Bug 15555 - smbpasswd reset permissions only if not 0600
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.19.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Reported: 2024-01-12 03:49 UTC by Jones Syue
Modified: 2024-02-19 10:47 UTC

Attachments
Patch for v4-19-test (4.08 KB, patch)
2024-01-19 02:32 UTC, Jones Syue
jra: review+
vl: review+
Patch for v4-18-test (4.08 KB, patch)
2024-01-19 02:32 UTC, Jones Syue
jra: review+
vl: review+
Description Jones Syue 2024-01-12 03:49:25 UTC
When browsing or downloading files from a Samba server, smbd checks the user's 
id to decide whether this user can access these files, by looking up the user's 
information in the password file (e.g. /usr/local/samba/private/smbpasswd).
smbd might go through startsmbfilepwent(); this API calls [f]chmod() to 
make sure the password file has valid permissions 0600.

Consider a scenario: we are running a read performance benchmark that 
downloads a bunch of files (e.g. a thousand files) from a Samba server,
monitoring the file system I/O activity counters, and expecting only read 
operations on the file system because this is just downloading; no 
uploading is involved. But we actually found that there are still write 
operations on the file system, because smbd looks up the user and always 
resets 0600 permissions on the password file while accessing each file. This 
makes dirty pages (inode modification) in RAM, which later trigger a kernel 
journal daemon to sync the dirty pages to backing storage 
(e.g. ext3 kjournald, or ext4 jbd2).
This does not look friendly for a read performance benchmark if it happens on
entry-level systems with much less memory and limited computation power,
because syncing dirty pages in the meantime slows down read performance.

This patch adds fstat() before [f]chmod() to check whether the password
file has valid permissions 0600 or not. If 0600, smbd bypasses [f]chmod()
to avoid making dirty pages on the file system. If not 0600, smbd warns and
goes through [f]chmod() to set valid permissions 0600 on the password file,
as before.

patch will follow.
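
The check-before-chmod pattern described above, as an added C example (it is not the Samba patch and not code from this report). The names ensure_private_mode and demo, and the temporary file they operate on, are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define PWFILE_MODE (S_IRUSR | S_IWUSR) /* 0600 */

/* Hypothetical helper: 0 = already 0600 (nothing written),
 * 1 = mode was wrong and has been reset, -1 = error. */
int ensure_private_mode(int fd)
{
	struct stat st;

	if (fstat(fd, &st) != 0) {
		return -1;
	}
	/* Compare every mode bit, including setuid/setgid/sticky. */
	if ((st.st_mode & 07777) == PWFILE_MODE) {
		return 0; /* read-only path: inode is not dirtied */
	}
	fprintf(stderr, "warning: mode %04o is not 0600, resetting\n",
		(unsigned)(st.st_mode & 07777));
	return (fchmod(fd, PWFILE_MODE) == 0) ? 1 : -1;
}

/* Constructed demo on a temporary file; returns 1 when the helper
 * repairs 0644 once and then leaves ctime untouched. */
int demo(void)
{
	char path[] = "/tmp/pwfile-demo-XXXXXX";
	struct stat a, b;
	int fd = mkstemp(path);
	int ok;

	if (fd < 0) {
		return 0;
	}
	unlink(path);
	ok = fchmod(fd, 0644) == 0 && ensure_private_mode(fd) == 1 &&
	     fstat(fd, &a) == 0 && (a.st_mode & 07777) == PWFILE_MODE &&
	     ensure_private_mode(fd) == 0 && fstat(fd, &b) == 0 &&
	     a.st_ctim.tv_sec == b.st_ctim.tv_sec &&
	     a.st_ctim.tv_nsec == b.st_ctim.tv_nsec;
	close(fd);
	return ok;
}

int main(void) { return demo() ? 0 : 1; }
```

The second call returns 0 without touching the inode, so the Change timestamp stays fixed; a file whose mode has drifted still gets the warning and the reset to 0600.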
Comment 1 Jones Syue 2024-01-12 07:03:00 UTC
Env: Ubuntu 22.04.3, samba-4.19.4. If this patch is not applied,
stat shows the ACCESS and CHANGE timestamps of the password file being
constantly updated while downloading files.

$ sudo stat /usr/local/samba/private/smbpasswd
  File: /usr/local/samba/private/smbpasswd
  Size: 105             Blocks: 8          IO Block: 4096   regular file
Device: fc03h/64515d    Inode: 6818535     Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2024-01-12 13:57:14.469254245 +0800
Modify: 2024-01-11 15:27:30.129693950 +0800
Change: 2024-01-12 13:57:14.469254245 +0800
 Birth: 2024-01-11 15:27:19.265237859 +0800
$ sudo stat /usr/local/samba/private/smbpasswd
  File: /usr/local/samba/private/smbpasswd
  Size: 105             Blocks: 8          IO Block: 4096   regular file
Device: fc03h/64515d    Inode: 6818535     Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2024-01-12 13:57:50.710265644 +0800
Modify: 2024-01-11 15:27:30.129693950 +0800
Change: 2024-01-12 13:57:50.710265644 +0800
 Birth: 2024-01-11 15:27:19.265237859 +0800
$

The gdb call graph shows how smbd reaches fchmod().

Thread 1 "smbd[X.X.X.X" hit Breakpoint 1, fchmod () at ../sysdeps/unix/syscall-template.S:120
120     in ../sysdeps/unix/syscall-template.S
#0  fchmod () at ../sysdeps/unix/syscall-template.S:120
#1  0x00007f04fa984517 in startsmbfilepwent (pfile=0x5576b68305d0 "/usr/local/samba/private/smbpasswd", type=PWF_READ, lock_depth=0x5576b6842610) at ../../source3/passdb/pdb_smbpasswd.c:329
#2  0x00007f04fa987794 in smbpasswd_getsampwnam (my_methods=0x5576b6842380, sam_acct=0x5576b683f690, username=0x7ffc232f1970 "root") at ../../source3/passdb/pdb_smbpasswd.c:1297
#3  0x00007f04fa9adf4a in pdb_default_uid_to_sid (methods=0x5576b6842380, uid=0, sid=0x7ffc232f1cf0) at ../../source3/passdb/pdb_interface.c:1435
#4  0x00007f04fa9ae19f in pdb_default_id_to_sid (methods=0x5576b6842380, id=0x7ffc232f1b08, sid=0x7ffc232f1cf0) at ../../source3/passdb/pdb_interface.c:1477
#5  0x00007f04fa9ad64f in pdb_id_to_sid (id=0x7ffc232f1b08, sid=0x7ffc232f1cf0) at ../../source3/passdb/pdb_interface.c:1233
#6  0x00007f04fa9a4a1c in xid_to_sid (psid=0x7ffc232f1cf0, xid=0x7ffc232f1c00) at ../../source3/passdb/lookup_sid.c:1231
#7  0x00007f04fa9a4c73 in uid_to_sid (psid=0x7ffc232f1cf0, uid=0) at ../../source3/passdb/lookup_sid.c:1266
#8  0x00007f04faac5cd2 in create_file_sids (psbuf=0x7ffc232f1e20, powner_sid=0x7ffc232f1cf0, pgroup_sid=0x7ffc232f1d40) at ../../source3/smbd/posix_acls.c:838
#9  0x00007f04faaccdfe in posix_get_nt_acl_common (conn=0x5576b685acc0, name=0x5576b6860e50 ".", sbuf=0x7ffc232f1e20, pal=0x0, posix_acl=0x5576b68579e0, def_acl=0x0, security_info=7, mem_ctx=0x5576b68576b0, ppdesc=0x7ffc232f1f90) at ../../source3/smbd/posix_acls.c:3202
#10 0x00007f04faacd75b in posix_fget_nt_acl (fsp=0x5576b6861280, security_info=7, mem_ctx=0x5576b68576b0, ppdesc=0x7ffc232f1f90) at ../../source3/smbd/posix_acls.c:3390
#11 0x00007f04faa68367 in vfswrap_fget_nt_acl (handle=0x5576b6869220, fsp=0x5576b6861280, security_info=7, mem_ctx=0x5576b68576b0, ppdesc=0x7ffc232f1f90) at ../../source3/modules/vfs_default.c:3448
#12 0x00007f04faac1978 in smb_vfs_call_fget_nt_acl (handle=0x5576b6869220, fsp=0x5576b6861280, security_info=7, mem_ctx=0x5576b68576b0, ppdesc=0x7ffc232f1f90) at ../../source3/smbd/vfs.c:2411
#13 0x00007f04faaa032d in smbd_check_access_rights_fsp (dirfsp=0x5576b686d1c0, fsp=0x5576b6861280, use_privs=false, access_mask=1048704) at ../../source3/smbd/open.c:311
#14 0x00007f04faaac307 in open_directory (conn=0x5576b685acc0, req=0x5576b6844620, access_mask=1048704, share_access=7, create_disposition=1, create_options=0, file_attributes=16, parent_dir_fname=0x5576b681c100, smb_fname_atname=0x5576b6860460, pinfo=0x7ffc232f21a4, fsp=0x5576b6861280) at ../../source3/smbd/open.c:4963
#15 0x00007f04faaaf9a4 in create_file_unixpath (conn=0x5576b685acc0, req=0x5576b6844620, dirfsp=0x5576b686d1c0, smb_fname=0x5576b685fa80, access_mask=1048704, share_access=7, create_disposition=1, create_options=0, file_attributes=0, oplock_request=0, lease=0x0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x7ffc232f2330, pinfo=0x7ffc232f2314) at ../../source3/smbd/open.c:6341
#16 0x00007f04faab058c in create_file_default (conn=0x5576b685acc0, req=0x5576b6844620, dirfsp=0x5576b686d1c0, smb_fname=0x5576b685fa80, access_mask=1048704, share_access=7, create_disposition=1, create_options=0, file_attributes=0, oplock_request=0, lease=0x0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x5576b6844308, pinfo=0x5576b684431c, in_context_blobs=0x7ffc232f2908, out_context_blobs=0x5576b68445a0) at ../../source3/smbd/open.c:6626
#17 0x00007f04faa612c1 in vfswrap_create_file (handle=0x5576b6869220, req=0x5576b6844620, dirfsp=0x5576b686d1c0, smb_fname=0x5576b685fa80, access_mask=1048704, share_access=7, create_disposition=1, create_options=0, file_attributes=0, oplock_request=0, lease=0x0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x5576b6844308, pinfo=0x5576b684431c, in_context_blobs=0x7ffc232f2908, out_context_blobs=0x5576b68445a0) at ../../source3/modules/vfs_default.c:770
#18 0x00007f04faabd18a in smb_vfs_call_create_file (handle=0x5576b6869220, req=0x5576b6844620, dirfsp=0x5576b686d1c0, smb_fname=0x5576b685fa80, access_mask=1048704, share_access=7, create_disposition=1, create_options=0, file_attributes=0, oplock_request=0, lease=0x0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x5576b6844308, pinfo=0x5576b684431c, in_context_blobs=0x7ffc232f2908, out_context_blobs=0x5576b68445a0) at ../../source3/smbd/vfs.c:1560
#19 0x00007f04fab040a0 in smbd_smb2_create_send (mem_ctx=0x5576b68438b0, ev=0x5576b682f4f0, smb2req=0x5576b68438b0, in_oplock_level=0 '\000', in_impersonation_level=2, in_desired_access=1048704, in_file_attributes=0, in_share_access=7, in_create_disposition=1, in_create_options=0, in_name=0x5576b6843ca0 "", in_context_blobs=...) at ../../source3/smbd/smb2_create.c:1115
#20 0x00007f04fab01544 in smbd_smb2_request_process_create (smb2req=0x5576b68438b0) at ../../source3/smbd/smb2_create.c:291
#21 0x00007f04faaf2069 in smbd_smb2_request_dispatch (req=0x5576b68438b0) at ../../source3/smbd/smb2_server.c:3474
#22 0x00007f04faaf71f8 in smbd_smb2_io_handler (xconn=0x5576b6842f00, fde_flags=1) at ../../source3/smbd/smb2_server.c:5101
#23 0x00007f04faaf732e in smbd_smb2_connection_handler (ev=0x5576b682f4f0, fde=0x5576b68421c0, flags=1, private_data=0x5576b6842f00) at ../../source3/smbd/smb2_server.c:5139
#24 0x00007f04fa8681b8 in tevent_common_invoke_fd_handler (fde=0x5576b68421c0, flags=1, removed=0x0) at ../../lib/tevent/tevent_fd.c:158
#25 0x00007f04fa873e86 in epoll_event_loop (epoll_ev=0x5576b68419d0, tvalp=0x7ffc232f2cc0) at ../../lib/tevent/tevent_epoll.c:730
#26 0x00007f04fa874619 in epoll_event_loop_once (ev=0x5576b682f4f0, location=0x7f04fabe0208 "../../source3/smbd/smb2_process.c:2050") at ../../lib/tevent/tevent_epoll.c:946
#27 0x00007f04fa870b2e in std_event_loop_once (ev=0x5576b682f4f0, location=0x7f04fabe0208 "../../source3/smbd/smb2_process.c:2050") at ../../lib/tevent/tevent_standard.c:110
#28 0x00007f04fa866b35 in _tevent_loop_once (ev=0x5576b682f4f0, location=0x7f04fabe0208 "../../source3/smbd/smb2_process.c:2050") at ../../lib/tevent/tevent.c:823
#29 0x00007f04fa866ebd in tevent_common_loop_wait (ev=0x5576b682f4f0, location=0x7f04fabe0208 "../../source3/smbd/smb2_process.c:2050") at ../../lib/tevent/tevent.c:952
#30 0x00007f04fa870bd7 in std_event_loop_wait (ev=0x5576b682f4f0, location=0x7f04fabe0208 "../../source3/smbd/smb2_process.c:2050") at ../../lib/tevent/tevent_standard.c:141
#31 0x00007f04fa866f64 in _tevent_loop_wait (ev=0x5576b682f4f0, location=0x7f04fabe0208 "../../source3/smbd/smb2_process.c:2050") at ../../lib/tevent/tevent.c:971
#32 0x00007f04faad7d2c in smbd_process (ev_ctx=0x5576b682f4f0, msg_ctx=0x5576b681a110, sock_fd=32, interactive=false) at ../../source3/smbd/smb2_process.c:2050
#33 0x00005576b60002bc in smbd_accept_connection (ev=0x5576b682f4f0, fde=0x5576b6841a60, flags=1, private_data=0x5576b68419d0) at ../../source3/smbd/server.c:1031
#34 0x00007f04fa8681b8 in tevent_common_invoke_fd_handler (fde=0x5576b6841a60, flags=1, removed=0x0) at ../../lib/tevent/tevent_fd.c:158
#35 0x00007f04fa873e86 in epoll_event_loop (epoll_ev=0x5576b68301d0, tvalp=0x7ffc232f30a0) at ../../lib/tevent/tevent_epoll.c:730
#36 0x00007f04fa874619 in epoll_event_loop_once (ev=0x5576b682f4f0, location=0x5576b60057d8 "../../source3/smbd/server.c:1373") at ../../lib/tevent/tevent_epoll.c:946
#37 0x00007f04fa870b2e in std_event_loop_once (ev=0x5576b682f4f0, location=0x5576b60057d8 "../../source3/smbd/server.c:1373") at ../../lib/tevent/tevent_standard.c:110
#38 0x00007f04fa866b35 in _tevent_loop_once (ev=0x5576b682f4f0, location=0x5576b60057d8 "../../source3/smbd/server.c:1373") at ../../lib/tevent/tevent.c:823
#39 0x00007f04fa866ebd in tevent_common_loop_wait (ev=0x5576b682f4f0, location=0x5576b60057d8 "../../source3/smbd/server.c:1373") at ../../lib/tevent/tevent.c:952
#40 0x00007f04fa870bd7 in std_event_loop_wait (ev=0x5576b682f4f0, location=0x5576b60057d8 "../../source3/smbd/server.c:1373") at ../../lib/tevent/tevent_standard.c:141
#41 0x00007f04fa866f64 in _tevent_loop_wait (ev=0x5576b682f4f0, location=0x5576b60057d8 "../../source3/smbd/server.c:1373") at ../../lib/tevent/tevent.c:971
#42 0x00005576b600106c in smbd_parent_loop (ev_ctx=0x5576b682f4f0, parent=0x5576b682cb40) at ../../source3/smbd/server.c:1373
#43 0x00005576b6003374 in main (argc=1, argv=0x7ffc232f3678) at ../../source3/smbd/server.c:2131
Comment 3 Samba QA Contact 2024-01-18 10:29:04 UTC
This bug was referenced in samba master:

c82a267b2a1b7617e818548aa486b7cfbda74657
Comment 4 Jones Syue 2024-01-19 02:32:07 UTC
Created attachment 18229
Patch for v4-19-test
Comment 5 Jones Syue 2024-01-19 02:32:33 UTC
Created attachment 18230
Patch for v4-18-test
Comment 6 Jule Anger 2024-01-22 09:03:05 UTC
Pushed to autobuild-v4-{19,18}-test.
Comment 7 Samba QA Contact 2024-01-22 10:10:20 UTC
This bug was referenced in samba v4-18-test:

e6745b151074c620fe5d102b0b5f0c47023e12e1
Comment 8 Samba QA Contact 2024-01-22 10:54:03 UTC
This bug was referenced in samba v4-19-test:

283ff41ee9273ee345ee8432e77eac950810581c
Comment 9 Jule Anger 2024-01-22 11:15:30 UTC
Closing out bug report.

Thanks!
Comment 10 Samba QA Contact 2024-01-31 20:42:35 UTC
This bug was referenced in samba v4-18-stable (Release samba-4.18.10):

e6745b151074c620fe5d102b0b5f0c47023e12e1
Comment 11 Samba QA Contact 2024-02-19 10:47:58 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.5):

283ff41ee9273ee345ee8432e77eac950810581c