Jeremy Allison [Wed, 17 Aug 2022 18:43:47 +0000 (11:43 -0700)]
s3: smbd: Plumb close_type parameter through close_file_in_loop(), file_close_conn()
Allows close_file_in_loop() to differentiate between SHUTDOWN_CLOSE
(previously it only used this close type) and ERROR_CLOSE - called
on error from smbXsrv_tcon_disconnect() in the error path. In that
case we want to close the fd, but not run any delete-on-close actions.
Signed-off-by: Jeremy Allison <jra@samba.org> Reivewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Thu Aug 18 14:10:18 UTC 2022 on sn-devel-184
Jeremy Allison [Wed, 17 Aug 2022 18:35:29 +0000 (11:35 -0700)]
s3: smbd: Add "enum file_close_type close_type" parameter to close_cnum().
Not yet used, but needed so we can differentiate between
SHUTDOWN_CLOSE and ERROR_CLOSE in smbXsrv_tcon_disconnect()
if we fail to chdir. In that case we want to close the fd,
but not run any delete-on-close actions.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Wed Aug 17 11:03:54 UTC 2022 on sn-devel-184
Jeremy Allison [Fri, 22 Jul 2022 15:28:03 +0000 (16:28 +0100)]
s3/smbd: Use after free when iterating smbd_server_connection->connections
Change conn_free() to just use a destructor. We now
catch any other places where we may have forgetten to
call conn_free() - it's implicit on talloc_free(conn).
Based on code from Noel Power <noel.power@suse.com>.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Wed Aug 17 09:54:06 UTC 2022 on sn-devel-184
If chdir_current_service(tcon->compat) fails, we return status without ever having
called close_cnum(tcon->compat, vuid), leaving the conn pointer left in the linked
list sconn->connections.
The caller frees tcon and (by ownership) tcon->compat, still leaving the
freed tcon->compat pointer on the sconn->connections linked list.
When deadtime_fn() fires and walks the sconn->connections list it
indirects this freed pointer. We must call close_cnum() on error also.
Valgrind trace from Noel Power <noel.power@suse.com> is:
==6432== Invalid read of size 8
==6432== at 0x52CED3A: conn_lastused_update (conn_idle.c:38)
==6432== by 0x52CEDB1: conn_idle_all (conn_idle.c:54)
==6432== by 0x5329971: deadtime_fn (smb2_process.c:1566)
==6432== by 0x5DA2339: smbd_idle_event_handler (util_event.c:45)
==6432== by 0x685F2F8: tevent_common_invoke_timer_handler (tevent_timed.c:376)
==6432== Address 0x19074b88 is 232 bytes inside a block of size 328 free'd
==6432== at 0x4C3451B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6432== by 0x5B38521: _tc_free_internal (talloc.c:1222)
==6432== by 0x5B39463: _tc_free_children_internal (talloc.c:1669)
==6432== by 0x5B38404: _tc_free_internal (talloc.c:1184)
==6432== by 0x5B39463: _tc_free_children_internal (talloc.c:1669)
==6432== by 0x5B38404: _tc_free_internal (talloc.c:1184)
==6432== by 0x5B39463: _tc_free_children_internal (talloc.c:1669)
==6432== by 0x5B38404: _tc_free_internal (talloc.c:1184)
==6432== by 0x5B39463: _tc_free_children_internal (talloc.c:1669)
==6432== by 0x5B38404: _tc_free_internal (talloc.c:1184)
==6432== by 0x5B385C5: _talloc_free_internal (talloc.c:1248)
==6432== by 0x5B3988D: _talloc_free (talloc.c:1792)
==6432== by 0x5349B22: smbd_smb2_flush_send_queue (smb2_server.c:4828)
==6432== Block was alloc'd at
==6432== at 0x4C332EF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6432== by 0x5B378D9: __talloc_with_prefix (talloc.c:783)
==6432== by 0x5B37A73: __talloc (talloc.c:825)
==6432== by 0x5B37E0C: _talloc_named_const (talloc.c:982)
==6432== by 0x5B3A8ED: _talloc_zero (talloc.c:2421)
==6432== by 0x539873A: conn_new (conn.c:70)
==6432== by 0x532D692: make_connection_smb2 (smb2_service.c:909)
==6432== by 0x5352B5E: smbd_smb2_tree_connect (smb2_tcon.c:344)
https://bugzilla.samba.org/show_bug.cgi?id=15128
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Noel Power <npower@samba.org>
Signed-off-by: Christian Ambach <ambi@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Aug 17 07:14:21 UTC 2022 on sn-devel-184
s3:vfs.h: change SMB_VFS_INTERFACE_VERSION to 48 for 4.18
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Aug 16 11:51:36 UTC 2022 on sn-devel-184
Jeremy Allison [Thu, 11 Aug 2022 17:03:58 +0000 (10:03 -0700)]
s3: smbd: Add IS_VETO_PATH checks to openat_pathref_fsp_case_insensitive().
