The branch, v4-17-test has been updated
via d8fa74a176e smbd: Fix case normalization in for directories
via d7d81510c38 s3: smbd: Fix log spam. Change a normal error message
from DBG_ERR (level 0) to DBG_INFO (level 5).
via 72d3c4f6799 smbd: Prevent creation of vetoed files
via ad60260323c CI: add a test creating a vetoed file
via 0fba21c1bfa dsdb/tests: Double number of expressions in
large_ldap.py ldap_timeout test
via e9e902f7393 dsdb/tests: Move SD modification on class-created
objects to classSetUp
from 7fe8a7d710d s3: libcli: Refuse to connect to any server with zero
values for max_trans_size, max_read_size, max_write_size.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-test
- Log -----------------------------------------------------------------
commit d8fa74a176ef6078075865479157b5560d0f66cf
Author: Volker Lendecke <v...@samba.org>
Date: Fri Feb 17 10:02:37 2023 +0100
smbd: Fix case normalization in for directories
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15313
Signed-off-by: Volker Lendecke <v...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Autobuild-User(master): Volker Lendecke <v...@samba.org>
Autobuild-Date(master): Fri Feb 24 08:46:14 UTC 2023 on atb-devel-224
(cherry picked from commit bf9130d375b6c401bb79fc1a0911975814759e3b)
Autobuild-User(v4-17-test): Jule Anger <jan...@samba.org>
Autobuild-Date(v4-17-test): Tue Apr 11 16:28:13 UTC 2023 on sn-devel-184
commit d7d81510c3855883ace3ce635a8797266a3c1ffe
Author: Jeremy Allison <j...@samba.org>
Date: Tue Feb 7 17:51:10 2023 -0800
s3: smbd: Fix log spam. Change a normal error message from DBG_ERR (level
0) to DBG_INFO (level 5).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15302
Signed-off-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Autobuild-User(master): Ralph Böhme <s...@samba.org>
Autobuild-Date(master): Sat Feb 11 08:48:05 UTC 2023 on atb-devel-224
(cherry picked from commit e8abe52df2d3ae533b3f874a885856f26ba5ec7e)
commit 72d3c4f6799ff8f300711a306c46439eb5acf674
Author: Ralph Boehme <s...@samba.org>
Date: Wed Apr 5 11:03:52 2023 +0200
smbd: Prevent creation of vetoed files
The problem is when checking for vetoed names on the last path component in
openat_pathref_fsp_case_insensitive() we return
NT_STATUS_OBJECT_NAME_NOT_FOUND. The in the caller
filename_convert_dirfsp_nosymlink() this is treated as the "file creation
case"
causing filename_convert_dirfsp_nosymlink() to return NT_STATUS_OK.
In order to correctly distinguish between the cases
1) file doesn't exist, we may be creating it, return
2) a vetoed a file
we need 2) to return a more specific error to
filename_convert_dirfsp_nosymlink(). I've chosen
NT_STATUS_OBJECT_NAME_INVALID
which gets mapped to the appropriate errror NT_STATUS_OBJECT_PATH_NOT_FOUND
or
NT_STATUS_OBJECT_NAME_NOT_FOUND depending on which path component was
vetoed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Autobuild-User(master): Jeremy Allison <j...@samba.org>
Autobuild-Date(master): Thu Apr 6 23:03:50 UTC 2023 on atb-devel-224
(cherry picked from commit 8b23a4a7eca9b8f80cc4113bb8cf9bb7bd5b4807)
commit ad60260323c799a053729ed06dbdd85555d5c5c6
Author: Ralph Boehme <s...@samba.org>
Date: Wed Apr 5 11:32:09 2023 +0200
CI: add a test creating a vetoed file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
(cherry picked from commit 2e8954d5be3336f1c4c2cf033209f632ad84e712)
commit 0fba21c1bfab48382acacd502e03d478a26a64b1
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Apr 6 08:59:17 2023 +1200
dsdb/tests: Double number of expressions in large_ldap.py ldap_timeout test
By slowing the filter down more this makes the test reliable on the
autobuild host.
