]>
Commit | Line | Data |
---|---|---|
77ecb239 AF |
1 | From eb27f9b7bf9c1dc902d9545eecf805831bd4e46c Mon Sep 17 00:00:00 2001 |
2 | From: Jeremy Allison <jra@samba.org> | |
3 | Date: Tue, 5 Jan 2016 11:18:12 -0800 | |
4 | Subject: [PATCH 1/8] CVE-2015-7560: s3: smbd: Add refuse_symlink() function | |
5 | that can be used to prevent operations on a symlink. | |
6 | ||
7 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 | |
8 | ||
9 | Signed-off-by: Jeremy Allison <jra@samba.org> | |
10 | Reviewed-by: Michael Adam <obnox@samba.org> | |
11 | --- | |
12 | source3/smbd/trans2.c | 28 ++++++++++++++++++++++++++++ | |
13 | 1 file changed, 28 insertions(+) | |
14 | ||
15 | diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c | |
16 | index 26b6523..7f47579 100644 | |
17 | --- a/source3/smbd/trans2.c | |
18 | +++ b/source3/smbd/trans2.c | |
19 | @@ -51,6 +51,34 @@ static char *store_file_unix_basic_info2(connection_struct *conn, | |
20 | files_struct *fsp, | |
21 | const SMB_STRUCT_STAT *psbuf); | |
22 | ||
23 | +/**************************************************************************** | |
24 | + Check if an open file handle or pathname is a symlink. | |
25 | +****************************************************************************/ | |
26 | + | |
27 | +static NTSTATUS refuse_symlink(connection_struct *conn, | |
28 | + const files_struct *fsp, | |
29 | + const char *name) | |
30 | +{ | |
31 | + SMB_STRUCT_STAT sbuf; | |
32 | + const SMB_STRUCT_STAT *pst = NULL; | |
33 | + | |
34 | + if (fsp) { | |
35 | + pst = &fsp->fsp_name->st; | |
36 | + } else { | |
37 | + int ret = vfs_stat_smb_fname(conn, | |
38 | + name, | |
39 | + &sbuf); | |
40 | + if (ret == -1) { | |
41 | + return map_nt_error_from_unix(errno); | |
42 | + } | |
43 | + pst = &sbuf; | |
44 | + } | |
45 | + if (S_ISLNK(pst->st_ex_mode)) { | |
46 | + return NT_STATUS_ACCESS_DENIED; | |
47 | + } | |
48 | + return NT_STATUS_OK; | |
49 | +} | |
50 | + | |
51 | /******************************************************************** | |
52 | Roundup a value to the nearest allocation roundup size boundary. | |
53 | Only do this for Windows clients. | |
54 | -- | |
55 | 2.5.0 | |
56 | ||
57 | ||
58 | From f5b1bcc51e18bc85f376701bb4ae6894d97addfd Mon Sep 17 00:00:00 2001 | |
59 | From: Jeremy Allison <jra@samba.org> | |
60 | Date: Tue, 5 Jan 2016 10:38:28 -0800 | |
61 | Subject: [PATCH 2/8] CVE-2015-7560: s3: smbd: Refuse to get an ACL from a | |
62 | POSIX file handle on a symlink. | |
63 | ||
64 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 | |
65 | ||
66 | Signed-off-by: Jeremy Allison <jra@samba.org> | |
67 | Reviewed-by: Michael Adam <obnox@samba.org> | |
68 | --- | |
69 | source3/smbd/nttrans.c | 6 ++++++ | |
70 | 1 file changed, 6 insertions(+) | |
71 | ||
72 | diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c | |
73 | index 4c145e0..7255600 100644 | |
74 | --- a/source3/smbd/nttrans.c | |
75 | +++ b/source3/smbd/nttrans.c | |
76 | @@ -1925,6 +1925,12 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn, | |
77 | return NT_STATUS_ACCESS_DENIED; | |
78 | } | |
79 | ||
80 | + if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) { | |
81 | + DEBUG(10, ("ACL get on symlink %s denied.\n", | |
82 | + fsp_str_dbg(fsp))); | |
83 | + return NT_STATUS_ACCESS_DENIED; | |
84 | + } | |
85 | + | |
86 | if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER| | |
87 | SECINFO_GROUP|SECINFO_SACL)) { | |
88 | /* Don't return SECINFO_LABEL if anything else was | |
89 | -- | |
90 | 2.5.0 | |
91 | ||
92 | ||
93 | From 8bdbe1c90c98efbd08fc70d773d236c4ba00b1ae Mon Sep 17 00:00:00 2001 | |
94 | From: Jeremy Allison <jra@samba.org> | |
95 | Date: Tue, 5 Jan 2016 10:52:50 -0800 | |
96 | Subject: [PATCH 3/8] CVE-2015-7560: s3: smbd: Refuse to set an ACL from a | |
97 | POSIX file handle on a symlink. | |
98 | ||
99 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 | |
100 | ||
101 | Signed-off-by: Jeremy Allison <jra@samba.org> | |
102 | Reviewed-by: Michael Adam <obnox@samba.org> | |
103 | --- | |
104 | source3/smbd/nttrans.c | 6 ++++++ | |
105 | 1 file changed, 6 insertions(+) | |
106 | ||
