Bug 11647 - Access denied if the share path is "/"
Summary: Access denied if the share path is "/"
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-23 17:31 UTC by Michael Adam
Modified: 2016-01-07 17:36 UTC (History)
4 users (show)

See Also:


Attachments
Patch for v4-3-test cherry-picked from master (5.71 KB, patch)
2015-12-24 00:04 UTC, Michael Adam
obnox: review+
jarrpa: review+
Details
Patch for v4-2-test cherry-picked from master (5.71 KB, patch)
2015-12-24 00:05 UTC, Michael Adam
obnox: review+
jarrpa: review+
Details
Patch for v4-1-test cherry-picked from master (5.71 KB, patch)
2015-12-24 00:07 UTC, Michael Adam
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Adam 2015-12-23 17:31:46 UTC
The fix for bug #11395 / CVE-2015-5252 
https://git.samba.org/?p=samba.git;a=commitdiff;h=7606c0db257b3f9d84da5b2bf5fbb4034cc8d77d
locked down the path checks in check_reduced_name[_with_privilege]() to prevent unintended access via wide links.

The new checks do not correctly treat a corner case though: the case of the share path being "/". (Important e.g. for using the glusterfs VFS module.)

In this case all operations after tree connect get ACCESS_DENIED.
Comment 1 Jeremy Allison 2015-12-23 17:35:39 UTC
Hi Michael, should be easy to fix by adding an explicit check for that case.

Thanks,

Jeremy.
Comment 2 Michael Adam 2015-12-23 17:38:09 UTC
Hi Jeremy,

I already have a candidate patch.

Going to propose it next... Michael
Comment 3 Michael Adam 2015-12-24 00:04:28 UTC
Created attachment 11742 [details]
Patch for v4-3-test cherry-picked from master
Comment 4 Michael Adam 2015-12-24 00:05:23 UTC
Created attachment 11743 [details]
Patch for v4-2-test cherry-picked from master
Comment 5 Michael Adam 2015-12-24 00:07:23 UTC
Created attachment 11744 [details]
Patch for v4-1-test cherry-picked from master

Patch for 4.1 - it applies cleanly.
Just for the record (4.1 is in security mode...) - some distros may need it.
Comment 6 José A. Rivera 2015-12-24 01:48:52 UTC
Backports look good. Karo, all yours. :)
Comment 7 Sylvain Pasche 2016-01-04 19:35:16 UTC
Lost several hours today on this :-/.

Workaround if anyone is interested:

mkdir /mnt/root
mount -o rbind / /mnt/root

and use "path = /mnt/root" instead of "path = /"
Comment 8 Karolin Seeger 2016-01-05 08:48:30 UTC
Pushed to autobuild-v4-[2|3]-test.
Comment 9 Karolin Seeger 2016-01-07 17:36:33 UTC
(In reply to Karolin Seeger from comment #8)
Pushed to both branches.
Closing out bug report.

Thanks!