This is not a long-term solution, but is a quick tweak that can be done
today to address current issues with getting commits past the host-based
(compared with cloud-based) autobuild.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
(cherry picked from commit 479634e4cd6543d489eb4700aebde1a479b94fe5)
commit e9e902f7393ef4f4cb3f1cc69acde402c761c2d4
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Apr 6 08:54:02 2023 +1200
dsdb/tests: Move SD modification on class-created objects to classSetUp
These modifications persist, so should be done at the class level,
not in the test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
(cherry picked from commit e1c0c2066c2f29bb614e3386b796eec3cb289aea)
-----------------------------------------------------------------------
Summary of changes:
source3/script/tests/test_veto_files.sh | 47 +++++++++++++++++++++++++++++++++
source3/smbd/filename.c | 18 ++++++++++---
source3/smbd/open.c | 2 +-
source4/dsdb/tests/python/large_ldap.py | 20 +++++++-------
4 files changed, 72 insertions(+), 15 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/script/tests/test_veto_files.sh
b/source3/script/tests/test_veto_files.sh
index 9f0526bd54c..5ecfb53b8a4 100755
--- a/source3/script/tests/test_veto_files.sh
+++ b/source3/script/tests/test_veto_files.sh
@@ -84,6 +84,42 @@ EOF
fi
}
+smbclient_create_expect_error()
+{
+ filename="$1.$$"
+ expected_error="$2"
+ tmpfile=$PREFIX/smbclient_interactive_prompt_commands
+ cat >"$tmpfile" <<EOF
+put $tmpfile $filename
+quit
+EOF
+
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT -U$USERNAME%$PASSWORD
//$SERVER/veto_files -I$SERVER_IP < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=$(eval "$cmd")
+ ret=$?
+ rm -f "$tmpfile"
+ rm -f "$SHAREPATH/$filename"
+
+ if [ $ret != 0 ]; then
+ printf "%s\n" "$out"
+ printf "failed accessing veto_files share with error %s\n"
"$ret"
+ return 1
+ fi
+
+ if [ "$expected_error" = "NT_STATUS_OK" ]; then
+ printf "%s" "$out" | grep -c "NT_STATUS_" && false
+ else
+ printf "%s" "$out" | grep "$expected_error"
+ fi
+ ret=$?
+ if [ $ret != 0 ]; then
+ printf "%s\n" "$out"
+ printf "failed - should get %s doing \"put %s\"\n"
"$expected_error" "$filename"
+ return 1
+ fi
+}
+
#
# Using the share "[veto_files]" ensure we
# cannot fetch a veto'd file or file in a veto'd directory.
@@ -133,6 +169,16 @@ test_get_veto_file()
return 0
}
+test_create_veto_file()
+{
+ # Test creating files
+ smbclient_create_expect_error "veto_name_file"
"NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1
+ smbclient_create_expect_error "veto_name_dir/file_inside_dir"
"NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1
+ smbclient_create_expect_error "dir1/veto_name_file"
"NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1
+
+ return 0
+}
+
do_cleanup
# Using hash2, veto_name_file\"mangle == VHXE5P~M
@@ -194,6 +240,7 @@ touch
"$SHAREPATH/dir1/dir2/dir3/veto_name_dir\"mangle/file_inside_dir"
mkdir "$SHAREPATH/dir1/dir2/dir3/veto_name_dir\"mangle/testdir"
touch "$SHAREPATH/dir1/dir2/dir3/veto_name_dir\"mangle/testdir/file_inside_dir"
+testit "create_veto_file" test_create_veto_file || failed=$((failed + 1))
testit "get_veto_file" test_get_veto_file || failed=$(("$failed" + 1))
do_cleanup
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index 326c2812bb2..84e790a24bc 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -840,7 +840,7 @@ static NTSTATUS openat_pathref_fsp_case_insensitive(
if (IS_VETO_PATH(dirfsp->conn, smb_fname_rel->base_name)) {
DBG_DEBUG("veto files rejecting last component %s\n",