107 | diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c | |
108 | index 7255600..d2102ca 100644 | |
109 | --- a/source3/smbd/nttrans.c | |
110 | +++ b/source3/smbd/nttrans.c | |
111 | @@ -877,6 +877,12 @@ NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd, | |
112 | return NT_STATUS_OK; | |
113 | } | |
114 | ||
115 | + if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) { | |
116 | + DEBUG(10, ("ACL set on symlink %s denied.\n", | |
117 | + fsp_str_dbg(fsp))); | |
118 | + return NT_STATUS_ACCESS_DENIED; | |
119 | + } | |
120 | + | |
121 | if (psd->owner_sid == NULL) { | |
122 | security_info_sent &= ~SECINFO_OWNER; | |
123 | } | |
124 | -- | |
125 | 2.5.0 | |
126 | ||
127 | ||
128 | From 612b032e2dedd3e07bbe79718ecbb3b68ffbb7a5 Mon Sep 17 00:00:00 2001 | |
129 | From: Jeremy Allison <jra@samba.org> | |
130 | Date: Tue, 5 Jan 2016 11:22:12 -0800 | |
131 | Subject: [PATCH 4/8] CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a | |
132 | symlink. | |
133 | ||
134 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 | |
135 | ||
136 | Signed-off-by: Jeremy Allison <jra@samba.org> | |
137 | Reviewed-by: Michael Adam <obnox@samba.org> | |
138 | --- | |
139 | source3/smbd/trans2.c | 6 ++++++ | |
140 | 1 file changed, 6 insertions(+) | |
141 | ||
142 | diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c | |
143 | index 7f47579..2f01e87 100644 | |
144 | --- a/source3/smbd/trans2.c | |
145 | +++ b/source3/smbd/trans2.c | |
146 | @@ -6480,6 +6480,7 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn, | |
147 | uint16 num_def_acls; | |
148 | bool valid_file_acls = True; | |
149 | bool valid_def_acls = True; | |
150 | + NTSTATUS status; | |
151 | ||
152 | if (total_data < SMB_POSIX_ACL_HEADER_SIZE) { | |
153 | return NT_STATUS_INVALID_PARAMETER; | |
154 | @@ -6507,6 +6508,11 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn, | |
155 | return NT_STATUS_INVALID_PARAMETER; | |
156 | } | |
157 | ||
158 | + status = refuse_symlink(conn, fsp, smb_fname->base_name); | |
159 | + if (!NT_STATUS_IS_OK(status)) { | |
160 | + return status; | |
161 | + } | |
162 | + | |
163 | DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n", | |
164 | smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp), | |
165 | (unsigned int)num_file_acls, | |
166 | -- | |
167 | 2.5.0 | |
168 | ||
169 | ||
170 | From 28e6120d14e5a942df386db0444abaa93a764207 Mon Sep 17 00:00:00 2001 | |
171 | From: Jeremy Allison <jra@samba.org> | |
172 | Date: Tue, 5 Jan 2016 11:24:36 -0800 | |
173 | Subject: [PATCH 5/8] CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a | |
174 | symlink. | |
175 | ||
176 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 | |
177 | ||
178 | Signed-off-by: Jeremy Allison <jra@samba.org> | |
179 | Reviewed-by: Michael Adam <obnox@samba.org> | |
180 | --- | |
181 | source3/smbd/trans2.c | 7 +++++++ | |
182 | 1 file changed, 7 insertions(+) | |
183 | ||
184 | diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c | |
185 | index 2f01e87..3a098d1 100644 | |
186 | --- a/source3/smbd/trans2.c | |
187 | +++ b/source3/smbd/trans2.c | |
188 | @@ -4959,6 +4959,13 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn, | |
189 | uint16 num_file_acls = 0; | |
190 | uint16 num_def_acls = 0; | |
191 | ||
192 | + status = refuse_symlink(conn, | |
193 | + fsp, | |
194 | + smb_fname->base_name); | |
195 | + if (!NT_STATUS_IS_OK(status)) { | |
196 | + return status; | |
197 | + } | |
198 | + | |
199 | if (fsp && fsp->fh->fd != -1) { | |
200 | file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp); | |
201 | } else { | |
202 | -- | |
203 | 2.5.0 | |
204 | ||
205 | ||
206 | From 659bdb80aa65c02cf4f44377cc3bcffb2a817ee0 Mon Sep 17 00:00:00 2001 | |
207 | From: Jeremy Allison <jra@samba.org> | |
208 | Date: Tue, 5 Jan 2016 11:05:48 -0800 | |
209 | Subject: [PATCH 6/8] CVE-2015-7560: s3: smbd: Set return values early, allows | |
210 | removal of code duplication. | |
211 | ||
212 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 | |
213 | ||
214 | Signed-off-by: Jeremy Allison <jra@samba.org> | |
215 | Reviewed-by: Michael Adam <obnox@samba.org> | |
216 | --- | |
217 | source3/smbd/trans2.c | 13 +++++-------- | |
