1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

404 Commits

Author SHA1 Message Date
Volker Lendecke
e2fbe361ba smbd: Remove the offset argument from ReadDirName()
Nobody does anything with this anymore, we just call ReadDirName() in
sequence or do a RewindDir(). So we don't have to look at offsets as
given by the file system anymore.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-06-13 23:33:39 +00:00
Ralph Boehme
8b23a4a7ec smbd: Prevent creation of vetoed files
The problem is when checking for vetoed names on the last path component in
openat_pathref_fsp_case_insensitive() we return
NT_STATUS_OBJECT_NAME_NOT_FOUND. The in the caller
filename_convert_dirfsp_nosymlink() this is treated as the "file creation case"
causing filename_convert_dirfsp_nosymlink() to return NT_STATUS_OK.

In order to correctly distinguish between the cases

1) file doesn't exist, we may be creating it, return
2) a vetoed a file

we need 2) to return a more specific error to
filename_convert_dirfsp_nosymlink(). I've chosen NT_STATUS_OBJECT_NAME_INVALID
which gets mapped to the appropriate errror NT_STATUS_OBJECT_PATH_NOT_FOUND or
NT_STATUS_OBJECT_NAME_NOT_FOUND depending on which path component was vetoed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Apr  6 23:03:50 UTC 2023 on atb-devel-224
2023-04-06 23:03:50 +00:00
Ralph Boehme
e0ac0a2562 smbd: RIP DFS pathname processing in filename_convert_dirfsp_nosymlink()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-31 05:12:32 +00:00
Jeremy Allison
31f5c714c6 s3: smbd: Add assertion to filename_convert_dirfsp_nosymlink() that shows SMB2 is *never* dealing with a DFS path here.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-03-31 05:12:32 +00:00
Jeremy Allison
3f84a6df45 s3: smbd: Fix fsp/fd leak when looking up a non-existent stream name on a file.
When open_stream_pathref_fsp() returns
NT_STATUS_OBJECT_NAME_NOT_FOUND, smb_fname_rel->fsp
has been set to NULL, so we must free base_fsp separately
to prevent fd-leaks when opening a stream that doesn't
exist.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15314

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar  3 16:37:27 UTC 2023 on atb-devel-224
2023-03-03 16:37:27 +00:00
Volker Lendecke
bf9130d375 smbd: Fix case normalization in for directories
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15313
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Feb 24 08:46:14 UTC 2023 on atb-devel-224
2023-02-24 08:46:14 +00:00
Volker Lendecke
636daef0fe smbd: Hide the SMB1 posix symlink behaviour behind UCF_LCOMP_LNK_OK
This will be used in the future to also open symlinks as reparse
points, so this won't be specific to only SMB1 posix extensions.

I have tried to avoid additional flags for several weeks by making
openat_pathref_fsp or other flavors of this to always open fsp's with
symlink O_PATH opens, because I think NT_STATUS_OBJECT_NAME_NOT_FOUND
with a valid stat is a really bad and racy way to express that we just
hit a symlink, but I miserably failed. Adding additional flags (another one
will follow) is wrong, but I don't see another way right now.

Signed-off-by: Volker Lendecke <vl@samba.org>
2022-12-22 19:50:34 +00:00
Volker Lendecke
70b515be9c smbd: Simplify filename_convert_dirfsp_nosymlink()
Avoid a nested if, the "&&" is easier to understand for me.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-22 19:50:34 +00:00
Volker Lendecke
aff8b4fde7 smbd: Simplify filename_convert_dirfsp_nosymlink()
Factor out the symlink-case into a more obvious if-statement with less
indentation.

Review with git show -b

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-22 19:50:34 +00:00
Volker Lendecke
6e89a16df4 smbd: Reduce indentation in ucf_flags_from_smb_request()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-22 19:50:34 +00:00
Volker Lendecke
17bbd6ec4c smbd: Add "posix" flag to openat_pathref_dirfsp_nosymlink()
Don't do the get_real_filename() retry if we're in posix context of if
the connection is case sensitive.

The whole concept of case sensivity blows my brain. In SMB1 without
posix extensions it's a per-request thing. In SMB2 without posix
extensions this should just depend on "case sensitive = yes/no", and
in future SMB2 posix extensions this will become a per-request thing
again, depending on the existence of the posix create context.

