The Samba-Bugzilla – Attachment 5331 Details for
Bug 7104
"wide links" and "unix extensions" are incompatible; CVE-2010-0926
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am jumbo patch for 3.4.6.
0001-Fixes-issue-with-preexec-scripts-creating-a-share-di.patch (text/plain), 6.17 KB, created by
Jeremy Allison
on 2010-02-11 18:04:55 UTC
(
hide
)
Description:
git-am jumbo patch for 3.4.6.
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2010-02-11 18:04:55 UTC
Size:
6.17 KB
patch
obsolete
>From b9dfd1e6017c4288317091cfdd7fa5a79cf55318 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 11 Feb 2010 16:03:02 -0800 >Subject: [PATCH] Fixes issue with preexec scripts creating a share directory, > and problems if a smb.conf reload turns wide links back on > after a connection is establised. > >Includes git refs : >cd18695fc2e4d09ab75e9eab2f0c43dcc15adf0b >94865e4dbd3d721c9855aada8c55e02be8b3881e >5d92d969dda450cc3564dd2265d2b042d832c542 >02a5078f1fe6285e4a0b6ad95a3aea1c5bb3e8cf >a6f402ad87ff0ae14d57d97278d67d0ceaaa1d82 > >from master. > >Jeremy. >--- > source3/include/proto.h | 1 + > source3/param/loadparm.c | 33 +++++++++++++++++++++++- > source3/smbd/service.c | 63 +++++++++++++++++++++++++-------------------- > 3 files changed, 68 insertions(+), 29 deletions(-) > >diff --git a/source3/include/proto.h b/source3/include/proto.h >index d2ae62c..b241437 100644 >--- a/source3/include/proto.h >+++ b/source3/include/proto.h >@@ -4358,6 +4358,7 @@ void lp_set_posix_default_cifsx_readwrite_locktype(enum brl_flavour val); > int lp_min_receive_file_size(void); > char* lp_perfcount_module(void); > void lp_set_passdb_backend(const char *backend); >+void widelinks_warning(int snum); > > /* The following definitions come from param/util.c */ > >diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c >index 6e5e0b2..2ba2dd3 100644 >--- a/source3/param/loadparm.c >+++ b/source3/param/loadparm.c >@@ -5561,7 +5561,6 @@ FN_LOCAL_BOOL(lp_oplocks, bOpLocks) > FN_LOCAL_BOOL(lp_level2_oplocks, bLevel2OpLocks) > FN_LOCAL_BOOL(lp_onlyuser, bOnlyUser) > FN_LOCAL_PARM_BOOL(lp_manglednames, bMangledNames) >-FN_LOCAL_BOOL(lp_widelinks, bWidelinks) > FN_LOCAL_BOOL(lp_symlinks, bSymlinks) > FN_LOCAL_BOOL(lp_syncalways, bSyncAlways) > FN_LOCAL_BOOL(lp_strict_allocate, bStrictAllocate) >@@ -9770,3 +9769,35 @@ void lp_set_passdb_backend(const char *backend) > { > string_set(&Globals.szPassdbBackend, backend); > } >+ >+/******************************************************************* >+ Safe wide links checks. >+ This helper function always verify the validity of wide links, >+ even after a configuration file reload. >+********************************************************************/ >+ >+static bool lp_widelinks_internal(int snum) >+{ >+ return (bool)(LP_SNUM_OK(snum)? ServicePtrs[(snum)]->bWidelinks : >+ sDefault.bWidelinks); >+} >+ >+void widelinks_warning(int snum) >+{ >+ if (lp_unix_extensions() && lp_widelinks_internal(snum)) { >+ DEBUG(0,("Share '%s' has wide links and unix extensions enabled. " >+ "These parameters are incompatible. " >+ "Wide links will be disabled for this share.