diff options
author | Andrew Tridgell <tridge@samba.org> | 2010-03-05 22:47:50 +1100 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-03-05 23:07:32 +1100 |
commit | dae9d20e14cafb7b688a7aa3f3680dafd727fa3f (patch) | |
tree | 0e85aba360736efa7163f3ef21b86d24b30785bd /source4 | |
parent | f7c97c8597a2ac375983909c26027abde060edb4 (diff) | |
download | samba-dae9d20e14cafb7b688a7aa3f3680dafd727fa3f.tar.gz samba-dae9d20e14cafb7b688a7aa3f3680dafd727fa3f.tar.bz2 samba-dae9d20e14cafb7b688a7aa3f3680dafd727fa3f.zip |
s4-pvfs: set default for perm override based on system features
If the system has O_NOFOLLOW and O_DIRECTORY then we allow for
overrides by default. If not, then we disable by default, as we will
be more vulnerable to symlink attacks
Diffstat (limited to 'source4')
-rw-r--r-- | source4/ntvfs/posix/vfs_posix.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/source4/ntvfs/posix/vfs_posix.c b/source4/ntvfs/posix/vfs_posix.c index f22f1d4817..05bdd0a8aa 100644 --- a/source4/ntvfs/posix/vfs_posix.c +++ b/source4/ntvfs/posix/vfs_posix.c @@ -39,6 +39,7 @@ static void pvfs_setup_options(struct pvfs_state *pvfs) { struct share_config *scfg = pvfs->ntvfs->ctx->config; const char *eadb; + bool def_perm_override = false; if (share_bool_option(scfg, SHARE_MAP_HIDDEN, SHARE_MAP_HIDDEN_DEFAULT)) pvfs->flags |= PVFS_FLAG_MAP_HIDDEN; @@ -58,7 +59,14 @@ static void pvfs_setup_options(struct pvfs_state *pvfs) pvfs->flags |= PVFS_FLAG_FAKE_OPLOCKS; if (share_bool_option(scfg, PVFS_AIO, false)) pvfs->flags |= PVFS_FLAG_LINUX_AIO; - if (share_bool_option(scfg, PVFS_PERM_OVERRIDE, true)) + +#if defined(O_DIRECTORY) && defined(O_NOFOLLOW) + /* set PVFS_PERM_OVERRIDE by default only if the system + * supports the necessary capabilities to make it secure + */ + def_perm_override = true; +#endif + if (share_bool_option(scfg, PVFS_PERM_OVERRIDE, def_perm_override)) pvfs->flags |= PVFS_FLAG_PERM_OVERRIDE; /* file perm options */ |