From 898a01661d9589be5a61a8ad96d81e3fad19adb2 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 15 Dec 2011 15:50:23 -0800 Subject: [PATCH 1/3] First part of fix for bug #8663 - deleting a symlink fails if the symlink target is outside of the share. Remove two unneeded check_name() calls. They have already been done in order to get here. --- source3/smbd/open.c | 12 ------------ 1 files changed, 0 insertions(+), 12 deletions(-) diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 70e6b4f..693e488 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -1431,11 +1431,6 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn, remove_deferred_open_smb_message(req->mid); } - status = check_name(conn, smb_fname->base_name); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - if (!posix_open) { new_dos_attributes &= SAMBA_ATTRIBUTES_MASK; if (file_existed) { @@ -3308,13 +3303,6 @@ NTSTATUS create_file_default(connection_struct *conn, } } - /* All file access must go through check_name() */ - - status = check_name(conn, smb_fname->base_name); - if (!NT_STATUS_IS_OK(status)) { - goto fail; - } - status = create_file_unixpath( conn, req, smb_fname, access_mask, share_access, create_disposition, create_options, file_attributes, -- 1.7.3.1 From 774f9e15ae453140bf7d3562c067cd7470179795 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 15 Dec 2011 15:51:39 -0800 Subject: [PATCH 2/3] Second part of fix for bug #8663 - deleting a symlink fails if the symlink target is outside of the share. Ensure we use UCF_UNIX_NAME_LOOKUP flags on filename_convert() when doing a UNIX infolevel in trans2setfilepathinfo(). --- source3/smbd/trans2.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index 93fa291..7e214e2 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -7713,6 +7713,7 @@ static void call_trans2setfilepathinfo(connection_struct *conn, } } else { char *fname = NULL; + uint32_t ucf_flags = 0; /* set path info */ if (total_params < 7) { @@ -7729,10 +7730,14 @@ static void call_trans2setfilepathinfo(connection_struct *conn, return; } + if (INFO_LEVEL_IS_UNIX(info_level)) { + ucf_flags |= UCF_UNIX_NAME_LOOKUP; + } + status = filename_convert(req, conn, req->flags2 & FLAGS2_DFS_PATHNAMES, fname, - 0, + ucf_flags, NULL, &smb_fname); if (!NT_STATUS_IS_OK(status)) { -- 1.7.3.1 From 038595933251bbab1539004638a6cda35c742a9d Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 15 Dec 2011 15:52:54 -0800 Subject: [PATCH 3/3] Third part of fix for bug #8663 - deleting a symlink fails if the symlink target is outside of the share. can_access_file_acl() - we can always delete a symlink. can_delete_file_in_directory() - We don't need to do another STAT call here, we know smb_fname->st is in a valid state. --- source3/smbd/file_access.c | 21 +++++++++------------ 1 files changed, 9 insertions(+), 12 deletions(-) diff --git a/source3/smbd/file_access.c b/source3/smbd/file_access.c index 8b669fe..d0546ad 100644 --- a/source3/smbd/file_access.c +++ b/source3/smbd/file_access.c @@ -40,6 +40,11 @@ bool can_access_file_acl(struct connection_struct *conn, return true; } + if (access_mask == DELETE_ACCESS && S_ISLNK(smb_fname->st.st_ex_mode)) { + /* We can always delete a symlink. */ + return true; + } + status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name, (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | @@ -115,18 +120,10 @@ bool can_delete_file_in_directory(connection_struct *conn, /* sticky bit means delete only by owner of file or by root or * by owner of directory. */ if (smb_fname_parent->st.st_ex_mode & S_ISVTX) { - if(SMB_VFS_STAT(conn, smb_fname) != 0) { - if (errno == ENOENT) { - /* If the file doesn't already exist then - * yes we'll be able to delete it. */ - ret = true; - goto out; - } - DEBUG(10,("can_delete_file_in_directory: can't " - "stat file %s (%s)", - smb_fname_str_dbg(smb_fname), - strerror(errno) )); - ret = false; + if (!VALID_STAT(smb_fname->st)) { + /* If the file doesn't already exist then + * yes we'll be able to delete it. */ + ret = true; goto out; } -- 1.7.3.1