Then there are other semantics that are attached to posix-ness, which
have nothing to do with case sensivity. See for example merge request
2819 and bug 8776, or commit f0e1137425. Also see
check_path_syntax_internal().

This patch uses the same flags as openat_pathref_fsp_case_insensitive()
does, but I am 100% certain this is wrong in a subtle way.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Dec 15 11:30:04 UTC 2022 on sn-devel-184
2022-12-15 11:30:04 +00:00
Volker Lendecke
453f846e18 smbd: No dfs_filename_convert() in filename_convert_smb1_search_path()
We further down call filename_convert_dirfsp(), which also has this
call. No need to copy that code here as well.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-12-05 15:06:32 +00:00
Volker Lendecke
c14b8dc0aa smbd: Factor out safe_symlink_target_path()
Small refactoring to make filename_convert_dirfsp() itself a bit
shorter using a subroutine.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-11-22 18:27:33 +00:00
Volker Lendecke
6404c3f64b smbd: Cut long lines
This is recent enough to justify just a README.Coding formatting change

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-10-27 18:18:36 +00:00
Volker Lendecke
80856941bf smbd: Remove a comment left by copy&paste
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-10-27 18:18:36 +00:00
Volker Lendecke
d385058ce7 CVE-2022-3592 smbd: Slightly simplify filename_convert_dirfsp()
subdir_of() calculates the share-relative rest for us, don't do the
strlen(connectpath) calculation twice. subdir_of() also checks that
the target properly ends on a directory. With just strncmp a symlink
to x->/aa/etc would qualify as in share /a, so a "get x/passwd" leads to a
pretty unfortunate result. This is the proper fix for bug 15207, so we
need to change the expected error code to OBJECT_PATH_NOT_FOUND

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15207
Signed-off-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Tue Oct 25 11:27:02 UTC 2022 on sn-devel-184
2022-10-25 11:27:02 +00:00
Volker Lendecke
bfe07fda67 lib: Move extract_snapshot_token() to util_path.c
Make it available to replace clistr_is_previous_version_path() in
libsmb/

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-09-19 17:23:31 +00:00
Volker Lendecke
3a37e4155c smbd: Catch streams on non-stream shares
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15161

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Sep  2 15:56:56 UTC 2022 on sn-devel-184
2022-09-02 15:56:56 +00:00
Jeremy Allison
1654eae11b s3: smbd: Add IS_VETO_PATH checks to openat_pathref_fsp_case_insensitive().
Returns NT_STATUS_OBJECT_NAME_NOT_FOUND for final component.

Note we have to call the check before each call to
openat_pathref_fsp(), as each call may be using a
different filesystem name. The first name is the
one passed into openat_pathref_fsp_case_insensitive()
by the caller, the second one is a name retrieved from
get_real_filename_cache_key(), and the third one is the name
retrieved from get_real_filename_at(). The last two
calls may have demangled the client given name into
a veto'ed path on the filesystem.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Aug 16 08:26:54 UTC 2022 on sn-devel-184
2022-08-16 08:26:54 +00:00
Jeremy Allison
78e4aac76d s3: smbd: Remove unix_convert() and associated functions.
All code now uses filename_convert_dirfsp() for race-free
filename conversion.

Best viewed with:
$ git show --patience

               ----------------
              /                \
             /       REST       \
            /         IN         \
           /         PEACE        \
          /                        \
          |                        |
          |      unix_convert      |
          |                        |
          |                        |
          |       9th August       |
          |          2022          |
          |                        |
          |                        |
         *|     *  *  *            | *
_________)/\\_//(\/(/\)/\//\/\///\/|_)_______

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 12 19:18:25 UTC 2022 on sn-devel-184
2022-08-12 19:18:25 +00:00
Jeremy Allison
d20b60c320 s3: smbd: Remove call to dfs_redirect() from filename_convert_dirfsp_nosymlink().
Use dfs_filename_convert() instead. There are now no more callers of dfs_redirect().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-08-12 18:19:31 +00:00
Jeremy Allison
fcf19d91c0 s3: smbd: Remove call to dfs_redirect() from filename_convert_smb1_search_path().
Use dfs_filename_convert() instead. Code is now much simpler.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-08-12 18:19:31 +00:00
Jeremy Allison
d80bedc3c4 s3: smbd: In filename_convert_dirfsp_nosymlink(), cope with an MS-DFS link as the terminal component.
If the terminal component was an MSDFS link, openat_pathref_fsp_case_insensitive() will
return NT_STATUS_OBJECT_NAME_NOT_FOUND with a VALID_STAT of a symlink.

