The Samba-Bugzilla – Attachment 5328 Details for
Bug 7104
"wide links" and "unix extensions" are incompatible; CVE-2010-0926
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am patch for 3.3.11.
0001-Suplementary-patch-for-bug-7104-wide-links-and-unix-.patch (text/plain), 4.02 KB, created by
Jeremy Allison
on 2010-02-11 13:47:48 UTC
(
hide
)
Description:
git-am patch for 3.3.11.
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2010-02-11 13:47:48 UTC
Size:
4.02 KB
patch
obsolete
>From f7207659fba032dac8d16f8b7d85a4b298521668 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 11 Feb 2010 11:25:05 -0800 >Subject: [PATCH] Suplementary patch for bug #7104 - "wide links" and "unix extensions" are incompatible. > >Bug reported by Ralf Zimmermann <r.zimmermann@siegnetz.de>. Reproduced by jra. > >If the target directory of a share doesn't exist, but is designed to >be created by a "root preexec" script call, then the widelinks check >is done too early - thus preventing the user from connecting to the >share. > >Fix is to re-arrange the order of checks in make_connection_snum() >to always do the following order of operations: > >(1). Turn off wide links if unix extensions = yes. >(2). Call any root preexec scripts. >(3). Call any user preexec scripts. >(4). Canonicalize the share path to remove any symlinks (ie. end >up with the realpath in the connection_struct). > >Includes patches cd18695fc2e4d09ab75e9eab2f0c43dcc15adf0b >and 94865e4dbd3d721c9855aada8c55e02be8b3881e from master. > >Jeremy. >--- > source/smbd/service.c | 53 ++++++++++++++++++++++++------------------------- > 1 files changed, 26 insertions(+), 27 deletions(-) > >diff --git a/source/smbd/service.c b/source/smbd/service.c >index 481f847..aad1da1 100644 >--- a/source/smbd/service.c >+++ b/source/smbd/service.c >@@ -921,25 +921,6 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, > return NULL; > } > >- /* >- * If widelinks are disallowed we need to canonicalise the connect >- * path here to ensure we don't have any symlinks in the >- * connectpath. We will be checking all paths on this connection are >- * below this directory. We must do this after the VFS init as we >- * depend on the realpath() pointer in the vfs table. JRA. >- */ >- if (!lp_widelinks(snum)) { >- if (!canonicalize_connect_path(conn)) { >- DEBUG(0, ("canonicalize_connect_path failed " >- "for service %s, path %s\n", >- lp_servicename(snum), >- conn->connectpath)); >- conn_free(conn); >- *pstatus = NT_STATUS_BAD_NETWORK_NAME; >- return NULL; >- } >- } >- > if ((!conn->printer) && (!conn->ipc)) { > conn->notify_ctx = notify_init(conn, server_id_self(), > smbd_messaging_context(), >@@ -948,6 +929,14 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, > } > > /* ROOT Activities: */ >+ if (lp_unix_extensions() && lp_widelinks(snum)) { >+ DEBUG(0,("Share '%s' has wide links and unix extensions enabled. " >+ "These parameters are incompatible. " >+ "Disabling wide links for this share.\n", >+ lp_servicename(snum) )); >+ lp_do_parameter(snum, "wide links", "False"); >+ } >+ > /* > * Enforce the max connections parameter. > */ >@@ -1034,6 +1023,24 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, > } > } > >+ /* >+ * If widelinks are disallowed we need to canonicalise the connect >+ * path here to ensure we don't have any symlinks in the >+ * connectpath. We will be checking all paths on this connection are >+ * below this directory. We must do this after the VFS init as we >+ * depend on the realpath() pointer in the vfs table. JRA. >+ */ >+ if (!lp_widelinks(snum)) { >+ if (!canonicalize_connect_path(conn)) { >+ DEBUG(0, ("canonicalize_connect_path failed " >+ "for service %s, path %s\n", >+ lp_servicename(snum), >+ conn->connectpath)); >+ *pstatus = NT_STATUS_BAD_NETWORK_NAME; >+ goto err_root_exit; >+ } >+ } >+ > #ifdef WITH_FAKE_KASERVER > if (lp_afs_share(snum)) { > afs_login(conn); >@@ -1103,14 +1110,6 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, > } > #endif > >- if (lp_unix_extensions() && lp_widelinks(snum)) { >- DEBUG(0,("Share '%s' has wide links and unix extensions enabled. " >- "These parameters are incompatible. " >- "Disabling wide links for this share.\n", >- lp_servicename(snum) )); >- lp_do_parameter(snum, "wide links", "False"); >- } >- > /* Figure out the characteristics of the underlying filesystem. This > * assumes that all the filesystem mounted withing a share path have > * the same characteristics, which is likely but not guaranteed. >-- >1.6.6 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=5328">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 7104
:
5279
|
5280
|
5281
|
5282
|
5283
|
5325
|
5326
|
5327
|
5328
|
5329
|
5330
|
5331
|
5332