Bug 15709 - hostname restrict access does not work in 'hosts allow/hosts deny'
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.20.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2024-09-05 08:31 UTC by Jones Syue
Modified: 2024-09-05 11:00 UTC

Description Jones Syue 2024-09-05 08:31:13 UTC
When a client accesses a specific share through the tree connect command, smbd
gets the list of 'hosts allow/hosts deny' settings for that share,
compares the client's hostname with the list, and decides whether to allow or
deny the client's connection. For example, for a share with
'hosts allow = Jones-ws22-66', the API share_sanity_checks() should restrict
access so that only a client with the hostname 'Jones-ws22-66' can enter the
share, if the client's hostname and the list match. But so far
remote_hostname (rhost) is in IP address format, not hostname format, so
there are no matches. Even clients with the expected hostname 'Jones-ws22-66'
actually fail to enter the share.
'hosts deny' also has a similar issue in the opposite direction.

This patch checks the remote_hostname content in share_sanity_checks(); if
remote_hostname (rhost) is still in IP address format, it uses
get_remote_machine_name() instead.

Consider a case: allow only a client with the hostname 'Jones-ws22-66' to
enter the share 'samba', so add 'hosts allow = Jones-ws22-66' under the
specific section '[samba]'. Use 'smbclient' with the option '-nJones-ws22-66'
to test whether the client with the expected hostname is able to enter the share.
My env is Ubuntu 22.04.4, samba-4.20.4, and my smb.conf is:

[global]
workgroup = U2204

[samba]
path = /home/jones/samba
browsable = yes
guest ok = yes
read only = no
create mask = 0755
hosts allow = Jones-ws22-66

Before patch: 
1. Any hostname is always denied.
# smbclient //${SERVER_IP}/samba -U${UN}%${PW} -nJones-ws22-66
tree connect failed: NT_STATUS_ACCESS_DENIED
# smbclient //${SERVER_IP}/samba -U${UN}%${PW} -nJones-Deny-Me
tree connect failed: NT_STATUS_ACCESS_DENIED
2. The server log shows two denied entries; 'rhost' is in IP address format.
# cat /usr/local/samba/var/log.smbd
[2024/09/05 16:06:34.970407,  0] ../../lib/util/access.c:372(allow_access)
  Denied connection from 192.168.251.232 (192.168.251.232)
[2024/09/05 16:06:42.891776,  0] ../../lib/util/access.c:372(allow_access)
  Denied connection from 192.168.251.232 (192.168.251.232)

After patch:
1. Only 'Jones-ws22-66' is able to enter the share.
# smbclient //${SERVER_IP}/samba -U${UN}%${PW} -nJones-ws22-66
Try "help" to get a list of possible commands.
smb: \> exit
# smbclient //${SERVER_IP}/samba -U${UN}%${PW} -nJones-Deny-Me
tree connect failed: NT_STATUS_ACCESS_DENIED
2. The server log shows one denied entry with the hostname specified; this
is more understandable than the IP address format.
# cat /usr/local/samba/var/log.smbd
[2024/09/05 16:24:18.345736,  0] ../../lib/util/access.c:372(allow_access)
  Denied connection from jones-deny-me (192.168.251.232)

Patch will follow.
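
An added example, not part of the original report and not Samba's code or the reporter's patch: a simplified C model of the comparison described above, showing why an rhost that is still an IP literal never matches a hostname entry and how falling back to the client-announced machine name changes the result. The function names are hypothetical, and only exact-name and exact-address entries are modelled.

```c
/* Added illustration: simplified model of the check, not Samba source. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <strings.h>

/* True when s is an IPv4 or IPv6 literal rather than a name. */
static bool is_ip_literal(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Name compared against the list. With fallback on (the behaviour the report
 * proposes), an rhost that is still an IP literal is replaced by the machine
 * name the client announced (the report's test sets it with smbclient -n),
 * so the value is client-supplied and unauthenticated. */
static const char *name_for_acl(const char *rhost, const char *machine,
                                bool fallback)
{
    if (fallback && is_ip_literal(rhost) && machine != NULL && *machine != '\0')
        return machine;
    return rhost;
}

/* Exact-match 'hosts allow' over a NULL-terminated list; names compare
 * case-insensitively, and an entry may also equal the peer address. */
static bool host_allowed(const char *const *allow, const char *rhost,
                         const char *addr, const char *machine, bool fallback)
{
    const char *name = name_for_acl(rhost, machine, fallback);
    for (size_t i = 0; allow[i] != NULL; i++) {
        if (strcasecmp(allow[i], name) == 0 || strcasecmp(allow[i], addr) == 0)
            return true;
    }
    return false;
}

/* Constructed inputs mirroring the report's test case. */
static const char *const ALLOW[] = { "Jones-ws22-66", NULL };
static const char *const PEER = "192.168.251.232";

int main(void)
{
    return (!host_allowed(ALLOW, PEER, PEER, "jones-ws22-66", false) &&
            host_allowed(ALLOW, PEER, PEER, "jones-ws22-66", true) &&
            !host_allowed(ALLOW, PEER, PEER, "jones-deny-me", true)) ? 0 : 1;
}
```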