The Samba-Bugzilla – Attachment 8109 Details for
Bug 9329
Directory listing with SeBackup can crash smbd.
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am fix for 4.0.0rc
0001-Fix-bug-9329-Directory-listing-with-SeBackup-can-cra.patch (text/plain), 3.43 KB, created by
Jeremy Allison
on 2012-10-26 00:15:27 UTC
(
hide
)
Description:
git-am fix for 4.0.0rc
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2012-10-26 00:15:27 UTC
Size:
3.43 KB
patch
obsolete
>From 2a4a0048119f07b46ffc9c75e8d2c85aa745d4a6 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 25 Oct 2012 11:27:05 -0700 >Subject: [PATCH 1/2] Fix bug #9329 - Directory listing with SeBackup can > crash smbd. > >When we do a become_root()/unbecome_root() pair to temporarily >raise privilege, this NULLs out the NT token. If we're within >a become_root()/unbecome_root() pair then return the previous >token on the stack as our NT token. This is what we should be >using to check against NT ACLs in the file server. This copes >with security context changing when removing a file on close >under the context of another user (when 2 users have a file >open, one sets delete on close and then the other user has >to actually do the delete). > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/smbd/proto.h | 1 + > source3/smbd/sec_ctx.c | 25 +++++++++++++++++++++++++ > source3/smbd/uid.c | 12 +++++++++++- > 3 files changed, 37 insertions(+), 1 deletions(-) > >diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h >index d218184..c80ef14 100644 >--- a/source3/smbd/proto.h >+++ b/source3/smbd/proto.h >@@ -952,6 +952,7 @@ void set_sec_ctx(uid_t uid, gid_t gid, int ngroups, gid_t *groups, const struct > void set_root_sec_ctx(void); > bool pop_sec_ctx(void); > void init_sec_ctx(void); >+const struct security_token *sec_ctx_active_token(void); > > /* The following definitions come from smbd/server.c */ > >diff --git a/source3/smbd/sec_ctx.c b/source3/smbd/sec_ctx.c >index 83674a2..07565bf 100644 >--- a/source3/smbd/sec_ctx.c >+++ b/source3/smbd/sec_ctx.c >@@ -466,3 +466,28 @@ void init_sec_ctx(void) > current_user.vuid = UID_FIELD_INVALID; > current_user.nt_user_token = NULL; > } >+ >+/************************************************************* >+ Called when we're inside a become_root() temporary escalation >+ of privileges and the nt_user_token is NULL. Return the last >+ active token on the context stack. We know there is at least >+ one valid non-NULL token on the stack so panic if we underflow. >+*************************************************************/ >+ >+const struct security_token *sec_ctx_active_token(void) >+{ >+ int stack_index = sec_ctx_stack_ndx; >+ struct sec_ctx *ctx_p = &sec_ctx_stack[stack_index]; >+ >+ while (ctx_p->token == NULL) { >+ stack_index--; >+ if (stack_index < 0) { >+ DEBUG(0, ("Security context active token " >+ "stack underflow!\n")); >+ smb_panic("Security context active token " >+ "stack underflow!"); >+ } >+ ctx_p = &sec_ctx_stack[stack_index]; >+ } >+ return ctx_p->token; >+} >diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c >index eac5d9d..30c7154 100644 >--- a/source3/smbd/uid.c >+++ b/source3/smbd/uid.c >@@ -533,9 +533,19 @@ const struct security_unix_token *get_current_utok(connection_struct *conn) > return ¤t_user.ut; > } > >+/**************************************************************************** >+ Return the Windows token we are running effectively as on this connection. >+ If this is currently a NULL token as we're inside become_root() - a temporary >+ UNIX security override, then we search up the stack for the previous active >+ token. >+****************************************************************************/ >+ > const struct security_token *get_current_nttok(connection_struct *conn) > { >- return current_user.nt_user_token; >+ if (current_user.nt_user_token) { >+ return current_user.nt_user_token; >+ } >+ return sec_ctx_active_token(); > } > > uint64_t get_current_vuid(connection_struct *conn) >-- >1.7.7.3 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 9329
:
8109
|
8114