| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Ensure we don't dereference an array with an index of -1.
Jeremy.
|
|
make access decisions.
Jeremy.
|
|
|
|
Re-arrange the operations order so SMB_VFS_CONNECT is done
first as root (to allow modules to correctly initialize themselves).
Reviewed modules to check if they needed CONNECT invoked as
a user (which we previously did) and it turns out any of them
that cared needed root permissions anyway.
Jeremy.
|
|
|
|
and 0 in the places where it does.
Jeremy
|
|
behavior.
Cause all exit paths to go through one place, where all cleanup is
done. change_to_root_user() for pathname operations that should succeed if
the path exists, even if the connecting user has no access.
For example, a share can now be defined with a path of /root/only/access
(where /root/only/access is a directory path with all components only
accessible to root e.g. root owned, permissions 700 on every component).
Non-root users will now correctly connect, but get ACCESS_DENIED on
all activities (which matches Windows behavior). Previously, non-root
users would get NT_STATUS_BAD_NETWORK_NAME on doing a TConX to this
share, even though it's a perfectly valid share path (just not accessible
to them).
This change was inspired by the research I did for bug #7126, which
was reported by bepi@adria.it.
As this is a change in a core function, I'm proposing to leave
this only in master for 3.6.0, not back-port to any existing releases.
This should give us enough time to decide if this is the way we want this to
behave (as Windows) or if we prefer the previous behavior.
Jeremy.
|
|
This hasn't been turned on or been capable of doing so for
many years now. Makes this jumbo function smaller...
Jeremy.
|
|
NT_STATUS_OBJECT_PATH_INVALID error"
This reverts commit 2fdd8b10c6abadd27c579e772c0482214d2363a5.
This fix is incorrect. The original code works as desired,
I made a mistake here.
Jeremy.
|
|
NT_STATUS_OBJECT_PATH_INVALID error
As tridge's comment says, we should be ignoring ACCESS_DENIED
on the share path in a TconX call, instead allowing the mount
and having individual SMB calls fail (as Windows does). The
original code erroneously caught SMB_VFS_STAT != 0 and errored
out on that.
Jeremy.
|
|
Jeremy.
|
|
Volker.
Create widelinks_warning(int snum) to cover the message needed in make_connection.
Jeremy.
|
|
are incompatible.
Volker pointed out that the preexec scripts get passed the conn->connectpath
as a parameter, so call canonicalize_connect_path() both *before* and after
the preexec scripts. Ignore errors on the call before the preexec scripts,
as the path may not exist until created by the preexec scripts.
Jeremy.
|
|
This way we avoid any chance that a configuration reload may turn
back on wide links when unix extensions are enabled.
|
|
extensions" are incompatible.
Make sure we match the previous allow widelinks behavior, in that
non-root preexec scripts can create share directories for a share
definition.
Jeremy
|
|
incompatible.
Bug reported by Ralf Zimmermann <r.zimmermann@siegnetz.de>. Reproduced by jra.
If the target directory of a share doesn't exist, but is designed to
be created by a "root preexec" script call, then the widelinks check
is done too early - thus preventing the user from connecting to the
share.
Fix is to re-arrange the order of checks in make_connection_snum()
to always do the following order of operations:
(1). Turn off wide links if unix extensions = yes.
(2). Call any root preexec scripts.
(3). Canonicalize the share path to remove any symlinks (ie. end
up with the realpath in the connection_struct).
Jeremy.
|
|
Change parameter "wide links" to default to "no".
Ensure "wide links = no" if "unix extensions = yes" on a share.
Fix man pages to refect this.
Remove "within share" checks for a UNIX symlink set - even if
widelinks = no. The server will not follow that link anyway.
Correct DEBUG message in check_reduced_name() to add missing "\n"
so it's really clear when a path is being denied as it's outside
the enclosing share path.
Jeremy.
|
|
The destname malloc size was not taking into account the 1 extra byte
needed if a string without a leading '/' was passed in and that slash
was added.
This would cause the '\0' byte to be written past the end of the
malloced destname string and corrupt whatever heap memory was there.
This problem would be hit if a share name was given in smb.conf without
a leading '/' and if it was the exact size of the allocated STRDUP memory
which in some implementations of malloc is a power of 2.
|
|
I don't think we need to log the fact that a user gave a wrong sharename in Explorer with the highest log level.
The level of this was not very consistent:
service.c: DEBUG(3,("find_service() failed to find service %s\n", service));
service.c: DEBUG(0,("%s (%s) couldn't find service %s\n",
smb2_tcon.c: DEBUG(1,("smbd_smb2_tree_connect: couldn't find service %s\n",
This changes the last two to 3 as the first one.
Signed-off-by: Christian Ambach <christian.ambach@de.ibm.com>
|
|
===========================================================
== Subject: Misconfigured /etc/passwd file may share folders unexpectedly
==
== CVE ID#: CVE-2009-2813
==
== Versions: All versions of Samba later than 3.0.11
==
== Summary: If a user in /etc/passwd is misconfigured to have
== an empty home directory then connecting to the home
== share of this user will use the root of the filesystem
== as the home directory.
===========================================================
|
|
Office 2003.
Confirmation from reporter that this fixes the issue in master on ext3/ext4.
