ACCESS_DENIED with symlinks within a root ("/") share

From Samba bug:

I know this is an unusual scenario: sharing the entire filesytem ("/"). But it was working with 4.3.8, and broke sometime after, perhaps with the CVE-2017-2619 fixes since this involves symlinks and there were a few regressions with that particular CVE.

For the test I used 4.6.5 with the patch for bug #12860.

This is the smb.conf:
[global]
    server string = %h server (Samba, Ubuntu)
    netbios name = xenial
    server role = standalone server
    map to guest = Bad User
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    dns proxy = No
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap config * : backend = tdb

[rootfs]
    path = /
    follow symlinks = yes
    wide links = no
    read only = no
    guest ok = no
    browseable = yes

/opt has this:
root@xenial-samba-rootfs:~# ls -lah /opt
total 5.0K
drwxr-xr-x 3 root root 6 Jul 3 20:01 .
drwxr-xr-x 22 root root 22 Jun 19 23:52 ..
-rw-r--r-- 1 root root 6 Jul 3 20:01 file.txt
lrwxrwxrwx 1 root root 16 Jul 3 20:01 symlink-to-directory -> target-directory
lrwxrwxrwx 1 root root 8 Jul 3 20:01 symlink-to-file -> file.txt
drwxr-xr-x 2 root root 2 Jul 3 20:01 target-directory

This worked with 4.3.8 without the CVE-2017-2619 patch:
root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "dir /opt/symlink-to-directory/*"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
  . D 0 Mon Jul 3 20:01:36 2017
  .. D 0 Mon Jul 3 20:01:49 2017

        244825344 blocks of size 1024. 244392448 blocks available

root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "get \opt\symlink-to-file"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
getting file \opt\symlink-to-file of size 6 as \opt\symlink-to-file (5.9 KiloBytes/sec) (average 5.9 KiloBytes/sec)

But it fails with 4.3.11 + CVE patches, and also 4.6.5 with the patch for bug #12860:

root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "dir /opt/symlink-to-directory/*"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
NT_STATUS_ACCESS_DENIED listing \opt\symlink-to-directory\*

root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "get \opt\symlink-to-file"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
NT_STATUS_ACCESS_DENIED opening remote file \opt\symlink-to-file

Looks like this has been fixed as a side effect of https://git.samba.org/?p=samba.git;a=commit;h=b886a9443d49f6e27fa3863d87c9e24d12e62874

So I'll abandon my patch and use the one from upstream.

Artful is not affected - 4.6.7 has the patch already.
Tested it successfully for Trusty, Xenial and Zesty. Debdiffs are being prepared.

SRU proposal for Trusty.

SRU proposal for Xenial.

SRU proposal for Zesty.

Sponsored for Zesty, Xenial and Trusty.

Hello Dave, or anyone else affected,

Accepted samba into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.5.8+dfsg-0ubuntu0.17.04.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Dave, or anyone else affected,

Accepted samba into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Dave, or anyone else affected,

Accepted samba into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.14.04.11 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

There is some regressions found in samba for Xenial as follow:
(see pending sru page[1] for more details (buildlog, etc ...)

*Regression in autopkgtest for gvfs (ppc64el): test log

This one seems to be related to a timeout, I just restarted the test a few minutes ago, let's see the outcome for the 2nd run.

*Regression in autopkgtest for gvfs (amd64): test log

I also restarted this one just in case .... but it will need investigation if fails again.... at first glance it seems like the last successful autokpkgtest for this particular test was with "samba/2:4.3.11+dfsg-0ubuntu0.16.04.2" last year (2016-11-10 ). Since then the package received a series of SECURITY fixes via "xenial-security" channel which doesn't seem to have been tested in the autopkgtest infra until now. Meaning that the regression found may or may not be related to this current SRU but from a previous SECURITY fix, note that this could also be a false positive. This is why it will require investigation if the 2nd run fails again.

[1] - https://people.canonical.com/~ubuntu-archive/pending-sru.html

- Eric

Additionally, Note that Trusty and Zesty report no autopkgtest failure in the pending SRU page.

Only Xenial does.

