Bug 2201 - KB885835 (MS04-044) breaks deletion of read only files
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.10
Hardware: All Linux
Importance: P1 normal
Target Milestone: none
Assigned To: Jeremy Allison
QA Contact: Samba QA Contact
Reported: 2004-12-30 16:26 UTC by Richard Hanschu
Modified: 2005-08-24 10:26 UTC (History)
Attachments
Patch (712 bytes, patch)
2005-02-22 19:21 UTC, Jeremy Allison

Description Richard Hanschu 2004-12-30 16:26:20 UTC
Installation of KB885835 (aka MS04-044) breaks the ability to remove "read-only"
files. This can be replicated in Solaris 8 (Generic_117350-08)

Test configuration:
Samba 3.0.10 built on Linux 2.4.25 or Solaris 8 (Generic_117350-08)
Filesystem share with option: delete readonly = yes
Test user=richardh who belongs to group richardh
The following file structure:

drwxrwsr-x   2 richardh richardh     4096 Dec 30 15:05 ./testdir
-r--r--r--   1 root     richardh        0 Dec 30 15:05 ./testdir/testfile

Using standard bash shell, the user richardh can delete the file testfile due to
write permissions on testdir:
$ rm testfile
rm: remove write-protected regular empty file `testfile'? yes

Using smbclient, the user richardh can delete the file testfile

Using Windows2000 with all current patches *except* KB885835 the user richardh
is prompted for deletion of readonly file testfile, which succeeds.

Using the exact same system after installation of KB885835 and reboot (no other
changes) the user richardh is prompted for deletion of testfile but is denied
with error: "Cannot delete testfile: Access is denied. The source file may be in
use". Note: Changing permissions from 444 to 644 (still owned by root.. no
effective permissions difference for user richardh) unchecks the "Read only" box
on Windows2000 file properties and allows for deletion of file without prompt.

Uninstallation of KB885835 restores ability to delete this file.