Returns NT_STATUS_OBJECT_NAME_NOT_FOUND for final component.
Note we have to call the check before each call to
openat_pathref_fsp(), as each call may be using a
different filesystem name. The first name is the
one passed into openat_pathref_fsp_case_insensitive()
by the caller, the second one is a name retrieved from
get_real_filename_cache_key(), and the third one is the name
retrieved from get_real_filename_at(). The last two
calls may have demangled the client given name into
a veto'ed path on the filesystem.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Aug 16 08:26:54 UTC 2022 on sn-devel-184
Jeremy Allison [Thu, 11 Aug 2022 16:55:56 +0000 (09:55 -0700)]
s3: smbd: Add IS_VETO_PATH check to openat_pathref_dirfsp_nosymlink().
Returns NT_STATUS_OBJECT_PATH_NOT_FOUND for directory component.
Note IS_VETO_PATH only looks at the last component, so we must
do it during the directory walk on each component.
Note, we also have to check after a call to get_real_filename_at()
as it may have demangled the client sent name into a filesystem
name that matches the "veto files" parameter.
Jeremy Allison [Thu, 11 Aug 2022 16:51:11 +0000 (09:51 -0700)]
s3: tests: Add samba3.blackbox.test_veto_files.
Shows we currently don't look at smb.conf veto files parameter
when opening a file or directory. Checks multi-component paths.
Also checks veto files that might be hidden behind a mangled
name.
When O_PATH is specified in flags, flag bits other than O_CLOEXEC,
O_DIRECTORY, and O_NOFOLLOW are ignored.
In preparation to use openat2(), which gives an error instead of
ignoring flags, we better remove unexpected flags, callers typically
pass O_RDONLY and O_NONBLOCK.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
s3:smbd: let openat_pathref_dirfsp_nosymlink() do a verification loop against . and .. first
I guess we should catch NT_STATUS_OBJECT_NAME_INVALID first,
currently the check is already done in check_path_syntax*,
but we may remove it in future.
But the most important reason for this is the
openat2(RESOLVE_NO_SYMLINK) optimization, which will
be introduced in the following commits.
Review with: git show -w
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
Volker Lendecke [Fri, 3 Jun 2022 14:45:41 +0000 (16:45 +0200)]
vfs: define VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS
This will allow us to make use of openat2(RESOLVE_NO_SYMLINKS) soon.
The caller should check if connection_struct.open_how_resolve contains
VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS before using it, this avoids waisting
cpu time. But even then the caller must be prepared to handle -1/ENOSYS.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
vfs_io_uring: hide a possible definition of struct open_how in liburing/compat.h
liburing.h will include liburing/compat.h, which either includes
linux/openat2.h or defines struct open_how itself.
This will help with the following changes, which will provide
openat2() via libreplace's system/filesys.h, either including
linux/openat2.h or defining open_how ourself.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 12 21:50:23 UTC 2022 on sn-devel-184
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 12 19:18:25 UTC 2022 on sn-devel-184
Jeremy Allison [Mon, 8 Aug 2022 20:18:56 +0000 (13:18 -0700)]
s3: smbd: In filename_convert_dirfsp_nosymlink(), cope with an MS-DFS link as the terminal component.
If the terminal component was an MSDFS link, openat_pathref_fsp_case_insensitive() will
return NT_STATUS_OBJECT_NAME_NOT_FOUND with a VALID_STAT of a symlink.
If this is the case, check if we actually found a terminal MS-DFS link
at the end of the pathname and return NT_STATUS_PATH_NOT_COVERED.
Jeremy Allison [Mon, 8 Aug 2022 18:16:17 +0000 (11:16 -0700)]
s3: smbd: Add dfs_filename_convert(). Simple wrapper around parse_dfs_path().
Not yet used.
This is what we will use to replace dfs_redirect() in the filename
conversion code. Keep as a wrapper for now as we might want to
add some error checking around the 'hostname' and 'service'
returns.
Jeremy Allison [Fri, 5 Aug 2022 19:16:44 +0000 (12:16 -0700)]
s3: smbd: Add new function check_path_syntax_smb2_msdfs() for SMB2 MSDFS paths.
#ifdef'ed out as static and not yet used.
