Bug 12995 - Wrong Samba access checks when changing DOS attributes
Wrong Samba access checks when changing DOS attributes
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
unspecified
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-29 14:16 UTC by Ralph Böhme
Modified: 2017-11-01 08:48 UTC (History)
3 users (show)

See Also:


Attachments
Possible patch for master (3.25 KB, patch)
2017-08-29 14:16 UTC, Ralph Böhme
no flags Details
get-am fix for master. (3.09 KB, patch)
2017-10-04 19:52 UTC, Jeremy Allison
no flags Details
Patch for master (5.22 KB, patch)
2017-10-13 11:07 UTC, Ralph Böhme
no flags Details
git-am fix cherry-pick from master for 4.7.next. (5.84 KB, patch)
2017-10-17 20:37 UTC, Jeremy Allison
slow: review+
Details
git-am backport from master to 4.6.next. (5.80 KB, patch)
2017-10-17 20:37 UTC, Jeremy Allison
slow: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Ralph Böhme 2017-08-29 14:16:19 UTC
Created attachment 13513 [details]
Possible patch for master

When chaning DOS attributes we currently require that the authenticated user has FILE_WRITE_DATA permissions on the file or directory (by virtue of calling can_write_to_file()).

A Windows server allows changing the DOS attributes if the user has FILE_WRITE_ATTRIBUTES (WA):

PS C:\Users\Administrator> icacls.exe C:\share\smb.pcap
C:\share\smb.pcap BUILTIN\Administrators:(Rc,S,RD,RA,WA)

$ ./bin/smbclient -U "riverside\Administrator" -m smb3 //10.10.11.14/share -c "setmode smb.pcap +r"
Enter RIVERSIDE\Administrator's password: 

$ ./bin/smbclient -U "riverside\Administrator" -m smb3 //10.10.11.14/share -c "ls smb.pcap"
Enter RIVERSIDE\Administrator's password: 
  smb.pcap                           AR 566018449  Wed May 31 15:15:33 2017

$ ./bin/smbclient -U "riverside\Administrator" -m smb3 //10.10.11.14/share -c "setmode smb.pcap -r"
Enter RIVERSIDE\Administrator's password: 

$ ./bin/smbclient -U "riverside\Administrator" -m smb3 //10.10.11.14/share -c "ls smb.pcap"
Enter RIVERSIDE\Administrator's password: 
  smb.pcap                            A 566018449  Wed May 31 15:15:33 2017

With the same permissions Samba denies modifying the DOS attribute:

$ ./bin/smbcacls -U slow%x -m smb3 //localhost/share "README" 
REVISION:1
CONTROL:SR|DP
OWNER:SLOWSERVER\slow
GROUP:SLOWSERVER\None
ACL:Everyone:ALLOWED/0x0/READ
ACL:SLOWSERVER\None:ALLOWED/0x0/READ
ACL:SLOWSERVER\slow:ALLOWED/0x0/0x00120181
ACL:SLOWSERVER\fast:ALLOWED/0x0/FULL

$ ./bin/smbclient -U slow%x -m smb3 //localhost/share -c "ls README" 
  README                              A     8859  Tue Aug 29 15:18:22 2017

Setting as user slow who has 0x00120181 (read + write attributes) permissions fails:

$ ./bin/smbclient -U slow%x -m smb3 //localhost/share -c "setmode README +r" 
cli_setatr failed: NT_STATUS_ACCESS_DENIED

Setting as user fast who has full permissions succeeds:

$ ./bin/smbclient -U fast%x -m smb3 //localhost/share -c "setmode README +r"

So checking for FILE_WRITE_DATA instead of FILE_WRITE_ATTRIBUTES  is one problem, but there are more if the underlying file only grants read access to the user.

Attaching a WIP patch for master.
Comment 1 Jeremy Allison 2017-08-29 16:13:11 UTC
Looks good Ralph. Ping me when you want review and merge !
Comment 2 Jeremy Allison 2017-10-04 19:52:00 UTC
Created attachment 13650 [details]
get-am fix for master.

OK, can you try this generic patch for smbd. It changes the behaviour for chdir+getwd()-fail to be return to previous directory, instead of panic.

This should simply prevent you from chdir()'ing into a directory for which you can't getwd().

Can you test this both with and without the shadow_copy2 module ? If we still crash with the shadow_copy2 module then we probably need both this and the previous patch.

Cheers,

Jeremy.
Comment 4 Jeremy Allison 2017-10-04 19:54:19 UTC
Arg, sorry about that - attached patch for wrong bug :-(.
Comment 5 Ralph Böhme 2017-10-13 11:00:28 UTC
Comment on attachment 13513 [details]
Possible patch for master

Not quite correct.
Comment 6 Ralph Böhme 2017-10-13 11:07:14 UTC
Created attachment 13683 [details]
Patch for master

This should do the trick.
Comment 7 Jeremy Allison 2017-10-17 20:37:11 UTC
Created attachment 13701 [details]
git-am fix cherry-pick from master for 4.7.next.
Comment 8 Jeremy Allison 2017-10-17 20:37:45 UTC
Created attachment 13702 [details]
git-am backport from master to 4.6.next.
Comment 9 Ralph Böhme 2017-10-18 04:33:30 UTC
Comment on attachment 13701 [details]
git-am fix cherry-pick from master for 4.7.next.

Thanks for doing the backports!
Comment 10 Ralph Böhme 2017-10-18 04:34:25 UTC
Reassigning to Karolin for inclusion in 4.6 and 4.7.
Comment 11 Karolin Seeger 2017-10-24 08:10:58 UTC
(In reply to Ralph Böhme from comment #10)
Pushed to autobuild-v4-{7,6}-test.
Comment 12 Karolin Seeger 2017-11-01 08:48:06 UTC
(In reply to Karolin Seeger from comment #11)
Pushed to both branches.
Closing out bug report.

Thanks!