From: Jeremy Allison <jra@samba.org>
Date: Wed, 17 Jun 2015 17:23:30 +0000 (-0700)
Subject: s3: smbd: Use separate flag to track become_root()/unbecome_root() state.
X-Git-Tag: samba-4.1.20~48
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e700e9d4312a77066b344a763b2f05be7190e257;p=thirdparty%2Fsamba.git

s3: smbd: Use separate flag to track become_root()/unbecome_root() state.

Early function exit can mean backup_priv is set but we haven't called
become_root(). *Lots* of work by the reviewers went in to checking this
isn't a security issue.

Found by Codenomicon at the Redmond plugfest.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11339

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 25 22:14:58 CEST 2015 on sn-devel-104

(cherry picked from commit e2c4b8967d33b610f9f076c614352e4b8fc7c558)
---

diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 2f2bbf6e067..a6a8b5db7c6 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -2363,6 +2363,7 @@ static void call_trans2findfirst(connection_struct *conn,
 	struct smbd_server_connection *sconn = req->sconn;
 	uint32_t ucf_flags = (UCF_SAVE_LCOMP | UCF_ALWAYS_ALLOW_WCARD_LCOMP);
 	bool backup_priv = false;
+	bool as_root = false;
 
 	if (total_params < 13) {
 		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@@ -2428,6 +2429,7 @@ close_if_end = %d requires_resume_key = %d backup_priv = %d level = 0x%x, max_da
 
 	if (backup_priv) {
 		become_root();
+		as_root = true;
 		ntstatus = filename_convert_with_privilege(ctx,
 				conn,
 				req,
@@ -2683,7 +2685,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
 	}
  out:
 
-	if (backup_priv) {
+	if (as_root) {
 		unbecome_root();
 	}
 
@@ -2737,6 +2739,7 @@ static void call_trans2findnext(connection_struct *conn,
 	struct dptr_struct *dirptr;
 	struct smbd_server_connection *sconn = req->sconn;
 	bool backup_priv = false; 
+	bool as_root = false;
 
 	if (total_params < 13) {
 		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@@ -2905,6 +2908,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
 
 	if (backup_priv) {
 		become_root();
+		as_root = true;
 	}
 
 	/*
@@ -2996,7 +3000,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd
 		dptr_close(sconn, &dptr_num); /* This frees up the saved mask */
 	}
 
-	if (backup_priv) {
+	if (as_root) {
 		unbecome_root();
 	}