ACCESS_DENIED with symlinks within a root ("/") share

Bug #1702529 reported by Dave Kettmann on 2017-07-05
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
samba
Unknown
Unknown
samba (Ubuntu)
Medium
Dariusz Gadomski
Trusty
Medium
Dariusz Gadomski
Xenial
Medium
Dariusz Gadomski
Zesty
Medium
Dariusz Gadomski

Bug Description

[Impact]

 * In case of accessing directories chdir to it directly instead of its parent directory. This changes how dir symlinks are handled in root shares and leads to avoiding the ACCESS_DENIED ISSUE.

[Test Case]

 1. Prepare smb server with a share:
[rootshare]
   guest ok = yes
   path = /
   wide links = no
   follow symlinks = yes
 2. On the server:
mkdir -p /srv/dir
ln -s /srv/dir /srv/symdir.
 3. Connect from a client:
smbclient -m smb3 //server/rootshare -c "cd srv\symdir; dir"

[Regression Potential]

 * When accessing broken symlinks share's base directory is accessed. This however seems to be consistent with a pre-fix behavior.

 * One autopkgtest failure has been found, nothing related to samba so another bug has been reported (LP: #1713098) against gvfs DEP8 test.

For more details:
   - https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1702529/comments/18

[Other Info]

This fix is included in Samba 4.6.7 release so Artful and Debian both have it already.

Original bug description:

See Samba bug: https://bugzilla.samba.org/show_bug.cgi?id=12873 for more information and test case. Also view LP bug: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1701073 for more information.

CVE References

Dave Kettmann (dkettman) wrote :

From Samba bug:

I know this is an unusual scenario: sharing the entire filesytem ("/"). But it was working with 4.3.8, and broke sometime after, perhaps with the CVE-2017-2619 fixes since this involves symlinks and there were a few regressions with that particular CVE.

For the test I used 4.6.5 with the patch for bug #12860.

This is the smb.conf:
[global]
    server string = %h server (Samba, Ubuntu)
    netbios name = xenial
    server role = standalone server
    map to guest = Bad User
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    dns proxy = No
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap config * : backend = tdb

[rootfs]
    path = /
    follow symlinks = yes
    wide links = no
    read only = no
    guest ok = no
    browseable = yes

/opt has this:
root@xenial-samba-rootfs:~# ls -lah /opt
total 5.0K
drwxr-xr-x 3 root root 6 Jul 3 20:01 .
drwxr-xr-x 22 root root 22 Jun 19 23:52 ..
-rw-r--r-- 1 root root 6 Jul 3 20:01 file.txt
lrwxrwxrwx 1 root root 16 Jul 3 20:01 symlink-to-directory -> target-directory
lrwxrwxrwx 1 root root 8 Jul 3 20:01 symlink-to-file -> file.txt
drwxr-xr-x 2 root root 2 Jul 3 20:01 target-directory

This worked with 4.3.8 without the CVE-2017-2619 patch:
root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "dir /opt/symlink-to-directory/*"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
  . D 0 Mon Jul 3 20:01:36 2017
  .. D 0 Mon Jul 3 20:01:49 2017

        244825344 blocks of size 1024. 244392448 blocks available

root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "get \opt\symlink-to-file"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
getting file \opt\symlink-to-file of size 6 as \opt\symlink-to-file (5.9 KiloBytes/sec) (average 5.9 KiloBytes/sec)

But it fails with 4.3.11 + CVE patches, and also 4.6.5 with the patch for bug #12860:

root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "dir /opt/symlink-to-directory/*"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
NT_STATUS_ACCESS_DENIED listing \opt\symlink-to-directory\*

root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "get \opt\symlink-to-file"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
NT_STATUS_ACCESS_DENIED opening remote file \opt\symlink-to-file

Changed in samba (Ubuntu):
status: New → Confirmed
Changed in samba (Ubuntu):
importance: Undecided → Medium
assignee: nobody → Dariusz Gadomski (dgadomski)
status: Confirmed → In Progress
Dariusz Gadomski (dgadomski) wrote :

Looks like this has been fixed as a side effect of https://git.samba.org/?p=samba.git;a=commit;h=b886a9443d49f6e27fa3863d87c9e24d12e62874

So I'll abandon my patch and use the one from upstream.

