Bug 6583 - Samba server ignores FILE_OPEN_FOR_BACKUP_INTENT
Samba server ignores FILE_OPEN_FOR_BACKUP_INTENT
Status: NEW
Product: Samba 4.0
Classification: Unclassified
Component: File services
unspecified
All Linux
: P2 enhancement
: ---
Assigned To: Jeremy Allison
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-07-29 00:00 UTC by Steve French
Modified: 2017-04-18 17:46 UTC (History)
6 users (show)

See Also:


Attachments
wireshark trace showing backup intent flag (7.25 KB, application/octet-stream)
2009-07-29 13:47 UTC, Steve French
no flags Details
patch to force Linux cifs client to send FILE_OPEN_FOR_BACKUP_INTENT on SMB NTCreateX (628 bytes, text/x-diff)
2009-07-29 13:49 UTC, Steve French
no flags Details
Adds into smb.h the definitions for all missing create options (1.36 KB, text/x-diff)
2009-07-29 15:05 UTC, Steve French
no flags Details
Create a file on a remote share with an empty ACL, then try to open it with FILE_FLAG_BACKUP_SEMANTICS. (38.00 KB, application/octet-stream)
2010-02-26 13:47 UTC, Michael Reissner
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Steve French 2009-07-29 00:00:00 UTC
CreateOption: CREATE_OPEN_BACKUP_INTENT (0x00004000) is ignored by Samba server on open (NTCreateX SMB), but Windows uses it to allow a privileged user to open a file for which it does not have permission (without this flag the admin user should get access denied trying to open the file).
Comment 1 Jeremy Allison 2009-07-29 13:01:08 UTC
Do you have a test case for this, or a use case to show how it is supposed to work ?
Jeremy.
Comment 2 Steve French 2009-07-29 13:42:45 UTC
MS says FILE_OPEN_FOR_BACKUP_INTENT (SMB NTCreateX  CreateOption):

"The file is being opened or created for the purposes of either a backup or a restore operation. Thus, the server may make appropriate checks to ensure that the caller is capable of overriding whatever security checks have been placed on the file to allow a backup or restore operation to occur."

Similar text is in the description of the local Windows open call.  Various applications (not just backup/restore) e.g. Cygwin, set this flag in order to allow a privileged user (Admin or backup operator) to access files which they otherwise would not have permission to access - but only when this flag is set.
Comment 3 Steve French 2009-07-29 13:47:36 UTC
Created attachment 4481 [details]
wireshark trace showing backup intent flag

Same user (Administrator) mounted to Windows 2003 Domain Controller.  Frame 5 shows the failure (without BACKUP_INTENT flag) and Frame 47 shows the same but with BACKUP_INTENT flag succeeding.

This (with and without flag) was done by trivial modification to Linux cifs client since the customer test case was large, complex
Comment 4 Steve French 2009-07-29 13:49:24 UTC
Created attachment 4482 [details]
patch to force Linux cifs client to send FILE_OPEN_FOR_BACKUP_INTENT on SMB NTCreateX

I tried backup intent flag by rebuilding cifs.ko (Linux client) with this trivial patch.
Comment 5 Steve French 2009-07-29 14:48:00 UTC
Note that Samba 4 defines the flag with a different name:

and that currently Samba 4 torture test for the FindFirst version is the only place where the flag seems to be used (in /torture/raw/search.c)

The defines for this flag, and the NO COMRPESSION option, are included in the libcli/raw/smb.h for Samba 4 (and similarly in Linux cifs client, and in MS-SMB doc):

#define NTCREATEX_OPTIONS_BACKUP_INTENT             0x4000
#define NTCREATEX_OPTIONS_NO_COMPRESSION            0x8000

There is a similar flag on FindFirst (see trans2.h)
Comment 6 Steve French 2009-07-29 15:05:24 UTC
Created attachment 4483 [details]
Adds into smb.h the definitions for all missing create options
Comment 7 Volker Lendecke 2009-08-21 09:37:34 UTC
Pushed the patch, but the feature needs much more discussion.

Volker
Comment 8 Steve French 2009-09-17 20:47:24 UTC
FYI - I also had forwarded a Win32 test case for this earlier in the summer to jra - any update?
Comment 9 Steve French 2009-10-02 15:16:51 UTC
Per-jra discussion - make blocker for 3.5.

