmpfile" >+ >+ if [ $ret != 0 ] ; then >+ printf "%s\n" "$out" >+ printf "failed accessing local_symlinks with error %s\n" "$ret" >+ return 1 >+ fi >+ >+ if [ "$expected_error" = "NT_STATUS_OK" ] ; then >+ printf "%s" "$out" | grep -v "NT_STATUS_" >+ else >+ printf "%s" "$out" | grep "$expected_error" >+ fi >+ ret=$? >+ if [ $ret != 0 ] ; then >+ printf "%s\n" "$out" >+ printf "failed - should get %s doing posix \"%s %s %s\"\n" "$expected_error" "$filecmd" "$filename1" "$filename2" >+ return 1 >+ fi >+} >+ >+# >+# SMB1+posix tests. >+# >+test_symlink_traversal_SMB1_posix_onename() >+{ >+name="$1" >+do_rename="$2" >+# >+# get commands. >+# >+# Remember in SMB1+POSIX, "*" is a perfectly valid pathname component, >+# and symlinks can be seen, but not necessarily followed. >+# >+ smbclient_expect_error "get" "$name" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "get" "$name/noexist" "" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+ smbclient_expect_error "get" "$name/*" "" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+ smbclient_expect_error "get" "$name/*/noexist" "" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+# Now in subdirectory emptydir >+ smbclient_expect_error "get" "emptydir/$name" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+ smbclient_expect_error "get" "emptydir/$name/noexist" "" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+ smbclient_expect_error "get" "emptydir/$name/*" "" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+ smbclient_expect_error "get" "emptydir/$name/*/noexist" "" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+# >+# ls commands. >+# >+ smbclient_expect_error "ls" "$name" "" "NT_STATUS_OK" || return 1 >+ smbclient_expect_error "ls" "$name/noexist" "" "NT_STATUS_NOT_A_DIRECTORY" || return 1 >+ smbclient_expect_error "ls" "$name/*" "" "NT_STATUS_NOT_A_DIRECTORY" || return 1 >+ smbclient_expect_error "ls" "$name/*/noexist" "" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+# Now in subdirectory emptydir >+ smbclient_expect_error "ls" "emptydir/$name" "" "NT_STATUS_OK" || return 1 >+ smbclient_expect_error "ls" "emptydir/$name/noexist" "" "NT_STATUS_NOT_A_DIRECTORY" || return 1 >+ smbclient_expect_error "ls" "emptydir/$name/*" "" "NT_STATUS_NOT_A_DIRECTORY" || return 1 >+ smbclient_expect_error "ls" "emptydir/$name/*/noexist" "" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+# >+# SMB1+POSIX stat commands. All symlinks can be stat'ed. >+# >+ smbclient_expect_error "stat" "$name" "" "NT_STATUS_OK" || return 1 >+ smbclient_expect_error "stat" "emptydir/$name" "" "NT_STATUS_OK" || return 1 >+# >+# del commands. Under SMB1+POSIX we can legitimately delete symlinks, so don't >+# try and delete symlink targets, we need them for the later tests. >+# >+ smbclient_expect_error "del" "$name/noexist" "" "NT_STATUS_NOT_A_DIRECTORY" || return 1 >+# Now in subdirectory emptydir >+ smbclient_expect_error "del" "emptydir/$name/noexist" "" "NT_STATUS_NOT_A_DIRECTORY" || return 1 >+ >+ if [ "$do_rename" = "do rename" ] ; then >+# >+# rename commands. Under SMB1+POSIX we can legitimately rename symlinks, so don't >+# try and rename symlink targets, we need them for the later tests. >+# >+ smbclient_expect_error "rename" "file_exists" "$name/noexist" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+# Now in subdirectory emptydir >+ smbclient_expect_error "rename" "file_exists" "emptydir/$name/noexist" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+ fi >+ return 0 >+} >+ >+# >+# Check error code returns traversing through different >+# kinds of symlinks over