Ralph Boehme [Tue, 29 Sep 2020 08:14:47 +0000 (10:14 +0200)]
smbd: add openat_pathref_fsp()
open_pathref_fsp() opens an "embedded" fsp inside smb_fname as
smb_fname->fsp. We call such an fsp a "pathref" fsp.
On systems that support O_PATH the low level openat() is done with O_PATH. On
systems that lack support for O_PATH, we impersonate the root user as a
fallback.
Setting "is_pathref" in the fsp_flags before calling fd_openat() is what
triggers the special low-level behaviour inside the VFS.
The use of pathref fsps allows updating all callers of path based VFS functions
like
Ralph Boehme [Tue, 24 Nov 2020 11:30:58 +0000 (12:30 +0100)]
smbd: convert non_widelink_open() and process_symlink_open() to return NTSTATUS
non_widelink_open() now also returns NT_STATUS_STOPPED_ON_SYMLINK in case an
attempt was made to either
1. open a symlink from a POSIX client, or
2. open a symlink from a Windows client but any of the symlink behaviour
configuring options "follow symlink", "wide links" or "allow insecure wide
links" prevents access to the symlink target
Caller open_file() has already been updated to map NT_STATUS_STOPPED_ON_SYMLINK
to NT_STATUS_NT_STATUS_OBJECT_PATH_NOT_FOUND.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Mon, 19 Oct 2020 08:19:28 +0000 (10:19 +0200)]
smbd: simplify setting and resetting fsp->fsp_name in non_widelink_open()
Instead of setting and resetting the name to the relative name every time we
call into the VFS, just set it once and reset it at the end and when recursing
via process_symlink_open().
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 13 Oct 2020 12:38:28 +0000 (14:38 +0200)]
smbd: pass a dirfsp to fd_open() and rename it to fd_openat()
For now no change in behaviour as all callers still pass conn->cwd_fsp. This
just prepares fd_openat() to deal with real dirfsp's passed by callers later on
when adding calls to fd_openat(dirfsp, ...) in the directory enumeration loop.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 29 Sep 2020 08:00:21 +0000 (10:00 +0200)]
smbd: catch O_PATH opens of symlinks in non_widelink_open()
Calling openat() with O_PATH|O_NOFOLLOW will open a handle on the symlink
itself. That would be a nice feature if it were supported on more platforms,
but being a Linux only thing, we have to preserve the behaviour of failing to
open a handle on symlinks.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Mon, 12 Oct 2020 11:21:07 +0000 (13:21 +0200)]
smbd: already set fsp fd in non_widelink_open()
A subsequent commit will add a consumer of the fd to non_widelink_open() (by
calling SMB_VFS_FSTAT()), so we need to set the fd already here. And it makes
more sense anyway. :)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 24 Nov 2020 11:20:23 +0000 (12:20 +0100)]
vfs: add fsp flag "have_proc_fds"
This flag is used by the VFS layer to tell the FSA layer that it is allowed to
reopen an fsp by using an existing pathref fd with /proc/PID/fd/FD to open a
full fd.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
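Added example, not code from the Samba commits listed here: a stand-alone Linux C sketch of two behaviours these commit messages describe, namely that openat() with O_PATH|O_NOFOLLOW succeeds on a symlink (so the caller has to check the type and refuse it) and that a pathref fd can be upgraded to a full fd through /proc/self/fd/N. The helper names pathref_open(), pathref_reopen() and demo() are hypothetical, and the temp-dir files are constructed for the demonstration.

```c
#define _GNU_SOURCE            /* exposes O_PATH in <fcntl.h> */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000       /* Linux value on x86/ARM, used only if the headers hid it */
#endif

/* Hypothetical helper: open a path reference relative to dirfd. O_PATH|O_NOFOLLOW
 * succeeds on a symlink, so refuse symlinks (and anything that cannot be stat'ed). */
int pathref_open(int dirfd, const char *name)
{
	struct stat st;
	int fd = openat(dirfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
	if (fd == -1) return -errno;
	if (fstat(fd, &st) == 0 && !S_ISLNK(st.st_mode)) return fd;
	close(fd);
	return -ELOOP;
}

/* Hypothetical helper: upgrade a pathref fd to a full fd through procfs. */
int pathref_reopen(int pathref_fd, int flags)
{
	char path[64];
	snprintf(path, sizeof(path), "/proc/self/fd/%d", pathref_fd);
	int fd = open(path, flags | O_CLOEXEC); /* no O_NOFOLLOW: this path is a magic symlink */
	return fd == -1 ? -errno : fd;
}

/* Constructed scenario in a temp dir; returns 0 when every step behaves as described. */
int demo(void)
{
	char tmpl[] = "/tmp/pathref-demo-XXXXXX", buf[4];
	if (mkdtemp(tmpl) == NULL) return 1;
	int dirfd = open(tmpl, O_RDONLY | O_DIRECTORY);
	int fd = openat(dirfd, "file", O_CREAT | O_WRONLY, 0600);
	if (fd == -1 || write(fd, "data", 4) != 4 || close(fd) != 0) return 2;
	if (symlinkat("file", dirfd, "link") == -1) return 3;
	if (pathref_open(dirfd, "link") != -ELOOP) return 4;   /* symlink refused */
	int ref = pathref_open(dirfd, "file");
	if (ref < 0 || read(ref, buf, 4) != -1 || errno != EBADF) return 5; /* no I/O on a pathref */
	int io = pathref_reopen(ref, O_RDONLY);
	if (io < 0 || read(io, buf, 4) != 4 || buf[0] != 'd') return 6;
	close(io); close(ref);
	unlinkat(dirfd, "link", 0); unlinkat(dirfd, "file", 0); close(dirfd); rmdir(tmpl);
	return 0;
}

int main(void) { return demo(); }
```

The reopen step needs a mounted procfs, which is the condition the "have_proc_fds" flag reports to the upper layer.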
Ralph Boehme [Wed, 25 Nov 2020 04:32:19 +0000 (05:32 +0100)]
vfs: add struct connection_struct flag "have_proc_fds"
Allows the VFS layer to tell the higher layers if fds opened by the openat() VFS
implementation are visible objects inside a /proc/PID/fd/FD filesystem.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Mon, 5 Oct 2020 05:50:16 +0000 (07:50 +0200)]
smbd: use fsp_get_pathref_fd() for fstat() calls
If we can access the path to a file, by default we have FILE_READ_ATTRIBUTES
from the containing directory. See the section: "Algorithm to Check Access to an
Existing File" in MS-FSA.pdf.
So it's also safe to use a root opened pathref fd, as the root open is done on
the final component after a chdir() to the parent directory was done while still
impersonating the user. Qed.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Sat, 26 Sep 2020 19:52:52 +0000 (21:52 +0200)]
smbd: use fsp_get_io_fd() when accessing a file or its associated metadata
In all places where we access or modify a file or its associated metadata, we
use fsp_get_io_fd() to fetch the low-level fd from the fsp. This ensures we
don't accidentally use a pathref fsp where the fd would be opened as root on
systems lacking O_PATH.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 15 Dec 2020 06:20:55 +0000 (07:20 +0100)]
CI: skip kernel-oplocks tests on older kernels
The kernel of the gitlab shared runners container host has a bug in the
interaction between kernel oplocks and O_PATH opens which was fixed by 387e3746d01c34457d6a73688acd90428725070b in 5.3.1:
Don't actually start the OPLOCK5 test if kernel oplocks are not available,
instead of relying on the #ifdef HAVE_KERNEL_OPLOCKS_LINUX magic in torture.c.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Andrew Walker [Tue, 8 Dec 2020 15:36:10 +0000 (10:36 -0500)]
s3:smbd:trans2.c - add twrp to tmp smb_fname in smbd_do_qfsinfo
Preserve VSS-related timestamp in temporary smb_filename before
calling vfs_stat_fn() in smbd_do_qfsinfo. Otherwise, we can fail
here on smb2_getinfo requests if file does not exist outside of
shadow copy path.
Signed-off-by: Andrew Walker <awalker@ixsystems.com> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Dec 15 15:32:18 UTC 2020 on sn-devel-184
Douglas Bagnall [Thu, 3 Dec 2020 23:57:57 +0000 (12:57 +1300)]
dbcheck: check_object() caches of lower case attr names
The construct `'name' in map(str.lower, attrs)` is doubly inefficient,
because not only is it running the lower() function too often, it is
searching linearly in a temporary iterator for membership.
So we make a set, and use that.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Noel Power <npower@samba.org>
Martin Schwenke [Fri, 11 Dec 2020 04:57:37 +0000 (15:57 +1100)]
bootstrap: Update distro list in README.md
Update examples to make them valid.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Dec 15 12:03:58 UTC 2020 on sn-devel-184
Martin Schwenke [Tue, 8 Dec 2020 13:03:47 +0000 (00:03 +1100)]
bootstrap: Cope with case changes in CentOS 8 repo names
RN: Be more flexible with repository names in CentOS 8 test environments
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14594 Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Sun, 29 Nov 2020 19:21:21 +0000 (20:21 +0100)]
libsmb: Remove unused ads_dns_query_* routines
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec 11 19:30:16 UTC 2020 on sn-devel-184
Volker Lendecke [Sun, 29 Nov 2020 17:25:32 +0000 (18:25 +0100)]
libcli: Add ads_dns_query_srv_send()/recv()
This issues the "query" for SRV records site-aware and siteless. If
there are SRV records returned without IP addresses, it will issue A
and AAAA requests, waiting up to async_dns_timeout seconds. If that
timeout is reached, ads_dns_query_srv_recv() returns whatever is
around.
Superdebug added by Jeremy <jra@samba.org> :-)
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
David Mulder [Fri, 4 Dec 2020 15:53:54 +0000 (08:53 -0700)]
WHATSNEW: samba-tool gpo manage command
Signed-off-by: David Mulder <dmulder@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Wed Dec 9 18:42:29 UTC 2020 on sn-devel-184