We can't just call check_path_syntax() on these as
they are of the form hostname\share[\extrapath]
(where [\extrapath] is optional).
hostname here can be an IPv6 ':' separated address,
which check_path_syntax() fails on due to the streamname
processing.
NB. This also has to cope with out existing (broken)
libsmbclient libraries that sometimes set the DFS
flag and then send a local pathname. Cope by just
calling the normal check_path_syntax() on the
whole pathname in that case.
Jeremy Allison [Sat, 6 Aug 2022 02:27:33 +0000 (19:27 -0700)]
s3: smbd: Fix cosmetic bug logging pathnames from Linux kernel clients using SMB1 DFS calls.
The Linux kernel SMB1 client has a bug - it sends
DFS pathnames as:
\\server\share\path
instead of:
\server\share\path
Causing us to mis-parse server,share,remaining_path here
and jump into 'goto local_path' at 'share\path' instead
of 'path'.
This doesn't cause an error as the limits on share names
are similar to those on pathnames.
parse_dfs_path() which we call before filename parsing
copes with this by calling trim_char on the leading '\'
characters before processing.
Do the same here so logging of pathnames looks better.
How did I find this ? Lots and lots of manual
testing with the Linux kernel client to make
sure all the recent changes haven't broken Linux
SMB1/2/3 DFS :-).
Sometimes the bottleneck is the smbtorture process.
In order to bring the smbd process to 100% cpu, you can use
'--option="libsmb:client_guid=6112f7d3-9528-4a2a-8861-0ca129aae6c4"'
and run multiple instances of the test at the same time,
which both talk to the same smbd process.
This is a very useful test to show how many requests are possible
at the raw SMB2 layer.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Aug 11 19:23:37 UTC 2022 on sn-devel-184
This improves 'time smbtorture3 //foo/bar -U% local-g-lock-ping-pong -o 50000000'
from ~1.400.000 to ~3.400.000 operations per second any a testsystem.
As we also use TDB_VOLATILE for locking.tdb, this is a much more
realistic test now.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
s3:passdb: Consolidate error checking in fetch_ldap_pw()
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Aug 11 06:34:56 UTC 2022 on sn-devel-184
Ralph Boehme [Wed, 27 Jul 2022 16:40:21 +0000 (18:40 +0200)]
vfs_default: assert all passed in fsp's and names are non-stream type
Enforce fsp is a non-stream one in as many VFS operations as possible in
vfs_default. We really need an assert here instead of returning an error, as
otherwise he can have very hard to diagnose bugs.
Ralph Boehme [Fri, 29 Jul 2022 12:56:41 +0000 (14:56 +0200)]
smbd: ignore request to set the SPARSE attribute on streams
As per MS-FSA 2.1.1.5 this is a per stream attribute, but our backends don't
support it in a consistent way, therefor just pretend success and ignore the
request.
Ralph Boehme [Wed, 27 Jul 2022 11:37:32 +0000 (13:37 +0200)]
CI: add a test trying to delete a stream on a pathref ("stat open") handle
When using vfs_streams_xattr, for a pathref handle of a stream the system fd
will be a fake fd created by pipe() in vfs_fake_fd().
For the following callchain we wrongly pass a stream fsp to
SMB_VFS_FGET_NT_ACL():
SMB_VFS_CREATE_FILE(..., "file:stream", ...)
=> open_file():
if (open_fd):
-> taking the else branch:
-> smbd_check_access_rights_fsp(stream_fsp)
-> SMB_VFS_FGET_NT_ACL(stream_fsp)
This is obviously wrong and can lead to strange permission errors when using
vfs_acl_xattr:
in vfs_acl_xattr we will try to read the stored ACL by calling
fgetxattr(fake-fd) which of course faild with EBADF. Now unfortunately the
vfs_acl_xattr code ignores the specific error and handles this as if there was
no ACL stored and subsequently runs the code to synthesize a default ACL
according to the setting of "acl:default acl style".
As the correct access check for streams has already been carried out by calling
check_base_file_access() from create_file_unixpath(), the above problem is not
a security issue: it can only lead to "decreased" permissions resulting in
unexpected ACCESS_DENIED errors.
The fix is obviously going to be calling
smbd_check_access_rights_fsp(stream_fsp->base_fsp).
This test verifies that deleting a file works when the stored NT ACL grants
DELETE_FILE while the basic POSIX permissions (used in the acl_xattr fallback
code) do not.
Allows passing on "user." xattr to the backend. This can be useful for testing
specific aspects of operation on streams when "streams_xattr" is configured as
stream filesystem backend.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Wed Aug 10 14:14:04 UTC 2022 on sn-devel-184
projects / thirdparty / samba.git / log