Artful is not affected - 4.6.7 has the patch already.
Tested it successfully for Trusty, Xenial and Zesty. Debdiffs are being prepared.

description: updated
Dariusz Gadomski (dgadomski) wrote :

SRU proposal for Trusty.

Dariusz Gadomski (dgadomski) wrote :

SRU proposal for Xenial.

Dariusz Gadomski (dgadomski) wrote :

SRU proposal for Zesty.

tags: added: sts sts-sru-needed
description: updated
Eric Desrochers (slashd) on 2017-08-23
Changed in samba (Ubuntu Trusty):
importance: Undecided → Medium
Changed in samba (Ubuntu Xenial):
importance: Undecided → Medium
Changed in samba (Ubuntu Zesty):
importance: Undecided → Medium
Changed in samba (Ubuntu Trusty):
assignee: nobody → Dariusz Gadomski (dgadomski)
Changed in samba (Ubuntu Xenial):
assignee: nobody → Dariusz Gadomski (dgadomski)
Changed in samba (Ubuntu Zesty):
assignee: nobody → Dariusz Gadomski (dgadomski)
Changed in samba (Ubuntu Trusty):
status: New → In Progress
Changed in samba (Ubuntu Xenial):
status: New → In Progress
Changed in samba (Ubuntu Zesty):
status: New → In Progress
Changed in samba (Ubuntu):
status: In Progress → Fix Released
description: updated
Eric Desrochers (slashd) wrote :

Sponsored for Zesty, Xenial and Trusty.

tags: added: sts-sponsor-done

Hello Dave, or anyone else affected,

Accepted samba into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.5.8+dfsg-0ubuntu0.17.04.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in samba (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-zesty
Brian Murray (brian-murray) wrote :

Hello Dave, or anyone else affected,

Accepted samba into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in samba (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Brian Murray (brian-murray) wrote :

Hello Dave, or anyone else affected,

Accepted samba into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.14.04.11 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in samba (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed-trusty
Eric Desrochers (slashd) wrote :

There is some regressions found in samba for Xenial as follow:
(see pending sru page[1] for more details (buildlog, etc ...)

*Regression in autopkgtest for gvfs (ppc64el): test log

This one seems to be related to a timeout, I just restarted the test a few minutes ago, let's see the outcome for the 2nd run.

*Regression in autopkgtest for gvfs (amd64): test log

I also restarted this one just in case .... but it will need investigation if fails again.... at first glance it seems like the last successful autokpkgtest for this particular test was with "samba/2:4.3.11+dfsg-0ubuntu0.16.04.2" last year (2016-11-10 ). Since then the package received a series of SECURITY fixes via "xenial-security" channel which doesn't seem to have been tested in the autopkgtest infra until now. Meaning that the regression found may or may not be related to this current SRU but from a previous SECURITY fix, note that this could also be a false positive. This is why it will require investigation if the 2nd run fails again.

[1] - https://people.canonical.com/~ubuntu-archive/pending-sru.html

- Eric

Eric Desrochers (slashd) wrote :

Additionally, Note that Trusty and Zesty report no autopkgtest failure in the pending SRU page.

Only Xenial does.

- Eric

Andreas Hasenack (ahasenack) wrote :

I've seen the gvfs test failures before in artful. The ones that are failing are related to ftp, not samba, as far as I can tell:

ftp:// anonymous (API with flag) ... FAIL
ftp:// authenticated (API) ... FAIL
ftp:// authenticated (CLI) ... FAIL

They passed in a subsequent run triggered via the UI in the excuses page.

