
CVE-2015-5252: s3: smbd: Fix symlink verification (file access outside the share).

New tests for fix.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison 2015-07-09 13:57:58 -07:00 committed by Stefan Metzmacher
parent 7606c0db25
commit cc137fa386
2 changed files with 90 additions and 0 deletions


@ -1118,6 +1118,12 @@ sub provision($$$$$$$$)
my $manglenames_shrdir="$shrdir/manglenames";
push(@dirs,$manglenames_shrdir);
my $widelinks_shrdir="$shrdir/widelinks";
push(@dirs,$widelinks_shrdir);
my $widelinks_linkdir="$shrdir/widelinks_foo";
push(@dirs,$widelinks_linkdir);
# this gets autocreated by winbindd
my $wbsockdir="$prefix_abs/winbindd";
my $wbsockprivdir="$lockdir/winbindd_privileged";
@ -1207,6 +1213,25 @@ sub provision($$$$$$$$)
my $manglename_target = "$manglenames_shrdir/foo:bar";
mkdir($manglename_target, 0777);
##
## create symlinks for widelinks tests.
##
my $widelinks_target = "$widelinks_linkdir/target";
unless (open(WIDELINKS_TARGET, ">$widelinks_target")) {
warn("Unable to open $widelinks_target");
return undef;
}
close(WIDELINKS_TARGET);
chmod 0666, $widelinks_target;
##
## This link should get ACCESS_DENIED
##
symlink "$widelinks_target", "$widelinks_shrdir/source";
##
## This link should be allowed
##
symlink "$widelinks_shrdir", "$widelinks_shrdir/dot";
my $conffile="$libdir/server.conf";
my $nss_wrapper_pl = "$ENV{PERL} $self->{srcdir}/lib/nss_wrapper/nss_wrapper.pl";
@ -1512,6 +1537,11 @@ sub provision($$$$$$$$)
path = $shrdir/%R
guest ok = yes
[widelinks_share]
path = $widelinks_shrdir
wide links = no
guest ok = yes
[fsrvp_share]
path = $shrdir
comment = fake shapshots using rsync
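Review bot: Both `symlink` calls in the second hunk of `provision` ignore their return value, while the `open` just above them bails out with `return undef`; if either link is not created the environment still comes up and the problem only surfaces later as a confusing smbclient result. I would check them the same way, e.g. `symlink($widelinks_target, "$widelinks_shrdir/source") or return undef;` preceded by a `warn` that includes `$!`. The target file is created with a bareword handle and two-argument `open(WIDELINKS_TARGET, ">$widelinks_target")`; `open(my $fh, '>', $widelinks_target)` keeps the mode out of the path string. A short comment on `$widelinks_linkdir` would also help, something like `# deliberately a sibling of widelinks/ whose name starts with the share path; do not rename`, assuming the shared `widelinks` prefix is what the regression test depends on. `provision` begins and ends outside these hunks.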


@ -1003,6 +1003,62 @@ EOF
fi
}
# Test wide links are restricted.
test_widelinks()
{
tmpfile=$PREFIX/smbclient_interactive_prompt_commands
cat > $tmpfile <<EOF
cd dot
ls
quit
EOF
cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/widelinks_share -I $SERVER_IP $ADDARGS < $tmpfile 2>&1'
eval echo "$cmd"
out=`eval $cmd`
ret=$?
rm -f $tmpfile
if [ $ret != 0 ] ; then
echo "$out"
echo "failed accessing widelinks_share with error $ret"
false
return
fi
echo "$out" | grep 'NT_STATUS'
ret=$?
if [ $ret == 0 ] ; then
echo "$out"
echo "failed - NT_STATUS_XXXX listing \\widelinks_share\\dot"
false
fi
cat > $tmpfile <<EOF
allinfo source
quit
EOF
cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/widelinks_share -I $SERVER_IP $ADDARGS < $tmpfile 2>&1'
eval echo "$cmd"
out=`eval $cmd`
ret=$?
rm -f $tmpfile
if [ $ret != 0 ] ; then
echo "$out"
echo "failed accessing widelinks_share with error $ret"
false
return
fi
# This should fail with NT_STATUS_ACCESS_DENIED
echo "$out" | grep 'NT_STATUS_ACCESS_DENIED'
ret=$?
if [ $ret != 0 ] ; then
echo "$out"
echo "failed - should get NT_STATUS_ACCESS_DENIED listing \\widelinks_share\\source"
false
fi
}
LOGDIR_PREFIX=test_smbclient_s3
@ -1095,6 +1151,10 @@ testit "creating a :stream at root of share" \
test_toplevel_stream || \
failed=`expr $failed + 1`
testit "Ensure widelinks are restricted" \
test_widelinks || \
failed=`expr $failed + 1`
testit "rm -rf $LOGDIR" \
rm -rf $LOGDIR || \
failed=`expr $failed + 1`
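Review bot: In `test_widelinks`, the failure branch for the `dot` listing runs `false` but never returns, so execution continues into the `allinfo source` check and the function's exit status comes from that second check alone. A broken in-share link would therefore go unreported whenever the NT_STATUS_ACCESS_DENIED check passes, which leaves only the denied case enforced. Adding `return` after that `false`, as the two `$ret != 0` branches already do, makes the allowed-link case count. Separately, `[ $ret == 0 ]` uses `==`, which not every `/bin/sh` implementation of `test` accepts; `[ $ret = 0 ]` or `[ $ret -eq 0 ]` is portable if the script runs under plain sh.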