r933: When using widelinks = no, use realpath to canonicalize the

connection path on connection create for the user. We'll be
checking all symlinked paths are below this directory.
Jeremy.
(This used to be commit b562fe9fbca4971059b913959bbaca02af42c1a4)

3 files changed, 41 insertions, 2 deletions

diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index 5e5f572691..67329b51e6 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -135,7 +135,7 @@ BOOL unix_convert(pstring name,connection_struct *conn,char *saved_last_componen
 		if (SMB_VFS_STAT(conn,name,&st) == 0) {
 			*pst = st;
 		}
-		DEBUG(5,("conversion finished %s -> %s\n",orig_path, name));
+		DEBUG(5,("conversion finished \"\" -> %s\n",name));
 		return(True);
 	}
 
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index c74537c299..192a043bf5 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -499,6 +499,20 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
 		return NULL;
 	}
 
+	/*
+	 * If widelinks are disallowed we need to canonicalise the
+	 * connect path here to ensure we don't have any symlinks in
+	 * the connectpath. We will be checking all paths on this
+	 * connection are below this directory. We must do this after
+	 * the VFS init as we depend on the realpath() pointer in the vfs table. JRA.
+	 */
+	if (!lp_widelinks(snum)) {
+		pstring s;
+		pstrcpy(s,conn->connectpath);
+		canonicalize_path(conn, s);
+		string_set(&conn->connectpath,s);
+	}
+
 /* ROOT Activities: */	
 	/* check number of connections */
 	if (!claim_connection(conn,
diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c
index a415e0470e..86f180e543 100644
--- a/source3/smbd/vfs.c
+++ b/source3/smbd/vfs.c
@@ -784,6 +784,31 @@ char *vfs_GetWd(connection_struct *conn, char *path)
 	return (path);
 }
 
+BOOL canonicalize_path(connection_struct *conn, pstring path)
+{
+#ifdef REALPATH_TAKES_NULL
+	char *resolved_name = SMB_VFS_REALPATH(conn,path,NULL);
+	if (!resolved_name) {
+		return False;
+	}
+	pstrcpy(path, resolved_name);
+	SAFE_FREE(resolved_name);
+	return True;
+#else
+#ifdef PATH_MAX
+        char resolved_name_buf[PATH_MAX+1];
+#else
+        pstring resolved_name_buf;
+#endif
+	char *resolved_name = SMB_VFS_REALPATH(conn,path,resolved_name_buf);
+	if (!resolved_name) {
+		return False;
+	}
+	pstrcpy(path, resolved_name);
+	return True;
+#endif /* REALPATH_TAKES_NULL */
+}
+
 /*******************************************************************
  Reduce a file name, removing .. elements and checking that
  it is below dir in the heirachy. This uses realpath.
@@ -879,7 +904,7 @@ BOOL reduce_name(connection_struct *conn, pstring fname)
 	}
 
 	if (strncmp(conn->connectpath, resolved_name, con_path_len) != 0) {
-		DEBUG(2, ("reduce_name: Bad access attemt: %s is a symlink outside the share path", fname));
+		DEBUG(2, ("reduce_name: Bad access attempt: %s is a symlink outside the share path", fname));
 		if (free_resolved_name)
 			SAFE_FREE(resolved_name);
 		return False;