The branch, v4-17-test has been updated
       via  d8fa74a176e smbd: Fix case normalization in for directories
       via  d7d81510c38 s3: smbd: Fix log spam. Change a normal error message from DBG_ERR (level 0) to DBG_INFO (level 5).
       via  72d3c4f6799 smbd: Prevent creation of vetoed files
       via  ad60260323c CI: add a test creating a vetoed file
       via  0fba21c1bfa dsdb/tests: Double number of expressions in large_ldap.py ldap_timeout test
       via  e9e902f7393 dsdb/tests: Move SD modification on class-created objects to classSetUp
      from  7fe8a7d710d s3: libcli: Refuse to connect to any server with zero values for max_trans_size, max_read_size, max_write_size.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-test

- Log -----------------------------------------------------------------
commit d8fa74a176ef6078075865479157b5560d0f66cf
Author: Volker Lendecke <v...@samba.org>
Date: Fri Feb 17 10:02:37 2023 +0100

    smbd: Fix case normalization in for directories

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15313
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

    Autobuild-User(master): Volker Lendecke <v...@samba.org>
    Autobuild-Date(master): Fri Feb 24 08:46:14 UTC 2023 on atb-devel-224

    (cherry picked from commit bf9130d375b6c401bb79fc1a0911975814759e3b)

    Autobuild-User(v4-17-test): Jule Anger <jan...@samba.org>
    Autobuild-Date(v4-17-test): Tue Apr 11 16:28:13 UTC 2023 on sn-devel-184

commit d7d81510c3855883ace3ce635a8797266a3c1ffe
Author: Jeremy Allison <j...@samba.org>
Date: Tue Feb 7 17:51:10 2023 -0800

    s3: smbd: Fix log spam. Change a normal error message from DBG_ERR (level 0) to DBG_INFO (level 5).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15302

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    Autobuild-User(master): Ralph Böhme <s...@samba.org>
    Autobuild-Date(master): Sat Feb 11 08:48:05 UTC 2023 on atb-devel-224

    (cherry picked from commit e8abe52df2d3ae533b3f874a885856f26ba5ec7e)

commit 72d3c4f6799ff8f300711a306c46439eb5acf674
Author: Ralph Boehme <s...@samba.org>
Date: Wed Apr 5 11:03:52 2023 +0200

    smbd: Prevent creation of vetoed files

    The problem is when checking for vetoed names on the last path component in
    openat_pathref_fsp_case_insensitive() we return
    NT_STATUS_OBJECT_NAME_NOT_FOUND. Then in the caller
    filename_convert_dirfsp_nosymlink() this is treated as the "file creation case"
    causing filename_convert_dirfsp_nosymlink() to return NT_STATUS_OK.

    In order to correctly distinguish between the cases

    1) file doesn't exist, we may be creating it, return
    2) a vetoed file

    we need 2) to return a more specific error to
    filename_convert_dirfsp_nosymlink(). I've chosen NT_STATUS_OBJECT_NAME_INVALID
    which gets mapped to the appropriate error NT_STATUS_OBJECT_PATH_NOT_FOUND or
    NT_STATUS_OBJECT_NAME_NOT_FOUND depending on which path component was vetoed.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Thu Apr 6 23:03:50 UTC 2023 on atb-devel-224

    (cherry picked from commit 8b23a4a7eca9b8f80cc4113bb8cf9bb7bd5b4807)

commit ad60260323c799a053729ed06dbdd85555d5c5c6
Author: Ralph Boehme <s...@samba.org>
Date: Wed Apr 5 11:32:09 2023 +0200

    CI: add a test creating a vetoed file

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 2e8954d5be3336f1c4c2cf033209f632ad84e712)

commit 0fba21c1bfab48382acacd502e03d478a26a64b1
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Apr 6 08:59:17 2023 +1200

    dsdb/tests: Double number of expressions in large_ldap.py ldap_timeout test

    By slowing the filter down more this makes the test reliable on the
    autobuild host. This is not a long-term solution, but is a quick
    tweak that can be done today to address current issues with getting
    commits past the host-based (compared with cloud-based) autobuild.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    (cherry picked from commit 479634e4cd6543d489eb4700aebde1a479b94fe5)

commit e9e902f7393ef4f4cb3f1cc69acde402c761c2d4
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Apr 6 08:54:02 2023 +1200

    dsdb/tests: Move SD modification on class-created objects to classSetUp

    These modifications persist, so should be done at the class level,
    not in the test.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    (cherry picked from commit e1c0c2066c2f29bb614e3386b796eec3cb289aea)

-----------------------------------------------------------------------

Summary of changes:
 source3/script/tests/test_veto_files.sh | 47 +++++++++++++++++++++++++++++++++
 source3/smbd/filename.c                 | 18 ++++++++++---
 source3/smbd/open.c                     |  2 +-
 source4/dsdb/tests/python/large_ldap.py | 20 +++++++-------
 4 files changed, 72 insertions(+), 15 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source3/script/tests/test_veto_files.sh b/source3/script/tests/test_veto_files.sh index 9f0526bd54c..5ecfb53b8a4 100755 --- a/source3/script/tests/test_veto_files.sh +++ b/source3/script/tests/test_veto_files.sh
@@ -84,6 +84,42 @@ EOF fi } +smbclient_create_expect_error() +{ + filename="$1.$$" + expected_error="$2" + tmpfile=$PREFIX/smbclient_interactive_prompt_commands + cat >"$tmpfile" <<EOF +put $tmpfile $filename +quit +EOF + + cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/veto_files -I$SERVER_IP < $tmpfile 2>&1' + eval echo "$cmd" + out=$(eval "$cmd") + ret=$? + rm -f "$tmpfile" + rm -f "$SHAREPATH/$filename" + + if [ $ret != 0 ]; then + printf "%s\n" "$out" + printf "failed accessing veto_files share with error %s\n" "$ret" + return 1 + fi + + if [ "$expected_error" = "NT_STATUS_OK" ]; then + printf "%s" "$out" | grep -c "NT_STATUS_" && false + else + printf "%s" "$out" | grep "$expected_error" + fi + ret=$? + if [ $ret != 0 ]; then + printf "%s\n" "$out" + printf "failed - should get %s doing \"put %s\"\n" "$expected_error" "$filename" + return 1 + fi +} + # # Using the share "[veto_files]" ensure we # cannot fetch a veto'd file or file in a veto'd directory. @@ -133,6 +169,16 @@ test_get_veto_file() return 0 } +test_create_veto_file() +{ + # Test creating files + smbclient_create_expect_error "veto_name_file" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 + smbclient_create_expect_error "veto_name_dir/file_inside_dir" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 + smbclient_create_expect_error "dir1/veto_name_file" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 + + return 0 +} + do_cleanup # Using hash2, veto_name_file\"mangle == VHXE5P~M @@ -194,6 +240,7 @@ touch "$SHAREPATH/dir1/dir2/dir3/veto_name_dir\"mangle/file_inside_dir" mkdir "$SHAREPATH/dir1/dir2/dir3/veto_name_dir\"mangle/testdir" touch "$SHAREPATH/dir1/dir2/dir3/veto_name_dir\"mangle/testdir/file_inside_dir" +testit "create_veto_file" test_create_veto_file || failed=$((failed + 1)) testit "get_veto_file" test_get_veto_file || failed=$(("$failed" + 1)) do_cleanup diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c index 326c2812bb2..84e790a24bc 100644 
--- a/source3/smbd/filename.c +++ b/source3/smbd/filename.c @@ -840,7 +840,7 @@ static NTSTATUS openat_pathref_fsp_case_insensitive( if (IS_VETO_PATH(dirfsp->conn, smb_fname_rel->base_name)) { DBG_DEBUG("veto files rejecting last component %s\n", smb_fname_str_dbg(smb_fname_rel)); - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + return NT_STATUS_NETWORK_OPEN_RESTRICTION; } status = openat_pathref_fsp(dirfsp, smb_fname_rel); @@ -906,7 +906,7 @@ static NTSTATUS openat_pathref_fsp_case_insensitive( DBG_DEBUG("veto files rejecting last component %s\n", smb_fname_str_dbg(smb_fname_rel)); TALLOC_FREE(cache_key.data); - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + return NT_STATUS_NETWORK_OPEN_RESTRICTION; } status = openat_pathref_fsp(dirfsp, smb_fname_rel); @@ -936,7 +936,7 @@ lookup: if (IS_VETO_PATH(dirfsp->conn, smb_fname_rel->base_name)) { DBG_DEBUG("veto files rejecting last component %s\n", smb_fname_str_dbg(smb_fname_rel)); - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + return NT_STATUS_NETWORK_OPEN_RESTRICTION; } status = openat_pathref_fsp(dirfsp, smb_fname_rel); @@ -1153,6 +1153,14 @@ static NTSTATUS filename_convert_dirfsp_nosymlink( char *substitute = NULL; size_t unparsed = 0; + status = normalize_filename_case(conn, dirname, ucf_flags); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("normalize_filename_case %s failed: %s\n", + dirname, + nt_errstr(status)); + goto fail; + } + status = openat_pathref_dirfsp_nosymlink( mem_ctx, conn, @@ -1341,6 +1349,10 @@ static NTSTATUS filename_convert_dirfsp_nosymlink( goto done; } + if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_OPEN_RESTRICTION)) { + /* A vetoed file, pretend it's not there */ + status = NT_STATUS_OBJECT_NAME_NOT_FOUND; + } if (!NT_STATUS_IS_OK(status)) { goto fail; } diff --git a/source3/smbd/open.c b/source3/smbd/open.c index c24c55d6a76..dbf4e40adf4 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c 
@@ -3389,7 +3389,7 @@ NTSTATUS smbd_calculate_access_mask_fsp(struct files_struct *dirfsp, rejected_share_access = access_mask & ~(fsp->conn->share_access); if (rejected_share_access) { - DBG_ERR("Access denied on file %s: " + DBG_INFO("Access denied on file %s: " "rejected by share access mask[0x%08X] " "orig[0x%08X] mapped[0x%08X] reject[0x%08X]\n", fsp_str_dbg(fsp), diff --git a/source4/dsdb/tests/python/large_ldap.py b/source4/dsdb/tests/python/large_ldap.py index 0da79da6f73..cd8176363b5 100644 --- a/source4/dsdb/tests/python/large_ldap.py +++ b/source4/dsdb/tests/python/large_ldap.py @@ -146,6 +146,14 @@ class LargeLDAPTest(samba.tests.TestCase): "sAMAccountName": user_name, "jpegPhoto": b'a' * (2 * 1024 * 1024)}) + ace = "(OD;;RP;{6bc69afa-7bd9-4184-88f5-28762137eb6a};;S-1-%d)" % x + dn = ldb.Dn(cls.ldb, "cn=" + user_name + "," + str(cls.ou_dn)) + + # add an ACE that denies access to the above random attr + # for a not-existing user. This makes each SD distinct + # and so will slow SD parsing. + cls.sd_utils.dacl_add_ace(dn, ace) + @classmethod def tearDownClass(cls): # Remake the connection for tear-down (old Samba drops the socket) @@ -290,19 +298,9 @@ class LargeLDAPTest(samba.tests.TestCase): session_info=system_session(lp), lp=lp) - for x in range(200): - user_name = self.USER_NAME + format(x, "03") - ace = "(OD;;RP;{6bc69afa-7bd9-4184-88f5-28762137eb6a};;S-1-%d)" % x - dn = ldb.Dn(self.ldb, "cn=" + user_name + "," + str(self.ou_dn)) - - # add an ACE that denies access to the above random attr - # for a not-existing user. This makes each SD distinct - # and so will slow SD parsing. - self.sd_utils.dacl_add_ace(dn, ace) - # Create a large search expression that will take a long time to # evaluate. - expression = f'(jpegPhoto=*X*)' * 1000 + expression = '(jpegPhoto=*X*)' * 2000 expression = f'(|{expression})' # Perform the LDAP search. -- Samba Shared Repository
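
Review bot: In smbclient_create_expect_error() (source3/script/tests/test_veto_files.sh), the NT_STATUS_OK branch can never succeed: `grep -c "NT_STATUS_" && false` leaves a non-zero status both when grep matches (the `false` runs) and when it does not (grep itself exits 1), so `ret` is always non-zero there. No caller in this patch passes NT_STATUS_OK, so the defect is latent, but a negated pipeline such as `! printf "%s" "$out" | grep -q "NT_STATUS_"` would give the intended result.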
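
Review bot: The three `return NT_STATUS_NETWORK_OPEN_RESTRICTION;` sites in openat_pathref_fsp_case_insensitive() (source3/smbd/filename.c) do not match the commit message, which says NT_STATUS_OBJECT_NAME_INVALID was chosen. Please align the message with the code, and add a short comment at the return sites saying the status is an internal marker for a vetoed last component that filename_convert_dirfsp_nosymlink() translates afterwards.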
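
Review bot: In the hunk at the top of filename_convert_dirfsp_nosymlink() (source3/smbd/filename.c, @@ -1153), the new normalize_filename_case() failure path logs with DBG_ERR and prints `dirname`. If that call can fail because of a name supplied by the client rather than only on internal errors, every such request writes a level 0 line, which is the kind of log noise another commit in this push removes from open.c. Worth confirming which failures are possible here and lowering the level if a client can trigger them.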
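
Review bot: In the later filename_convert_dirfsp_nosymlink() hunk (source3/smbd/filename.c, @@ -1341), the comment `/* A vetoed file, pretend it's not there */` does not explain why the translation to NT_STATUS_OBJECT_NAME_NOT_FOUND has to sit after the block ending in `goto done;`. The placement is the fix, since per the commit message a plain NT_STATUS_OBJECT_NAME_NOT_FOUND from the lookup is treated as the file creation case; saying so in the comment would stop a later cleanup from moving the mapping and reopening bug 15143.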
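
Review bot: Changing the share access mask rejection in smbd_calculate_access_mask_fsp() (source3/smbd/open.c) from DBG_ERR to DBG_INFO means the "Access denied on file" line is only written at log level 5 or higher. The commit message describes this as a normal error, which is fair, but anyone reviewing smbd logs for denied access loses the line at lower levels; a sentence in the commit message or release notes stating that would help operators adjust.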
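
Review bot: In the search test hunk of source4/dsdb/tests/python/large_ldap.py (@@ -290), `'(jpegPhoto=*X*)' * 2000` is a tuning value picked for the autobuild host, and the commit message itself calls it a quick tweak rather than a long-term solution. A comment beside the multiplier referencing bug 15351 and stating that it only needs to make the filter slow enough for the ldap_timeout test would keep the next adjustment from being guesswork.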