SMB1+posix. >+# >+test_symlink_traversal_SMB1_posix() >+{ >+ test_symlink_traversal_SMB1_posix_onename "symlink_noexist" "no rename" || return 1 >+ test_symlink_traversal_SMB1_posix_onename "symlink_file_outside_share" "do rename" || return 1 >+ test_symlink_traversal_SMB1_posix_onename "symlink_dir_outside_share" "do rename" || return 1 >+ test_symlink_traversal_SMB1_posix_onename "symlink_dir_outside_share_noexist" "no rename" || return 1 >+ test_symlink_traversal_SMB1_posix_onename "symlink_file_outside_share_noperms" "do rename" || return 1 >+ test_symlink_traversal_SMB1_posix_onename "symlink_dir_outside_share_noperms" "do rename" || return 1 >+# >+# Test paths within share with no permissions. >+# >+# Can't 'get' file with no perms. >+ smbclient_expect_error "get" "file_inside_share_noperms" "" "NT_STATUS_ACCESS_DENIED" || return 1 >+# In SMB1+POSIX you can't "get" a symlink at all. >+ smbclient_expect_error "get" "symlink_file_inside_share_noperms" "" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 >+# But can list it and the symlink to it. >+ smbclient_expect_error "ls" "file_inside_share_noperms" "" "NT_STATUS_OK" || return 1 >+ smbclient_expect_error "ls" "symlink_file_inside_share_noperms" "" "NT_STATUS_OK" || return 1 >+# Can't 'get' file inside a directory with no perms. >+ smbclient_expect_error "get" "dir_inside_share_noperms/noperm_file_exists" "" "NT_STATUS_ACCESS_DENIED" || return 1 >+# In SMB1+POSIX you can't traverse through a symlink that points to a noperm directory. >+ smbclient_expect_error "get" "symlink_dir_inside_share_noperms/noperm_file_exists" "" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 >+# But can list the directory with no perms and the symlink to it. >+ smbclient_expect_error "ls" "dir_inside_share_noperms" "" "NT_STATUS_OK" || return 1 >+ smbclient_expect_error "ls" "symlink_dir_inside_share_noperms" "" "NT_STATUS_OK" || return 1 >+} >+ >+testit "symlink_traversal_SMB1_posix" \ >+ test_symlink_traversal_SMB1_posix || \ >+ failed=$((failed+1)) >+ >+# >+# Cleanup. >+do_cleanup >+ >+testok "$0" "$failed" >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index a350279c0c4..c685c09a3dc 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -589,6 +589,11 @@ for env in ["fileserver"]: > '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$LOCAL_PATH/local_symlinks', > '$PREFIX', smbclient3]) > >+ plantestsuite("samba3.blackbox.test_symlink_traversal.SMB1.posix", env + "_smb1_done", >+ [os.path.join(samba3srcdir, "script/tests/test_symlink_traversal_smb1_posix.sh"), >+ '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$LOCAL_PATH/local_symlinks', >+ '$PREFIX', smbclient3]) >+ > # > # tar command tests > # >-- >2.30.2 > > >From 4862cea628c1ef7eb4f9e2da2dc71dcc07964905 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 7 Dec 2021 12:56:51 -0800 >Subject: [PATCH 04/10] CVE-2021-44141: s3: torture: In test_smbclient_s3, > change the error codes expected for test_widelinks() and test_nosymlinks() > from ACCESS_DENIED to NT_STATUS_OBJECT_NAME_NOT_FOUND. > >For SMB1/2/3 (minus posix) we need to treat bad symlinks >as though they don't exist. > >Add to knwownfail.d/symlink_traversal > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > selftest/knownfail.d/symlink_traversal | 2 ++ > selftest/target/Samba3.pm | 2 +- > source3/script/tests/test_smbclient_s3.sh | 10 +++++----- > 3 files changed, 8 insertions(+), 6 deletions(-) > >diff --git a/selftest/knownfail.d/symlink_traversal b/selftest/knownfail.d/symlink_traversal >index 25a4da8f250..840ab38b0f9 100644 >--- a/selftest/knownfail.d/symlink_traversal >+++ b/selftest/knownfail.d/symlink_traversal >@@ -1,3 +1,5 @@ > ^samba3.blackbox.test_symlink_traversal.SMB2.symlink_traversal_SMB2\(fileserver\) > ^samba3.blackbox.test_symlink_traversal.SMB1.symlink_traversal_SMB1\(fileserver_smb1_done\) > ^samba3.blackbox.test_symlink_traversal.SMB1.posix.symlink_traversal_SMB1_posix\(fileserver_smb1_done\) >+^samba3.blackbox.smbclient_s3.