Eric Desrochers (slashd) wrote :

The 2nd run of "gvfs [xenial/ppc64el]" passed but "gvfs [xenial/amd64]" still fails as follow :

FAILED (failures=3, errors=1)
=== command failed, showing Samba log files ===
--- /var/log/samba/log.nmbd ---
[2017/08/25 13:53:56.757205, 0] ../lib/util/become_daemon.c:135(daemon_status)
  STATUS=daemon 'nmbd' : No local IPv4 non-loopback interfaces available, waiting for interface ...NOTE: NetBIOS name resolution is not supported for Internet Protocol Version 6 (IPv6).
--- /var/log/samba/log.smbd ---
[2017/08/25 13:53:56.815267, 0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'smbd' finished starting up and ready to serve connections
autopkgtest [13:54:38]: test integration: -----------------------]
autopkgtest [13:54:38]: test integration: - - - - - - - - - - results - - - - - - - - - -
integration FAIL non-zero exit status 1
autopkgtest [13:54:39]: @@@@@@@@@@@@@@@@@@@@ summary
integration FAIL non-zero exit status 1
Exit request sent.
Creating nova instance adt-xenial-amd64-gvfs-20170825-134910 from image ubuntu/ubuntu-xenial-daily-amd64-server-20170822-disk1.img (UUID bbd67b9f-5714-41ab-8072-a4dfc1ad85d5)...

Andreas Hasenack (ahasenack) wrote :

Do you have a link for this last failure?

Eric Desrochers (slashd) wrote :

Andreas,

Right I also notice the same failure :

ftp:// anonymous (API with flag) ... FAIL
ftp:// anonymous (CLI with option) ... Error mounting location: Location is already mounted
ERROR
ftp:// authenticated (API) ... FAIL
ftp:// authenticated (CLI) ... FAIL

So it's just a matter of re-running the test until it succeed ? (even if ran 2 time already ? )

- Eric

Dariusz Gadomski (dgadomski) wrote :

I have just retried the gvfs autopkgtests locally and all tests pass there (log attached).

What I run was:
autopkgtest -l autopkgtests.log --apt-pocket=proposed -U gvfs_1.28.2-1ubuntu1~16.04.2.dsc -- qemu adt-xenial-amd64-cloud.img

It may be something related to the autopkgtest infrastructure.

Andreas Hasenack (ahasenack) wrote :

I don't see a samba failure there, just those ftp errors. I think it showed the samba logs "just because", trying to help.

Those gvfs dep8 tests need a careful look. I filed https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1713098 about that

Eric Desrochers (slashd) on 2017-08-25
description: updated
Dariusz Gadomski (dgadomski) wrote :

I have verified the following version of samba this morning:
- Trusty: 4.3.11+dfsg-0ubuntu0.14.04.11
- Xenial: 4.3.11+dfsg-0ubuntu0.16.04.10
- Zesty: 4.5.8+dfsg-0ubuntu0.17.04.6

I run it in a testing environment that was originally used to reproduce this issue. On all 3 the issue is gone.

tags: added: verification-done verification-done-trusty verification-done-xenial verification-done-zesty
removed: verification-needed verification-needed-trusty verification-needed-xenial verification-needed-zesty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.14.04.11

---------------
samba (2:4.3.11+dfsg-0ubuntu0.14.04.11) trusty; urgency=medium

  * d/p/bug_1702529_EACCESS_with_rootshare.patch:
    Handle corner case for / shares. (LP: #1702529)

 -- Dariusz Gadomski <email address hidden> Wed, 23 Aug 2017 11:36:59 +0200

Changed in samba (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for samba has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.16.04.10

---------------
samba (2:4.3.11+dfsg-0ubuntu0.16.04.10) xenial; urgency=medium

  * d/p/bug_1702529_EACCESS_with_rootshare.patch:
    Handle corner case for / shares. (LP: #1702529)

 -- Dariusz Gadomski <email address hidden> Wed, 23 Aug 2017 11:43:46 +0200

Changed in samba (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.5.8+dfsg-0ubuntu0.17.04.6

---------------
samba (2:4.5.8+dfsg-0ubuntu0.17.04.6) zesty; urgency=medium

  * d/p/bug_1702529_EACCESS_with_rootshare.patch:
    Handle corner case for / shares. (LP: #1702529)

 -- Dariusz Gadomski <email address hidden> Wed, 23 Aug 2017 11:50:15 +0200

Changed in samba (Ubuntu Zesty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.