From: Ralph Boehme Date: Thu, 1 Oct 2020 12:40:33 +0000 (+0200) Subject: smbd: prevent non-POSIX stat-opens of symlinks in open_file() X-Git-Tag: samba-4.14.0rc1~338 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dab50f3953259635ba14d166472c3dbe920f1311;p=thirdparty%2Fsamba.git smbd: prevent non-POSIX stat-opens of symlinks in open_file() Also adjust the test that checks for this. Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison --- diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 361c35303f6..68621a892d9 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -1458,6 +1458,16 @@ static NTSTATUS open_file(files_struct *fsp, return NT_STATUS_OBJECT_NAME_NOT_FOUND; } + if (S_ISLNK(smb_fname->st.st_ex_mode) && + !(fsp->posix_flags & FSP_POSIX_FLAGS_OPEN)) + { + /* + * Don't allow stat opens on symlinks directly unless + * it's a POSIX open. + */ + return NT_STATUS_OBJECT_PATH_NOT_FOUND; + } + status = smbd_check_access_rights(conn, conn->cwd_fsp, smb_fname, diff --git a/source3/torture/torture.c b/source3/torture/torture.c index 5440b7288ea..8ceaf831240 100644 --- a/source3/torture/torture.c +++ b/source3/torture/torture.c @@ -8041,7 +8041,6 @@ static bool run_acl_symlink_test(int dummy) char *posix_acl_sym = NULL; size_t posix_acl_len_sym = 0; struct security_descriptor *sd = NULL; - struct security_descriptor *sd_sym = NULL; TALLOC_CTX *frame = NULL; frame = talloc_stackframe(); @@ -8146,7 +8145,7 @@ static bool run_acl_symlink_test(int dummy) goto out; } - /* Open a handle on the symlink. */ + /* Try a stat-open on the symlink, should also fail. */ status = cli_ntcreate(cli, sname, 0, @@ -8159,23 +8158,8 @@ static bool run_acl_symlink_test(int dummy) &fnum, NULL); - if (!NT_STATUS_IS_OK(status)) { - printf("cli_posix_open of %s failed (%s)\n", - sname, - nt_errstr(status)); - goto out; - } - - /* Get the Windows ACL on the symlink handle. Should fail */ - status = cli_query_secdesc(cli, - fnum, - frame, - &sd_sym); - - if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { - printf("cli_query_secdesc on a symlink gave %s. " - "Should be NT_STATUS_ACCESS_DENIED.\n", - nt_errstr(status)); + if (NT_STATUS_IS_OK(status)) { + printf("Stat-open of symlink succeeded (should fail)\n"); goto out; } @@ -8193,19 +8177,6 @@ static bool run_acl_symlink_test(int dummy) goto out; } - /* Set the Windows ACL on the symlink handle. Should fail */ - status = cli_set_security_descriptor(cli, - fnum, - SECINFO_DACL, - sd); - - if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { - printf("cli_query_secdesc on a symlink gave %s. " - "Should be NT_STATUS_ACCESS_DENIED.\n", - nt_errstr(status)); - goto out; - } - /* Set the POSIX ACL on the symlink pathname. Should fail. */ status = cli_posix_setacl(cli, sname,