]>
Commit | Line | Data |
---|---|---|
1d13e637 AF |
1 | From 8e49de7754f7171a58a1f94dee0f1138dbee3c60 Mon Sep 17 00:00:00 2001 |
2 | From: Jeremy Allison <jra@samba.org> | |
3 | Date: Fri, 23 Oct 2015 14:54:31 -0700 | |
4 | Subject: [PATCH] CVE-2015-5299: s3-shadow-copy2: fix missing access check on | |
5 | snapdir | |
6 | ||
7 | Fix originally from <partha@exablox.com> | |
8 | ||
9 | https://bugzilla.samba.org/show_bug.cgi?id=11529 | |
10 | ||
11 | Signed-off-by: Jeremy Allison <jra@samba.org> | |
12 | Reviewed-by: David Disseldorp <ddiss@samba.org> | |
13 | --- | |
14 | source3/modules/vfs_shadow_copy2.c | 47 ++++++++++++++++++++++++++++++++++++++ | |
15 | 1 file changed, 47 insertions(+) | |
16 | ||
17 | diff --git a/source3/modules/vfs_shadow_copy2.c b/source3/modules/vfs_shadow_copy2.c | |
18 | index fedfb53..16c1ed7 100644 | |
19 | --- a/source3/modules/vfs_shadow_copy2.c | |
20 | +++ b/source3/modules/vfs_shadow_copy2.c | |
21 | @@ -21,6 +21,8 @@ | |
22 | ||
23 | #include "includes.h" | |
24 | #include "smbd/smbd.h" | |
25 | +#include "smbd/globals.h" | |
26 | +#include "../libcli/security/security.h" | |
27 | #include "system/filesys.h" | |
28 | #include "ntioctl.h" | |
29 | ||
30 | @@ -764,6 +766,43 @@ static int shadow_copy2_mkdir(vfs_handle_struct *handle, const char *fname, mod | |
31 | SHADOW2_NEXT(MKDIR, (handle, name, mode), int, -1); | |
32 | } | |
33 | ||
34 | +static bool check_access_snapdir(struct vfs_handle_struct *handle, | |
35 | + const char *path) | |
36 | +{ | |
37 | + struct smb_filename smb_fname; | |
38 | + int ret; | |
39 | + NTSTATUS status; | |
40 | + uint32_t access_granted = 0; | |
41 | + | |
42 | + ZERO_STRUCT(smb_fname); | |
43 | + smb_fname.base_name = talloc_asprintf(talloc_tos(), | |
44 | + "%s", | |
45 | + path); | |
46 | + if (smb_fname.base_name == NULL) { | |
47 | + return false; | |
48 | + } | |
49 | + | |
50 | + ret = SMB_VFS_NEXT_STAT(handle, &smb_fname); | |
51 | + if (ret != 0 || !S_ISDIR(smb_fname.st.st_ex_mode)) { | |
52 | + TALLOC_FREE(smb_fname.base_name); | |
53 | + return false; | |
54 | + } | |
55 | + | |
56 | + status = smbd_check_open_rights(handle->conn, | |
57 | + &smb_fname, | |
58 | + SEC_DIR_LIST, | |
59 | + &access_granted); | |
60 | + if (!NT_STATUS_IS_OK(status)) { | |
61 | + DEBUG(0,("user does not have list permission " | |
62 | + "on snapdir %s\n", | |
63 | + smb_fname.base_name)); | |
64 | + TALLOC_FREE(smb_fname.base_name); | |
65 | + return false; | |
66 | + } | |
67 | + TALLOC_FREE(smb_fname.base_name); | |
68 | + return true; | |
69 | +} | |
70 | + | |
71 | static int shadow_copy2_rmdir(vfs_handle_struct *handle, const char *fname) | |
72 | { | |
73 | SHADOW2_NEXT(RMDIR, (handle, name), int, -1); | |
74 | @@ -877,6 +916,7 @@ static int shadow_copy2_get_shadow_copy2_data(vfs_handle_struct *handle, | |
75 | SMB_STRUCT_DIRENT *d; | |
76 | TALLOC_CTX *tmp_ctx = talloc_new(handle->data); | |
77 | char *snapshot; | |
78 | + bool ret; | |
79 | ||
80 | snapdir = shadow_copy2_find_snapdir(tmp_ctx, handle); | |
81 | if (snapdir == NULL) { | |
82 | @@ -886,6 +926,13 @@ static int shadow_copy2_get_shadow_copy2_data(vfs_handle_struct *handle, | |
83 | talloc_free(tmp_ctx); | |
84 | return -1; | |
85 | } | |
86 | + ret = check_access_snapdir(handle, snapdir); | |
87 | + if (!ret) { | |
88 | + DEBUG(0,("access denied on listing snapdir %s\n", snapdir)); | |
89 | + errno = EACCES; | |
90 | + talloc_free(tmp_ctx); | |
91 | + return -1; | |
92 | + } | |
93 | ||
94 | p = SMB_VFS_NEXT_OPENDIR(handle, snapdir, NULL, 0); | |
95 | ||
96 | -- | |
97 | 2.5.0 | |
98 |