mirror of
https://github.com/samba-team/samba.git
synced 2025-01-07 17:18:11 +03:00
23bc760ec5
When using vfs_streams_xattr, for a pathref handle of a stream the system fd
will be a fake fd created by pipe() in vfs_fake_fd().
For the following callchain we wrongly pass a stream fsp to
SMB_VFS_FGET_NT_ACL():
SMB_VFS_CREATE_FILE(..., "file:stream", ...)
=> open_file():
if (open_fd):
-> taking the else branch:
-> smbd_check_access_rights_fsp(stream_fsp)
-> SMB_VFS_FGET_NT_ACL(stream_fsp)
This is obviously wrong and can lead to strange permission errors when using
vfs_acl_xattr:
in vfs_acl_xattr we will try to read the stored ACL by calling
fgetxattr(fake-fd) which of course faild with EBADF. Now unfortunately the
vfs_acl_xattr code ignores the specific error and handles this as if there was
no ACL stored and subsequently runs the code to synthesize a default ACL
according to the setting of "acl:default acl style".
As the correct access check for streams has already been carried out by calling
check_base_file_access() from create_file_unixpath(), the above problem is not
a security issue: it can only lead to "decreased" permissions resulting in
unexpected ACCESS_DENIED errors.
The fix is obviously going to be calling
smbd_check_access_rights_fsp(stream_fsp->base_fsp).
This test verifies that deleting a file works when the stored NT ACL grants
DELETE_FILE while the basic POSIX permissions (used in the acl_xattr fallback
code) do not.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
124 lines
3.8 KiB
Bash
Executable File
124 lines
3.8 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# this verifies that deleting a stream uses the correct ACL
|
|
# when using vfs_acl_xattr.
|
|
#
|
|
|
|
if [ $# -lt 9 ]; then
|
|
echo "Usage: $0 SERVER SERVER_IP USERNAME PASSWORD PREFIX SMBCLIENT SMBCACLS NET SHARE"
|
|
exit 1
|
|
fi
|
|
|
|
SERVER="$1"
|
|
SERVER_IP="$2"
|
|
USERNAME="$3"
|
|
PASSWORD="$4"
|
|
PREFIX="$5"
|
|
SMBCLIENT="$6"
|
|
SMBCACLS="$7"
|
|
NET="$8"
|
|
SHARE="$9"
|
|
|
|
SMBCLIENT="$VALGRIND ${SMBCLIENT}"
|
|
SMBCACLS="$VALGRIND ${SMBCACLS}"
|
|
NET="$VALGRIND ${NET}"
|
|
|
|
incdir=$(dirname $0)/../../../testprogs/blackbox
|
|
. $incdir/subunit.sh
|
|
|
|
|
|
setup_testfile()
|
|
{
|
|
touch $PREFIX/file
|
|
echo stream > $PREFIX/stream
|
|
|
|
$SMBCLIENT //$SERVER/$SHARE -U $USERNAME%$PASSWORD -c "mkdir dir" || return 1
|
|
$SMBCLIENT //$SERVER/$SHARE -U $USERNAME%$PASSWORD -c "lcd $PREFIX; put file dir/file" || return 1
|
|
$SMBCLIENT //$SERVER/$SHARE -U $USERNAME%$PASSWORD -c "lcd $PREFIX; put stream dir/file:stream" || return 1
|
|
|
|
rm $PREFIX/file
|
|
rm $PREFIX/stream
|
|
|
|
#
|
|
# Add full control ACE to the file and an ACL without "DELETE" on the
|
|
# parent directory
|
|
#
|
|
|
|
$SMBCACLS //$SERVER/$SHARE -U $USERNAME%$PASSWORD -S "ACL:Everyone:ALLOWED/0x0/0x1bf" dir || return 1
|
|