Biggest obstacle now is getting a good smb-torture case for this, and related ACL (raw/acls.c is too narrow) and deal with the foreign sid issue in constructing a repeatable test case (repeatable test case needed obviously for build verification and future functional testing, and so we don't regress ACLs in the future or across different ACL backends).
Comment 10 Jeremy Allison 2010-01-25 11:46:37 UTC
Re-prioritizing to enhancement as this isn't going to make the 3.5.0 release.
Jeremy.
Comment 11 Michael Reissner 2010-02-26 13:47:34 UTC
Created attachment 5428 [details]
Create a file on a remote share with an empty ACL, then try to open it with FILE_FLAG_BACKUP_SEMANTICS.

To use this test, run
  BackupIntentTest.exe your_config.txt

where your_config.txt looks like:
server=YOUR_SERVER
share=YOUR_SHARE
user_1=USER@YOUR.DOMAIN
pswd_1=USER1PSWD
priv_user=USER_W_BACKUP_PRIVS@YOUR.DOMIN
priv_pswd=PRIVPSWD

It creates the file as user_1, with an empty ACL.  Then, it tries to open the file as the user that's running the test: this should not be allowed.  It finally impersonates the privileged user, with the Backup privilege enabled, and opens the file for reading with the FILE_FLAG_BACKUP_SEMANTICS flag, which should be allowed.
Comment 12 Jeremy Allison 2010-02-26 19:15:07 UTC
Great ! Thanks a lot. I'll take a look at implementing this for 3.5.1.

Jeremy.
Comment 13 Karolin Seeger 2010-05-20 02:52:44 UTC
Updating product.
Comment 14 Hemanth 2016-12-12 23:26:19 UTC
Hi,
We are using 4.3.11 stack and observing the same issue. i.e Server simply ignores when the create request coming with BACKUP INTENT flag and enforcing the user to have required permissions on the object though he has backup privileges.


Also, I found these checks in se_file_access_check().

  /* Check if we should override with privileges. */
  if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
      security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
    bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
  }
  if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
      security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
    bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
  }

Priv and Restore flags are defined as:

#define SEC_RIGHTS_PRIV_BACKUP  ( SEC_STD_READ_CONTROL|SEC_FLAG_SYSTEM_SECURITY|SEC_RIGHTS_FILE_READ|SEC_DIR_TRAVERSE )
#define SEC_RIGHTS_PRIV_RESTORE ( SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|SEC_FLAG_SYSTEM_SECURITY|SEC_RIGHTS_FILE_WRITE|SEC_DIR_ADD_FILE|SEC_DIR_ADD_SUBDIR|SEC_STD_DELETE )


Here we seem to be checking for SYSTEM SECURITY + Read perms as Backup right and SYSTEM SECURITY + Write perms for Restore rights. 

In our case, create request came with BACKUP intent and with write access.

SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
    Create Request (0x05)
        StructureSize: 0x0039
        Oplock: No oplock (0x00)
        Impersonation: Impersonation (2)
        Create Flags: 0x0000000000000000
        Access Mask: 0x00100191
            .... .... .... .... .... .... .... ...1 = Read: READ access
            .... .... .... .... .... .... .... ..0. = Write: NO write access
            .... .... .... .... .... .... .... .0.. = Append: NO append access
            .... .... .... .... .... .... .... 0... = Read EA: NO read extended attributes access
            .... .... .... .... .... .... ...1 .... = Write EA: WRITE EXTENDED ATTRIBUTES access
            .... .... .... .... .... .... ..0. .... = Execute: NO execute access
            .... .... .... .... .... .... .0.. .... = Delete Child: NO delete child access
            .... .... .... .... .... .... 1... .... = Read Attributes: READ ATTRIBUTES access
            .... .... .... .... .... ...1 .... .... = Write Attributes: WRITE ATTRIBUTES access
            .... .... .... ...0 .... .... .... .... = Delete: NO delete access
            .... .... .... ..0. .... .... .... .... = Read Control: Read access is NOT granted to owner, group and ACL of the SID
            .... .... .... .0.. .... .... .... .... = Write DAC: Owner may NOT write to the DAC
            .... .... .... 0... .... .... .... .... = Write Owner: Can NOT write owner (take ownership)
            .... .... ...1 .... .... .... .... .... = Synchronize: Can wait on handle to SYNCHRONIZE on completion of I/O
            .... ...0 .... .... .... .... .... .... = System Security: System security is NOT set
            .... ..0. .... .... .... .... .... .... = Maximum Allowed: Maximum allowed is NOT set
            ...0 .... .... .... .... .... .... .... = Generic All: Generic all is NOT set
            ..0. .... .... .... .... .... .... .... = Generic Execute: Generic execute is NOT set
            .0.. .... .... .... .... .... .... .... = Generic Write: Generic write is NOT set
            0... .... .... .... .... .... .... .... = Generic Read: Generic read is NOT set
        File Attributes: 0x00000010
        Share Access: 0x00000003, Read, Write
        Disposition: Open If (if file exists open it, else create it) (3)
        Create Options: 0x00004021
            .... .... .... .... .... .... .... ...1 = Directory: File being created/opened must be a directory
            .... .... .... .... .... .... .... ..0. = Write Through: Writes need not flush buffered data before completing
            .... .... .... .... .... .... .... .0.. = Sequential Only: The file might not only be accessed sequentially
            .... .... .... .... .... .... .... 0... = Intermediate Buffering: Intermediate buffering is allowed
            .... .... .... .... .... .... ...0 .... = Sync I/O Alert: Operations NOT necessarily synchronous
            .... .... .... .... .... .... ..1. .... = Sync I/O Nonalert: All operations SYNCHRONOUS, waits not subject to alert
            .... .... .... .... .... .... .0.. .... = Non-Directory: File being created/opened must be a directory
            .... .... .... .... .... .... 0... .... = Create Tree Connection: Create Tree Connections is NOT set
            .... .... .... .... .... ...0 .... .... = Complete If Oplocked: Complete if oplocked is NOT set
            .... .... .... .... .... ..0. .... .... = No EA Knowledge: The client understands extended attributes
            .... .... .... .... .... .0.. .... .... = 8.3 Only: The client understands long file names
            .... .... .... .... .... 0... .... .... = Random Access: The file will not be accessed randomly
            .... .... .... .... ...0 .... .... .... = Delete On Close: The file should not be deleted when it is closed
            .... .... .... .... ..0. .... .... .... = Open By FileID: OpenByFileID is NOT set
            .... .... .... .... .1.. .... .... .... = Backup Intent: This is a create with BACKUP INTENT
            .... .... .... .... 0... .... .... .... = No Compression: Compression is allowed for Open/Create
            .... .... ...0 .... .... .... .... .... = Reserve Opfilter: Reserve Opfilter is NOT set
            .... .... ..0. .... .... .... .... .... = Open Reparse Point: Normal open
            .... .... .0.. .... .... .... .... .... = Open No Recall: Open no recall is NOT set
            .... .... 0... .... .... .... .... .... = Open For Free Space query: This is NOT an open for free space query
        Filename: final-rc.gchild.child1.automation.nutanix.com\genfinal
        ExtraInfo SMB2_CREATE_DURABLE_HANDLE_REQUEST SMB2_CREATE_ALLOCATION_SIZE SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST SMB2_CREATE_QUERY_ON_DISK_ID


Would like to know if there is any work in progress to fix this issue. Looks like mostly we will need to check if the create flags has the BACKUP INTENT option, we will need to check if the incoming user has the BACKUP Privilege. Let me know if there is any thing else which we need to worry about.
Comment 15 Jeremy Allison 2016-12-12 23:50:12 UTC
I fixed this for directory listing with backup intent, but not for the open. Should be fairly simple but *beware* of the security implications when you get an access denied and then decide to override as root...
Comment 16 Hemanth 2016-12-13 00:14:07 UTC
(In reply to Jeremy Allison from comment #15)

As Steve updated in comment #2, MS-SMB2 spec seems to be suggesting to override all the permissions if the open request comes with this flag and the user has the necessary privileges(though it is not very clear if some or all can be overriden). Windows seems to be allowing this case without any warning. Shouldn't we follow the windows here?
Comment 17 Jeremy Allison 2016-12-13 00:26:33 UTC
Oh yes, absolutely we should. The reason we haven't is that people usually set up a special share for Samba backups, with "admin users = XXX" set for a path that mirrors the regular share they want to back up. This does the same thing as 'backup intent' but can be done with existing code.
Comment 18 Jeremy Allison 2017-04-18 17:45:53 UTC
You know, I think I fixed this a long time ago.... There's certainly code in smbd that implements this.
Comment 19 Jeremy Allison 2017-04-18 17:46:41 UTC
(In reply to Jeremy Allison from comment #18)

Oh never mind, I'm thinking of the directory listing code.