A code change since the SeBackup code was added to the tree now means that we indirect through a null token pointer when evaluating ACLs.

Andrew Bartlett <abartlet@samba.org> wrote:

Thanks to a hint Jeremy gave me on a private list, I think I know the issue.

We fault here, because token == NULL.

> /usr/local/samba/sbin/smbd: #8 <signal handler called>
> /usr/local/samba/sbin/smbd: No symbol table info available.
> /usr/local/samba/sbin/smbd: #9 0xb695556a in security_token_has_sid
> (token=0x0, sid=0x99f3790) at ../libcli/security/security_token.c:109
> /usr/local/samba/sbin/smbd: i = 0
> /usr/local/samba/sbin/smbd: #10 0xb6955bb4 in se_access_check
> (sd=0x99f35d0, token=0x0, access_desired=1, access_granted=0xbf8dae78)
> at ../libcli/security/access_check.c:229
> /usr/local/samba/sbin/smbd: ace = 0x99f3760
> /usr/local/samba/sbin/smbd: i = 0
> /usr/local/samba/sbin/smbd: bits_remaining = 1
> /usr/local/samba/sbin/smbd: explicitly_denied_bits = 0
> /usr/local/samba/sbin/smbd: owner_rights_allowed = 0
> /usr/local/samba/sbin/smbd: owner_rights_denied = 0
> /usr/local/samba/sbin/smbd: owner_rights_default = true
> /usr/local/samba/sbin/smbd: __FUNCTION__ = "se_access_check"
> /usr/local/samba/sbin/smbd: #11 0xb6955e26 in se_file_access_check
> (sd=0x99f35d0, token=0x0, priv_open_requested=true, access_desired=1,
> access_granted=0xbf8dae78) at ../libcli/security/access_check.c:340
> /usr/local/samba/sbin/smbd: bits_remaining = 149295168
> /usr/local/samba/sbin/smbd: status = {v = 161424512}
> /usr/local/samba/sbin/smbd: __FUNCTION__ = "se_file_access_check"
> /usr/local/samba/sbin/smbd: #12 0xb748ae21 in smbd_check_access_rights
> (conn=0x99a98d8, smb_fname=0x99f2eb0, use_privs=true, access_mask=1) at
> ../source3/smbd/open.c:137
> /usr/local/samba/sbin/smbd: status = {v = 0}
> /usr/local/samba/sbin/smbd: sd = 0x99f35d0
> /usr/local/samba/sbin/smbd: rejected_share_access = 0
> /usr/local/samba/sbin/smbd: rejected_mask = 1
> /usr/local/samba/sbin/smbd: __FUNCTION__ =
> "smbd_check_access_rights"
> /usr/local/samba/sbin/smbd: #13 0xb742cd73 in dptr_create
> (conn=0x99a98d8, req=0x99f2590, fsp=0x0, path=0x99f2870
> "Administrator/Application Data/LibreOffice", old_handle=false,
> expect_close=true, spid=1344, wcard=0x99f28d0 "3", wcard_has_wild=false,
> attr=22, dptr_ret=0xbf8daf94) at ../source3/smbd/dir.c:534
> /usr/local/samba/sbin/smbd: ret = 0
> /usr/local/samba/sbin/smbd: backup_intent = true

Here we know that this is a trans2 with backup intent (due to Jeremy's recent backup privileges work).

> /usr/local/samba/sbin/smbd: smb_dname = 0x99f2eb0
> /usr/local/samba/sbin/smbd: status = {v = 0}
> /usr/local/samba/sbin/smbd: sconn = 0x99e8fa8
> /usr/local/samba/sbin/smbd: dptr = 0x0
> /usr/local/samba/sbin/smbd: dir_hnd = 0x94ce0e0
> /usr/local/samba/sbin/smbd: __FUNCTION__ = "dptr_create"
> /usr/local/samba/sbin/smbd: #14 0xb7471c50 in call_trans2findfirst
> (conn=0x99a98d8, req=0x99f2590, pparams=0x911fe1c, total_params=104,
> ppdata=0x911fe24, total_data=0, max_data_bytes=16384) at
> ../source3/smbd/trans2.c:2499
> /usr/local/samba/sbin/smbd: backup_priv = true
> /usr/local/samba/sbin/smbd: __FUNCTION__ = "call_trans2findfirst"

At line 2393 of source3/smbd/trans2.c we call become_root(). We correctly unbecome_root() later, but in the meantime we call dptr_create(), which calls smbd_check_access_rights() and eventually calls get_current_nttok().

Because we are in a become_root(), the token is NULL, and so we segfault.

Created attachment 8109
git-am fix for 4.0.0rc

Created attachment 8114
updated version of the patch

This is the slightly updated version of the patch that is currently in autobuild for master.

Two changes:
1) my reviewed-by tag in the commit message
2) minor indentation fix in debug and panic argument strings.

Michael

Given that my updated patch essentially carries my review tag in the commit messages plus a minor indentation change, I regard this "review +" as sufficient and hand the bug to Karolin for inclusion into 4.0.0rcX.

Michael

Pushed to autobuild-v4-0-test. Closing out bug report. Thanks!
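
The fault described in the original report (an ACL check reached while the current token is NULL inside a become_root() section), as an added example that is not Samba code and not the attached patch. It is a simplified C model with hypothetical names (`model_become_root`, `access_check`, `ST_NO_TOKEN`, a SID reduced to one integer) in which the check fails closed on a missing token instead of dereferencing it.

```c
/* Simplified model of the fault path; all names are hypothetical, not Samba's API. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct token { size_t num_sids; const uint32_t *sids; };  /* SID reduced to a RID */
struct ace   { uint32_t trustee, allow_mask; };
struct sd    { size_t num_aces; const struct ace *aces; };
enum status  { ST_OK, ST_ACCESS_DENIED, ST_NO_TOKEN };

static const struct token *cur_tok, *saved_tok;
/* Model of the state the report describes: while root, there is no NT token. */
static void model_become_root(void)   { saved_tok = cur_tok; cur_tok = NULL; }
static void model_unbecome_root(void) { cur_tok = saved_tok; saved_tok = NULL; }

/* Guarded membership test: a NULL token holds no SIDs. */
static bool token_has_sid(const struct token *t, uint32_t sid) {
    if (t == NULL) return false;
    for (size_t i = 0; i < t->num_sids; i++)
        if (t->sids[i] == sid) return true;
    return false;
}

/* Fail closed: a missing token is an error, never a crash and never a grant. */
static enum status access_check(const struct sd *sd, const struct token *t,
                                uint32_t desired, uint32_t *granted) {
    uint32_t remaining = desired;
    *granted = 0;
    if (t == NULL) return ST_NO_TOKEN;
    for (size_t i = 0; i < sd->num_aces && remaining; i++)
        if (token_has_sid(t, sd->aces[i].trustee))
            remaining &= ~sd->aces[i].allow_mask;
    if (remaining) return ST_ACCESS_DENIED;
    *granted = desired;
    return ST_OK;
}

/* Constructed input: check as a user, while elevated, and after dropping root. */
static void run_sequence(enum status out[3]) {
    static const uint32_t sids[] = { 1000 };
    static const struct token tok = { 1, sids };
    static const struct ace aces[] = { { 1000, 0x1 } };
    static const struct sd sd = { 1, aces };
    uint32_t granted;
    cur_tok = &tok;
    out[0] = access_check(&sd, cur_tok, 0x1, &granted);
    model_become_root();
    out[1] = access_check(&sd, cur_tok, 0x1, &granted);
    model_unbecome_root();
    out[2] = access_check(&sd, cur_tok, 0x1, &granted);
}
```

Returning a distinct status for the missing token makes the elevated call path visible to the caller, which can then decide explicitly whether an elevated caller should bypass the ACL check.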