*.Ensure\ widelinks\ are\ restricted\(.*\) >+^samba3.blackbox.smbclient_s3.*.follow\ symlinks\ \=\ no\(.*\) >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index 83941a85e15..7bb007c959d 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -2537,7 +2537,7 @@ sub provision($$) > create_file_chmod("$widelinks_target", 0666) or return undef; > > ## >- ## This link should get ACCESS_DENIED >+ ## This link should get an error > ## > symlink "$widelinks_target", "$widelinks_shrdir/source"; > ## >diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh >index 89a17656159..e250d4dd106 100755 >--- a/source3/script/tests/test_smbclient_s3.sh >+++ b/source3/script/tests/test_smbclient_s3.sh >@@ -1044,12 +1044,12 @@ EOF > return 1 > fi > >-# This should fail with NT_STATUS_ACCESS_DENIED >- echo "$out" | grep 'NT_STATUS_ACCESS_DENIED' >+# This should fail with NT_STATUS_OBJECT_NAME_NOT_FOUND >+ echo "$out" | grep 'NT_STATUS_OBJECT_NAME_NOT_FOUND' > ret=$? > if [ $ret != 0 ] ; then > echo "$out" >- echo "failed - should get NT_STATUS_ACCESS_DENIED listing \\widelinks_share\\source" >+ echo "failed - should get NT_STATUS_OBJECT_NAME_NOT_FOUND listing \\widelinks_share\\source" > return 1 > fi > } >@@ -1168,11 +1168,11 @@ EOF > return 1 > fi > >- echo "$out" | grep 'NT_STATUS_ACCESS_DENIED' >+ echo "$out" | grep 'NT_STATUS_OBJECT_NAME_NOT_FOUND' > ret=$? > if [ $ret -ne 0 ] ; then > echo "$out" >- echo "failed - should get NT_STATUS_ACCESS_DENIED getting \\nosymlinks\\source" >+ echo "failed - should get NT_STATUS_OBJECT_NAME_NOT_FOUND getting \\nosymlinks\\source" > return 1 > fi > >-- >2.30.2 > > >From 84632a84dc740ea9d1ff53d38758f4668a43279a Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 7 Dec 2021 17:56:35 -0800 >Subject: [PATCH 05/10] CVE-2021-44141: s3: torture: Change expected error > return for samba3.smbtorture_s3.plain.POSIX.smbtorture. > >Trying to open a symlink as a terminal component should return >NT_STATUS_OBJECT_NAME_NOT_FOUND, not NT_STATUS_OBJECT_PATH_NOT_FOUND. > >Mark as knownfail.d/simple_posix_open until we fix the server. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > selftest/knownfail.d/simple_posix_open | 1 + > source3/torture/torture.c | 4 ++-- > 2 files changed, 3 insertions(+), 2 deletions(-) > create mode 100644 selftest/knownfail.d/simple_posix_open > >diff --git a/selftest/knownfail.d/simple_posix_open b/selftest/knownfail.d/simple_posix_open >new file mode 100644 >index 00000000000..5fcbdbdc2c6 >--- /dev/null >+++ b/selftest/knownfail.d/simple_posix_open >@@ -0,0 +1 @@ >+^samba3.smbtorture_s3.plain.POSIX.smbtorture\(.*\) >diff --git a/source3/torture/torture.c b/source3/torture/torture.c >index f356fe86555..c1ee78cdac4 100644 >--- a/source3/torture/torture.c >+++ b/source3/torture/torture.c >@@ -8028,9 +8028,9 @@ static bool run_simple_posix_open_test(int dummy) > goto out; > } else { > if (!check_both_error(__LINE__, status, ERRDOS, ERRbadpath, >- NT_STATUS_OBJECT_PATH_NOT_FOUND)) { >+ NT_STATUS_OBJECT_NAME_NOT_FOUND)) { > printf("POSIX open of %s should have failed " >- "with NT_STATUS_OBJECT_PATH_NOT_FOUND, " >+ "with NT_STATUS_OBJECT_NAME_NOT_FOUND, " > "failed with %s instead.