218 | 1 file changed, 5 insertions(+), 8 deletions(-) | |
219 | ||
220 | diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c | |
221 | index 3a098d1..6fdd1da 100644 | |
222 | --- a/source3/smbd/trans2.c | |
223 | +++ b/source3/smbd/trans2.c | |
224 | @@ -210,11 +210,12 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn, | |
225 | size_t num_names; | |
226 | ssize_t sizeret = -1; | |
227 | ||
228 | + if (pnames) { | |
229 | + *pnames = NULL; | |
230 | + } | |
231 | + *pnum_names = 0; | |
232 | + | |
233 | if (!lp_ea_support(SNUM(conn))) { | |
234 | - if (pnames) { | |
235 | - *pnames = NULL; | |
236 | - } | |
237 | - *pnum_names = 0; | |
238 | return NT_STATUS_OK; | |
239 | } | |
240 | ||
241 | @@ -264,10 +265,6 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn, | |
242 | ||
243 | if (sizeret == 0) { | |
244 | TALLOC_FREE(names); | |
245 | - if (pnames) { | |
246 | - *pnames = NULL; | |
247 | - } | |
248 | - *pnum_names = 0; | |
249 | return NT_STATUS_OK; | |
250 | } | |
251 | ||
252 | -- | |
253 | 2.5.0 | |
254 | ||
255 | ||
256 | From 4ba5e7cf01b8074b0313ecb7e218355d771df1cc Mon Sep 17 00:00:00 2001 | |
257 | From: Jeremy Allison <jra@samba.org> | |
258 | Date: Tue, 5 Jan 2016 11:29:38 -0800 | |
259 | Subject: [PATCH 7/8] CVE-2015-7560: s3: smbd: Silently return no EA's | |
260 | available on a symlink. | |
261 | ||
262 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 | |
263 | ||
264 | Signed-off-by: Jeremy Allison <jra@samba.org> | |
265 | Reviewed-by: Michael Adam <obnox@samba.org> | |
266 | --- | |
267 | source3/smbd/trans2.c | 9 +++++++++ | |
268 | 1 file changed, 9 insertions(+) | |
269 | ||
270 | diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c | |
271 | index 6fdd1da..8b6e4b2 100644 | |
272 | --- a/source3/smbd/trans2.c | |
273 | +++ b/source3/smbd/trans2.c | |
274 | @@ -209,6 +209,7 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn, | |
275 | char **names, **tmp; | |
276 | size_t num_names; | |
277 | ssize_t sizeret = -1; | |
278 | + NTSTATUS status; | |
279 | ||
280 | if (pnames) { | |
281 | *pnames = NULL; | |
282 | @@ -219,6 +220,14 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn, | |
283 | return NT_STATUS_OK; | |
284 | } | |
285 | ||
286 | + status = refuse_symlink(conn, fsp, fname); | |
287 | + if (!NT_STATUS_IS_OK(status)) { | |
288 | + /* | |
289 | + * Just return no EA's on a symlink. | |
290 | + */ | |
291 | + return NT_STATUS_OK; | |
292 | + } | |
293 | + | |
294 | /* | |
295 | * TALLOC the result early to get the talloc hierarchy right. | |
296 | */ | |
297 | -- | |
298 | 2.5.0 | |
299 | ||
300 | ||
301 | From 9d8c7274ab87a0c07367e872ca1db7fd72886fde Mon Sep 17 00:00:00 2001 | |
302 | From: Jeremy Allison <jra@samba.org> | |
303 | Date: Tue, 5 Jan 2016 11:33:48 -0800 | |
304 | Subject: [PATCH 8/8] CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink. | |
305 | ||
306 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 | |
307 | ||
308 | Signed-off-by: Jeremy Allison <jra@samba.org> | |
309 | Reviewed-by: Michael Adam <obnox@samba.org> | |
310 | --- | |
311 | source3/smbd/trans2.c | 7 +++++++ | |
312 | 1 file changed, 7 insertions(+) | |
313 | ||
314 | diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c | |
315 | index 8b6e4b2..98fd2af 100644 | |
316 | --- a/source3/smbd/trans2.c | |
317 | +++ b/source3/smbd/trans2.c | |
318 | @@ -584,6 +584,7 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp, | |
319 | const struct smb_filename *smb_fname, struct ea_list *ea_list) | |
320 | { | |
321 | char *fname = NULL; | |
322 | + NTSTATUS status; | |
323 | ||
324 | if (!lp_ea_support(SNUM(conn))) { | |
325 | return NT_STATUS_EAS_NOT_SUPPORTED; | |
326 | @@ -593,6 +594,12 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp, | |
327 | return NT_STATUS_ACCESS_DENIED; | |
328 | } | |
329 | ||
330 | + status = refuse_symlink(conn, fsp, smb_fname->base_name); | |
331 | + if (!NT_STATUS_IS_OK(status)) { | |
332 | + return status; | |
333 | + } | |
334 | + | |
335 | + | |
336 | /* For now setting EAs on streams isn't supported. */ | |
337 | fname = smb_fname->base_name; | |
338 | ||
339 | -- | |
340 | 2.5.0 | |
341 |