- Eric

I've seen the gvfs test failures before in artful. The ones that are failing are related to ftp, not samba, as far as I can tell:

ftp:// anonymous (API with flag) ... FAIL
ftp:// authenticated (API) ... FAIL
ftp:// authenticated (CLI) ... FAIL

They passed in a subsequent run triggered via the UI in the excuses page.

The 2nd run of "gvfs [xenial/ppc64el]" passed but "gvfs [xenial/amd64]" still fails as follow :

FAILED (failures=3, errors=1)
=== command failed, showing Samba log files ===
--- /var/log/samba/log.nmbd ---
[2017/08/25 13:53:56.757205, 0] ../lib/util/become_daemon.c:135(daemon_status)
  STATUS=daemon 'nmbd' : No local IPv4 non-loopback interfaces available, waiting for interface ...NOTE: NetBIOS name resolution is not supported for Internet Protocol Version 6 (IPv6).
--- /var/log/samba/log.smbd ---
[2017/08/25 13:53:56.815267, 0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'smbd' finished starting up and ready to serve connections
autopkgtest [13:54:38]: test integration: -----------------------]
autopkgtest [13:54:38]: test integration: - - - - - - - - - - results - - - - - - - - - -
integration FAIL non-zero exit status 1
autopkgtest [13:54:39]: @@@@@@@@@@@@@@@@@@@@ summary
integration FAIL non-zero exit status 1
Exit request sent.
Creating nova instance adt-xenial-amd64-gvfs-20170825-134910 from image ubuntu/ubuntu-xenial-daily-amd64-server-20170822-disk1.img (UUID bbd67b9f-5714-41ab-8072-a4dfc1ad85d5)...

Do you have a link for this last failure?

Andreas,

Right I also notice the same failure :

ftp:// anonymous (API with flag) ... FAIL
ftp:// anonymous (CLI with option) ... Error mounting location: Location is already mounted
ERROR
ftp:// authenticated (API) ... FAIL
ftp:// authenticated (CLI) ... FAIL

So it's just a matter of re-running the test until it succeed ? (even if ran 2 time already ? )

- Eric

yes, I do have a link (buildlog) :

https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/amd64/g/gvfs/20170825_135452_c32a9@/log.gz

I have just retried the gvfs autopkgtests locally and all tests pass there (log attached).

What I run was:
autopkgtest -l autopkgtests.log --apt-pocket=proposed -U gvfs_1.28.2-1ubuntu1~16.04.2.dsc -- qemu adt-xenial-amd64-cloud.img

It may be something related to the autopkgtest infrastructure.

I don't see a samba failure there, just those ftp errors. I think it showed the samba logs "just because", trying to help.

Those gvfs dep8 tests need a careful look. I filed https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1713098 about that

I have verified the following version of samba this morning:
- Trusty: 4.3.11+dfsg-0ubuntu0.14.04.11
- Xenial: 4.3.11+dfsg-0ubuntu0.16.04.10
- Zesty: 4.5.8+dfsg-0ubuntu0.17.04.6

I run it in a testing environment that was originally used to reproduce this issue. On all 3 the issue is gone.

This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.14.04.11

---------------
samba (2:4.3.11+dfsg-0ubuntu0.14.04.11) trusty; urgency=medium

  * d/p/bug_1702529_EACCESS_with_rootshare.patch:
    Handle corner case for / shares. (LP: #1702529)

 -- Dariusz Gadomski <email address hidden> Wed, 23 Aug 2017 11:36:59 +0200

The verification of the Stable Release Update for samba has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.16.04.10

---------------
samba (2:4.3.11+dfsg-0ubuntu0.16.04.10) xenial; urgency=medium

  * d/p/bug_1702529_EACCESS_with_rootshare.patch:
    Handle corner case for / shares. (LP: #1702529)

 -- Dariusz Gadomski <email address hidden> Wed, 23 Aug 2017 11:43:46 +0200

This bug was fixed in the package samba - 2:4.5.8+dfsg-0ubuntu0.17.04.6

---------------
samba (2:4.5.8+dfsg-0ubuntu0.17.04.6) zesty; urgency=medium

  * d/p/bug_1702529_EACCESS_with_rootshare.patch:
    Handle corner case for / shares. (LP: #1702529)

 -- Dariusz Gadomski <email address hidden> Wed, 23 Aug 2017 11:50:15 +0200