The Samba-Bugzilla – Attachment 5329 Details for
Bug 7104
"wide links" and "unix extensions" are incompatible; CVE-2010-0926
[patch]
git-am jumbo patch for 3.5.0rc3.
0001-Jumbo-patch-for-bug-7104-wide-links-and-unix-extensi.patch (text/plain), 6.50 KB, created by
Jeremy Allison
on 2010-02-11 17:57:53 UTC
>From beb1ef25b2f7e1f0f3f3be919dbe5fdeb6b39008 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 11 Feb 2010 15:52:24 -0800 >Subject: [PATCH] Jumbo patch for bug ##7104 - "wide links" and "unix extensions" are incompatible. > >Fixes issue with preexec scripts creating a share directory, >and problems is a smb.conf reload turns wide links back on >after a connection is establised. > >Includes git refs : >cd18695fc2e4d09ab75e9eab2f0c43dcc15adf0b >94865e4dbd3d721c9855aada8c55e02be8b3881e >5d92d969dda450cc3564dd2265d2b042d832c542 >02a5078f1fe6285e4a0b6ad95a3aea1c5bb3e8cf >a6f402ad87ff0ae14d57d97278d67d0ceaaa1d82 > >from master. > >Jeremy. >--- > source3/include/proto.h | 1 + > source3/param/loadparm.c | 33 +++++++++++++++++++++- > source3/smbd/service.c | 70 +++++++++++++++++++++++++++------------------ > 3 files changed, 75 insertions(+), 29 deletions(-) > >diff --git a/source3/include/proto.h b/source3/include/proto.h >index 6d16dc2..26fbb44 100644 >--- a/source3/include/proto.h >+++ b/source3/include/proto.h >@@ -4377,6 +4377,7 @@ void lp_set_posix_default_cifsx_readwrite_locktype(enum brl_flavour val); > int lp_min_receive_file_size(void); > char* lp_perfcount_module(void); > void lp_set_passdb_backend(const char *backend); >+void widelinks_warning(int snum); > > /* The following definitions come from param/util.c */ > >diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c >index 31e5ce4..f362c9b 100644 >--- a/source3/param/loadparm.c >+++ b/source3/param/loadparm.c >@@ -5676,7 +5676,6 @@ FN_LOCAL_BOOL(lp_oplocks, bOpLocks) > FN_LOCAL_BOOL(lp_level2_oplocks, bLevel2OpLocks) > FN_LOCAL_BOOL(lp_onlyuser, bOnlyUser) > FN_LOCAL_PARM_BOOL(lp_manglednames, bMangledNames) >-FN_LOCAL_BOOL(lp_widelinks, bWidelinks) > FN_LOCAL_BOOL(lp_symlinks, bSymlinks) > FN_LOCAL_BOOL(lp_syncalways, bSyncAlways) > FN_LOCAL_BOOL(lp_strict_allocate, bStrictAllocate) 
>@@ -9890,3 +9889,35 @@ void lp_set_passdb_backend(const char *backend) > { > string_set(&Globals.szPassdbBackend, backend); > } >+ >+/******************************************************************* >+ Safe wide links checks. >+ This helper function always verify the validity of wide links, >+ even after a configuration file reload. >+********************************************************************/ >+ >+static bool lp_widelinks_internal(int snum) >+{ >+ return (bool)(LP_SNUM_OK(snum)? ServicePtrs[(snum)]->bWidelinks : >+ sDefault.bWidelinks); >+} >+ >+void widelinks_warning(int snum) >+{ >+ if (lp_unix_extensions() && lp_widelinks_internal(snum)) { >+ DEBUG(0,("Share '%s' has wide links and unix extensions enabled. " >+ "These parameters are incompatible. " >+ "Wide links will be disabled for this share.\n", >+ lp_servicename(snum) )); >+ } >+} >+ >+bool lp_widelinks(int snum) >+{ >+ /* wide links is always incompatible with unix extensions */ >+ if (lp_unix_extensions()) { >+ return false; >+ } >+ >+ return lp_widelinks_internal(snum); >+} >diff --git a/source3/smbd/service.c b/source3/smbd/service.c >index 8039d16..7dddff5 100644 >--- a/source3/smbd/service.c >+++ b/source3/smbd/service.c 
>@@ -850,25 +850,6 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn, > return NULL; > } > >- /* >- * If widelinks are disallowed we need to canonicalise the connect >- * path here to ensure we don't have any symlinks in the >- * connectpath. We will be checking all paths on this connection are >- * below this directory. We must do this after the VFS init as we >- * depend on the realpath() pointer in the vfs table. JRA. >- */ >- if (!lp_widelinks(snum)) { >- if (!canonicalize_connect_path(conn)) { >- DEBUG(0, ("canonicalize_connect_path failed " >- "for service %s, path %s\n", >- lp_servicename(snum), >- conn->connectpath)); >- conn_free(conn); >- *pstatus = NT_STATUS_BAD_NETWORK_NAME; >- return NULL; >- } >- } >- > if ((!conn->printer) && (!conn->ipc)) { > conn->notify_ctx = notify_init(conn, server_id_self(), > smbd_messaging_context(), >@@ -876,7 +857,18 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn, > conn); > } > >-/* ROOT Activities: */ >+/* ROOT Activities: */ >+ /* explicitly check widelinks here so that we can correctly warn >+ * in the logs. */ >+ widelinks_warning(snum); >+ >+ if (lp_unix_extensions() && lp_widelinks(snum)) { >+ DEBUG(0,("Share '%s' has wide links and unix extensions enabled. " >+ "These parameters are incompatible. " >+ "Wide links will be disabled for this share.\n", >+ lp_servicename(snum) )); >+ } >+ > /* > * Enforce the max connections parameter. > */ 
>@@ -902,6 +894,18 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn, > return NULL; > } > >+ /* >+ * Fix compatibility issue pointed out by Volker. >+ * We pass the conn->connectpath to the preexec >+ * scripts as a parameter, so attempt to canonicalize >+ * it here before calling the preexec scripts. >+ * We ignore errors here, as it is possible that >+ * the conn->connectpath doesn't exist yet and >+ * the preexec scripts will create them. >+ */ >+ >+ (void)canonicalize_connect_path(conn); >+ > /* Preexecs are done here as they might make the dir we are to ChDir > * to below */ > /* execute any "root preexec = " line */ >@@ -963,6 +967,24 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn, > } > } > >+ /* >+ * If widelinks are disallowed we need to canonicalise the connect >+ * path here to ensure we don't have any symlinks in the >+ * connectpath. We will be checking all paths on this connection are >+ * below this directory. We must do this after the VFS init as we >+ * depend on the realpath() pointer in the vfs table. JRA. >+ */ >+ if (!lp_widelinks(snum)) { >+ if (!canonicalize_connect_path(conn)) { >+ DEBUG(0, ("canonicalize_connect_path failed " >+ "for service %s, path %s\n", >+ lp_servicename(snum), >+ conn->connectpath)); >+ *pstatus = NT_STATUS_BAD_NETWORK_NAME; >+ goto err_root_exit; >+ } >+ } >+ > #ifdef WITH_FAKE_KASERVER > if (lp_afs_share(snum)) { > afs_login(conn); 
>@@ -1039,14 +1061,6 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn, > } > #endif > >- if (lp_unix_extensions() && lp_widelinks(snum)) { >- DEBUG(0,("Share '%s' has wide links and unix extensions enabled. " >- "These parameters are incompatible. " >- "Disabling wide links for this share.\n", >- lp_servicename(snum) )); >- lp_do_parameter(snum, "wide links", "False"); >- } >- > /* Figure out the characteristics of the underlying filesystem. This > * assumes that all the filesystem mounted withing a share path have > * the same characteristics, which is likely but not guaranteed. >-- >1.6.6 >
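Review bot: in source3/param/loadparm.c (hunk at -9890), the "Safe wide links checks" block comment sits above lp_widelinks_internal(), which only reads the raw bWidelinks value and performs no check; the unix extensions override it describes lives in lp_widelinks() further down. Move the comment to lp_widelinks(), or add a line on lp_widelinks_internal() saying it returns the unchecked setting and must not be used for access decisions. Separately, widelinks_warning() logs at DEBUG(0) and is called from make_connection_snum(), so a share with both options set writes a level-0 message on each call; consider warning once per share or when the configuration is loaded.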
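Review bot: in source3/smbd/service.c (hunk at -876), the added block `if (lp_unix_extensions() && lp_widelinks(snum)) { DEBUG(0, ...) }` after the widelinks_warning(snum) call can never fire. With this patch lp_widelinks() returns false whenever lp_unix_extensions() is true, so the condition is always false, and widelinks_warning() already emits the same message. Drop the if block and keep only the widelinks_warning(snum) call.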
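Review bot: in source3/smbd/service.c (hunk at -902), `(void)canonicalize_connect_path(conn);` discards the result silently, so when canonicalization fails the preexec scripts receive conn->connectpath in its uncanonicalized form with nothing in the log to say so. The comment explains why the error is not fatal, but a DEBUG at a non-zero level on failure, naming the service and path, would let an administrator see which form of the path the scripts were given.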
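Review bot: in source3/smbd/service.c (hunk at -963), the relocated canonicalize_connect_path() failure path now does `goto err_root_exit` where the removed code did `conn_free(conn); return NULL;`, and the err_root_exit label is not in the visible context. Please confirm that label frees conn and undoes the steps that now precede this check. Because the check has moved below the preexec section, a failure here happens after the preexec scripts have already run; a sentence in the comment saying so, and whether any matching cleanup is expected, would help the next reader.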