summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2010-03-05 22:47:50 +1100
committerAndrew Tridgell <tridge@samba.org>2010-03-05 23:07:32 +1100
commitdae9d20e14cafb7b688a7aa3f3680dafd727fa3f (patch)
tree0e85aba360736efa7163f3ef21b86d24b30785bd
parentf7c97c8597a2ac375983909c26027abde060edb4 (diff)
downloadsamba-dae9d20e14cafb7b688a7aa3f3680dafd727fa3f.tar.gz
samba-dae9d20e14cafb7b688a7aa3f3680dafd727fa3f.tar.bz2
samba-dae9d20e14cafb7b688a7aa3f3680dafd727fa3f.zip
s4-pvfs: set default for perm override based on system features
If the system has O_NOFOLLOW and O_DIRECTORY then we allow for overrides by default. If not, then we disable by default, as we will be more vulnerable to symlink attacks
-rw-r--r--source4/ntvfs/posix/vfs_posix.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/source4/ntvfs/posix/vfs_posix.c b/source4/ntvfs/posix/vfs_posix.c
index f22f1d4817..05bdd0a8aa 100644
--- a/source4/ntvfs/posix/vfs_posix.c
+++ b/source4/ntvfs/posix/vfs_posix.c
@@ -39,6 +39,7 @@ static void pvfs_setup_options(struct pvfs_state *pvfs)
{
struct share_config *scfg = pvfs->ntvfs->ctx->config;
const char *eadb;
+ bool def_perm_override = false;
if (share_bool_option(scfg, SHARE_MAP_HIDDEN, SHARE_MAP_HIDDEN_DEFAULT))
pvfs->flags |= PVFS_FLAG_MAP_HIDDEN;
@@ -58,7 +59,14 @@ static void pvfs_setup_options(struct pvfs_state *pvfs)
pvfs->flags |= PVFS_FLAG_FAKE_OPLOCKS;
if (share_bool_option(scfg, PVFS_AIO, false))
pvfs->flags |= PVFS_FLAG_LINUX_AIO;
- if (share_bool_option(scfg, PVFS_PERM_OVERRIDE, true))
+
+#if defined(O_DIRECTORY) && defined(O_NOFOLLOW)
+ /* set PVFS_PERM_OVERRIDE by default only if the system
+ * supports the necessary capabilities to make it secure
+ */
+ def_perm_override = true;
+#endif
+ if (share_bool_option(scfg, PVFS_PERM_OVERRIDE, def_perm_override))
pvfs->flags |= PVFS_FLAG_PERM_OVERRIDE;
/* file perm options */