Bug 15732 - smbd fails to correctly check sharemode against OVERWRITE dispositions
Summary: smbd fails to correctly check sharemode against OVERWRITE dispositions
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-10-02 13:57 UTC by Ralph Böhme
Modified: 2024-11-25 15:10 UTC (History)
1 user (show)

See Also:


Attachments
Patch for 4.20 and 4.21 cherry-picked from master (17.81 KB, patch)
2024-10-17 09:03 UTC, Ralph Böhme
no flags Details
Patch for 4.21 and 4.20 cherry-picked from master (19.04 KB, patch)
2024-11-04 10:41 UTC, Ralph Böhme
metze: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Ralph Böhme 2024-10-02 13:57:26 UTC
It goes like this:

- create file and open read-only with FILE_SHARE_READ
- second read-only open with OVERWRITE disposition and FILE_SHARE_READ

Against Windows the second open fails with STATUS_SHARING_VIOLATION. Against Samba the second open works.

This is simlar to bug 15439 where we fixed this problem for the SD filesystem check. Luckily this time there's no escalation of privileges and the fix is to also use open_access_mask, which includes WRITE_DATA access mapped from the OVERWRITE disposition, for the sharemode checks.

Have patch, need bugnumber.
Comment 1 Samba QA Contact 2024-10-14 12:24:04 UTC
This bug was referenced in samba master:

f88e52a6f487a216dbb805fabc08e862abb9b643
4591f27ca81dff997ef7474565fc9c373abfa4a9
849afe05ade140898b1eab9b28d46edc8357c844
6140c3177a0330f42411618c3fca28930ea02a21
Comment 2 Ralph Böhme 2024-10-17 09:03:07 UTC
Created attachment 18478 [details]
Patch for 4.20 and 4.21 cherry-picked from master
Comment 3 Ralph Böhme 2024-10-25 15:25:54 UTC
The fix in master is missing the following for directories

--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -5487,6 +5487,7 @@ static NTSTATUS open_directory(connection_struct *conn,
                .req                    = req,
                .create_disposition     = create_disposition,
                .access_mask            = access_mask,
+               .open_access_mask       = access_mask,
                .share_access           = share_access,
                .oplock_request         = oplock_request,
                .lease                  = lease,
Comment 5 Samba QA Contact 2024-10-29 12:45:03 UTC
This bug was referenced in samba master:

fdd133ae650d13cb457f7e7529f3bb6df47d8cee
Comment 6 Ralph Böhme 2024-11-04 10:41:35 UTC
Created attachment 18489 [details]
Patch for 4.21 and 4.20 cherry-picked from master
Comment 7 Jule Anger 2024-11-07 08:12:16 UTC
Pushed to autobuild-v4-{21,20}-test.
Comment 8 Samba QA Contact 2024-11-07 09:22:04 UTC
This bug was referenced in samba v4-20-test:

d61855266933ab972c0c3b8db12353baa399f0aa
dca5bd464ddc75e21557e9f4749e533ffa1b3d01
2c7f99a68c078b24d367e6d9a7b2359c5bbfe3fb
3572ffa6c5d11a2d07f3a5ae158e8f9860f34cf6
6bcccb5c7beafe2866efe746dad8f1a2a6dd5b2f
Comment 9 Samba QA Contact 2024-11-07 10:28:13 UTC
This bug was referenced in samba v4-21-test:

a2ee15f58deca9882a330901b291c46a4d354b69
88caf2c0911fc237307e47c6fd8f4e32519947ca
66c09de1f30104f36a98893936ac8bf213bcb2bf
5c3e5377fe6a9ea3890e030fe36af274dc6c8357
a7ea9b5026f9f8ba55a0a296c116c1bc857c1260
Comment 10 Jule Anger 2024-11-07 10:37:56 UTC
Closing out bug report.

Thanks!
Comment 11 Samba QA Contact 2024-11-19 14:48:51 UTC
This bug was referenced in samba v4-20-stable (Release samba-4.20.6):

d61855266933ab972c0c3b8db12353baa399f0aa
dca5bd464ddc75e21557e9f4749e533ffa1b3d01
2c7f99a68c078b24d367e6d9a7b2359c5bbfe3fb
3572ffa6c5d11a2d07f3a5ae158e8f9860f34cf6
6bcccb5c7beafe2866efe746dad8f1a2a6dd5b2f
Comment 12 Samba QA Contact 2024-11-25 15:10:59 UTC
This bug was referenced in samba v4-21-stable (Release samba-4.21.2):

a2ee15f58deca9882a330901b291c46a4d354b69
88caf2c0911fc237307e47c6fd8f4e32519947ca
66c09de1f30104f36a98893936ac8bf213bcb2bf
5c3e5377fe6a9ea3890e030fe36af274dc6c8357
a7ea9b5026f9f8ba55a0a296c116c1bc857c1260