From: Volker Lendecke <vl@samba.org>
Date: Thu, 3 Apr 2025 08:04:42 +0000 (+0200)
Subject: vfs: Fix "wide links = yes"
X-Git-Tag: samba-4.22.1~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dadfa06573f3958f88b235c4d2e5ecedab78f6c5;p=thirdparty%2Fsamba.git

vfs: Fix "wide links = yes"

vfs_wide_links hides symlinks from the rest of smbd, and it implicitly
follows symlinks. Also, O_PATH will expose symlinks to the rest of
smbd, remove that.

We also need to do this for posix paths, as deep inside
rename_internals we want to avoid case-insensitive lookups by setting
SMB_FILENAME_POSIX_PATH.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15841

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 16 20:56:33 UTC 2025 on atb-devel-224

(cherry picked from commit 9e637a28bd0b5adc2d90df9ca4a1c864a648b0f4)
---

diff --git a/source3/modules/vfs_widelinks.c b/source3/modules/vfs_widelinks.c
index 4339f6de9e0..df00d72707d 100644
--- a/source3/modules/vfs_widelinks.c
+++ b/source3/modules/vfs_widelinks.c
@@ -354,15 +354,17 @@ static int widelinks_openat(vfs_handle_struct *handle,
 				struct widelinks_config,
 				return -1);
 
-	if (config->active &&
-	    (config->cwd != NULL) &&
-	    !(smb_fname->flags & SMB_FILENAME_POSIX_PATH))
-	{
+	if (config->active && (config->cwd != NULL)) {
 		/*
 		 * Module active, openat after chdir (see note 1b above) and not
 		 * a POSIX open (POSIX sees symlinks), so remove O_NOFOLLOW.
 		 */
 		how.flags = (how.flags & ~O_NOFOLLOW);
+#ifdef O_PATH
+		how.flags = (how.flags & ~O_PATH);
+#endif
+		how.resolve = (how.resolve &
+			       ~(VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS));
 	}
 
 	ret = SMB_VFS_NEXT_OPENAT(handle,