s3: smbd: In filename_convert_dirfsp(), don't let an SMB1+POSIX client see a symlink...

This isn't 100% correct, but it gets us close enough
to the old behavior for SMB1+POSIX libsmbclient. If we went through a
symlink, and we got NT_STATUS_ACCESS_DENIED on the directory
containing the target, just don't allow the client to see the
intermediate path.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index a9a998db7c5d74e78ad298b1eefddb25ec709c24..8ccd350410bac284306f340996b36d11aca88600 100644 (file)
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -3095,6 +3095,22 @@ next:
                &substitute,
                &unparsed);
 
+#if defined(WITH_SMB1SERVER)
+       /*
+        * This isn't 100% correct, but it gets us close enough
+        * to the old behavior for SMB1+POSIX libsmbclient. If we went through a
+        * symlink, and we got NT_STATUS_ACCESS_DENIED on the directory
+        * containing the target, just don't allow the client to see the
+        * intermediate path.
+        */
+       if (!conn->sconn->using_smb2 &&
+                       (ucf_flags & UCF_POSIX_PATHNAMES) &&
+                       symlink_redirects > 0 &&
+                       NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+               return NT_STATUS_OBJECT_PATH_NOT_FOUND;
+       }
+#endif
+
        if (!NT_STATUS_EQUAL(status, NT_STATUS_STOPPED_ON_SYMLINK)) {
                return status;
        }