ACCESS_DENIED with symlinks within a root ("/") share
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
samba |
Unknown
|
Unknown
|
|||
samba (Ubuntu) |
Fix Released
|
Medium
|
Dariusz Gadomski | ||
Trusty |
Fix Released
|
Medium
|
Dariusz Gadomski | ||
Xenial |
Fix Released
|
Medium
|
Dariusz Gadomski | ||
Zesty |
Fix Released
|
Medium
|
Dariusz Gadomski |
Bug Description
[Impact]
* In case of accessing directories chdir to it directly instead of its parent directory. This changes how dir symlinks are handled in root shares and leads to avoiding the ACCESS_DENIED ISSUE.
[Test Case]
1. Prepare smb server with a share:
[rootshare]
guest ok = yes
path = /
wide links = no
follow symlinks = yes
2. On the server:
mkdir -p /srv/dir
ln -s /srv/dir /srv/symdir.
3. Connect from a client:
smbclient -m smb3 //server/rootshare -c "cd srv\symdir; dir"
[Regression Potential]
* When accessing broken symlinks share's base directory is accessed. This however seems to be consistent with a pre-fix behavior.
* One autopkgtest failure has been found, nothing related to samba so another bug has been reported (LP: #1713098) against gvfs DEP8 test.
For more details:
- https:/
[Other Info]
This fix is included in Samba 4.6.7 release so Artful and Debian both have it already.
Original bug description:
See Samba bug: https:/
CVE References
Changed in samba (Ubuntu): | |
status: | New → Confirmed |
Changed in samba (Ubuntu): | |
importance: | Undecided → Medium |
assignee: | nobody → Dariusz Gadomski (dgadomski) |
status: | Confirmed → In Progress |
description: | updated |
tags: | added: sts sts-sru-needed |
description: | updated |
Changed in samba (Ubuntu Trusty): | |
importance: | Undecided → Medium |
Changed in samba (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in samba (Ubuntu Zesty): | |
importance: | Undecided → Medium |
Changed in samba (Ubuntu Trusty): | |
assignee: | nobody → Dariusz Gadomski (dgadomski) |
Changed in samba (Ubuntu Xenial): | |
assignee: | nobody → Dariusz Gadomski (dgadomski) |
Changed in samba (Ubuntu Zesty): | |
assignee: | nobody → Dariusz Gadomski (dgadomski) |
Changed in samba (Ubuntu Trusty): | |
status: | New → In Progress |
Changed in samba (Ubuntu Xenial): | |
status: | New → In Progress |
Changed in samba (Ubuntu Zesty): | |
status: | New → In Progress |
Changed in samba (Ubuntu): | |
status: | In Progress → Fix Released |
description: | updated |
description: | updated |
From Samba bug:
I know this is an unusual scenario: sharing the entire filesytem ("/"). But it was working with 4.3.8, and broke sometime after, perhaps with the CVE-2017-2619 fixes since this involves symlinks and there were a few regressions with that particular CVE.
For the test I used 4.6.5 with the patch for bug #12860.
This is the smb.conf: snew\s* \spassword: * %n\n *Retype\ snew\s* \spassword: * %n\n *password\ supdated\ ssuccessfully* . samba/log. %m samba/panic- action %d
[global]
server string = %h server (Samba, Ubuntu)
netbios name = xenial
server role = standalone server
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\
unix password sync = Yes
syslog = 0
log file = /var/log/
max log size = 1000
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/
idmap config * : backend = tdb
[rootfs]
path = /
follow symlinks = yes
wide links = no
read only = no
guest ok = no
browseable = yes
/opt has this: samba-rootfs: ~# ls -lah /opt to-directory -> target-directory
root@xenial-
total 5.0K
drwxr-xr-x 3 root root 6 Jul 3 20:01 .
drwxr-xr-x 22 root root 22 Jun 19 23:52 ..
-rw-r--r-- 1 root root 6 Jul 3 20:01 file.txt
lrwxrwxrwx 1 root root 16 Jul 3 20:01 symlink-
lrwxrwxrwx 1 root root 8 Jul 3 20:01 symlink-to-file -> file.txt
drwxr-xr-x 2 root root 2 Jul 3 20:01 target-directory
This worked with 4.3.8 without the CVE-2017-2619 patch: samba-rootfs: ~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "dir /opt/symlink- to-directory/ *"
root@xenial-
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
. D 0 Mon Jul 3 20:01:36 2017
.. D 0 Mon Jul 3 20:01:49 2017
244825344 blocks of size 1024. 244392448 blocks available
root@xenial- samba-rootfs: ~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "get \opt\symlink- to-file" to-file of size 6 as \opt\symlink- to-file (5.9 KiloBytes/sec) (average 5.9 KiloBytes/sec)
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
getting file \opt\symlink-
But it fails with 4.3.11 + CVE patches, and also 4.6.5 with the patch for bug #12860:
root@xenial- samba-rootfs: ~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "dir /opt/symlink- to-directory/ *" ACCESS_ DENIED listing \opt\symlink- to-directory\ *
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
NT_STATUS_
root@xenial- samba-rootfs: ~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "get \opt\symlink- to-file" ACCESS_ DENIED opening remote file \opt\symlink- to-file
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
NT_STATUS_