Back-ports to follow.
Jeremy.
|
|
share.
Jeremy.
|
|
On filesystems that can't store less than one second timestamps,
round the incoming timestamp set requests so the client can't discover
that a time set request has been truncated by the filesystem.
Needs backporting to 3.4, 3.3, 3.2 and (even) 3.0.
Jeremy
|
|
They're both only used in the context of a function,
so we can make them stack variables.
metze
|
|
This can be NULL for faked connection structs used in the rpc server
or printing code.
metze
|
|
this changes the level of logs caused by users trying to access shares
or subdirectories for which they do not have access to in the ACL
this can fill up the samba log even with log level 0 and is more an
expected kind of logs that IMHO should not be logged with such a high
level.
All other errors while chdir() will still be logged with level 0
Signed-off-by: Christian Ambach <christian.ambach@de.ibm.com>
|
|
s3: Make smbd aware of permission change of usershare. Since usershare are relatively volatile and
non-previledge users must disconnect from smbd and reconnect to it to make share permission in effect.
For now. This is a feature request and I think we need
to design it a little differently so as not to touch
core change_to_user() code.
Jeremy.
|
|
relatively volatile and non-previledge users must disconnect from smbd and reconnect to it to make share permission in effect.
|
|
This patch introduces two new temporary helper functions
vfs_stat_smb_fname and vfs_lstat_smb_fname. They basically allowed me
to call the new smb_filename version of stat, while avoiding plumbing
it through callers that are still too inconvenient. As the conversion
moves along, I will be able to remove callers of this, with the goal
being to remove all callers.
There was also a bug in create_synthetic_smb_fname_split (also a
temporary utility function) that caused it to incorrectly handle
filenames with ':'s in them when in posix mode. This is now fixed.
|
|
metze
|
|
metze
|
|
metze
|
|
This patch introduces
struct stat_ex {
dev_t st_ex_dev;
ino_t st_ex_ino;
mode_t st_ex_mode;
nlink_t st_ex_nlink;
uid_t st_ex_uid;
gid_t st_ex_gid;
dev_t st_ex_rdev;
off_t st_ex_size;
struct timespec st_ex_atime;
struct timespec st_ex_mtime;
struct timespec st_ex_ctime;
struct timespec st_ex_btime; /* birthtime */
blksize_t st_ex_blksize;
blkcnt_t st_ex_blocks;
};
typedef struct stat_ex SMB_STRUCT_STAT;
It is really large because due to the friendly libc headers playing macro
tricks with fields like st_ino, so I renamed them to st_ex_xxx.
Why this change? To support birthtime, we already have quite a few #ifdef's at
places where it does not really belong. With a stat struct that we control, we
can consolidate the nanosecond timestamps and the birthtime deep in the VFS
stat calls.
At this moment it is triggered by a request to support the birthtime field for
GPFS. GPFS does not extend the system level struct stat, but instead has a
separate call that gets us the additional information beyond posix. Without
being able to do that within the VFS stat calls, that support would have to be
scattered around the main smbd code.
It will very likely break all the onefs modules, but I think the changes will
be reasonably easy to do.
|
|
I don't think we should unconditionally send every refused connection attempt
to a share to syslog, that's where all debug level 0 messages end up.
|
|
instead of reading the registry directly with tdb and activating the
configure options by hand.
This eliminates the need for repeating checks done in loadparm.
For instance it disables registry shares without path in the server
as is the case with text based shares.
Michael
|
|
We keep the seqnum/mid mapping in the smb_request structure.
This also moves one global variable into the
smbd_server_connection struct.
metze
|
|
We need to store the "force group" uid separately from the
conn->server_info token as we need to apply it separately also.
Volker PLEASE CHECK !
Jeremy.
|
|
The goal is to move all this variables into a big context structure.
metze
|
|
This only applies to a setup with "registry shares = yes"
Michael
(cherry picked from commit 288fa94ac7cfdf7457b5098c33fc840bed3d5410)
(cherry picked from commit e85526b184e66f86b7faa9d0a37288a09c12c19e)
|
|
|
|
|
|
(This used to be commit 8dd94d448bc5ad067024c56c6ef498bc88a396b2)
|
|
No functional change, this is a preparation for more current_user ref removal
(This used to be commit dcaedf345e62ab74ea87f0a3fa1e3199c75c5445)
|
|
Jeremy.
(This used to be commit 5d22ca00bcdf49dcb35468400ac8cc3c57808d0d)
|
|
(This used to be commit 344d69f95e217d16213eaa6b53141af6ab459708)
|
|
This required to pass around the domain a bit
(This used to be commit 17b0db20d28d1b737c5e86b78106657e8ca5ce9c)
|
|
(This used to be commit 368454a27cb53a408ec416cbf37235b304592fb5)
|
|
(This used to be commit 2834dacc8d49f77fe55fb5d7e3eb2dda431d1d3d)
|
|
(This used to be commit a3738aef59e97d4533010b048534d937d36c0950)
|
|
Now that we have a token that is correctly set up with gids already, this saves
manual translation of the SIDs to GIDs.
(This used to be commit 6136a6d9d7301c65f37e2bf485681138cddd8bd2)
|