\n", > sname, nt_errstr(status)); > goto out; >-- >2.30.2 > > >From d635c7eefc77e9be7797edd05539a6eeef20ccd8 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 7 Dec 2021 11:44:09 -0800 >Subject: [PATCH 06/10] CVE-2021-44141: s3: smbd: For SMB1+POSIX clients trying > to open a symlink, always return NT_STATUS_OBJECT_NAME_NOT_FOUND. > >Matches the error return from openat_pathref_fsp(). > >NT_STATUS_OBJECT_PATH_NOT_FOUND is for a bad component in a path, not >a bad terminal symlink. > >Remove knownfail.d/simple_posix_open, we now pass. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > selftest/knownfail.d/simple_posix_open | 1 - > source3/smbd/open.c | 13 ++++++------- > 2 files changed, 6 insertions(+), 8 deletions(-) > delete mode 100644 selftest/knownfail.d/simple_posix_open > >diff --git a/selftest/knownfail.d/simple_posix_open b/selftest/knownfail.d/simple_posix_open >deleted file mode 100644 >index 5fcbdbdc2c6..00000000000 >--- a/selftest/knownfail.d/simple_posix_open >+++ /dev/null >@@ -1 +0,0 @@ >-^samba3.smbtorture_s3.plain.POSIX.smbtorture\(.*\) >diff --git a/source3/smbd/open.c b/source3/smbd/open.c >index cf5c620fe21..0427b0cef9d 100644 >--- a/source3/smbd/open.c >+++ b/source3/smbd/open.c >@@ -1443,12 +1443,10 @@ static NTSTATUS open_file(files_struct *fsp, > * POSIX client that hit a symlink. We don't want to > * return NT_STATUS_STOPPED_ON_SYMLINK to avoid handling > * this special error code in all callers, so we map >- * this to NT_STATUS_OBJECT_PATH_NOT_FOUND. Historically >- * the lower level functions returned status code mapped >- * from errno by map_nt_error_from_unix() where ELOOP is >- * mapped to NT_STATUS_OBJECT_PATH_NOT_FOUND. >+ * this to NT_STATUS_OBJECT_NAME_NOT_FOUND to match >+ * openat_pathref_fsp(). > */ >- status = NT_STATUS_OBJECT_PATH_NOT_FOUND; >+ status = NT_STATUS_OBJECT_NAME_NOT_FOUND; > } > if (!NT_STATUS_IS_OK(status)) { > DEBUG(3,("Error opening file %s (%s) (local_flags=%d) " >@@ -1531,9 +1529,10 @@ static NTSTATUS open_file(files_struct *fsp, > { > /* > * Don't allow stat opens on symlinks directly unless >- * it's a POSIX open. >+ * it's a POSIX open. Match the return code from >+ * openat_pathref_fsp(). > */ >- return NT_STATUS_OBJECT_PATH_NOT_FOUND; >+ return NT_STATUS_OBJECT_NAME_NOT_FOUND; > } > > if (!fsp->fsp_flags.is_pathref) { >-- >2.30.2 > > >From ca0e1052761e2bd695ccdc44fd84eb0a246a0ca1 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 7 Dec 2021 14:33:17 -0800 >Subject: [PATCH 07/10] CVE-2021-44141: s3: smbd: Inside check_reduced_name() > ensure we return the correct error codes when failing symlinks. > >NT_STATUS_OBJECT_PATH_NOT_FOUND for a path component failure. >NT_STATUS_OBJECT_NAME_NOT_FOUND for a terminal component failure. > >Remove: > > samba3.blackbox.test_symlink_traversal.SMB1.posix > samba3.blackbox.smbclient_s3.*.Ensure\ widelinks\ are\ restricted\(.*\) > samba3.blackbox.smbclient_s3.*.follow\ symlinks\ \=\ no\(.*\) > >in knownfail.d/symlink_traversal as we now pass these. Only one more fix >remaining to get rid of knownfail.d/symlink_traversal completely. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > selftest/knownfail.d/symlink_traversal | 3 --- > source3/smbd/vfs.c | 18 ++++++++++++++++-- > 2 files changed, 16 insertions(+), 5 deletions(-) > >diff --git a/selftest/knownfail.d/symlink_traversal b/selftest/knownfail.d/symlink_traversal >index 840ab38b0f9..2a51ff3f91d 100644 >--- a/selftest/knownfail.d/symlink_traversal >+++ b/selftest/knownfail.d/symlink_traversal >@@ -1,5 +1,2 @@ > ^samba3.blackbox.test_symlink_traversal.SMB2.symlink_traversal_SMB2\(fileserver\) > ^samba3.blackbox.test_symlink_traversal.SMB1.symlink_traversal_SMB1\(fileserver_smb1_done\) >-^samba3.blackbox.test_symlink_traversal.SMB1.posix.symlink_traversal_SMB1_posix\(fileserver_smb1_done\) >-^samba3.blackbox.smbclient_s3.