Installation of KB885835 (aka MS04-044) breaks the ability to remove "read-only" files. This can be replicated in Solaris 8 (Generic_117350-08)

Test configuration:
Samba 3.0.10 built on Linux 2.4.25 or Solaris 8 (Generic_117350-08)
Filesystem share with option: delete readonly = yes
Test user=richardh who belongs to group richardh

The following file structure:
drwxrwsr-x 2 richardh richardh 4096 Dec 30 15:05 ./testdir
-r--r--r-- 1 root richardh 0 Dec 30 15:05 ./testdir/testfile

Using standard bash shell, the user richardh can delete the file testfile due to write permissions on testdir:
$ rm testfile
rm: remove write-protected regular empty file `testfile'? yes

Using smbclient, the user richardh can delete the file testfile

Using Windows2000 with all current patches *except* KB885835 the user richardh is prompted for deletion readonly file testfile which succeeds.

Using the exact same system after installation of KB885835 and reboot (no other changes) the user richardh is prompted for deletion of testfile but is denied with error: "Cannot delete testfile: Access is denied. The source file may be in use".

Note: Changing permissions from 444 to 644 (still owned by root.. no effective permissions difference for user richardh) unchecks the "Read only" box on Windows2000 file properties and allows for deletion of file without prompt.

Uninstallation of KB885835 restores ability to delete this file.
Log level 3 dumps from Linux server
***********************************

Failed delete with KB885835 installed:
**************************************
[2004/12/30 14:45:03, 3] smbd/dir.c:dptr_create(491)
  creating new dirptr 256 for path tmp/testdir, expect_close = 1
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 79 of length 132
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBntcreateX (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(tmp/testdir/testfile) returning 0700
[2004/12/30 14:45:05, 2] smbd/open.c:open_file(245)
  richardh opened file tmp/testdir/testfile read=Yes write=No (numopen=2)
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 80 of length 76
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2qfilepathinfo(2291)
  call_trans2qfilepathinfo: TRANSACT2_QFILEINFO: level = 1035
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2qfilepathinfo(2380)
  call_trans2qfilepathinfo tmp/testdir/testfile (fnum = 10882) level=1035 call=7 total_data=0
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 81 of length 81
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2setfilepathinfo(3096)
  call_trans2setfilepathinfo(8) tmp/testdir/testfile (fnum 10882) info_level=1013 totdata=1
[2004/12/30 14:45:05, 3] smbd/error.c:error_packet(129)
  error packet at smbd/trans2.c(3309) cmd=50 (SMBtrans2) NT_STATUS_CANNOT_DELETE
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 82 of length 45
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBclose (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/reply.c:reply_close(2772)
  close fd=-1 fnum=10882 (numopen=2)
[2004/12/30 14:45:05, 2] smbd/close.c:close_normal_file(270)
  richardh closed file tmp/testdir/testfile (numopen=1)
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 83 of length 122
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2qfilepathinfo(2346)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2qfilepathinfo(2380)
  call_trans2qfilepathinfo tmp/testdir/testfile (fnum = -1) level=1004 call=5 total_data=0
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 84 of length 132
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBntcreateX (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(tmp/testdir/testfile) returning 0700
[2004/12/30 14:45:05, 2] smbd/open.c:open_file(245)
  richardh opened file tmp/testdir/testfile read=Yes write=No (numopen=2)
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 85 of length 120
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2setfilepathinfo(3096)
  call_trans2setfilepathinfo(8) tmp/testdir/testfile (fnum 10883) info_level=1004 totdata=40
[2004/12/30 14:45:05, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(tmp/testdir/testfile) returning 0600
[2004/12/30 14:45:05, 2] smbd/trans2.c:call_trans2setfilepathinfo(3681)
  file_set_dosmode of tmp/testdir/testfile failed (Operation not permitted)
[2004/12/30 14:45:05, 3] smbd/error.c:error_packet(105)
  error string = Operation not permitted
[2004/12/30 14:45:05, 3] smbd/error.c:error_packet(129)
  error packet at smbd/trans2.c(3682) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 86 of length 45
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBclose (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/reply.c:reply_close(2772)
  close fd=-1 fnum=10883 (numopen=2)
[2004/12/30 14:45:05, 2] smbd/close.c:close_normal_file(270)
  richardh closed file tmp/testdir/testfile (numopen=1)
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 87 of length 74
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2qfsinfo(1825)
  call_trans2qfsinfo: level = 258
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 88 of length 74
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2qfsinfo(1825)
  call_trans2qfsinfo: level = 261
[2004/12/30 14:45:40, 3] smbd/process.c:process_smb(1091)
  Transaction 89 of length 53
[2004/12/30 14:45:40, 3] smbd/process.c:switch_message(886)
  switch message SMBecho (pid 22403) conn 0x0
[2004/12/30 14:45:40, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/12/30 14:45:40, 3] smbd/reply.c:reply_echo(3018)
  echo 1 times
[2004/12/30 14:45:40, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/12/30 14:46:14, 3] smbd/process.c:process_smb(1091)
  Transaction 90 of length 53
[2004/12/30 14:46:14, 3] smbd/process.c:switch_message(886)
  switch message SMBecho (pid 22403) conn 0x0
[2004/12/30 14:46:14, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  Transaction 83 of length 122
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2qfilepathinfo(2346)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2qfilepathinfo(2380)
  call_trans2qfilepathinfo tmp/testdir/testfile (fnum = -1) level=1004 call=5 total_data=0
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 84 of length 132
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBntcreateX (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(tmp/testdir/testfile) returning 0700
[2004/12/30 14:45:05, 2] smbd/open.c:open_file(245)
  richardh opened file tmp/testdir/testfile read=Yes write=No (numopen=2)
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 85 of length 120
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2setfilepathinfo(3096)
  call_trans2setfilepathinfo(8) tmp/testdir/testfile (fnum 10883) info_level=1004 totdata=40
[2004/12/30 14:45:05, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(tmp/testdir/testfile) returning 0600
[2004/12/30 14:45:05, 2] smbd/trans2.c:call_trans2setfilepathinfo(3681)
  file_set_dosmode of tmp/testdir/testfile failed (Operation not permitted)
[2004/12/30 14:45:05, 3] smbd/error.c:error_packet(105)
  error string = Operation not permitted
[2004/12/30 14:45:05, 3] smbd/error.c:error_packet(129)
  error packet at smbd/trans2.c(3682) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 86 of length 45
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBclose (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/reply.c:reply_close(2772)
  close fd=-1 fnum=10883 (numopen=2)
[2004/12/30 14:45:05, 2] smbd/close.c:close_normal_file(270)

Successful delete without patch:
****************************
[2004/12/30 15:21:33, 3] smbd/trans2.c:call_trans2qfilepathinfo(2346)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2004/12/30 15:21:33, 3] smbd/trans2.c:call_trans2qfilepathinfo(2380)
  call_trans2qfilepathinfo tmp/testdir/testfile (fnum = -1) level=1004 call=5 total_data=0
[2004/12/30 15:21:33, 3] smbd/process.c:process_smb(1091)
  Transaction 197 of length 122
[2004/12/30 15:21:33, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22428) conn 0x83541f0
[2004/12/30 15:21:33, 3] smbd/trans2.c:call_trans2qfilepathinfo(2346)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1035
[2004/12/30 15:21:33, 3] smbd/trans2.c:call_trans2qfilepathinfo(2380)
  call_trans2qfilepathinfo tmp/testdir/testfile (fnum = -1) level=1035 call=5 total_data=0
[2004/12/30 15:21:33, 3] smbd/process.c:process_smb(1091)
  Transaction 198 of length 86
[2004/12/30 15:21:33, 3] smbd/process.c:switch_message(886)
  switch message SMBunlink (pid 22428) conn 0x83541f0
[2004/12/30 15:21:33, 3] smbd/reply.c:reply_unlink(1691)
  reply_unlink : tmp/testdir/testfile
[2004/12/30 15:21:33, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(tmp/testdir/testfile) returning 0700
[2004/12/30 15:21:33, 2] smbd/open.c:open_file(245)
  richardh opened file tmp/testdir/testfile read=Yes write=No (numopen=2)
[2004/12/30 15:21:33, 2] smbd/close.c:close_normal_file(270)
  richardh closed file tmp/testdir/testfile (numopen=1)
[2004/12/30 15:21:33, 3] smbd/notify_kernel.c:kernel_check_notify(99)
  kernel_check_notify: kernel change notify on tmp/testdir fd[0]=26 (signals_received=2)
[2004/12/30 15:21:33, 3] smbd/error.c:error_packet(105)
  error string = Bad file descriptor
[2004/12/30 15:21:33, 3] smbd/error.c:error_packet(129)
  error packet at smbd/notify.c(55) cmd=160 (SMBnttrans) NT code 0x0000010c
[2004/12/30 15:21:33, 3] smbd/notify_kernel.c:kernel_remove_notify(144)
  kernel_remove_notify: fd=-1
[2004/12/30 15:21:33, 3] smbd/notify_kernel.c:kernel_check_notify(99)
  kernel_check_notify: kernel change notify on tmp/testdir fd[0]=25 (signals_received=1)
[2004/12/30 15:21:33, 3] smbd/error.c:error_packet(105)
  error string = Bad file descriptor
[2004/12/30 15:21:33, 3] smbd/error.c:error_packet(129)
  error packet at smbd/notify.c(55) cmd=160 (SMBnttrans) NT code 0x0000010c
[2004/12/30 15:21:33, 3] smbd/notify_kernel.c:kernel_remove_notify(144)
  kernel_remove_notify: fd=-1
[2004/12/30 15:21:33, 3] smbd/process.c:process_smb(1091)
  Transaction 199 of length 74
[2004/12/30 15:21:33, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22428) conn 0x83541f0
[2004/12/30 15:21:33, 3] smbd/trans2.c:call_trans2qfsinfo(1825)
  call_trans2qfsinfo: level = 1007
[2004/12/30 15:21:33, 3] smbd/process.c:process_smb(1091)
  Transaction 200 of length 88
[2004/12/30 15:21:33, 3] smbd/process.c:switch_message(886)
  switch message SMBnttrans (pid 22428) conn 0x83541f0
[2004/12/30 15:21:33, 3] smbd/nttrans.c:call_nt_transact_notify_change(1798)
  call_nt_transact_notify_change
[2004/12/30 15:21:33, 3] smbd/notify_kernel.c:kernel_register_notify(189)
  kernel change notify on tmp/testdir (ntflags=0x3 flags=0x1e) fd=25
[2004/12/30 15:21:33, 3] smbd/nttrans.c:call_nt_transact_notify_change(1810)
  call_nt_transact_notify_change: notify change called on directory name = tmp/testdir
[2004/12/30 15:21:33, 3] smbd/process.c:process_smb(1091)

Happy to provide any more help. Lack of ability to delete readonly files breaks software like MKS that sets files readonly and then does a copy/delete/rename to allow for editing.

-Richard
The new patch KB885250 (MS05-011: Vulnerability in Server Message Block Could Allow Remote Code Execution) also causes this same behavior. That is, after installation of the patch, users can not delete read-only files in directories that they have write permissions on.

There are now two critical MS patches that can not be installed while maintaining interop with Samba as required by MKS and other tools....

-Richard
It would help a lot to send full sniffs for the failure case against Samba, as well as the successful case of a similar setup against windows from the patched client. A debug level 10 (!) log of the failing smbd helps as well. Thanks, Volker
I can't delete the file using smbclient.

[public]
    comment = Public Access share
    path = /export/u1/public
    read only = No
    create mask = 0644
    inherit permissions = Yes
    inherit acls = Yes
    include = /usr/local/samba/lib/%G.conf
    msdfs root = Yes

# ls -ld /export/u1/public
drwxrwxrwx 16 root root 4096 Feb 22 17:05 .
# ls -ld afile
-r--r--r-- 1 root root 0 Feb 22 17:05 afile

# smbstatus
Samba version 3.0.12pre1-SVN-build-5497
PID     Username      Group         Machine
-------------------------------------------------------------------
10067   jerry         users         drizzt

Service      pid     machine       Connected at
-------------------------------------------------------
public       10067   drizzt        Tue Feb 22 17:04:39 2005

smb: \> dir afile
  afile                               R        0  Tue Feb 22 17:05:19 2005

                64384 blocks of size 1048576. 33074 blocks available
smb: \> del afile
NT_STATUS_CANNOT_DELETE deleting remote file \afile
Sorry, missed the part of 'delete readonly = yes'. This might be related to bug 2227
Not the same as the XP SP2 bug. The client sends a SET_FILE_INFO request to clear the read only bit, which is what returns the "access denied".

Jeremy, the trace is at samba.org:~jerry/bugs/2201/dump2.pcap

I tried adding 'dos filemode = yes' but that didn't work (possibly related to bug 2239).
Looking at the capture Jerry sent, this is an aspect of the same XP change (i.e. yes, it is the same bug :-). MS no longer use the SMBunlink call; they always open with delete intent, set the delete on close flag and close. We're not checking for "lp_delete_readonly" on setting the delete on close flag. I'll fix this, but I do also want to check into denying the removal of the aRONLY flag with setfileinfo in this case.

Jeremy.
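The two delete paths described in this thread, picked out of smbd level 3 logs. This is an added example, not part of the original report or of Samba's code; the function names are hypothetical and the sample entries are abridged from the traces quoted above.

```python
import re

# Constructed sample: entries abridged from the two level 3 traces in this report,
# laid out as smbd writes them (header line, then an indented message line).
FAILED = """\
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2setfilepathinfo(3096)
  call_trans2setfilepathinfo(8) tmp/testdir/testfile (fnum 10882) info_level=1013 totdata=1
[2004/12/30 14:45:05, 3] smbd/error.c:error_packet(129)
  error packet at smbd/trans2.c(3309) cmd=50 (SMBtrans2) NT_STATUS_CANNOT_DELETE
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2setfilepathinfo(3096)
  call_trans2setfilepathinfo(8) tmp/testdir/testfile (fnum 10883) info_level=1004 totdata=40
[2004/12/30 14:45:05, 3] smbd/error.c:error_packet(129)
  error packet at smbd/trans2.c(3682) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
"""
WORKED = """\
[2004/12/30 15:21:33, 3] smbd/process.c:switch_message(886)
  switch message SMBunlink (pid 22428) conn 0x83541f0
[2004/12/30 15:21:33, 3] smbd/reply.c:reply_unlink(1691)
  reply_unlink : tmp/testdir/testfile
"""

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d, +\d+\] \S+$")
SETINFO = re.compile(r"call_trans2setfilepathinfo\(\d+\) (\S+) \(fnum \d+\) info_level=(\d+)")
UNLINK = re.compile(r"reply_unlink : (\S+)")
STATUS = re.compile(r"error packet at \S+ cmd=\d+ \(\w+\) (NT_STATUS_\w+)")
DISPOSITION = 1013  # pass-through level 1000 + FileDispositionInformation (13)

def messages(text):
    """Yield the indented message line that follows each log header line."""
    after_header = False
    for line in text.splitlines():
        if HEADER.match(line):
            after_header = True
        elif after_header and line.startswith("  "):
            yield line.strip()
            after_header = False

def delete_attempts(text):
    """List delete requests as {path, method, status}; "OK" means no error packet followed."""
    found, pending = [], None
    for msg in messages(text):
        if msg.startswith("switch message"):
            pending = None  # a new SMB request starts: later errors belong to it
        elif m := UNLINK.search(msg):
            found.append({"path": m.group(1), "method": "unlink", "status": "OK"})
        elif (m := SETINFO.search(msg)) and int(m.group(2)) == DISPOSITION:
            pending = {"path": m.group(1), "method": "delete-on-close", "status": "OK"}
            found.append(pending)
        elif pending and (m := STATUS.search(msg)):
            pending["status"] = m.group(1)
    return found
```

The NT_STATUS_ACCESS_DENIED in the sample belongs to the later info_level=1004 attribute change, so it is not attributed to the delete request.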
Created attachment 977
Patch

Ok, I'm closing this one as I'm pretty sure this fixes it. I still want to look at setting the dos attributes in this case however.

Jeremy.
Attached patch should fix. Jeremy.
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.