Attachment 5279 Details for Bug 7104 – git-am fix for 3.5.0.

[patch] git-am fix for 3.5.0.

0001-Fix-bug-7104-wide-links-and-unix-extensions-are-inco.patch (text/plain), 5.75 KB, created by Jeremy Allison on 2010-02-05 17:27:25 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jeremy Allison

Created: 2010-02-05 17:27:25 UTC

Size: 5.75 KB

patch

obsolete

>From bd269443e311d96ef495a9db47d1b95eb83bb8f4 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Fri, 5 Feb 2010 15:20:18 -0800
>Subject: [PATCH] Fix bug 7104 - "wide links" and "unix extensions" are incompatible.
>
>Change parameter "wide links" to default to "no".
>Ensure "wide links = no" if "unix extensions = yes" on a share.
>Fix man pages to refect this.
>
>Remove "within share" checks for a UNIX symlink set - even if
>widelinks = no. The server will not follow that link anyway.
>
>Correct DEBUG message in check_reduced_name() to add missing "\n"
>so it's really clear when a path is being denied as it's outside
>the enclosing share path.
>
>Jeremy.
>---
> docs-xml/smbdotconf/misc/widelinks.xml          |   13 ++++++--
> docs-xml/smbdotconf/protocol/unixextensions.xml |    3 ++
> source3/param/loadparm.c                        |    2 +-
> source3/smbd/service.c                          |    8 +++++
> source3/smbd/trans2.c                           |   36 -----------------------
> source3/smbd/vfs.c                              |    2 +-
> 6 files changed, 22 insertions(+), 42 deletions(-)
>
>diff --git a/docs-xml/smbdotconf/misc/widelinks.xml b/docs-xml/smbdotconf/misc/widelinks.xml
>index fb707c1..1c30bb7 100644
>--- a/docs-xml/smbdotconf/misc/widelinks.xml
>+++ b/docs-xml/smbdotconf/misc/widelinks.xml
>@@ -9,10 +9,15 @@
> 	server are always allowed; this parameter controls access only 
> 	to areas that are outside the directory tree being exported.</para>
> 
>-	<para>Note that setting this parameter can have a negative 
>-	effect on your server performance due to the extra system calls 
>-	that Samba has to  do in order to perform the link checks.</para>
>+	<para>Note: Turning this parameter on when UNIX extensions are enabled
>+	will allow UNIX clients to create symbolic links on the share that
>+	can point to files or directories outside restricted path exported
>+	by the share definition. This can cause access to areas outside of
>+	the share. Due to this problem, this parameter will be automatically
>+	disabled (with a message in the log file) if the
>+	<smbconfoption name="unix extensions"/> option is on.
>+	</para>
> </description>
> 
>-<value type="default">yes</value>
>+<value type="default">no</value>
> </samba:parameter>
>diff --git a/docs-xml/smbdotconf/protocol/unixextensions.xml b/docs-xml/smbdotconf/protocol/unixextensions.xml
>index da9ad10..36e72d2 100644
>--- a/docs-xml/smbdotconf/protocol/unixextensions.xml
>+++ b/docs-xml/smbdotconf/protocol/unixextensions.xml
>@@ -10,6 +10,9 @@
>     by supporting features such as symbolic links, hard links, etc...
>     These extensions require a similarly enabled client, and are of
>     no current use to Windows clients.</para>
>+    <para>
>+    Note if this parameter is turned on, the <smbconfoption name="wide links"/>
>+    parameter will automatically be disabled.
> </description>
> 
> <value type="default">yes</value>
>diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
>index bd70ee1..5bac25c 100644
>--- a/source3/param/loadparm.c
>+++ b/source3/param/loadparm.c
>@@ -606,7 +606,7 @@ static struct service sDefault = {
> 	True,			/* bLevel2OpLocks */
> 	False,			/* bOnlyUser */
> 	True,			/* bMangledNames */
>-	True,			/* bWidelinks */
>+	false,			/* bWidelinks */
> 	True,			/* bSymlinks */
> 	False,			/* bSyncAlways */
> 	False,			/* bStrictAllocate */
>diff --git a/source3/smbd/service.c b/source3/smbd/service.c
>index e8775ff..8039d16 100644
>--- a/source3/smbd/service.c
>+++ b/source3/smbd/service.c
>@@ -1039,6 +1039,14 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
> 	}
> #endif
> 
>+	if (lp_unix_extensions() && lp_widelinks(snum)) {
>+		DEBUG(0,("Share '%s' has wide links and unix extensions enabled. "
>+			"These parameters are incompatible. "
>+			"Disabling wide links for this share.\n",
>+			lp_servicename(snum) ));
>+		lp_do_parameter(snum, "wide links", "False");
>+	}
>+
> 	/* Figure out the characteristics of the underlying filesystem. This
> 	 * assumes that all the filesystem mounted withing a share path have
> 	 * the same characteristics, which is likely but not guaranteed.
>diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
>index df61167..28862d1 100644
>--- a/source3/smbd/trans2.c
>+++ b/source3/smbd/trans2.c
>@@ -5836,42 +5836,6 @@ static NTSTATUS smb_set_file_unix_link(connection_struct *conn,
> 		return NT_STATUS_INVALID_PARAMETER;
> 	}
> 
>-	/* !widelinks forces the target path to be within the share. */
>-	/* This means we can interpret the target as a pathname. */
>-	if (!lp_widelinks(SNUM(conn))) {
>-		char *rel_name = NULL;
>-		char *last_dirp = NULL;
>-
>-		if (*link_target == '/') {
>-			/* No absolute paths allowed. */
>-			return NT_STATUS_ACCESS_DENIED;
>-		}
>-		rel_name = talloc_strdup(ctx,newname);
>-		if (!rel_name) {
>-			return NT_STATUS_NO_MEMORY;
>-		}
>-		last_dirp = strrchr_m(rel_name, '/');
>-		if (last_dirp) {
>-			last_dirp[1] = '\0';
>-		} else {
>-			rel_name = talloc_strdup(ctx,"./");
>-			if (!rel_name) {
>-				return NT_STATUS_NO_MEMORY;
>-			}
>-		}
>-		rel_name = talloc_asprintf_append(rel_name,
>-				"%s",
>-				link_target);
>-		if (!rel_name) {
>-			return NT_STATUS_NO_MEMORY;
>-		}
>-
>-		status = check_name(conn, rel_name);
>-		if (!NT_STATUS_IS_OK(status)) {
>-			return status;
>-		}
>-	}
>-
> 	DEBUG(10,("smb_set_file_unix_link: SMB_SET_FILE_UNIX_LINK doing symlink %s -> %s\n",
> 			newname, link_target ));
> 
>diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c
>index 5acec70..94bdb1f 100644
>--- a/source3/smbd/vfs.c
>+++ b/source3/smbd/vfs.c
>@@ -945,7 +945,7 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
> 				strlen(conn_rootdir)) != 0) {
> 			    DEBUG(2, ("check_reduced_name: Bad access "
> 				      "attempt: %s is a symlink outside the "
>-				      "share path", fname));
>+				      "share path\n", fname));
> 			    if (free_resolved_name) {
> 				    SAFE_FREE(resolved_name);
> 			    }
>-- 
>1.6.6
>

Actions: View

Attachments on bug 7104: 5279 | 5280 | 5281 | 5282 | 5283 | 5325 | 5326 | 5327 | 5328 | 5329 | 5330 | 5331 | 5332