From dab50f3953259635ba14d166472c3dbe920f1311 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 1 Oct 2020 14:40:33 +0200 Subject: [PATCH] smbd: prevent non-POSIX stat-opens of symlinks in open_file() Also adjust the test that checks for this. Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison --- source3/smbd/open.c | 10 ++++++++++ source3/torture/torture.c | 35 +++-------------------------------- 2 files changed, 13 insertions(+), 32 deletions(-) diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 361c35303f6..68621a892d9 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -1458,6 +1458,16 @@ static NTSTATUS open_file(files_struct *fsp, return NT_STATUS_OBJECT_NAME_NOT_FOUND; } + if (S_ISLNK(smb_fname->st.st_ex_mode) && + !(fsp->posix_flags & FSP_POSIX_FLAGS_OPEN)) + { + /* + * Don't allow stat opens on symlinks directly unless + * it's a POSIX open. + */ + return NT_STATUS_OBJECT_PATH_NOT_FOUND; + } + status = smbd_check_access_rights(conn, conn->cwd_fsp, smb_fname, diff --git a/source3/torture/torture.c b/source3/torture/torture.c index 5440b7288ea..8ceaf831240 100644 --- a/source3/torture/torture.c +++ b/source3/torture/torture.c @@ -8041,7 +8041,6 @@ static bool run_acl_symlink_test(int dummy) char *posix_acl_sym = NULL; size_t posix_acl_len_sym = 0; struct security_descriptor *sd = NULL; - struct security_descriptor *sd_sym = NULL; TALLOC_CTX *frame = NULL; frame = talloc_stackframe(); @@ -8146,7 +8145,7 @@ static bool run_acl_symlink_test(int dummy) goto out; } - /* Open a handle on the symlink. */ + /* Try a stat-open on the symlink, should also fail. */ status = cli_ntcreate(cli, sname, 0, @@ -8159,23 +8158,8 @@ static bool run_acl_symlink_test(int dummy) &fnum, NULL); - if (!NT_STATUS_IS_OK(status)) { - printf("cli_posix_open of %s failed (%s)\n", - sname, - nt_errstr(status)); - goto out; - } - - /* Get the Windows ACL on the symlink handle. Should fail */ - status = cli_query_secdesc(cli, - fnum, - frame, - &sd_sym); - - if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { - printf("cli_query_secdesc on a symlink gave %s. " - "Should be NT_STATUS_ACCESS_DENIED.\n", - nt_errstr(status)); + if (NT_STATUS_IS_OK(status)) { + printf("Stat-open of symlink succeeded (should fail)\n"); goto out; } @@ -8193,19 +8177,6 @@ static bool run_acl_symlink_test(int dummy) goto out; } - /* Set the Windows ACL on the symlink handle. Should fail */ - status = cli_set_security_descriptor(cli, - fnum, - SECINFO_DACL, - sd); - - if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { - printf("cli_query_secdesc on a symlink gave %s. " - "Should be NT_STATUS_ACCESS_DENIED.\n", - nt_errstr(status)); - goto out; - } - /* Set the POSIX ACL on the symlink pathname. Should fail. */ status = cli_posix_setacl(cli, sname, -- 2.47.3