smb_fname_str_dbg(smb_fname_rel));
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ return NT_STATUS_NETWORK_OPEN_RESTRICTION;
}
status = openat_pathref_fsp(dirfsp, smb_fname_rel);
@@ -906,7 +906,7 @@ static NTSTATUS openat_pathref_fsp_case_insensitive(
DBG_DEBUG("veto files rejecting last component %s\n",
smb_fname_str_dbg(smb_fname_rel));
TALLOC_FREE(cache_key.data);
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ return NT_STATUS_NETWORK_OPEN_RESTRICTION;
}
status = openat_pathref_fsp(dirfsp, smb_fname_rel);
@@ -936,7 +936,7 @@ lookup:
if (IS_VETO_PATH(dirfsp->conn, smb_fname_rel->base_name)) {
DBG_DEBUG("veto files rejecting last component %s\n",
smb_fname_str_dbg(smb_fname_rel));
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ return NT_STATUS_NETWORK_OPEN_RESTRICTION;
}
status = openat_pathref_fsp(dirfsp, smb_fname_rel);
@@ -1153,6 +1153,14 @@ static NTSTATUS filename_convert_dirfsp_nosymlink(
char *substitute = NULL;
size_t unparsed = 0;
+ status = normalize_filename_case(conn, dirname, ucf_flags);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("normalize_filename_case %s failed: %s\n",
+ dirname,
+ nt_errstr(status));
+ goto fail;
+ }
+
status = openat_pathref_dirfsp_nosymlink(
mem_ctx,
conn,
@@ -1341,6 +1349,10 @@ static NTSTATUS filename_convert_dirfsp_nosymlink(
goto done;
}
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_OPEN_RESTRICTION)) {
+ /* A vetoed file, pretend it's not there */
+ status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
if (!NT_STATUS_IS_OK(status)) {
goto fail;
}
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index c24c55d6a76..dbf4e40adf4 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3389,7 +3389,7 @@ NTSTATUS smbd_calculate_access_mask_fsp(struct
files_struct *dirfsp,
rejected_share_access = access_mask & ~(fsp->conn->share_access);
if (rejected_share_access) {
- DBG_ERR("Access denied on file %s: "
+ DBG_INFO("Access denied on file %s: "
"rejected by share access mask[0x%08X] "
"orig[0x%08X] mapped[0x%08X] reject[0x%08X]\n",
fsp_str_dbg(fsp),
diff --git a/source4/dsdb/tests/python/large_ldap.py
b/source4/dsdb/tests/python/large_ldap.py
index 0da79da6f73..cd8176363b5 100644
--- a/source4/dsdb/tests/python/large_ldap.py
+++ b/source4/dsdb/tests/python/large_ldap.py
@@ -146,6 +146,14 @@ class LargeLDAPTest(samba.tests.TestCase):
"sAMAccountName": user_name,
"jpegPhoto": b'a' * (2 * 1024 * 1024)})
+ ace = "(OD;;RP;{6bc69afa-7bd9-4184-88f5-28762137eb6a};;S-1-%d)" % x
+ dn = ldb.Dn(cls.ldb, "cn=" + user_name + "," + str(cls.ou_dn))
+
+ # add an ACE that denies access to the above random attr
+ # for a not-existing user. This makes each SD distinct
+ # and so will slow SD parsing.
+ cls.sd_utils.dacl_add_ace(dn, ace)
+
@classmethod
def tearDownClass(cls):
# Remake the connection for tear-down (old Samba drops the socket)
@@ -290,19 +298,9 @@ class LargeLDAPTest(samba.tests.TestCase):
session_info=system_session(lp),
lp=lp)
- for x in range(200):
- user_name = self.USER_NAME + format(x, "03")
- ace = "(OD;;RP;{6bc69afa-7bd9-4184-88f5-28762137eb6a};;S-1-%d)" % x
- dn = ldb.Dn(self.ldb, "cn=" + user_name + "," + str(self.ou_dn))
-
- # add an ACE that denies access to the above random attr
- # for a not-existing user. This makes each SD distinct
- # and so will slow SD parsing.
- self.sd_utils.dacl_add_ace(dn, ace)
-
# Create a large search expression that will take a long time to
# evaluate.
- expression = f'(jpegPhoto=*X*)' * 1000
+ expression = '(jpegPhoto=*X*)' * 2000
expression = f'(|{expression})'
# Perform the LDAP search.
--
Samba Shared Repository
