12995 – Wrong Samba access checks when changing DOS attributes

Bug 12995 - Wrong Samba access checks when changing DOS attributes

Summary: Wrong Samba access checks when changing DOS attributes

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-08-29 14:16 UTC by Ralph Böhme
Modified:	2017-11-01 08:48 UTC (History)
CC List:	3 users (show)

See Also:

Attachments
Possible patch for master (3.25 KB, patch) 2017-08-29 14:16 UTC, Ralph Böhme	no flags	Details
get-am fix for master. (3.09 KB, patch) 2017-10-04 19:52 UTC, Jeremy Allison	no flags	Details
Patch for master (5.22 KB, patch) 2017-10-13 11:07 UTC, Ralph Böhme	no flags	Details
git-am fix cherry-pick from master for 4.7.next. (5.84 KB, patch) 2017-10-17 20:37 UTC, Jeremy Allison	slow: review+	Details
git-am backport from master to 4.6.next. (5.80 KB, patch) 2017-10-17 20:37 UTC, Jeremy Allison	slow: review+	Details
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ralph Böhme 2017-08-29 14:16:19 UTC

Created attachment 13513 [details]
Possible patch for master

When chaning DOS attributes we currently require that the authenticated user has FILE_WRITE_DATA permissions on the file or directory (by virtue of calling can_write_to_file()).

A Windows server allows changing the DOS attributes if the user has FILE_WRITE_ATTRIBUTES (WA):

PS C:\Users\Administrator> icacls.exe C:\share\smb.pcap
C:\share\smb.pcap BUILTIN\Administrators:(Rc,S,RD,RA,WA)

$ ./bin/smbclient -U "riverside\Administrator" -m smb3 //10.10.11.14/share -c "setmode smb.pcap +r"
Enter RIVERSIDE\Administrator's password: 

$ ./bin/smbclient -U "riverside\Administrator" -m smb3 //10.10.11.14/share -c "ls smb.pcap"
Enter RIVERSIDE\Administrator's password: 
  smb.pcap                           AR 566018449  Wed May 31 15:15:33 2017

$ ./bin/smbclient -U "riverside\Administrator" -m smb3 //10.10.11.14/share -c "setmode smb.pcap -r"
Enter RIVERSIDE\Administrator's password: 

$ ./bin/smbclient -U "riverside\Administrator" -m smb3 //10.10.11.14/share -c "ls smb.pcap"
Enter RIVERSIDE\Administrator's password: 
  smb.pcap                            A 566018449  Wed May 31 15:15:33 2017

With the same permissions Samba denies modifying the DOS attribute:

$ ./bin/smbcacls -U slow%x -m smb3 //localhost/share "README" 
REVISION:1
CONTROL:SR|DP
OWNER:SLOWSERVER\slow
GROUP:SLOWSERVER\None
ACL:Everyone:ALLOWED/0x0/READ
ACL:SLOWSERVER\None:ALLOWED/0x0/READ
ACL:SLOWSERVER\slow:ALLOWED/0x0/0x00120181
ACL:SLOWSERVER\fast:ALLOWED/0x0/FULL

$ ./bin/smbclient -U slow%x -m smb3 //localhost/share -c "ls README" 
  README                              A     8859  Tue Aug 29 15:18:22 2017

Setting as user slow who has 0x00120181 (read + write attributes) permissions fails:

$ ./bin/smbclient -U slow%x -m smb3 //localhost/share -c "setmode README +r" 
cli_setatr failed: NT_STATUS_ACCESS_DENIED

Setting as user fast who has full permissions succeeds:

$ ./bin/smbclient -U fast%x -m smb3 //localhost/share -c "setmode README +r"

So checking for FILE_WRITE_DATA instead of FILE_WRITE_ATTRIBUTES  is one problem, but there are more if the underlying file only grants read access to the user.

Attaching a WIP patch for master.

Comment 1 Jeremy Allison 2017-08-29 16:13:11 UTC

Looks good Ralph. Ping me when you want review and merge !

Comment 2 Jeremy Allison 2017-10-04 19:52:00 UTC

Created attachment 13650 [details]
get-am fix for master.

OK, can you try this generic patch for smbd. It changes the behaviour for chdir+getwd()-fail to be return to previous directory, instead of panic.

This should simply prevent you from chdir()'ing into a directory for which you can't getwd().

Can you test this both with and without the shadow_copy2 module ? If we still crash with the shadow_copy2 module then we probably need both this and the previous patch.

Cheers,

Jeremy.

Comment 4 Jeremy Allison 2017-10-04 19:54:19 UTC

Arg, sorry about that - attached patch for wrong bug :-(.

Comment 5 Ralph Böhme 2017-10-13 11:00:28 UTC

Comment on attachment 13513 [details]
Possible patch for master

Not quite correct.

Comment 6 Ralph Böhme 2017-10-13 11:07:14 UTC

Created attachment 13683 [details]
Patch for master

This should do the trick.

Comment 7 Jeremy Allison 2017-10-17 20:37:11 UTC

Created attachment 13701 [details]
git-am fix cherry-pick from master for 4.7.next.

Comment 8 Jeremy Allison 2017-10-17 20:37:45 UTC

Created attachment 13702 [details]
git-am backport from master to 4.6.next.

Comment 9 Ralph Böhme 2017-10-18 04:33:30 UTC

Comment on attachment 13701 [details]
git-am fix cherry-pick from master for 4.7.next.

Thanks for doing the backports!

Comment 10 Ralph Böhme 2017-10-18 04:34:25 UTC

Reassigning to Karolin for inclusion in 4.6 and 4.7.

Comment 11 Karolin Seeger 2017-10-24 08:10:58 UTC

(In reply to Ralph Böhme from comment #10)
Pushed to autobuild-v4-{7,6}-test.

Comment 12 Karolin Seeger 2017-11-01 08:48:06 UTC

(In reply to Karolin Seeger from comment #11)
Pushed to both branches.
Closing out bug report.

Thanks!