Bug 10252 - Access Based Enuemration: User can see/list folders/files even when they denied to either read attribute or read extend attribiute permission
Summary: Access Based Enuemration: User can see/list folders/files even when they deni...
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.2.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-11-05 11:05 UTC by Partha
Modified: 2023-12-14 08:24 UTC (History)
5 users (show)

See Also:


Attachments
git-am fix for mater. (7.15 KB, patch)
2015-10-09 22:10 UTC, Jeremy Allison
no flags Details
git-am fix for master. (12.83 KB, patch)
2015-10-14 00:13 UTC, Jeremy Allison
no flags Details
git-am fix for 4.3.next. (13.28 KB, patch)
2015-10-14 19:16 UTC, Jeremy Allison
vl: review+
jra: review? (slow)
Details
git-am fix for 4.2.next. (13.27 KB, patch)
2015-10-14 19:16 UTC, Jeremy Allison
vl: review+
jra: review? (slow)
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Partha 2013-11-05 11:05:39 UTC
SAMBA only blocks/stop listing folders when the user has been denied for all of the three mentioned permissions.

1) List folder/read data.

2) Read attributes.

3) Read Extended attributes.


SAMBA does allows to list the folders/files for a user who has been denied by at least any one of the above permissions listed.

Note: Windows avoid displaying/rendering folders for a user who has been denied for any one of the above permissions listed.

Expectation: SAMBA also should behave the same way like windows does.
Comment 1 Richard Sharpe 2013-11-07 01:02:53 UTC
OK, it looks like we need to check for:

FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES | SEC_STD_READ_CONTROL

in this:

bash-4.0$ diff -up smbd/dir.c smbd/dir.c.fix
--- smbd/dir.c  2013-11-05 22:42:44.565464984 -0800
+++ smbd/dir.c.fix      2013-11-05 22:42:31.751405097 -0800
@@ -1185,7 +1185,7 @@ static bool user_can_read_file(connectio
                return True;
        }

-       return can_access_file_acl(conn, smb_fname, FILE_READ_DATA);
+       return can_access_file_acl(conn, smb_fname, (FILE_READ_DATA |
FILE_READ_EA | FILE_READ_ATTRIBUTES));
 }

(This patch was suggested by Partha but it needs one more permission by the look of things.)
Comment 2 Richard Sharpe 2013-11-10 19:50:23 UTC
A test:

Here is my test case:

C:\New folder>icacls *
New folder KUMO\administrator:(I)(OI)(CI)(F)
           BUILTIN\Administrators:(I)(OI)(CI)(F)
           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
           KUMO\Domain Users:(I)(OI)(CI)(RX)

New folder (2) KUMO\administrator:(OI)(CI)(F)
               BUILTIN\Administrators:(OI)(CI)(F)
               NT AUTHORITY\SYSTEM:(OI)(CI)(F)
               KUMO\Domain Users:(OI)(CI)(Rc,S,RD,REA,X)

New folder (3) KUMO\administrator:(OI)(CI)(F)
               BUILTIN\Administrators:(OI)(CI)(F)
               NT AUTHORITY\SYSTEM:(OI)(CI)(F)
               KUMO\Domain Users:(OI)(CI)(Rc,S,RD,X,RA)

New folder (4) KUMO\administrator:(OI)(CI)(F)
               BUILTIN\Administrators:(OI)(CI)(F)
               NT AUTHORITY\SYSTEM:(OI)(CI)(F)
               KUMO\Domain Users:(OI)(CI)(S,RD,REA,X,RA)

New folder (5) KUMO\administrator:(OI)(CI)(F)
               BUILTIN\Administrators:(OI)(CI)(F)
               NT AUTHORITY\SYSTEM:(OI)(CI)(F)
               KUMO\Domain Users:(OI)(CI)(Rc,S,REA,X,RA)

Successfully processed 5 files; Failed processing 0 files

Notice that there is one file for each of the combinations of permissions we think are important.

Here is what I see from smbclient when accessing this folder:

 cc235# smbclient //10.1.3.78/new\ folder -Usome-dom/some-user%some-pass
Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
Domain=[KUMO] OS=[Windows Server 2008 R2 Enterprise 7601 Service Pack 1] Server=[Windows Server 2008 R2 Enterprise 6.1]
smb: \> ls
  .                                   D        0  Sun Nov 10 11:25:50 2013
  ..                                  D        0  Sun Nov 10 11:25:50 2013
  New folder                          D        0  Sun Nov 10 11:22:09 2013

                40857 blocks of size 1048576. 17539 blocks available
smb: \>

This demonstrates, I believe, that all four of the bits mentioned above are needed before Windows will show file/folders when ABE is enabled.

A further test demonstrates that the X bit (traverse folder/execute file) does not affect visibility under ABE.
Comment 3 Richard Sharpe 2013-11-10 19:51:14 UTC
Note, not having a particular permission is as good as being explicitly having it denied.
Comment 4 Jeremy Allison 2013-11-13 00:32:21 UTC
Looks good to me. I'll write up a torture test case for master and get this into 4.1.next and master.

Cheers,

Jeremy.
Comment 5 Björn Jacke 2014-11-21 08:07:03 UTC
any news on this Jeremy?
Comment 6 Jeremy Allison 2015-10-09 22:10:52 UTC
Created attachment 11486 [details]
git-am fix for mater.

Placeholder for my smbtorture work. Adds smb2.acls.ACCESSBASED which passes against Win2k12R2.

Full patch to follow.

Jeremy.
Comment 7 Jeremy Allison 2015-10-14 00:13:34 UTC
Created attachment 11489 [details]
git-am fix for master.

Contains fix + torture test.
Comment 8 Jeremy Allison 2015-10-14 19:16:11 UTC
Created attachment 11491 [details]
git-am fix for 4.3.next.
Comment 9 Jeremy Allison 2015-10-14 19:16:44 UTC
Created attachment 11492 [details]
git-am fix for 4.2.next.

Back-port from 4.3.next fix.
Comment 10 Jeremy Allison 2015-10-15 19:10:46 UTC
Re-assigning to Karolin for inclusion in 4.3.next, 4.2.next.
Comment 11 Karolin Seeger 2015-10-19 08:58:55 UTC
(In reply to Jeremy Allison from comment #10)
Pushed to autobuild-v4-[2|3]-test.
Comment 12 Karolin Seeger 2015-10-19 09:45:51 UTC
(In reply to Karolin Seeger from comment #11)
Pushed to both branches.
Closing out bug report.

Thanks!