If this is the case, check if we actually found a terminal MS-DFS link
at the end of the pathname and return NT_STATUS_PATH_NOT_COVERED.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-08-12 18:19:31 +00:00
Jeremy Allison
07ef9e3029 s3: smbd: In filename_convert_dirfsp_nosymlink(), allow a NT_STATUS_PATH_NOT_COVERED error to be returned.
openat_pathref_dirfsp_nosymlink() can now return NT_STATUS_PATH_NOT_COVERED.
Don't convert this automatically into NT_STATUS_OBJECT_PATH_NOT_FOUND.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15144

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-08-12 18:19:31 +00:00
Jeremy Allison
5075df4575 s3: smbd: Remove ugly SMB1-specific hack to filename_convert_dirfsp()
This was added due to the error code check in test_symlink_traversal_smb1_posix.sh.
After careful consideration I've realized the error code expected here
is incorrect, and not providing any security benefit.

We already check that trying to fetch a file/traverse through a
symlink that points outside of a share returns NT_STATUS_OBJECT_PATH_NOT_FOUND,
and this is enforced in the symlink checks already inside filename_convert_dirfsp().

If a symlink points to a directory within the share for which
the user has no permissions (as is tested here), then there's no
benefit in mapping the error code from NT_STATUS_ACCESS_DENIED
to NT_STATUS_OBJECT_PATH_NOT_FOUND, as we are not providing any
extra information about the filesystem state the user cannot already
obtain by normal SMB1+POSIX calls.

Change the error code expected in this single test from NT_STATUS_OBJECT_PATH_NOT_FOUND
to NT_STATUS_ACCESS_DENIED.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Aug  5 10:24:23 UTC 2022 on sn-devel-184
2022-08-05 10:24:22 +00:00
Jeremy Allison
5c9404f753 s3: smbd: Remove the ucf_flags parameter from extract_snapshot_token().
Now we always call check_path_syntaxXXX(), even on DFS names
we no longer need this. It was a BAD change, and I should feel BAD :-).

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-05 09:24:30 +00:00
Jeremy Allison
f24ef117cf s3: smbd: Change srvstr_get_path_internal() to always call check_path_syntaxXXX(), even on DFS pathnames.
The original design decision to just copy a DFS path and let
parse_dfs_path() take care of it was a horrible mistake.

Fix srvstr_get_path_internal() to always return a
/server/share/path (i.e. a path separated with '/', not '\').

This is a more complex change than I like to allow
DFS path procesing in srvstr_get_path_internal() but
needed as clients (including Samba smbclient) have a
rather "fuzzy" idea of what constitutes a valid DFS path.
If we detect the DFS path isn't valid here we have to
fall back to treating it as a local path.

I also need to modify the DFS parsing in
filename_convert_smb1_search_path() to cope with only '/'
separators.

This also means parse_dfs_path() needs changing to
cope.

The changes here are best reviewed by just applying
the fix and looking at the modified functions:

srvstr_get_path_internal()
parse_dfs_path()

For parse_dfs_path() it's mostly removing bad code
and makes parse_dfs_path() much easier to read.

These changes will enable me to remove some ugly mistakes made
adding ucf_flags to extract_snapshot_token(), as
we can now always assume canonicalized paths.

This is a little messy, but has to be done in
one chunk as the change to srvstr_get_path_internal()
depends on the change to parse_dfs_path().

Thanks to Volker for the insight that made this
cleanup possible.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-05 09:24:30 +00:00
Jeremy Allison
87835c69cc s3: smbd: In filename_convert_dirfsp_nosymlink() only use synthetic_smb_fname_split() for fake_files, not printer shares too.
Printer shares can have real filenames.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-04 17:09:31 +00:00
Jeremy Allison
ffc19ac985 s3: smbd: Remove filename_convert().
(\  _  /)
                            ( \ O / )
                             (// \\)
                                X
                               / \
                              /___\
                       _____/      \\_____
                      |         +         ||
                      |                   ||
                      |  filename_convert ||
                      |                   ||
                      |                   ||
                      |                   ||
                      |                   ||
                      |  _     ___   _    ||
                      | | \     |   | \   ||
                      | |  |    |   |  |  ||
                      | |_/     |   |_/   ||
                      | | \     |   |     ||
                      | |  \    |   |     ||
                      | |   \. _|_. | .   ||
                      |                   ||
              *     * | *   **    * **    |**     **
               \)),.,\(/.,(//,,..,,\||(,,.,\\,.((//