Log level 3 dumps from Linux server
***********************************

Failed delete with KB885835 installed:
**************************************

[2004/12/30 14:45:03, 3] smbd/dir.c:dptr_create(491)
  creating new dirptr 256 for path tmp/testdir, expect_close = 1
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 79 of length 132
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBntcreateX (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(tmp/testdir/testfile) returning 0700
[2004/12/30 14:45:05, 2] smbd/open.c:open_file(245)
  richardh opened file tmp/testdir/testfile read=Yes write=No (numopen=2)
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 80 of length 76
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2qfilepathinfo(2291)
  call_trans2qfilepathinfo: TRANSACT2_QFILEINFO: level = 1035
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2qfilepathinfo(2380)
  call_trans2qfilepathinfo tmp/testdir/testfile (fnum = 10882) level=1035 call=7
total_data=0
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 81 of length 81
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2setfilepathinfo(3096)
  call_trans2setfilepathinfo(8) tmp/testdir/testfile (fnum 10882)
info_level=1013 totdata=1
[2004/12/30 14:45:05, 3] smbd/error.c:error_packet(129)
  error packet at smbd/trans2.c(3309) cmd=50 (SMBtrans2) NT_STATUS_CANNOT_DELETE
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 82 of length 45
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBclose (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/reply.c:reply_close(2772)
  close fd=-1 fnum=10882 (numopen=2)
[2004/12/30 14:45:05, 2] smbd/close.c:close_normal_file(270)
  richardh closed file tmp/testdir/testfile (numopen=1) 
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 83 of length 122
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2qfilepathinfo(2346)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2qfilepathinfo(2380)
  call_trans2qfilepathinfo tmp/testdir/testfile (fnum = -1) level=1004 call=5
total_data=0
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 84 of length 132
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBntcreateX (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(tmp/testdir/testfile) returning 0700
[2004/12/30 14:45:05, 2] smbd/open.c:open_file(245)
  richardh opened file tmp/testdir/testfile read=Yes write=No (numopen=2)
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 85 of length 120
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2setfilepathinfo(3096)
  call_trans2setfilepathinfo(8) tmp/testdir/testfile (fnum 10883)
info_level=1004 totdata=40
[2004/12/30 14:45:05, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(tmp/testdir/testfile) returning 0600
[2004/12/30 14:45:05, 2] smbd/trans2.c:call_trans2setfilepathinfo(3681)
  file_set_dosmode of tmp/testdir/testfile failed (Operation not permitted)
[2004/12/30 14:45:05, 3] smbd/error.c:error_packet(105)
  error string = Operation not permitted
[2004/12/30 14:45:05, 3] smbd/error.c:error_packet(129)
  error packet at smbd/trans2.c(3682) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 86 of length 45
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBclose (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/reply.c:reply_close(2772)
  close fd=-1 fnum=10883 (numopen=2)
[2004/12/30 14:45:05, 2] smbd/close.c:close_normal_file(270)
  richardh closed file tmp/testdir/testfile (numopen=1) 
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 87 of length 74
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2qfsinfo(1825)
  call_trans2qfsinfo: level = 258
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 88 of length 74
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2qfsinfo(1825)
  call_trans2qfsinfo: level = 261
[2004/12/30 14:45:40, 3] smbd/process.c:process_smb(1091)
  Transaction 89 of length 53
[2004/12/30 14:45:40, 3] smbd/process.c:switch_message(886)
  switch message SMBecho (pid 22403) conn 0x0
[2004/12/30 14:45:40, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/12/30 14:45:40, 3] smbd/reply.c:reply_echo(3018)
  echo 1 times
[2004/12/30 14:45:40, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/12/30 14:46:14, 3] smbd/process.c:process_smb(1091)
  Transaction 90 of length 53
[2004/12/30 14:46:14, 3] smbd/process.c:switch_message(886)
  switch message SMBecho (pid 22403) conn 0x0
[2004/12/30 14:46:14, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  Transaction 83 of length 122
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2qfilepathinfo(2346)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2qfilepathinfo(2380)
  call_trans2qfilepathinfo tmp/testdir/testfile (fnum = -1) level=1004 call=5
total_data=0
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 84 of length 132
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBntcreateX (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(tmp/testdir/testfile) returning 0700
[2004/12/30 14:45:05, 2] smbd/open.c:open_file(245)
  richardh opened file tmp/testdir/testfile read=Yes write=No (numopen=2)
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 85 of length 120
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/trans2.c:call_trans2setfilepathinfo(3096)
  call_trans2setfilepathinfo(8) tmp/testdir/testfile (fnum 10883)
info_level=1004 totdata=40
[2004/12/30 14:45:05, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(tmp/testdir/testfile) returning 0600
[2004/12/30 14:45:05, 2] smbd/trans2.c:call_trans2setfilepathinfo(3681)
  file_set_dosmode of tmp/testdir/testfile failed (Operation not permitted)
[2004/12/30 14:45:05, 3] smbd/error.c:error_packet(105)
  error string = Operation not permitted
[2004/12/30 14:45:05, 3] smbd/error.c:error_packet(129)
  error packet at smbd/trans2.c(3682) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
[2004/12/30 14:45:05, 3] smbd/process.c:process_smb(1091)
  Transaction 86 of length 45
[2004/12/30 14:45:05, 3] smbd/process.c:switch_message(886)
  switch message SMBclose (pid 22403) conn 0x83541d8
[2004/12/30 14:45:05, 3] smbd/reply.c:reply_close(2772)
  close fd=-1 fnum=10883 (numopen=2)
[2004/12/30 14:45:05, 2] smbd/close.c:close_normal_file(270)


