CVE-2017-2619 regression breaks symlinks to directories

Bug #1701073 reported by Dave Kettmann
This bug affects 2 people
Affects           Status         Importance   Assigned to         Milestone
samba             Unknown        Unknown
samba (Ubuntu)    Fix Released   High         Andreas Hasenack
  Nominated for Artful by Andreas Hasenack
  Xenial          Fix Released   High         Marc Deslauriers
  Yakkety         Fix Released   High         Marc Deslauriers
  Zesty           Fix Released   High         Marc Deslauriers

Bug Description

Found in current version in Xenial (4.3.11+dfsg-0ubuntu0.16.04.7). When share's path is '/', symlinks do not work properly from Windows client. Gives "Cannot Access" error.

To reproduce:

1. Install samba and related dependencies

apt install -y samba

2. Add a share at the end of the default file that uses '/' as the path:

[reproducer]
        comment = share
        browseable = no
        writeable = yes
        create mode = 0600
        directory mode = 0700
        path = /

3. Attempt to access a symlink somewhere within the path of the share with a Windows client.

4. Receive "Windows cannot access..." related error

Dave Kettmann (dkettman) wrote :

Further investigation shows that these regressions seem to be related to this in the upstream source:

https://github.com/samba-team/samba/commits/v4-6-test/source3/smbd/dir.c

This is a series of 7 commits related to the above-referenced CVE in this file.

Dave Kettmann (dkettman)
Changed in samba (Ubuntu):
importance: Undecided → High
tags: added: xenial
Andreas Hasenack (ahasenack) wrote :

I didn't quite dive into this yet. Adding https://bugzilla.samba.org/show_bug.cgi?id=12721 which may also be related.

tags: added: server-next
Dave Kettmann (dkettman) wrote :

I have setup 4 reproducer VMs. All running the base OS and installed only required packages for Samba. Here are the results:

SMBClient           Xenial  Yakkety  Zesty  Artful
Link to root        Y       Y        Y      Y
Link to directory   Y       Y        Y      Y
Link to file        N       N        N      N

* On Link to file via smbclient, error given is:
NT_STATUS_ACCESS_DENIED opening remote file \opt\smb.conf

Windows             Xenial  Yakkety  Zesty  Artful
Link to root        Y       N        N      N
Link to directory   N       N        N      N
Link to file        N       N        N      N

* On Link to root on Windows, the “N” gives error “The directory name is invalid”

Version of Samba on each is:
Xenial 4.3.11+dfsg-0ubuntu0.16.04.7
Yakkety 4.4.5+dfsg-2ubuntu5.6
Zesty 4.5.8+dfsg-0ubuntu0.17.04.2
Artful 4.5.8+dfsg-2ubuntu3

Artful was daily iso downloaded from here on 6/28/2017:
http://cdimage.ubuntu.com/ubuntu-server/daily/current/artful-server-amd64.iso
MD5Sum: ad2f3ef5db99cf91a34903fa61a0c2f2

Christian Ehrhardt (paelzer) wrote :

Adding update-regression until proved that it is not.
It is too late to stop the updates with that (~3 months) but still tagging correctly seems right.

@Marc - since you backported the CVE could you take a look?

@Dave - Could you share your testcase (I assume you have a script of some sort)

@Andreas - once Dave shared his test, do you think we could make a subset of the testcase into the dep8 tests you have started to add. Extending the md5sum checks with something like a symlink creation and path checks?

tags: added: update-regression
Dave Kettmann (dkettman) wrote :

Shell script attached to be run on fresh install of Xenial.

Powershell commands to test functionality below:

Set-Location \\smb-xenial\reproducer\opt\root
Get-ChildItem
Set-Location \\smb-xenial\reproducer\opt\opt
Get-ChildItem
Get-Content \\smb-xenial\reproducer\opt\smb.conf

The first location works, the last two do not. These were run on a Windows 7 desktop VM.

Andreas Hasenack (ahasenack) wrote :

Ok, checking out what's going on here.

Andreas Hasenack (ahasenack) wrote :

Note: if you use smbclient with -m SMB2, which is what windows7+ uses, you will see the same failure when doing "ls /opt/opt/*":

root@xenial-samba-symlink-1701073:~# smbclient //localhost/cve-root -U ubuntu%ubuntu -c "ls /opt/opt/*"
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
  . D 0 Fri Jun 30 18:51:00 2017
  .. D 0 Fri Jun 30 18:11:18 2017
  smb.conf N 1245 Fri Jun 30 18:50:58 2017
  root D 0 Fri Jun 30 18:11:18 2017
  opt D 0 Fri Jun 30 18:51:00 2017

  246776448 blocks of size 1024. 246351744 blocks available

root@xenial-samba-symlink-1701073:~# smbclient //localhost/cve-root -U ubuntu%ubuntu -c "ls /opt/opt/*" -m SMB2
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
NT_STATUS_ACCESS_DENIED listing \opt\opt\*
root@xenial-samba-symlink-1701073:~#

I'm still investigating, I'm not getting the exact errors described in the upstream samba bug. They hint that it may depend on the kernel version as well. I'll stop trying with lxd and use VMs because of that.

Andreas Hasenack (ahasenack) wrote :

Confirmed. The bug will happen wherever opening a symlink to a directory with O_DIRECTORY||O_NOFOLLOW returns ENOTDIR instead of ELOOP (and you have to be using protocol SMB2 or higher):

xenial:
andreas@nsn7:~$ mkdir -p /tmp/cve/a
andreas@nsn7:~$ ln -s /tmp/cve/a /tmp/cve/b
andreas@nsn7:~$ python -c 'import os; os.open("/tmp/cve/b", os.O_DIRECTORY|os.O_NOFOLLOW)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
OSError: [Errno 40] Too many levels of symbolic links: '/tmp/cve/b'
andreas@nsn7:~$

Same thing on artful:
root@15-89:~# mkdir -p /tmp/cve/a
root@15-89:~# ln -s /tmp/cve/a /tmp/cve/b
root@15-89:~# python -c 'import os; os.open("/tmp/cve/b", os.O_DIRECTORY|os.O_NOFOLLOW)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
OSError: [Errno 20] Not a directory: '/tmp/cve/b'
root@15-89:~#

Samba is only checking for ELOOP, which means the ENOTDIR error surfaces:
(my [cve] share points at /cve)
root@15-89:~# ls -la /cve
total 12
drwxr-xr-x 3 root root 4096 Jun 30 19:20 .
drwxr-xr-x 24 root root 4096 Jun 30 19:20 ..
drwxr-xr-x 2 root root 4096 Jun 30 19:20 a
lrwxrwxrwx 1 root root 1 Jun 30 19:20 b -> a
root@15-89:~# smbclient //localhost/cve -U ubuntu%ubuntu -m SMB2 -c "ls /b/"
WARNING: The "syslog" option is deprecated
Domain=[ARTFUL] OS=[] Server=[]
NT_STATUS_NOT_A_DIRECTORY listing \b\
root@15-89:~#

When using SMB1 (which is the default, so you get the same without specifying -m):
root@15-89:~# smbclient //localhost/cve -U ubuntu%ubuntu -m SMB -c "ls /b/"
WARNING: Ignoring invalid value 'SMB' for parameter 'client max protocol'
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.8-Ubuntu]
  b D 0 Fri Jun 30 19:20:37 2017

  30831504 blocks of size 1024. 23550704 blocks available

On my xenial LXD samba container, it works all the time, and my host is xenial too, so it's the right kernel. I'll double check with a VM, though.

Changed in samba (Ubuntu):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
summary: - CVE-2017-2619 regression breaks symlinks
+ CVE-2017-2619 regression breaks symlinks to directories
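
The errno ambiguity described in the comment above, as an added C example (not part of the bug thread and not Samba's patch): it opens a path with O_DIRECTORY|O_NOFOLLOW and, when the kernel answers ENOTDIR rather than ELOOP, uses lstat() to decide whether the path is a symlink. The function names and the /tmp/cve-probe-* directory are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum probe { IS_DIR, IS_SYMLINK, NOT_A_DIR, PROBE_ERROR };

/* Open path as a directory without following a final symlink and classify
 * the outcome; *raw receives the kernel's errno (0 on success). */
enum probe probe_dir_nofollow(const char *path, int *raw) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd >= 0) { close(fd); *raw = 0; return IS_DIR; }
    *raw = errno;
    if (*raw == ELOOP) return IS_SYMLINK;   /* e.g. the 4.4 kernel in the thread */
    if (*raw != ENOTDIR) return PROBE_ERROR;
    /* ENOTDIR is ambiguous: some kernels return it for a symlink as well as
     * for a regular file, so lstat() decides. A server must still resolve the
     * link and re-check that the target stays inside the share. */
    return (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) ? IS_SYMLINK : NOT_A_DIR;
}

/* Constructed sample mirroring the thread's layout: a/, b -> a, plus a
 * regular file f. Returns 0 when all three are classified correctly. */
int run_demo(int *link_errno) {
    char root[] = "/tmp/cve-probe-XXXXXX", a[64], b[64], f[64];
    int e, fd, ok;
    if (!mkdtemp(root)) return -1;
    snprintf(a, sizeof a, "%s/a", root);
    snprintf(b, sizeof b, "%s/b", root);
    snprintf(f, sizeof f, "%s/f", root);
    if (mkdir(a, 0700) || symlink("a", b) ||
        (fd = open(f, O_CREAT | O_WRONLY, 0600)) < 0) return -1;
    close(fd);
    ok = probe_dir_nofollow(a, &e) == IS_DIR;
    ok &= probe_dir_nofollow(b, link_errno) == IS_SYMLINK;
    ok &= probe_dir_nofollow(f, &e) == NOT_A_DIR;
    unlink(f); unlink(b); rmdir(a); rmdir(root);
    return ok ? 0 : 1;
}

int main(void) {
    int e = 0, rc = run_demo(&e);
    printf("symlink to directory: errno %d (%s)\n", e, strerror(e));
    return rc;
}
```

The printed errno shows which of the two kernel behaviours the host has; the classification is the same either way.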
Dave Kettmann (dkettman) wrote :

@Andreas -- I found that symlinks to files are also broken, not just directories. Did you find this too? This was both linux and Windows, I would get an Access Denied error.

Andreas Hasenack (ahasenack) wrote :

Fix confirmed for artful, test packages here: ppa:ahasenack/samba-dir-symlink-1701073

Andreas Hasenack (ahasenack) wrote :

Here, let me update with a simple test case:

a) Add this share:
[tmp]
 path = /tmp
 wide links = no
 follow symlinks = yes
 browseable = yes
 read only = no
 guest ok = yes

b) run:
mkdir /tmp/target
ln -sf /tmp/target /tmp/symlink-to-target

c) failing test case:
smbclient //localhost/tmp -N -c "dir symlink-to-target/*" -m SMB2

I'll proceed with the SRU.

Andreas Hasenack (ahasenack) wrote :

I haven't seen an issue with symlinks to files.

Andreas Hasenack (ahasenack) wrote :

xenial is only affected if you use a newer kernel from hwe. For example:
- linux-image-4.4.0-83-generic: unaffected
- linux-image-4.8.0-58-generic: affected

Changed in samba (Ubuntu Xenial):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in samba (Ubuntu Yakkety):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in samba (Ubuntu Zesty):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in samba (Ubuntu Xenial):
status: New → In Progress
Changed in samba (Ubuntu Yakkety):
status: New → In Progress
Changed in samba (Ubuntu Zesty):
status: New → In Progress
Changed in samba (Ubuntu Xenial):
importance: Undecided → High
Changed in samba (Ubuntu Yakkety):
importance: Undecided → High
Changed in samba (Ubuntu Zesty):
importance: Undecided → High
Changed in samba (Ubuntu):
assignee: Andreas Hasenack (ahasenack) → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Xenial):
assignee: Andreas Hasenack (ahasenack) → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Yakkety):
assignee: Andreas Hasenack (ahasenack) → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Zesty):
assignee: Andreas Hasenack (ahasenack) → Marc Deslauriers (mdeslaur)
Dariusz Gadomski (dgadomski) wrote :

Andreas, Marc - I think the case Dave described is not fully covered by the fix.

There is a config still failing: if the share is based at / (so all symlinks in the filesystem should be local to the share) with "wide links = no" no symlinks are accessible. According to my tests this affects both file and directory symlinks.

Test case:
# server
[rootshare]
 path = /
 wide links = no
 follow symlinks = yes
 browseable = yes
 read only = no
 guest ok = yes

mkdir -p /tmp/test
ln -s /tmp/test /tmp/testlink

# client
smbclient -m smb3 //server/rootshare
cd /tmp/testlink
dir
NT_STATUS_ACCESS_DENIED listing \tmp\testlink\*

Andreas Hasenack (ahasenack) wrote :

@dgadomski confirmed. This might be a different bug. We should try with the latest samba (4.6.5) and if it continues happening there, file a bug upstream.

Andreas Hasenack (ahasenack) wrote :

I get the same access denied error with 4.6.5 packages, built with or without the patch for this particular regression (#12860 upstream) (my 4.6.5 artful test packages: ppa:ahasenack/samba-merge)

I think sharing the real root filesystem (/) is not a common scenario. I found one bug upstream related to sharing "/" that has been untouched by developers since late 2013.

Let's see if it was working in a previous version, then there would be a bigger incentive to have this fixed upstream.

Andreas Hasenack (ahasenack) wrote :

I filed https://bugzilla.samba.org/show_bug.cgi?id=12873 for this ACCESS_DENIED issue that happens when exporting the root filesystem ("/") and using symlinks, which is what the OP wanted fixed here but we ended up diving into https://bugzilla.samba.org/show_bug.cgi?id=12860, which is another valid regression. Maybe we should have another Ubuntu bug for #12873.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.14.04.9

---------------
samba (2:4.3.11+dfsg-0ubuntu0.14.04.9) trusty-security; urgency=medium

  [ Andreas Hasenack ]
  * d/p/non-wide-symlinks-to-directories-12860.patch: fix a CVE-2017-2619
    regression which breaks symlinks to directories on certain systems
    (LP: #1701073)

  [ Marc Deslauriers ]
  * SECURITY UPDATE: DoS via bad symlink resolution
    - debian/patches/CVE-2017-9461.patch: properly handle dangling symlinks
      in source3/smbd/open.c.
    - CVE-2017-9461

 -- Marc Deslauriers <email address hidden> Tue, 04 Jul 2017 08:01:55 -0400

Changed in samba (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.16.04.8

---------------
samba (2:4.3.11+dfsg-0ubuntu0.16.04.8) xenial-security; urgency=medium

  [ Andreas Hasenack ]
  * d/p/non-wide-symlinks-to-directories-12860.patch: fix a CVE-2017-2619
    regression which breaks symlinks to directories on certain systems
    (LP: #1701073)

  [ Marc Deslauriers ]
  * SECURITY UPDATE: DoS via bad symlink resolution
    - debian/patches/CVE-2017-9461.patch: properly handle dangling symlinks
      in source3/smbd/open.c.
    - CVE-2017-9461

 -- Marc Deslauriers <email address hidden> Tue, 04 Jul 2017 07:56:30 -0400

Changed in samba (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.4.5+dfsg-2ubuntu5.7

---------------
samba (2:4.4.5+dfsg-2ubuntu5.7) yakkety-security; urgency=medium

  * d/p/non-wide-symlinks-to-directories-12860.patch: fix a CVE-2017-2619
    regression which breaks symlinks to directories on certain systems
    (LP: #1701073)

 -- Andreas Hasenack <email address hidden> Fri, 30 Jun 2017 17:02:20 -0300

Changed in samba (Ubuntu Yakkety):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.5.8+dfsg-0ubuntu0.17.04.3

---------------
samba (2:4.5.8+dfsg-0ubuntu0.17.04.3) zesty-security; urgency=medium

  * d/p/non-wide-symlinks-to-directories-12860.patch: fix a CVE-2017-2619
    regression which breaks symlinks to directories on certain systems
    (LP: #1701073)

 -- Andreas Hasenack <email address hidden> Fri, 30 Jun 2017 17:02:20 -0300

Changed in samba (Ubuntu Zesty):
status: In Progress → Fix Released
Andreas Hasenack (ahasenack) wrote :

Reopening the artful task, since the fix isn't there.

Changed in samba (Ubuntu):
status: Fix Released → Confirmed
assignee: Marc Deslauriers (mdeslaur) → Andreas Hasenack (ahasenack)
status: Confirmed → In Progress
Changed in samba (Ubuntu):
assignee: Andreas Hasenack (ahasenack) → nobody
status: In Progress → Confirmed
Changed in samba (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.6.7+dfsg-1ubuntu1

---------------
samba (2:4.6.7+dfsg-1ubuntu1) artful; urgency=medium

  * Merge with Debian unstable (LP: #1710281).
    - Upstream version 4.6.7 fixes the CVE-2017-2619 regression with non-wide
      symlinks to directories (LP: #1701073)
  * Remaining changes:
    - debian/VERSION.patch: Update vendor string to "Ubuntu".
    - debian/smb.conf;
      + Add "(Samba, Ubuntu)" to server string.
      + Comment out the default [homes] share, and add a comment about
        "valid users = %s" to show users how to restrict access to
        \\server\username to only username.
    - debian/samba-common.config:
      + Do not change priority to high if dhclient3 is installed.
    - Add apport hook:
      + Created debian/source_samba.py.
      + debian/rules, debian/samba-common-bin.install: install hook.
    - Add extra DEP8 tests to samba (LP #1696823):
      + d/t/control: enable the new DEP8 tests
      + d/t/smbclient-anonymous-share-list: list available shares anonymously
      + d/t/smbclient-authenticated-share-list: list available shares using
        an authenticated connection
      + d/t/smbclient-share-access: create a share and download a file from it
      + d/t/cifs-share-access: access a file in a share using cifs
    - Ask the user if we can run testparm against the config file. If yes,
      include its stderr and exit status in the bug report. Otherwise, only
      include the exit status. (LP #1694334)
    - If systemctl is available, use it to query the status of the smbd
      service before trying to reload it. Otherwise, keep the same check
      as before and reload the service based on the existence of the
      initscript. (LP #1579597)
    - d/rules: Compile winbindd/winbindd statically.
    - Disable glusterfs support because it's not in main.
      MIR bug is https://launchpad.net/bugs/1274247

 -- Andreas Hasenack <email address hidden> Mon, 21 Aug 2017 17:27:08 -0300

Changed in samba (Ubuntu):
status: In Progress → Fix Released