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-04 17:09:31 +00:00
Jeremy Allison
6848358363 s3: smbd: Convert filename_convert_smb1_search_path() to use filename_convert_dirfsp().
There are now no more users of filename_convert().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-04 17:09:31 +00:00
Jeremy Allison
7bd5c05fbd s3: smbd: Add returned dirfsp pointer to filename_convert_smb1_search_path().
Preparation for convertion of the last filename_convert() -> filename_convert_dirfsp().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-04 17:09:31 +00:00
Jeremy Allison
5a923ae36a s3: smbd: We now know get_original_lcomp() never has to deal with an MSDFS pathname.
Remove the call to dfs_redirect() within it.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-04 17:09:31 +00:00
Jeremy Allison
4112bab9ae s3: smbd: In filename_convert_smb1_search_path(), after we have called dfs_redirect(), the path separator is always '/'.
This will allow us to remove the call to dfs_redirect() from get_original_lcomp().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-04 17:09:31 +00:00
Jeremy Allison
2d9938dac3 s3: smbd: Remove TWRP handing inside get_original_lcomp().
Now we know all @GMT paths are removed before get_original_lcomp()
is called, we can eliminate this code.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-04 17:09:31 +00:00
Jeremy Allison
5eed3f48b6 s3: smbd: Remove code for unused strip_gmt_from_raw_dfs().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-04 17:09:31 +00:00
Jeremy Allison
df5455c438 s3: smbd: Change filename_convert_smb1_search_path() to use extract_snapshot_token().
strip_gmt_from_raw_dfs() is now no longer used.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-04 17:09:31 +00:00
Jeremy Allison
2ad3e63fe0 s3: smbd: Remove const from name_in parameter to filename_convert_smb1_search_path().
We're going to need to convert in place if it's an MSDFS path
with an SMB1 @GMT token.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-04 17:09:31 +00:00
Jeremy Allison
74715a7505 s3: smbd: Remove separate talloc_stackframe() from filename_convert_smb1_search_path().
We're soon going to change this to return dirfsp and use convert_filename_dirfsp()
so we need to return values on the passed in talloc ctx.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-04 17:09:31 +00:00
Jeremy Allison
7a823d44d2 s3: smbd: Allow extract_snapshot_token() to cope with MSDFS paths.
"raw" MSDFS paths are passed here as \server\share\path.

find_snapshot_token() only looks for a '/' as a separator
in SMB1 shapshot paths.

Allow extract_snapshot_token() to cope with SMB1 MSDFS paths by
converting in place, looking for the @GMT token with a '/'
separator via find_snapshot_token(), and then converting back.

Note, this a temporary measure until we handle DFS paths better
and will be removed in the next patchset.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-04 17:09:31 +00:00
Jeremy Allison
8b9fdc8ab1 s3: smbd: Add ucf_flags parameter to extract_snapshot_token().
Will be needed to cope with MSDFS paths which can be passed in
to this function.

Note, this a temporary measure until we handle DFS paths better
and will be removed in the next patchset.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-04 17:09:31 +00:00
Jeremy Allison
b9006f33b4 s3: smbd: Inside filename_convert_dirfsp_nosymlink(), don't require UCF_PREP_CREATEFILE when parsing a stream name that doesn't already exist.
We don't require it for a new file. Without this change, we have
to add UCF_PREP_CREATEFILE to the destination flags when we are
doing renames to a destination stream name, but not when doing
renames to a destination file name, which makes for inconsistent API use.

filename_convert_dirfsp() is now a drop in replacement
for filename_convert(), even for the ugly SMB1 POSIX
cases.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-02 19:49:32 +00:00
Jeremy Allison
2c4719a0cd s3: smbd: In filename_convert_dirfsp(), don't let an SMB1+POSIX client see a symlink to a directory with no permissions.
This isn't 100% correct, but it gets us close enough
to the old behavior for SMB1+POSIX libsmbclient. If we went through a
symlink, and we got NT_STATUS_ACCESS_DENIED on the directory
containing the target, just don't allow the client to see the
intermediate path.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-02 19:49:32 +00:00
Jeremy Allison
5249cb3d0f s3: smbd: In filename_convert_dirfsp_nosymlink(), in SMB1-only POSIX mode, allow a pathname referencing a symlink to be returned.
Doesn't contain a valid smb_fname->fsp pointer of course,
and is only used by the SMB1 code to take a reference to
a smylink name for manipulation (unlinkat, readlinkat etc.).

