Bug 15023 - rmdir silently fails if directory contains unreadable files and hide unreadable is yes.
Summary: rmdir silently fails if directory contains unreadable files and hide unreadab...
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.15.3
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-03-20 12:51 UTC by Lev
Modified: 2022-05-02 09:47 UTC (History)
1 user (show)

See Also:

Attachments
git-am fix for master. (13.98 KB, patch)
2022-03-21 20:52 UTC, Jeremy Allison 		no flags Details
git-am fix for master. (13.86 KB, patch)
2022-03-21 20:57 UTC, Jeremy Allison 		no flags Details
git-am fix for 4.16.next, 4.15.next. (14.20 KB, patch)
2022-03-22 20:49 UTC, Jeremy Allison 		npower: review+
Details
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Lev 2022-03-20 12:51:36 UTC 
Scenario:

1. Create a share, set "hide unreadable = Yes", "vfs objects = acl_xattr":

[v1]
        path = /export/v1
        read only = no
        browseable = Yes
        hide unreadable = Yes
        vfs objects = acl_xattr 

2. Create a director and file inside the directory:

V:\>dir Test
 Volume in drive V is v1
 Volume Serial Number is C964-5443

 Directory of V:\Test

03/20/2022  05:08 AM    <DIR>          .
03/20/2022  05:02 AM    <DIR>          ..
03/20/2022  05:08 AM                 0 file.txt
               1 File(s)              0 bytes
               2 Dir(s)  107,121,086,464 bytes free
			   
3. On file, disable inheritance, remove all inherited permissions. File becomes unreadable and is not shown any more:

V:\>dir Test
 Volume in drive V is v1
 Volume Serial Number is C964-5443

 Directory of V:\Test

03/20/2022  05:08 AM    <DIR>          .
03/20/2022  05:02 AM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  107,121,086,464 bytes free
			   
4. Try to delete directory. rmdir doesn't fail, however directory was not really deleted:

V:\>rmdir Test

V:\>dir Test
 Volume in drive V is v1
 Volume Serial Number is C964-5443

 Directory of V:\Test

03/20/2022  05:08 AM    <DIR>          .
03/20/2022  05:02 AM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  107,121,086,464 bytes free

5. If reset the flag "hide unreadable", rmdir fails, as expected:

V:\>rmdir Test
The directory is not empty.

According to tcpdump, if "hide unreadable" is No, request SetInfo(0x11) with flag DeleteOnClose fails with STATUS_DIRECTORY_NOT_EMPTY. But if "hide unreadable" is Yes, SetInfo(0x11) succeeds, and only then Close(0x6) fails with STATUS_DIRECTORY_NOT_EMPTY. Looks like Windows client ignores failure of Close(0x6).

I think the problem is in can_delete_directory_fsp() -> is_visible_fsp() - it honors "hide unreadable" option, and as a result can_delete_directory_fsp() returns NT_STATUS_OK.
Comment 1 Jeremy Allison 2022-03-21 17:08:08 UTC 
Yes, Windows clients ignore errors on close (it's a big pain). They only look at the return from the set-delete-on-close operation.
Comment 2 Jeremy Allison 2022-03-21 17:20:25 UTC 
The man page for smb.conf says of "hide unreadable":

"This parameter prevents clients from seeing the existence of files that cannot be read."

If we deny deletion of a directory containing files hidden by "hide unreadable" via can_delete_directory_fsp() -> is_visible_fsp(), then the client knows there are files in the directory. It's not a security issue though, as the client doesn't get any information about the files within.

We could fix this by adding a check for lp_delete_veto_files(SNUM(conn)) inside can_delete_directory_fsp(), as that is the check that the rmdir_internals() code uses to decide if it should delete files that have been hidden from the client when deleting the containing directory. Something like:

---------------------------------------------------------------------
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index 6180eba2fac..059de584d17 100644
--- a/source3/smbd/dir.c
+++ b/source3/smbd/dir.c
@@ -2029,11 +2029,17 @@ NTSTATUS can_delete_directory_fsp(files_struct *fsp)
                }
 
                if (!is_visible_fsp(direntry_fname->fsp)) {
-                       TALLOC_FREE(talloced);
-                       TALLOC_FREE(fullname);
-                       TALLOC_FREE(smb_dname_full);
-                       TALLOC_FREE(direntry_fname);
-                       continue;
+                       /*
+                        * Hidden file.
+                        * Allow if "delete veto files = yes"
+                        */
+                       if (lp_delete_veto_files(SNUM(conn))) {
+                               TALLOC_FREE(talloced);
+                               TALLOC_FREE(fullname);
+                               TALLOC_FREE(smb_dname_full);
+                               TALLOC_FREEcan_delete_directory_fsp()(direntry_fname);
+                               continue;
+                       }
                }
 
                TALLOC_FREE(talloced);
---------------------------------------------------------------------

Actually, I think this is the correct fix, as this is exactly what we do in the same function can_delete_directory_fsp() if we run into a dangling symlink.
Comment 3 Jeremy Allison 2022-03-21 20:52:33 UTC 
Created attachment 17229 [details]
git-am fix for master.

Patch I'm putting into CI so I don't lose it.
Comment 4 Jeremy Allison 2022-03-21 20:57:15 UTC 
Created attachment 17230 [details]
git-am fix for master.

Fixed added nl.
Comment 5 Samba QA Contact 2022-03-22 17:49:04 UTC 
This bug was referenced in samba master:

5fe341d2d67afb7088edcb772b058c747ab341b1
80503b46e7238d0796f5cc9eb6104958c3b3fcc7
Comment 6 Jeremy Allison 2022-03-22 20:49:57 UTC 
Created attachment 17235 [details]
git-am fix for 4.16.next, 4.15.next.

Cherry-picked from master. Applies cleanly to 4.16.next, 4.15.next.
Comment 7 Noel Power 2022-03-24 09:33:32 UTC 
Comment on attachment 17235 [details]
git-am fix for 4.16.next, 4.15.next.

lgtm
Comment 8 Noel Power 2022-03-24 09:34:09 UTC 
reassign to Jule for inclusion in 4.15/4.16
Comment 9 Jule Anger 2022-03-24 10:59:34 UTC 
Pushed to autobuild-v4-{16,15}-test.
Comment 10 Samba QA Contact 2022-03-24 11:56:03 UTC 
This bug was referenced in samba v4-16-test:

5242660aa14a66d5cdecf2b2916b6c44999f58ab
7676cb51450c7559806fc20158dcd73925ccc0b9
Comment 11 Samba QA Contact 2022-03-24 13:33:03 UTC 
This bug was referenced in samba v4-15-test:

bbd8bdc14c8e6a76d93b6abde57d55b6a0e0dac9
f2e124e423c9dbe1f140320b88016be6f6ed84b1
Comment 12 Jule Anger 2022-03-24 15:05:05 UTC 
Closing out bug report.

Thanks!
Comment 13 Samba QA Contact 2022-04-26 14:45:39 UTC 
This bug was referenced in samba v4-15-stable (Release samba-4.15.7):

bbd8bdc14c8e6a76d93b6abde57d55b6a0e0dac9
f2e124e423c9dbe1f140320b88016be6f6ed84b1
Comment 14 Samba QA Contact 2022-05-02 09:47:58 UTC 
This bug was referenced in samba v4-16-stable (Release samba-4.16.1):

5242660aa14a66d5cdecf2b2916b6c44999f58ab
7676cb51450c7559806fc20158dcd73925ccc0b9