Successful delete without patch:
 ****************************

[2004/12/30 15:21:33, 3] smbd/trans2.c:call_trans2qfilepathinfo(2346)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2004/12/30 15:21:33, 3] smbd/trans2.c:call_trans2qfilepathinfo(2380)
  call_trans2qfilepathinfo tmp/testdir/testfile (fnum = -1) level=1004 call=5
total_data=0
[2004/12/30 15:21:33, 3] smbd/process.c:process_smb(1091)
  Transaction 197 of length 122
[2004/12/30 15:21:33, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22428) conn 0x83541f0
[2004/12/30 15:21:33, 3] smbd/trans2.c:call_trans2qfilepathinfo(2346)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1035
[2004/12/30 15:21:33, 3] smbd/trans2.c:call_trans2qfilepathinfo(2380)
  call_trans2qfilepathinfo tmp/testdir/testfile (fnum = -1) level=1035 call=5
total_data=0
[2004/12/30 15:21:33, 3] smbd/process.c:process_smb(1091)
  Transaction 198 of length 86
[2004/12/30 15:21:33, 3] smbd/process.c:switch_message(886)
  switch message SMBunlink (pid 22428) conn 0x83541f0
[2004/12/30 15:21:33, 3] smbd/reply.c:reply_unlink(1691)
  reply_unlink : tmp/testdir/testfile
[2004/12/30 15:21:33, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(tmp/testdir/testfile) returning 0700
[2004/12/30 15:21:33, 2] smbd/open.c:open_file(245)
  richardh opened file tmp/testdir/testfile read=Yes write=No (numopen=2)
[2004/12/30 15:21:33, 2] smbd/close.c:close_normal_file(270)
  richardh closed file tmp/testdir/testfile (numopen=1) 
[2004/12/30 15:21:33, 3] smbd/notify_kernel.c:kernel_check_notify(99)
  kernel_check_notify: kernel change notify on tmp/testdir fd[0]=26
(signals_received=2)
[2004/12/30 15:21:33, 3] smbd/error.c:error_packet(105)
  error string = Bad file descriptor
[2004/12/30 15:21:33, 3] smbd/error.c:error_packet(129)
  error packet at smbd/notify.c(55) cmd=160 (SMBnttrans) NT code 0x0000010c
[2004/12/30 15:21:33, 3] smbd/notify_kernel.c:kernel_remove_notify(144)
  kernel_remove_notify: fd=-1
[2004/12/30 15:21:33, 3] smbd/notify_kernel.c:kernel_check_notify(99)
  kernel_check_notify: kernel change notify on tmp/testdir fd[0]=25
(signals_received=1)
[2004/12/30 15:21:33, 3] smbd/error.c:error_packet(105)
  error string = Bad file descriptor
[2004/12/30 15:21:33, 3] smbd/error.c:error_packet(129)
  error packet at smbd/notify.c(55) cmd=160 (SMBnttrans) NT code 0x0000010c
[2004/12/30 15:21:33, 3] smbd/notify_kernel.c:kernel_remove_notify(144)
  kernel_remove_notify: fd=-1
[2004/12/30 15:21:33, 3] smbd/process.c:process_smb(1091)
  Transaction 199 of length 74
[2004/12/30 15:21:33, 3] smbd/process.c:switch_message(886)
  switch message SMBtrans2 (pid 22428) conn 0x83541f0
[2004/12/30 15:21:33, 3] smbd/trans2.c:call_trans2qfsinfo(1825)
  call_trans2qfsinfo: level = 1007
[2004/12/30 15:21:33, 3] smbd/process.c:process_smb(1091)
  Transaction 200 of length 88
[2004/12/30 15:21:33, 3] smbd/process.c:switch_message(886)
  switch message SMBnttrans (pid 22428) conn 0x83541f0
[2004/12/30 15:21:33, 3] smbd/nttrans.c:call_nt_transact_notify_change(1798)
  call_nt_transact_notify_change
[2004/12/30 15:21:33, 3] smbd/notify_kernel.c:kernel_register_notify(189)
  kernel change notify on tmp/testdir (ntflags=0x3 flags=0x1e) fd=25
[2004/12/30 15:21:33, 3] smbd/nttrans.c:call_nt_transact_notify_change(1810)
  call_nt_transact_notify_change: notify change called on directory name =
tmp/testdir
[2004/12/30 15:21:33, 3] smbd/process.c:process_smb(1091)


Happy to provide any more help. Lack of ability to delete readonly files breaks
software like MKS that sets files readonly and then does a copy/delete/rename to
allow for editing. 