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-02 19:49:31 +00:00
Jeremy Allison
6fd8f7fd18 s3: smbd: In filename_convert_dirfsp(), allow SMB1+POSIX to traverse non-terminal symlinks.
This is the behavior of filename_convert() and
we need to allow it for the legacy SMB1+POSIX libsmbclient
libraries already deployed out there.

When we add SMB2 POSIX we must disallow symlink
traversal over any symlinks, the client must
resolve symlinks locally.

Add a note to show this is where we need to add
an error for SMB2+POSIX names with UCF_POSIX_PATHNAMES
set.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-02 19:49:31 +00:00
Jeremy Allison
758ffebb8a s3: smbd: Fix the error processing in filename_convert_dirfsp_nosymlink() to match unix_convert() 100%
We need this in order to pass:

samba3.raw.samba3badpath
raw.chkpath
samba3.base.chkpath

Now we can convert all the SMB1 reply_openXXX functions,
and reply_checkpath().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-07-28 15:38:38 +00:00
Jeremy Allison
be8ac8df17 s3: smbd: In filename_split_lcomp() ensure we never return a streamname if posix is set.
POSIX has no streams, even on the root of a directory.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-07-28 15:38:38 +00:00
Jeremy Allison
22fae65165 s3: smbd: Inside filename_convert_dirfsp_nosymlink() ensure the returned smb_fname is always allocated off mem_ctx.
Without this, if we just return smb_fname_rel->fsp->fsp_name as the smb_fname
then we return something allocated off fsp (which itself is allocated off
the conn struct), not the passed in talloc_ctx.

Do this for both non-stream and stream returns.

This matters for two reasons.

1). If we error out after calling filename_convert_dirfsp()
but before getting to the code inside create_file_unixpath()
that takes ownership of the passed in smb_fname->fsp we will
leak the fsp as the destructor for smb_fname that closes the
fsp will never fire on return to the client, as smb_fname is
owned by smb_fname->fsp, not the talloc_tos() context.

2). Some uses of filename_convert() expect to be able
to TALLOC_FREE the returned smb_fname once they've successfully
called SMB_VFS_CREATE_FILE() as they consider the passed in smb_fname
no longer used. It would be nice to be able to just change
filename_convert() -> filename_convert_dirfsp() without
having to change the lifetime handling of smb_fname.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-07-27 16:51:34 +00:00
Volker Lendecke
8ff2fe33bd smbd: Userspace symlink eval in filename_convert_dirfsp()
This converts filename_convert_dirfsp to do symlink evaluation in user
space. It uses openat_pathref_dirfsp_nosymlink() to open the dirpath
and looks at the proper NT_STATUS_STOPPED_ON_SYMLINK response. Using
this avoids filename_convert() and thus unix_convert() completely for
the SMB2_CREATE case.

The tests

samba3.blackbox.smbclient_s3.NT1.plain.Recursive ls across MS-DFS links

now correctly stop the symlink lookup recursion with
NT_STATUS_OBJECT_PATH_NOT_FOUND. Previously we did not correcly pass up the
ELOOP coming back from the stat-call.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jul 25 12:56:08 UTC 2022 on sn-devel-184
2022-07-25 12:56:08 +00:00
Volker Lendecke
9826da77b9 smbd: Make get_real_filename_at public
We'll use this in files.c, which creates a bit of a cyclic
dependency. But files.c has all the lowlevel fsp handling, and we'll
add another routine there next which needs get_real_filename_at()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-07-25 12:04:33 +00:00
Volker Lendecke
348f19d35b smbd: open_stream_pathref_fsp() does not need a dirfsp
It opens relative to fsp->base_fsp

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-07-25 12:04:33 +00:00