s3: Test for CVE-2017-2619 regression with "follow symlinks = no".
authorJeremy Allison <jra@samba.org>
Mon, 27 Mar 2017 18:48:25 +0000 (11:48 -0700)
committerKarolin Seeger <kseeger@samba.org>
Fri, 31 Mar 2017 06:18:29 +0000 (08:18 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Back-ported from commit 782172a9bef0040981d20e49519b13dd744df6a0

selftest/target/Samba3.pm
source3/script/tests/test_smbclient_s3.sh

index 619ae1eafaa201266fa2c706c472732ba5fc1ee8..938c4595552adf74b64b066c1be1ed9dd4b9ecdb 100755 (executable)
@@ -1191,6 +1191,9 @@ sub provision($$$$$$$$)
        my $shadow_shrdir="$shadow_basedir/share";
        push(@dirs,$shadow_shrdir);
 
+       my $nosymlinks_shrdir="$shrdir/nosymlinks";
+       push(@dirs,$nosymlinks_shrdir);
+
        # this gets autocreated by winbindd
        my $wbsockdir="$prefix_abs/winbindd";
        my $wbsockprivdir="$lockdir/winbindd_privileged";
@@ -1717,6 +1720,10 @@ sub provision($$$$$$$$)
        copy = tmp
        acl_xattr:ignore system acls = yes
        acl_xattr:default acl style = windows
+[nosymlinks]
+       copy = tmp
+       path = $nosymlinks_shrdir
+       follow symlinks = no
 [kernel_oplocks]
        copy = tmp
        kernel oplocks = yes
index 5e3db5d365b86cd710ed57a50ac1e626a0bf2f6c..f13fd348fe5a20d1c18a3350ac4bd4b52042f0a3 100755 (executable)
@@ -1071,6 +1071,75 @@ done
 
 LOGDIR=$(mktemp -d ${PREFIX}/${LOGDIR_PREFIX}_XXXXXX)
 
+# Test follow symlinks can't access symlinks
+test_nosymlinks()
+{
+# Setup test dirs.
+    slink_name="$LOCAL_PATH/nosymlinks/source"
+    slink_target="$LOCAL_PATH/nosymlinks/target"
+    mkdir_target="$LOCAL_PATH/nosymlinks/a"
+
+    rm -f $slink_target
+    rm -f $slink_name
+    rm -rf $mkdir_target
+
+    touch $slink_target
+    ln -s $slink_target $slink_name
+
+# Getting a file through a symlink name should fail.
+    tmpfile=$PREFIX/smbclient_interactive_prompt_commands
+    cat > $tmpfile <<EOF
+get source
+quit
+EOF
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/nosymlinks -I $SERVER_IP $ADDARGS < $tmpfile 2>&1'
+    eval echo "$cmd"
+    out=`eval $cmd`
+    ret=$?
+    rm -f $tmpfile
+
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed accessing nosymlinks with error $ret"
+       false
+       return
+    fi
+
+    echo "$out" | grep 'NT_STATUS_ACCESS_DENIED'
+    ret=$?
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed - should get NT_STATUS_ACCESS_DENIED getting \\nosymlinks\\source"
+       false
+    fi
+
+# But we should be able to create and delete directories.
+    cat > $tmpfile <<EOF
+mkdir a
+mkdir a\\b
+quit
+EOF
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/nosymlinks -I $SERVER_IP $ADDARGS < $tmpfile 2>&1'
+    eval echo "$cmd"
+    out=`eval $cmd`
+    ret=$?
+    rm -f $tmpfile
+
+    if [ $ret != 0 ] ; then
+       echo "$out"
+       echo "failed accessing nosymlinks with error $ret"
+       false
+       return
+    fi
+
+    echo "$out" | grep 'NT_STATUS'
+    ret=$?
+    if [ $ret == 0 ] ; then
+       echo "$out"
+       echo "failed - NT_STATUS_XXXX doing mkdir a; mkdir a\\b on \\nosymlinks"
+       false
+    fi
+}
 
 testit "smbclient -L $SERVER_IP" $SMBCLIENT -L $SERVER_IP -N -p 139 || failed=`expr $failed + 1`
 testit "smbclient -L $SERVER -I $SERVER_IP" $SMBCLIENT -L $SERVER -I $SERVER_IP -N -p 139 -c quit || failed=`expr $failed + 1`
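Review bot: In test_nosymlinks, the `if [ $ret != 0 ]` block after `grep 'NT_STATUS_ACCESS_DENIED'` runs `false` but does not return, so the function carries on into the mkdir half and takes its exit status from the last command executed there. If `get source` through the symlink succeeds and both mkdir commands work, the final `if` ends with status 0 and testit records a pass, hiding a share that follows symlinks despite `follow symlinks = no`. Replace that `false` with `return 1`; the connection-failure paths in the same function already pair `false` with `return`. Separately, `[ $ret == 0 ]` in the last check uses `==`, which is not POSIX `[` syntax; `[ $ret -eq 0 ]` is the portable form if the script can run under a non-bash /bin/sh.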
@@ -1155,6 +1224,10 @@ testit "Ensure widelinks are restricted" \
     test_widelinks || \
     failed=`expr $failed + 1`
 
+testit "follow symlinks = no" \
+    test_nosymlinks || \
+    failed=`expr $failed + 1`
+
 testit "rm -rf $LOGDIR" \
     rm -rf $LOGDIR || \
     failed=`expr $failed + 1`