*.Ensure\ widelinks\ are\ restricted\(.*\) >-^samba3.blackbox.smbclient_s3.*.follow\ symlinks\ \=\ no\(.*\) >diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c >index 9bc528837d7..cd412a3d57a 100644 >--- a/source3/smbd/vfs.c >+++ b/source3/smbd/vfs.c >@@ -1146,6 +1146,7 @@ NTSTATUS check_reduced_name(connection_struct *conn, > bool allow_symlinks = true; > const char *conn_rootdir; > size_t rootdir_len; >+ bool parent_dir_checked = false; > > DBG_DEBUG("check_reduced_name [%s] [%s]\n", fname, conn->connectpath); > >@@ -1207,6 +1208,7 @@ NTSTATUS check_reduced_name(connection_struct *conn, > if (resolved_name == NULL) { > return NT_STATUS_NO_MEMORY; > } >+ parent_dir_checked = true; > } else { > resolved_name = resolved_fname->base_name; > } >@@ -1256,7 +1258,13 @@ NTSTATUS check_reduced_name(connection_struct *conn, > conn_rootdir, > resolved_name); > TALLOC_FREE(resolved_fname); >- return NT_STATUS_ACCESS_DENIED; >+ if (parent_dir_checked) { >+ /* Part of a component path. */ >+ return NT_STATUS_OBJECT_PATH_NOT_FOUND; >+ } else { >+ /* End of a path. */ >+ return NT_STATUS_OBJECT_NAME_NOT_FOUND; >+ } > } > } > >@@ -1311,7 +1319,13 @@ NTSTATUS check_reduced_name(connection_struct *conn, > p); > TALLOC_FREE(resolved_fname); > TALLOC_FREE(new_fname); >- return NT_STATUS_ACCESS_DENIED; >+ if (parent_dir_checked) { >+ /* Part of a component path. */ >+ return NT_STATUS_OBJECT_PATH_NOT_FOUND; >+ } else { >+ /* End of a path. */ >+ return NT_STATUS_OBJECT_NAME_NOT_FOUND; >+ } > } > } > >-- >2.30.2 > > >From 3389357367c4f9aa25e5777197911d0152528d1f Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 7 Dec 2021 14:39:42 -0800 >Subject: [PATCH 08/10] CVE-2021-44141: s3: smbd: Fix a subtle bug in the error > returns from filename_convert(). > >If filename_convert() fails to convert the path, we never call >check_name(). This means we can return an incorrect error code >(NT_STATUS_ACCESS_DENIED) if we ran into a symlink that points >outside the share to a non-readable directory. We need to make >sure in this case we always call check_name(). > >Remove knownfail.d/symlink_traversal. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > selftest/knownfail.d/symlink_traversal | 2 -- > source3/smbd/filename.c | 36 ++++++++++++++++++++++++++ > 2 files changed, 36 insertions(+), 2 deletions(-) > delete mode 100644 selftest/knownfail.d/symlink_traversal > >diff --git a/selftest/knownfail.d/symlink_traversal b/selftest/knownfail.d/symlink_traversal >deleted file mode 100644 >index 2a51ff3f91d..00000000000 >--- a/selftest/knownfail.d/symlink_traversal >+++ /dev/null >@@ -1,2 +0,0 @@ >-^samba3.blackbox.test_symlink_traversal.SMB2.symlink_traversal_SMB2\(fileserver\) >-^samba3.blackbox.test_symlink_traversal.SMB1.symlink_traversal_SMB1\(fileserver_smb1_done\) >diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c >index 53c58d6e80a..ef382b43bd6 100644 >--- a/source3/smbd/filename.c >+++ b/source3/smbd/filename.c >@@ -36,6 +36,9 @@ static int get_real_filename(connection_struct *conn, > TALLOC_CTX *mem_ctx, > char **found_name); > >+static NTSTATUS check_name(connection_struct *conn, >+ const struct smb_filename *smb_fname); >+ > uint32_t ucf_flags_from_smb_request(struct smb_request *req) > { > uint32_t ucf_flags = 0; >@@ -542,6 +545,39 @@ static NTSTATUS unix_convert_step_search_fail(struct uc_state *state) > > if (errno == EACCES) { > if ((state->ucf_flags & UCF_PREP_CREATEFILE) == 0) { >+ /* >+ * Could be a symlink pointing to >+ * a directory outside the share >+ * to which we don't have access. >+ * If so, we need to know that here >+ * so we can return the correct error code. >+ * check_name() is never called if we >+ * error out of filename_convert(). >+ */ >+ int ret; >+ NTSTATUS status; >+ struct smb_filename dname = (struct smb_filename) { >+ .base_name = state->dirpath, >+ .twrp = state->smb_fname->twrp, >+ }; >+ >+ /* handle null paths */ >+ if ((dname.base_name == NULL) || >+ (dname.base_name[0] == '\0')) { >+ return NT_STATUS_ACCESS_DENIED; >+ } >+ ret = SMB_VFS_LSTAT(state->conn, &dname); >+ if (ret != 0) { >+ return NT_STATUS_ACCESS_DENIED; >+ } >+ if (!S_ISLNK(dname.st.st_ex_mode)) { >+ return NT_STATUS_ACCESS_DENIED; >+ } >+ status = check_name(state->conn, &dname); >+ if (!NT_STATUS_IS_OK(status)) { >+ /* We know this is an intermediate path. */ >+ return NT_STATUS_OBJECT_PATH_NOT_FOUND; >+ } > return NT_STATUS_ACCESS_DENIED; > } else { > /* >-- >2.30.2 > > >From b8438ed9e3a99444f1a1c3c5db6437eb0bafed36 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 7 Dec 2021 22:15:46 -0800 >Subject: [PATCH 09/10] CVE-2021-44141: s3: torture: Add a test > samba3.blackbox.test_symlink_rename.SMB1.posix that shows we still leak > target info across a SMB1+POSIX rename. > >Add a knownfail.d/posix_sylink_rename > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > selftest/knownfail.d/posix_sylink_rename | 1 + > .../tests/test_symlink_rename_smb1_posix.sh | 186 ++++++++++++++++++ > source3/selftest/tests.py | 5 + > 3 files changed, 192 insertions(+) > create mode 100644 selftest/knownfail.d/posix_sylink_rename > create mode 100755 source3/script/tests/test_symlink_rename_smb1_posix.sh > >diff --git a/selftest/knownfail.d/posix_sylink_rename b/selftest/knownfail.d/posix_sylink_rename >new file mode 100644 >index 00000000000..9c3cc0a41ba >--- /dev/null >+++ b/selftest/knownfail.d/posix_sylink_rename >@@ -0,0 +1 @@ >+^samba3.blackbox.test_symlink_rename.SMB1.posix.symlink_rename_SMB1_posix\(fileserver_smb1_done\) >diff --git a/source3/script/tests/test_symlink_rename_smb1_posix.sh b/source3/script/tests/test_symlink_rename_smb1_posix.sh >new file mode 100755 >index 00000000000..7d2e0037b8d >--- /dev/null >+++ b/source3/script/tests/test_symlink_rename_smb1_posix.sh >@@ -0,0 +1,186 @@ >+#!/bin/sh >+ >+if [ $# -lt 7 ]; then >+cat <<EOF >+Usage: test_symlink_rename_smb1_posix.sh SERVER SERVER_IP USERNAME PASSWORD LOCAL_PATH PREFIX SMBCLIENT >+EOF >+exit 1; >+fi >+ >+SERVER="${1}" >+SERVER_IP="${2}" >+USERNAME="${3}" >+PASSWORD="${4}" >+LOCAL_PATH="${5}" >+PREFIX="${6}" >+SMBCLIENT="${7}" >+SMBCLIENT="$VALGRIND ${SMBCLIENT}" >+shift 6 >+ >+incdir=$(dirname "$0")/../../../testprogs/blackbox >+. "$incdir"/subunit.sh >+ >+failed=0 >+ >+# Do not let deprecated option warnings muck this up >+SAMBA_DEPRECATED_SUPPRESS=1 >+export SAMBA_DEPRECATED_SUPPRESS >+ >+ >+# Define the test environment/filenames. >+# >+share_test_dir="$LOCAL_PATH" >+# >+# These files/directories will be created. >+# >+file_outside_share="/tmp/symlink_rename_test_file.$$" >+dir_outside_share="/tmp/symlink_rename_test_dir.$$" >+file_outside_share_noperms="/tmp/symlink_rename_test_file_noperm.$$" >+dir_outside_share_noperms="/tmp/symlink_rename_test_dir_noperm.$$" >+# >+# These two objects do not exist. >+# >+file_outside_share_noexist="/tmp/symlink_rename_test_noexist.$$" >+dir_outside_share_noexist="/tmp/symlink_rename_test_dir_noexist.