-Richard
Comment 1 Richard Hanschu 2005-02-10 12:24:26 UTC
The new patch KB885250 (MS05-011: Vulnerability in Server Message Block Could
Allow Remote Code Execution) also causes this same behavior. That is after
installation of the patch, users can not delete read-only files in directories
that they have write permissions on. 

There are now two critical MS patches that can not be installed while maintaining
interop with Samba as required by MKS and other tools.... 

-Richard
Comment 2 Volker Lendecke 2005-02-11 01:44:13 UTC
It would help a lot to send full sniffs for the failure case against Samba, as
well as the successful case of a similar setup against windows from the patched
client. A debug level 10 (!) log of the failing smbd helps as well.

Thanks,

Volker
Comment 3 Gerald (Jerry) Carter 2005-02-22 16:12:54 UTC
I can't delete the file using smbclient.


[public]
        comment = Public Access share
        path = /export/u1/public
        read only = No
        create mask = 0644
        inherit permissions = Yes
        inherit acls = Yes
        include = /usr/local/samba/lib/%G.conf
        msdfs root = Yes


# ls -ld /export/u1/public
drwxrwxrwx  16 root root 4096 Feb 22 17:05 .

# ls -ld afile
-r--r--r--  1 root root 0 Feb 22 17:05 afile

# smbstatus

Samba version 3.0.12pre1-SVN-build-5497
PID     Username      Group         Machine
-------------------------------------------------------------------
10067   jerry         users         drizzt

Service      pid     machine       Connected at
-------------------------------------------------------
public       10067   drizzt        Tue Feb 22 17:04:39 2005



smb: \> dir afile
  afile            R        0  Tue Feb 22 17:05:19 2005

                64384 blocks of size 1048576. 33074 blocks available

smb: \> del afile
NT_STATUS_CANNOT_DELETE deleting remote file \afile

Comment 4 Gerald (Jerry) Carter 2005-02-22 16:16:33 UTC
sorry, missed the part of 'delete readonly = yes'

This might be related to bug 2227
Comment 5 Gerald (Jerry) Carter 2005-02-22 16:35:13 UTC
not the same as the xp sp2 bug. The client sends 
a SET_FILE_INFO request to clear the read only bit
which is what returns the "access denied".

jeremy, the trace is at samba.org:~jerry/bugs/2201/dump2.pcap

I tried adding 'dos filemode = yes' but that didn't work
(possibly related to bug 2239).
Comment 6 Jeremy Allison 2005-02-22 19:19:41 UTC
Looking at the capture Jerry sent this is an aspect of the same XP change.
(ie. yes it is the same bug :-).

MS no longer use the SMBunlink call; they always open with delete intent, set
the delete on close flag and close. We're not checking for "lp_delete_readonly"
on setting the delete on close flag. I'll fix this, but I do also want to check
into denying the removal of the aRONLY flag with setfileinfo in this case.
Jeremy.
Comment 7 Jeremy Allison 2005-02-22 19:21:07 UTC
Created attachment 977
Patch

Ok, I'm closing this one as I'm pretty sure this fixes it. I still want to
look at setting the dos attributes in this case however.
Jeremy.
Comment 8 Jeremy Allison 2005-02-22 19:23:52 UTC
Attached patch should fix.
Jeremy.
Comment 9 Gerald (Jerry) Carter 2005-08-24 10:26:20 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.