From c0ddfc126716457f3bfc19e4aa30a632abb21073 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 20 Aug 2014 13:58:38 +0200 Subject: [PATCH] s3:smbd: mask security_information input values with SMB_SUPPORTED_SECINFO_FLAGS Sometimes Windows clients doesn't filter SECINFO_[UN]PROTECTED_[D|S]ACL flags before sending the security_information to the server. security_information = SECINFO_PROTECTED_DACL| SECINFO_DACL results in a NULL dacl being returned from an GetSecurityDecriptor request. This happens because posix_get_nt_acl_common() has the following logic: if ((security_info & SECINFO_DACL) && !(security_info & SECINFO_PROTECTED_DACL)) { ... create DACL ... } I'm not sure if the logic is correct or wrong in this place (I guess it's wrong...). But what I know is that the SMB server should filter the given security_information flags before passing to the filesystem. [MS-SMB2] 3.3.5.20.3 Handling SMB2_0_INFO_SECURITY ... The server MUST ignore any flag value in the AdditionalInformation field that is not specified in section 2.2.37. Section 2.2.37 lists: OWNER_SECURITY_INFORMATION GROUP_SECURITY_INFORMATION DACL_SECURITY_INFORMATION SACL_SECURITY_INFORMATION LABEL_SECURITY_INFORMATION ATTRIBUTE_SECURITY_INFORMATION SCOPE_SECURITY_INFORMATION BACKUP_SECURITY_INFORMATION Bug: https://bugzilla.samba.org/show_bug.cgi?id=10773 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- source3/smbd/nttrans.c | 7 ++++--- source3/smbd/posix_acls.c | 4 ++++ source3/smbd/smb2_getinfo.c | 3 ++- source3/smbd/smb2_setinfo.c | 3 ++- 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index 0d3cd079980..dd90b6bb7c0 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c 
@@ -2086,7 +2086,8 @@ static void call_nt_transact_query_security_desc(connection_struct *conn, status = smbd_do_query_security_desc(conn, talloc_tos(), fsp, - security_info_wanted, + security_info_wanted & + SMB_SUPPORTED_SECINFO_FLAGS, max_data_count, &marshalled_sd, &sd_size); @@ -2179,8 +2180,8 @@ static void call_nt_transact_set_security_desc(connection_struct *conn, return; } - status = set_sd_blob(fsp, (uint8 *)data, data_count, security_info_sent); - + status = set_sd_blob(fsp, (uint8 *)data, data_count, + security_info_sent & SMB_SUPPORTED_SECINFO_FLAGS); if (!NT_STATUS_IS_OK(status)) { reply_nterror(req, status); return; diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 2685f6ab910..a49a5490456 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -3287,6 +3287,10 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn, num_profile_acls = 3; } + /* + * TODO: is this logic with SECINFO_PROTECTED_DACL, correct? + * See bug #10773. + */ if ((security_info & SECINFO_DACL) && !(security_info & SECINFO_PROTECTED_DACL)) { /* diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c index 449aeb3f5f4..bbc838dcc27 100644 --- a/source3/smbd/smb2_getinfo.c +++ b/source3/smbd/smb2_getinfo.c @@ -478,7 +478,8 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx, state, fsp, /* Security info wanted. */ - in_additional_information, + in_additional_information & + SMB_SUPPORTED_SECINFO_FLAGS, in_output_buffer_length, &p_marshalled_sd, &sd_size); diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c index d88f7ac8a28..cda8abc2bd9 100644 --- a/source3/smbd/smb2_setinfo.c +++ b/source3/smbd/smb2_setinfo.c 
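Review bot: The mask is applied at the call site here, and again in call_nt_transact_set_security_desc, smbd_smb2_getinfo_send and smbd_smb2_setinfo_send, rather than once inside smbd_do_query_security_desc() and set_sd_blob(). Any other caller of those two helpers that this patch does not touch would still hand unfiltered client bits to the filesystem layer. Their bodies are outside the patch, so this needs confirming, but masking the parameter at the top of each helper under a comment such as `/* Filter client-supplied bits, see [MS-SMB2] 3.3.5.20.3 */` would make the filter impossible to forget. The definition of SMB_SUPPORTED_SECINFO_FLAGS is not part of the patch either, so check that it matches the eight flags from section 2.2.37 quoted in the commit message.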
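Review bot: Unsupported bits in security_info_sent are now dropped silently before set_sd_blob() runs in call_nt_transact_set_security_desc, so a client whose flags are being ignored cannot be told apart from one that sent clean input. The same applies to the set_sd_blob() call in smbd_smb2_setinfo_send. A debug-level message before the call would make this diagnosable, for example `DEBUG(10, ("ignoring security_information bits 0x%x\n", (unsigned)(security_info_sent & ~SMB_SUPPORTED_SECINFO_FLAGS)));`. It is also worth confirming what set_sd_blob() does when the masked value is 0, since its body is not in this patch. The enclosing function starts and ends outside the hunk.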
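Review bot: The TODO added above the `SECINFO_DACL` / `SECINFO_PROTECTED_DACL` test in posix_get_nt_acl_common does not say what goes wrong. Per the commit message, passing both flags makes the condition false and the descriptor comes back with a NULL DACL. The comment should spell that out, because a consumer may treat a missing DACL very differently from an empty one, and any caller that does not go through the newly masked SMB entry points would presumably still reach this branch with the flag set. Something like `/* TODO: SECINFO_DACL|SECINFO_PROTECTED_DACL skips DACL creation and yields a NULL DACL; callers must mask with SMB_SUPPORTED_SECINFO_FLAGS. See bug #10773. */` would do. The function body starts and ends outside the hunk.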
@@ -311,7 +311,8 @@ static struct tevent_req *smbd_smb2_setinfo_send(TALLOC_CTX *mem_ctx, status = set_sd_blob(fsp, in_input_buffer.data, in_input_buffer.length, - in_additional_information); + in_additional_information & + SMB_SUPPORTED_SECINFO_FLAGS); if (!NT_STATUS_IS_OK(status)) { tevent_req_nterror(req, status); return tevent_req_post(req, ev); -- 2.47.2