Bug 14759 - 4.15rc can leak meta-data about the directory containing the share path.
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Depends on: 14758
Reported: 2021-07-15 02:14 UTC by Jeremy Allison
Modified: 2021-07-28 15:08 UTC

Attachments
git-am fix for master. (3.39 KB, patch)
2021-07-15 04:43 UTC, Jeremy Allison
slow: review+

Description Jeremy Allison 2021-07-15 02:14:39 UTC
This is a subtle one. In smbd_dirptr_get_entry() we now
open a pathref fsp on all entries - including "..".

If we're at the root of the share we don't want
a handle to the directory above it, so we should
silently open an fsp on "." for meta-data, but leave the
name returned to the client as "..".

Have patch, need bugnumber.
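
Added example, not part of the original report and not Samba code: a minimal C sketch of the substitution described above, where the metadata lookup for ".." is redirected to "." when the directory being listed is the share root. The names `listing_entry_stat` and `demo`, the device/inode comparison used to recognise the share root, and the `/tmp/shareXXXXXX` tree are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not a Samba function: fill *out with the metadata to
 * report for entry `name` of open directory `dirfd`. `root` is the stat of
 * the share's top directory. The caller still returns `name` to the client. */
int listing_entry_stat(int dirfd, const struct stat *root,
                       const char *name, struct stat *out)
{
    struct stat dir;
    const char *target = name;
    if (fstat(dirfd, &dir) == -1)
        return -1;
    /* Recognise the share root by device and inode, not by path string. */
    if (strcmp(name, "..") == 0 &&
        dir.st_dev == root->st_dev && dir.st_ino == root->st_ino)
        target = "."; /* use the root's own metadata, not its parent's */
    return fstatat(dirfd, target, out, AT_SYMLINK_NOFOLLOW);
}

/* Constructed demo tree: /tmp/shareXXXXXX is the share root, sub/ is inside.
 * Returns 0 when ".." reports the root in both directories, nonzero otherwise. */
int demo(void)
{
    char top[] = "/tmp/shareXXXXXX";
    struct stat root, parent, at_root, in_sub;
    int rc = -1, rfd, sfd = -1;
    if (mkdtemp(top) == NULL)
        return -1;
    rfd = open(top, O_RDONLY | O_DIRECTORY);
    if (rfd != -1 && fstat(rfd, &root) == 0 &&
        mkdirat(rfd, "sub", 0700) == 0 &&
        (sfd = openat(rfd, "sub", O_RDONLY | O_DIRECTORY)) != -1 &&
        fstatat(rfd, "..", &parent, 0) == 0 && /* unfiltered: this is /tmp */
        listing_entry_stat(rfd, &root, "..", &at_root) == 0 &&
        listing_entry_stat(sfd, &root, "..", &in_sub) == 0)
        rc = !(parent.st_ino != root.st_ino &&
               at_root.st_ino == root.st_ino && in_sub.st_ino == root.st_ino);
    if (sfd != -1) close(sfd);
    if (rfd != -1) { unlinkat(rfd, "sub", AT_REMOVEDIR); close(rfd); }
    rmdir(top);
    return rc;
}

int main(void) { return demo(); }
```

In `sub/` the ".." entry legitimately reports the share root as its parent; only at the root itself is the lookup redirected.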
Comment 1 Jeremy Allison 2021-07-15 04:38:04 UTC
Hmmm. Thinking about it, we leak the same meta-data info for 4.14 and below also, we just used pathname functions to do it.

So it isn't really worse than what we already do. Still, I'd like to tighten it up for 4.15.
Comment 2 Jeremy Allison 2021-07-15 04:43:03 UTC
Created attachment 16681
git-am fix for master.

In ci as:

https://gitlab.com/samba-team/devel/samba/-/pipelines/337396028
Comment 3 Jeremy Allison 2021-07-15 04:55:17 UTC
I would love a second opinion on whether this is something that needs fixing or not.

4.14 and below are currently doing pathname operations on ".." and returning the stat info and EA info for the ".." directory when a query directory is done on the root of the share (but the name cannot be opened by handle or pathname to actually read the contents of those EAs).

So in 4.15 we'll be doing the same thing, just by handle rather than pathname. Is this something that needs fixing? Or shall I let sleeping dogs lie and close as NOTABUG?

I checked Windows, and it returns a fileid of zero for ".." when listing the root directory, but that's the only thing I can see it hiding explicitly.
Comment 4 Jeremy Allison 2021-07-15 06:11:33 UTC
Passes ci. Now we need to decide if we need it for 4.15rc2.
Comment 5 Ralph Böhme 2021-07-28 12:43:24 UTC
Comment on attachment 16681
git-am fix for master.

Patch lgtm, pushed.
Comment 6 Samba QA Contact 2021-07-28 15:08:04 UTC
This bug was referenced in samba master:

b004ebb1c62742346b84ecb9d52c783173528fac
2acad27686074029ac83c66b42bb37eea380f449