12873 – ACCESS_DENIED with symlinks within a root ("/") share

Bug 12873 - ACCESS_DENIED with symlinks within a root ("/") share

Summary: ACCESS_DENIED with symlinks within a root ("/") share

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	4.6.5
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-07-03 20:24 UTC by Andreas Hasenack
Modified:	2022-01-09 21:27 UTC (History)
CC List:	4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Hasenack 2017-07-03 20:24:46 UTC

I know this is an unusual scenario: sharing the entire filesytem ("/"). But it was working with 4.3.8, and broke sometime after, perhaps with the CVE-2017-2619 fixes since this involves symlinks and there were a few regressions with that particular CVE.

For the test I used 4.6.5 with the patch for bug #12860.

This is the smb.conf:
[global]
    server string = %h server (Samba, Ubuntu)
    netbios name = xenial
    server role = standalone server
    map to guest = Bad User
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    dns proxy = No
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap config * : backend = tdb


[rootfs]
    path = /
    follow symlinks = yes
    wide links = no
    read only = no
    guest ok = no
    browseable = yes


/opt has this:
root@xenial-samba-rootfs:~# ls -lah /opt
total 5.0K
drwxr-xr-x  3 root root  6 Jul  3 20:01 .
drwxr-xr-x 22 root root 22 Jun 19 23:52 ..
-rw-r--r--  1 root root  6 Jul  3 20:01 file.txt
lrwxrwxrwx  1 root root 16 Jul  3 20:01 symlink-to-directory -> target-directory
lrwxrwxrwx  1 root root  8 Jul  3 20:01 symlink-to-file -> file.txt
drwxr-xr-x  2 root root  2 Jul  3 20:01 target-directory


This worked with 4.3.8 without the CVE-2017-2619 patch:
root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "dir /opt/symlink-to-directory/*"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
  .                                   D        0  Mon Jul  3 20:01:36 2017
  ..                                  D        0  Mon Jul  3 20:01:49 2017

        244825344 blocks of size 1024. 244392448 blocks available
    
    
root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "get \opt\symlink-to-file"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
getting file \opt\symlink-to-file of size 6 as \opt\symlink-to-file (5.9 KiloBytes/sec) (average 5.9 KiloBytes/sec)



But it fails with 4.3.11 + CVE patches, and also 4.6.5 with the patch for bug #12860:

root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "dir /opt/symlink-to-directory/*"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
NT_STATUS_ACCESS_DENIED listing \opt\symlink-to-directory\*
    
    
root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "get \opt\symlink-to-file"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
NT_STATUS_ACCESS_DENIED opening remote file \opt\symlink-to-file

Comment 1 Dariusz Gadomski 2017-08-23 09:04:06 UTC

Looks like this issue is fixed as a side effect of b886a9443d49f6e27fa3863d87c9e24d12e62874 s3/smbd: let non_widelink_open() chdir() to directories directly.