$SMBCACLS //$SERVER/$SHARE -U $USERNAME%$PASSWORD -a "ACL:Everyone:ALLOWED/0x0/0x101ff" dir/file || return 1
|
|
}
|
|
|
|
remove_testfile()
|
|
{
|
|
$SMBCACLS //$SERVER/$SHARE -U $USERNAME%$PASSWORD -S "ACL:Everyone:ALLOWED/0x0/0x101ff" dir/file || return 1
|
|
$SMBCACLS //$SERVER/$SHARE -U $USERNAME%$PASSWORD -S "ACL:Everyone:ALLOWED/0x0/0x101ff" dir || return 1
|
|
$SMBCLIENT //$SERVER/$SHARE -U $USERNAME%$PASSWORD -c "rm dir/file" || return 1
|
|
$SMBCLIENT //$SERVER/$SHARE -U $USERNAME%$PASSWORD -c "rmdir dir" || return 1
|
|
}
|
|
|
|
set_win_owner()
|
|
{
|
|
local owner=$1
|
|
|
|
$SMBCACLS //$SERVER/$SHARE dir/file -U $USERNAME%$PASSWORD -C "$owner" || return 1
|
|
}
|
|
|
|
delete_stream()
|
|
{
|
|
#
|
|
# Setup a file with a stream where we're not the owner and
|
|
# have delete rights. Bug 15126 would trigger a fallback to
|
|
# "acl_xattr:default acl style" because fetching the stored
|
|
# ACL would fail. The stored ACL allows deleting the stream
|
|
# but the synthesized default ACL does not, so the deletion
|
|
# of the stream should work, but it fails if we have the bug.
|
|
#
|
|
|
|
# Now try deleting the stream
|
|
out=$($SMBCLIENT //$SERVER/$SHARE -U $USERNAME%$PASSWORD -c "wdel 0x20 dir/file:stream") || return 1
|
|
|
|
#
|
|
# Bail out in case we get any sort of NT_STATUS_* error, should be
|
|
# NT_STATUS_ACCESS_DENIED, but let's not slip through any other error.
|
|
#
|
|
echo "$out" | grep NT_STATUS_ && return 1
|
|
|
|
return 0
|
|
}
|
|
|
|
win_owner_is()
|
|
{
|
|
local expected_owner=$1
|
|
local actual_owner
|
|
|
|
$SMBCACLS //$SERVER/$SHARE dir/file -U $USERNAME%$PASSWORD
|
|
actual_owner=$($SMBCACLS //$SERVER/$SHARE dir/file -U $USERNAME%$PASSWORD | sed -rn 's/^OWNER:(.*)/\1/p')
|
|
echo "actual_owner = $actual_owner"
|
|
if ! test "x$actual_owner" = "x$expected_owner"; then
|
|
echo "Actual owner of dir/file is $actual_owner', expected $expected_owner"
|
|
return 1
|
|
fi
|
|
return 0
|
|
}
|
|
|
|
# Create a testfile
|
|
testit "create testfile" setup_testfile $SHARE || exit 1
|
|
|
|
# Grant SeRestorePrivilege to the user so we can change the owner
|
|
testit "grant SeRestorePrivilege" $NET rpc rights grant $USERNAME SeRestorePrivilege -U $USERNAME%$PASSWORD -I $SERVER_IP || exit 1
|
|
|
|
# We have SeRestorePrivilege, so both give and take ownership must succeed
|
|
testit "give owner with SeRestorePrivilege" set_win_owner "$SERVER\user1" || exit 1
|
|
testit "verify owner" win_owner_is "$SERVER/user1" || exit 1
|
|
|
|
# Now try to remove the stream on the testfile
|
|
testit "delete stream" delete_stream $SHARE afile || exit 1
|
|
|
|
# Remove testfile
|
|
testit "remove testfile" remove_testfile $SHARE || exit 1
|
|
|
|
# Revoke SeRestorePrivilege, give ownership must fail now with NT_STATUS_INVALID_OWNER
|
|
testit "revoke SeRestorePrivilege" $NET rpc rights revoke $USERNAME SeRestorePrivilege -U $USERNAME%$PASSWORD -I $SERVER_IP || exit 1
|
|
|
|
exit 0
|