$$" >+ >+# >+# Cleanup function. >+# >+do_cleanup() >+{ >+( >+#subshell. >+cd "$share_test_dir" || return >+rm -f "file_exists" >+rm -f "symlink_noexist" >+rm -f "symlink_file_outside_share" >+rm -f "symlink_file_outside_share_noexist" >+rm -f "symlink_dir_outside_share" >+rm -f "symlink_dir_outside_share_noexist" >+rm -f "symlink_file_outside_share_noperms" >+rm -f "symlink_dir_outside_share_noperms" >+# Links inside share. >+rm -f "symlink_file_inside_share_noperms" >+rm -f "file_inside_share_noperms" >+rm -f "symlink_dir_inside_share_noperms" >+chmod 755 "dir_inside_share_noperms" >+rm -rf "dir_inside_share_noperms" >+) >+rm -f "$file_outside_share" >+rm -rf "$dir_outside_share" >+rm -f "$file_outside_share_noperms" >+rm -rf "$dir_outside_share_noperms" >+} >+ >+# >+# Ensure we start from a clean slate. >+# >+do_cleanup >+ >+# >+# Create the test files/directories/symlinks. >+# >+# File/directory explicitly outside share. >+touch "$file_outside_share" >+mkdir "$dir_outside_share" >+# File/directory explicitly outside share with permission denied. >+touch "$file_outside_share_noperms" >+chmod 0 "$file_outside_share_noperms" >+mkdir "$dir_outside_share_noperms" >+chmod 0 "$dir_outside_share_noperms" >+# >+# Create links to these objects inside the share definition. >+( >+#subshell. >+cd "$share_test_dir" || return >+# Source file for all renames. None of these should succeed. >+touch "file_exists" >+ln -s "noexist" "symlink_noexist" >+ln -s "$file_outside_share" "symlink_file_outside_share" >+ln -s "$file_outside_share_noexist" "symlink_file_outside_share_noexist" >+ln -s "$dir_outside_share" "symlink_dir_outside_share" >+ln -s "$dir_outside_share_noexist" "symlink_dir_outside_share_noexist" >+ln -s "$file_outside_share_noperms" "symlink_file_outside_share_noperms" >+ln -s "$dir_outside_share_noperms" "symlink_dir_outside_share_noperms" >+# >+# Create symlinks to access denied file and directory >+# objects within the share >+touch "file_inside_share_noperms" >+chmod 0 "file_inside_share_noperms" >+ln -s "file_inside_share_noperms" "symlink_file_inside_share_noperms" >+mkdir "dir_inside_share_noperms" >+touch "dir_inside_share_noperms/noperm_file_exists" >+chmod 0 "dir_inside_share_noperms" >+ln -s "dir_inside_share_noperms" "symlink_dir_inside_share_noperms" >+) >+ >+# >+# smbclient function given command, path, expected error, and posix. >+# >+smbclient_expect_error() >+{ >+ filecmd="$1" >+ filename1="$2" >+ filename2="$3" >+ expected_error="$4" >+ tmpfile=$PREFIX/smbclient_interactive_prompt_commands >+ cat > "$tmpfile" <<EOF >+posix >+$filecmd $filename1 $filename2 >+quit >+EOF >+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/local_symlinks -I$SERVER_IP -mNT1 < $tmpfile 2>&1' >+ eval echo "$cmd" >+ out=$(eval "$cmd") >+ ret=$? >+ rm -f "$tmpfile" >+ >+ if [ $ret != 0 ] ; then >+ printf "%s\n" "$out" >+ printf "failed accessing local_symlinks with error %s\n" "$ret" >+ return 1 >+ fi >+ >+ if [ "$expected_error" = "NT_STATUS_OK" ] ; then >+ printf "%s" "$out" | grep -v "NT_STATUS_" >+ else >+ printf "%s" "$out" | grep "$expected_error" >+ fi >+ ret=$? >+ if [ $ret != 0 ] ; then >+ printf "%s\n" "$out" >+ printf "failed - should get %s doing posix \"%s %s %s\"\n" "$expected_error" "$filecmd" "$filename1" "$filename2" >+ return 1 >+ fi >+} >+ >+# >+# SMB1+posix tests. >+# >+test_symlink_rename_SMB1_posix() >+{ >+# >+# rename commands. >+# As all the targets exist as symlinks, these should all fail. >+# >+ smbclient_expect_error "rename" "file_exists" "symlink_noexist" "NT_STATUS_OBJECT_NAME_COLLISION" || return 1 >+ smbclient_expect_error "rename" "file_exists" "symlink_file_outside_share" "NT_STATUS_OBJECT_NAME_COLLISION" || return 1 >+ smbclient_expect_error "rename" "file_exists" "symlink_file_outside_share_noexist" "NT_STATUS_OBJECT_NAME_COLLISION" || return 1 >+ smbclient_expect_error "rename" "file_exists" "symlink_dir_outside_share" "NT_STATUS_OBJECT_NAME_COLLISION" || return 1 >+ smbclient_expect_error "rename" "file_exists" "symlink_dir_outside_share_noexist" "NT_STATUS_OBJECT_NAME_COLLISION" || return 1 >+ smbclient_expect_error "rename" "file_exists" "symlink_file_outside_share_noperms" "NT_STATUS_OBJECT_NAME_COLLISION" || return 1 >+ smbclient_expect_error "rename" "file_exists" "symlink_dir_outside_share_noperms" "NT_STATUS_OBJECT_NAME_COLLISION" || return 1 >+ smbclient_expect_error "rename" "file_exists" "symlink_file_inside_share_noperms" "NT_STATUS_OBJECT_NAME_COLLISION" || return 1 >+ smbclient_expect_error "rename" "file_exists" "symlink_dir_inside_share_noperms" "NT_STATUS_OBJECT_NAME_COLLISION" || return 1 >+ return 0 >+} >+ >+testit "symlink_rename_SMB1_posix" \ >+ test_symlink_rename_SMB1_posix || \ >+ failed=$((failed+1)) >+ >+# >+# Cleanup. >+do_cleanup >+ >+testok "$0" "$failed" >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index c685c09a3dc..08c8d48ddd5 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -594,6 +594,11 @@ for env in ["fileserver"]: > '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$LOCAL_PATH/local_symlinks', > '$PREFIX', smbclient3]) > >+ plantestsuite("samba3.blackbox.test_symlink_rename.SMB1.posix", env + "_smb1_done", >+ [os.path.join(samba3srcdir, "script/tests/test_symlink_rename_smb1_posix.sh"), >+ '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$LOCAL_PATH/local_symlinks', >+ '$PREFIX', smbclient3]) >+ > # > # tar command tests > # >-- >2.30.2 > > >From f1da9dde7723e3a5e9df33b699ec6c74d10ffca6 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 7 Dec 2021 22:19:29 -0800 >Subject: [PATCH 10/10] CVE-2021-44141: s3: smbd: Inside > rename_internals_fsp(), we must use vfs_stat() for existence, not > SMB_VFS_STAT(). > >We need to take SMB1+POSIX into account here and do an LSTAT if it's >a POSIX name. > >Remove knownfail.d/posix_sylink_rename > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > selftest/knownfail.d/posix_sylink_rename | 1 - > source3/smbd/reply.c | 2 +- > 2 files changed, 1 insertion(+), 2 deletions(-) > delete mode 100644 selftest/knownfail.d/posix_sylink_rename > >diff --git a/selftest/knownfail.d/posix_sylink_rename b/selftest/knownfail.d/posix_sylink_rename >deleted file mode 100644 >index 9c3cc0a41ba..00000000000 >--- a/selftest/knownfail.d/posix_sylink_rename >+++ /dev/null >@@ -1 +0,0 @@ >-^samba3.blackbox.test_symlink_rename.SMB1.posix.symlink_rename_SMB1_posix\(fileserver_smb1_done\) >diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c >index ac5f253b353..ffe6ec45153 100644 >--- a/source3/smbd/reply.c >+++ b/source3/smbd/reply.c >@@ -7305,7 +7305,7 @@ NTSTATUS rename_internals_fsp(connection_struct *conn, > goto out; > } > >- dst_exists = SMB_VFS_STAT(conn, smb_fname_dst) == 0; >+ dst_exists = vfs_stat(conn, smb_fname_dst) == 0; > > if(!replace_if_exists && dst_exists) { > DEBUG(3, ("rename_internals_fsp: dest exists doing rename " >-- >2.30.2 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
slow
:
review+
slow
:
ci-passed+
Actions:
View
Attachments on
bug 14911
:
17002
|
17003
|
17007
|
17009
|
17010
|
17011
|
17012
|
17014
|
17015
|
17016
|
17017
|
17018
|
17019
|
17020
|
17021
|
17022
|
17052
|
17053
|
17056
|
17057
|
17058
|
17059
|
17060
| 17129 |
17135
|
17136