\n", >+ lp_servicename(snum) )); >+ } >+} >+ >+bool lp_widelinks(int snum) >+{ >+ /* wide links is always incompatible with unix extensions */ >+ if (lp_unix_extensions()) { >+ return false; >+ } >+ >+ return lp_widelinks_internal(snum); >+} >diff --git a/source3/smbd/service.c b/source3/smbd/service.c >index 2dd1f5a..6248f5d 100644 >--- a/source3/smbd/service.c >+++ b/source3/smbd/service.c >@@ -850,25 +850,6 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, > return NULL; > } > >- /* >- * If widelinks are disallowed we need to canonicalise the connect >- * path here to ensure we don't have any symlinks in the >- * connectpath. We will be checking all paths on this connection are >- * below this directory. We must do this after the VFS init as we >- * depend on the realpath() pointer in the vfs table. JRA. >- */ >- if (!lp_widelinks(snum)) { >- if (!canonicalize_connect_path(conn)) { >- DEBUG(0, ("canonicalize_connect_path failed " >- "for service %s, path %s\n", >- lp_servicename(snum), >- conn->connectpath)); >- conn_free(conn); >- *pstatus = NT_STATUS_BAD_NETWORK_NAME; >- return NULL; >- } >- } >- > if ((!conn->printer) && (!conn->ipc)) { > conn->notify_ctx = notify_init(conn, server_id_self(), > smbd_messaging_context(), >@@ -876,7 +857,11 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, > conn); > } > >-/* ROOT Activities: */ >+/* ROOT Activities: */ >+ /* explicitly check widelinks here so that we can correctly warn >+ * in the logs. */ >+ widelinks_warning(snum); >+ > /* > * Enforce the max connections parameter. > */ >@@ -902,6 +887,18 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, > return NULL; > } > >+ /* >+ * Fix compatibility issue pointed out by Volker. >+ * We pass the conn->connectpath to the preexec >+ * scripts as a parameter, so attempt to canonicalize >+ * it here before calling the preexec scripts. >+ * We ignore errors here, as it is possible that >+ * the conn->connectpath doesn't exist yet and >+ * the preexec scripts will create them. >+ */ >+ >+ (void)canonicalize_connect_path(conn); >+ > /* Preexecs are done here as they might make the dir we are to ChDir > * to below */ > /* execute any "root preexec = " line */ >@@ -963,6 +960,24 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, > } > } > >+ /* >+ * If widelinks are disallowed we need to canonicalise the connect >+ * path here to ensure we don't have any symlinks in the >+ * connectpath. We will be checking all paths on this connection are >+ * below this directory. We must do this after the VFS init as we >+ * depend on the realpath() pointer in the vfs table. JRA. >+ */ >+ if (!lp_widelinks(snum)) { >+ if (!canonicalize_connect_path(conn)) { >+ DEBUG(0, ("canonicalize_connect_path failed " >+ "for service %s, path %s\n", >+ lp_servicename(snum), >+ conn->connectpath)); >+ *pstatus = NT_STATUS_BAD_NETWORK_NAME; >+ goto err_root_exit; >+ } >+ } >+ > #ifdef WITH_FAKE_KASERVER > if (lp_afs_share(snum)) { > afs_login(conn); >@@ -1032,14 +1047,6 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, > } > #endif > >- if (lp_unix_extensions() && lp_widelinks(snum)) { >- DEBUG(0,("Share '%s' has wide links and unix extensions enabled. " >- "These parameters are incompatible. " >- "Disabling wide links for this share.\n", >- lp_servicename(snum) )); >- lp_do_parameter(snum, "wide links", "False"); >- } >- > /* Figure out the characteristics of the underlying filesystem. This > * assumes that all the filesystem mounted withing a share path have > * the same characteristics, which is likely but not guaranteed. >-- >1.6.6 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
vl
:
review+
Actions:
View
Attachments on
bug 7104
:
5279
|
5280
|
5281
|
5282
|
5283
|
5325
|
5326
|
5327
|
5328
|
5329
|
5330
| 5331 |
5332