From: Uri Simchoni Date: Thu, 4 Aug 2016 11:59:23 +0000 (+0300) Subject: smbd: allow reading files based on FILE_EXECUTE access right X-Git-Tag: samba-4.3.12~44 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dfb366dc108a1c6e21525a53d5c315f2d8d45240;p=thirdparty%2Fsamba.git smbd: allow reading files based on FILE_EXECUTE access right BUG: https://bugzilla.samba.org/show_bug.cgi?id=12149 Signed-off-by: Uri Simchoni Reviewed-by: David Disseldorp Autobuild-User(master): David Disseldorp Autobuild-Date(master): Thu Aug 18 18:58:22 CEST 2016 on sn-devel-144 (backported from commit a6073e6130d39dac58f1e6ea9f41ec4ab34c3e29) --- diff --git a/selftest/knownfail b/selftest/knownfail index 3e70adb7a86..40ac69657b4 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -340,10 +340,7 @@ # we don't allow auth_level_connect anymore... # ^samba3.blackbox.rpcclient.*ncacn_np.*with.*connect.*rpcclient # we don't allow auth_level_connect anymore -#new read tests fail +#nt-vfs server blocks read with execute access ^samba4.smb2.read.access -^samba3.smb2.read.access -#new copychunk tests fail +#ntvfs server blocks copychunk with execute access on read handle ^samba4.smb2.ioctl.copy_chunk_bad_access -^samba3.smb2.ioctl.copy_chunk_bad_access -^samba3.smb2.ioctl fs_specific.copy_chunk_bad_access diff --git a/source3/smbd/smb2_glue.c b/source3/smbd/smb2_glue.c index b41775d882b..0bb34be454f 100644 --- a/source3/smbd/smb2_glue.c +++ b/source3/smbd/smb2_glue.c 
@@ -48,6 +48,22 @@ struct smb_request *smbd_smb2_fake_smb_request(struct smbd_smb2_request *req) FLAGS2_32_BIT_ERROR_CODES | FLAGS2_LONG_PATH_COMPONENTS | FLAGS2_IS_LONG_NAME; + + /* This is not documented in revision 49 of [MS-SMB2] but should be + * added in a later revision (and torture test smb2.read.access + * as well as smb2.ioctl_copy_chunk_bad_access against + * Server 2012R2 confirms this) + * + * If FILE_EXECUTE is granted to a handle then the SMB2 server + * acts as if FILE_READ_DATA has also been granted. We must still + * keep the original granted mask, because with ioctl requests, + * access checks are made on the file handle, "below" the SMB2 + * server, and the object store below the SMB layer is not aware + * of this arrangement (see smb2.ioctl.copy_chunk_bad_access + * torture test). + */ + smbreq->flags2 |= FLAGS2_READ_PERMIT_EXECUTE; + if (IVAL(inhdr, SMB2_HDR_FLAGS) & SMB2_HDR_FLAG_DFS) { smbreq->flags2 |= FLAGS2_DFS_PATHNAMES; }
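Review bot: The two replacement comments in the selftest/knownfail hunk spell the same server two ways, "#nt-vfs server blocks read with execute access" and "#ntvfs server blocks copychunk with execute access on read handle". Pick one spelling so a search for the server name finds both entries. The hunk also removes all three samba3 entries (smb2.read.access and both copy_chunk_bad_access variants) at once, while the only code change visible in this patch sets a flag in smb2_glue.c. It would help to confirm that each of the three tests now passes against smbd, in particular the "fs_specific" variant.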
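Review bot: In the smb2_glue.c hunk, FLAGS2_READ_PERMIT_EXECUTE is OR-ed into smbreq->flags2 unconditionally for every request built by smbd_smb2_fake_smb_request(), so the actual access decision rests entirely on the code that consumes the flag, which is not part of this hunk. Because this widens what a handle opened with only FILE_EXECUTE can do, the comment should name the function that performs the check and state that it accepts FILE_EXECUTE in place of FILE_READ_DATA only on the read path, with the granted mask left untouched as the comment already describes. The comment also refers to the torture test under two names, smb2.ioctl_copy_chunk_bad_access and smb2.ioctl.copy_chunk_bad_access. Use the dotted form, which matches the knownfail entries.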