From f7207659fba032dac8d16f8b7d85a4b298521668 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 11 Feb 2010 11:25:05 -0800 Subject: [PATCH] Suplementary patch for bug #7104 - "wide links" and "unix extensions" are incompatible. Bug reported by Ralf Zimmermann . Reproduced by jra. If the target directory of a share doesn't exist, but is designed to be created by a "root preexec" script call, then the widelinks check is done too early - thus preventing the user from connecting to the share. Fix is to re-arrange the order of checks in make_connection_snum() to always do the following order of operations: (1). Turn off wide links if unix extensions = yes. (2). Call any root preexec scripts. (3). Call any user preexec scripts. (4). Canonicalize the share path to remove any symlinks (ie. end up with the realpath in the connection_struct). Includes patches cd18695fc2e4d09ab75e9eab2f0c43dcc15adf0b and 94865e4dbd3d721c9855aada8c55e02be8b3881e from master. Jeremy. --- source/smbd/service.c | 53 ++++++++++++++++++++++++------------------------- 1 files changed, 26 insertions(+), 27 deletions(-) diff --git a/source/smbd/service.c b/source/smbd/service.c index 481f847..aad1da1 100644 --- a/source/smbd/service.c +++ b/source/smbd/service.c @@ -921,25 +921,6 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, return NULL; } - /* - * If widelinks are disallowed we need to canonicalise the connect - * path here to ensure we don't have any symlinks in the - * connectpath. We will be checking all paths on this connection are - * below this directory. We must do this after the VFS init as we - * depend on the realpath() pointer in the vfs table. JRA. - */ - if (!lp_widelinks(snum)) { - if (!canonicalize_connect_path(conn)) { - DEBUG(0, ("canonicalize_connect_path failed " - "for service %s, path %s\n", - lp_servicename(snum), - conn->connectpath)); - conn_free(conn); - *pstatus = NT_STATUS_BAD_NETWORK_NAME; - return NULL; - } - } - if ((!conn->printer) && (!conn->ipc)) { conn->notify_ctx = notify_init(conn, server_id_self(), smbd_messaging_context(), @@ -948,6 +929,14 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, } /* ROOT Activities: */ + if (lp_unix_extensions() && lp_widelinks(snum)) { + DEBUG(0,("Share '%s' has wide links and unix extensions enabled. " + "These parameters are incompatible. " + "Disabling wide links for this share.\n", + lp_servicename(snum) )); + lp_do_parameter(snum, "wide links", "False"); + } + /* * Enforce the max connections parameter. */ @@ -1034,6 +1023,24 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, } } + /* + * If widelinks are disallowed we need to canonicalise the connect + * path here to ensure we don't have any symlinks in the + * connectpath. We will be checking all paths on this connection are + * below this directory. We must do this after the VFS init as we + * depend on the realpath() pointer in the vfs table. JRA. + */ + if (!lp_widelinks(snum)) { + if (!canonicalize_connect_path(conn)) { + DEBUG(0, ("canonicalize_connect_path failed " + "for service %s, path %s\n", + lp_servicename(snum), + conn->connectpath)); + *pstatus = NT_STATUS_BAD_NETWORK_NAME; + goto err_root_exit; + } + } + #ifdef WITH_FAKE_KASERVER if (lp_afs_share(snum)) { afs_login(conn); @@ -1103,14 +1110,6 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, } #endif - if (lp_unix_extensions() && lp_widelinks(snum)) { - DEBUG(0,("Share '%s' has wide links and unix extensions enabled. " - "These parameters are incompatible. " - "Disabling wide links for this share.\n", - lp_servicename(snum) )); - lp_do_parameter(snum, "wide links", "False"); - } - /* Figure out the characteristics of the underlying filesystem. This * assumes that all the filesystem mounted withing a share path have * the same characteristics, which is likely but not guaranteed. -- 1.6.6