author | Jeremy Allison <jra@samba.org> | 2010-02-11 10:19:33 -0800 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2010-02-11 10:19:33 -0800 |
commit | cd18695fc2e4d09ab75e9eab2f0c43dcc15adf0b (patch) | |
tree | 6137b5e04c3cab1280cac3ce77fc6ebab9a2490f | |
parent | 14c4c2c735d6b263d167bf5255fcf60de2c91110 (diff) | |
Supplementary patch for bug #7104 - "wide links" and "unix extensions" are incompatible.
Bug reported by Ralf Zimmermann <r.zimmermann@siegnetz.de>. Reproduced by jra.
If the target directory of a share doesn't exist, but is designed to
be created by a "root preexec" script call, then the widelinks check
is done too early - thus preventing the user from connecting to the
share.
Fix is to re-arrange the order of checks in make_connection_snum()
to always do the following order of operations:
(1). Turn off wide links if unix extensions = yes.
(2). Call any root preexec scripts.
(3). Canonicalize the share path to remove any symlinks (ie. end
up with the realpath in the connection_struct).
Jeremy.
-rw-r--r-- | source3/smbd/service.c | 55 |
1 files changed, 28 insertions, 27 deletions
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 8039d16586..9d3da8352a 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -850,25 +850,6 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
 return NULL;
 }

- /*
- * If widelinks are disallowed we need to canonicalise the connect
- * path here to ensure we don't have any symlinks in the
- * connectpath. We will be checking all paths on this connection are
- * below this directory. We must do this after the VFS init as we
- * depend on the realpath() pointer in the vfs table. JRA.
- */
- if (!lp_widelinks(snum)) {
- if (!canonicalize_connect_path(conn)) {
- DEBUG(0, ("canonicalize_connect_path failed "
- "for service %s, path %s\n",
- lp_servicename(snum),
- conn->connectpath));
- conn_free(conn);
- *pstatus = NT_STATUS_BAD_NETWORK_NAME;
- return NULL;
- }
- }
-
 if ((!conn->printer) && (!conn->ipc)) {
 conn->notify_ctx = notify_init(conn, server_id_self(),
 smbd_messaging_context(),
@@ -877,6 +858,14 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
 }

 /* ROOT Activities: */
+ if (lp_unix_extensions() && lp_widelinks(snum)) {
+ DEBUG(0,("Share '%s' has wide links and unix extensions enabled. "
+ "These parameters are incompatible. "
+ "Disabling wide links for this share.\n",
+ lp_servicename(snum) ));
+ lp_do_parameter(snum, "wide links", "False");
+ }
+
 /*
 * Enforce the max connections parameter.
 */
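Review bot: The result of `lp_do_parameter(snum, "wide links", "False")` in the second hunk is discarded, yet the canonicalisation that this commit moves further down only runs when `lp_widelinks(snum)` reports false afterwards. If the call can fail (it appears to return a success flag; confirm against its declaration), the connection would continue with both settings enabled even though the log line says wide links were disabled. I would check it, `if (!lp_do_parameter(snum, "wide links", "False")) {`, and refuse the connection with the same cleanup the earlier error paths use (`conn_free(conn)` and a failure `*pstatus`). The body of make_connection_snum() starts and ends outside this hunk.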
@@ -927,6 +916,26 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
 }
 }

+ /*
+ * If widelinks are disallowed we need to canonicalise the connect
+ * path here to ensure we don't have any symlinks in the
+ * connectpath. We will be checking all paths on this connection are
+ * below this directory. We must do this after the VFS init as we
+ * depend on the realpath() pointer in the vfs table. JRA.
+ */
+ if (!lp_widelinks(snum)) {
+ if (!canonicalize_connect_path(conn)) {
+ DEBUG(0, ("canonicalize_connect_path failed "
+ "for service %s, path %s\n",
+ lp_servicename(snum),
+ conn->connectpath));
+ yield_connection(conn, lp_servicename(snum));
+ conn_free(conn);
+ *pstatus = NT_STATUS_BAD_NETWORK_NAME;
+ return NULL;
+ }
+ }
+
 /* USER Activites: */
 if (!change_to_user(conn, conn->vuid)) {
 /* No point continuing if they fail the basic checks */
@@ -1039,14 +1048,6 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
 }
 #endif

- if (lp_unix_extensions() && lp_widelinks(snum)) {
- DEBUG(0,("Share '%s' has wide links and unix extensions enabled. "
- "These parameters are incompatible. "
- "Disabling wide links for this share.\n",
- lp_servicename(snum) ));
- lp_do_parameter(snum, "wide links", "False");
- }
-
 /* Figure out the characteristics of the underlying filesystem. This
 * assumes that all the filesystem mounted withing a share path have
 * the same characteristics, which is likely but not guaranteed. |
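Review bot: The comment moved above `if (!lp_widelinks(snum))` in the first hunk here still records only the VFS-init ordering constraint, while the commit message gives two more: the check must follow the root preexec call and the forced `wide links = False`. I would extend the comment with `* This must also run after any root preexec script, which may create` and `* the share directory, and after wide links has been forced off.`, so that a later reordering does not quietly weaken the symlink confinement. The added `yield_connection()` on the failure path matches the new position after the max-connections claim. Whether anything done by the root preexec script also needs undoing on this path cannot be judged here, because the function body continues outside the hunk.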