The branch, v4-18-test has been updated
       via  31d4b337cb7 smbd: Fix case normalization in for directories
       via  da3531910d7 tests: Show that the case sensitive large dir optimization is broken
       via  9af15e1737f tests: Move libsmb-basic to fileserver_smb1 environment
       via  188d598c1d8 s3: smbd: Fix log spam. Change a normal error message from DBG_ERR (level 0) to DBG_INFO (level 5).
       via  d477f6fa70a smbd: Prevent creation of vetoed files
       via  c3582deb5a0 CI: add a test creating a vetoed file
      from  dea4cb70045 dsdb/tests: Double number of expressions in large_ldap.py ldap_timeout test

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test


- Log -----------------------------------------------------------------
commit 31d4b337cb70203eac3032838a78c9c6ef48bf6e
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Feb 17 10:02:37 2023 +0100

    smbd: Fix case normalization in for directories
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15313
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    
    Autobuild-User(master): Volker Lendecke <v...@samba.org>
    Autobuild-Date(master): Fri Feb 24 08:46:14 UTC 2023 on atb-devel-224
    
    (cherry picked from commit bf9130d375b6c401bb79fc1a0911975814759e3b)
    
    Autobuild-User(v4-18-test): Jule Anger <jan...@samba.org>
    Autobuild-Date(v4-18-test): Tue Apr 11 16:30:25 UTC 2023 on atb-devel-224

commit da3531910d7823bb46fbbb9ea5100d8b093a3cc0
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Feb 17 15:41:12 2023 +0100

    tests: Show that the case sensitive large dir optimization is broken
    
    We don't normalize the directories
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15313
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 342d8f6a0a8bc2229332783a840c882f85a1dd4e)

commit 9af15e1737f2ec4e3096ad8d6aebabe4b3c31a8c
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Feb 17 15:40:30 2023 +0100

    tests: Move libsmb-basic to fileserver_smb1 environment
    
    This has the lower-case share, used in the next commit
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15313
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit a9301d8f2956409a6d36e7776d0237d03bfbdbf6)

commit 188d598c1d8cf3067c26ddb50ef13c511e67d6ae
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Feb 7 17:51:10 2023 -0800

    s3: smbd: Fix log spam. Change a normal error message from DBG_ERR (level 0) to DBG_INFO (level 5).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15302
    
    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    
    Autobuild-User(master): Ralph Böhme <s...@samba.org>
    Autobuild-Date(master): Sat Feb 11 08:48:05 UTC 2023 on atb-devel-224
    
    (cherry picked from commit e8abe52df2d3ae533b3f874a885856f26ba5ec7e)

commit d477f6fa70a7db5a13655cb6aab1df4b251a4832
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Apr 5 11:03:52 2023 +0200

    smbd: Prevent creation of vetoed files
    
    The problem is when checking for vetoed names on the last path component in
    openat_pathref_fsp_case_insensitive() we return
    NT_STATUS_OBJECT_NAME_NOT_FOUND. Then in the caller
    filename_convert_dirfsp_nosymlink() this is treated as the "file creation
    case" causing filename_convert_dirfsp_nosymlink() to return NT_STATUS_OK.
    
    In order to correctly distinguish between the cases
    
    1) file doesn't exist, we may be creating it, return
    2) a vetoed file
    
    we need 2) to return a more specific error to
    filename_convert_dirfsp_nosymlink(). I've chosen
    NT_STATUS_OBJECT_NAME_INVALID which gets mapped to the appropriate error
    NT_STATUS_OBJECT_PATH_NOT_FOUND or NT_STATUS_OBJECT_NAME_NOT_FOUND
    depending on which path component was vetoed.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143
    
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    
    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Thu Apr  6 23:03:50 UTC 2023 on atb-devel-224
    
    (cherry picked from commit 8b23a4a7eca9b8f80cc4113bb8cf9bb7bd5b4807)

commit c3582deb5a01b686ecad7254cb087effbaf062d3
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Apr 5 11:32:09 2023 +0200

    CI: add a test creating a vetoed file
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143
    
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 2e8954d5be3336f1c4c2cf033209f632ad84e712)

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/libsmb-basic.py      |  9 +++++++
 selftest/target/Samba3.pm               |  1 +
 source3/script/tests/test_veto_files.sh | 47 +++++++++++++++++++++++++++++++++
 source3/smbd/filename.c                 | 18 ++++++++++---
 source3/smbd/open.c                     |  2 +-
 source4/selftest/tests.py               |  2 +-
 6 files changed, 74 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/libsmb-basic.py 
b/python/samba/tests/libsmb-basic.py
index 61a25a8c682..37b82b26dac 100644
--- a/python/samba/tests/libsmb-basic.py
+++ b/python/samba/tests/libsmb-basic.py
@@ -193,6 +193,15 @@ class LibsmbTestCase(samba.tests.libsmb.LibsmbTests):
         finally:
             c.deltree(testdir)
 
+    def test_libsmb_TortureDirCaseSensitive(self):
+        c = libsmb.Conn(self.server_ip, "lowercase", self.lp, self.creds)
+        c.mkdir("subdir")
+        c.mkdir("subdir/b")
+        ret = c.chkpath("SubDir/b")
+        c.rmdir("subdir/b")
+        c.rmdir("subdir")
+        self.assertTrue(ret)
+
 if __name__ == "__main__":
     import unittest
     unittest.main()
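
Review bot: test_libsmb_TortureDirCaseSensitive has no cleanup on failure. If c.mkdir("subdir/b") or c.chkpath("SubDir/b") raises, the two rmdir calls are skipped and "subdir" stays behind on the "lowercase" share, which makes the next run fail at c.mkdir("subdir"). The neighbouring test in the context lines uses try/finally with c.deltree(testdir); the same pattern here would keep the share clean. Because chkpath reports its result as a boolean, a short comment saying that the mixed-case "SubDir/b" lookup is the regression check for bug 15313 would also help the next reader.
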
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index fec50961617..c8fe925a948 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -2106,6 +2106,7 @@ sub setup_fileserver_smb1
 [global]
        client min protocol = CORE
        server min protocol = LANMAN1
+       check parent directory delete on close = yes
 
 [hidenewfiles]
        path = $prefix_abs/share
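
Review bot: the new global "check parent directory delete on close = yes" in setup_fileserver_smb1 is not explained by any of the six commit messages in this push. Presumably it is needed by a libsmb-basic test now that the suite runs in this environment, but that has to be inferred. A one-line comment above the setting, or a sentence in the "Move libsmb-basic to fileserver_smb1 environment" commit message, naming the test that depends on it would stop it from being removed later as unrelated.
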
diff --git a/source3/script/tests/test_veto_files.sh 
b/source3/script/tests/test_veto_files.sh
index 9f0526bd54c..5ecfb53b8a4 100755
--- a/source3/script/tests/test_veto_files.sh
+++ b/source3/script/tests/test_veto_files.sh
@@ -84,6 +84,42 @@ EOF
        fi
 }
 
+smbclient_create_expect_error()
+{
+       filename="$1.$$"
+       expected_error="$2"
+       tmpfile=$PREFIX/smbclient_interactive_prompt_commands
+       cat >"$tmpfile" <<EOF
+put $tmpfile $filename
+quit
+EOF
+
+       cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT -U$USERNAME%$PASSWORD 
//$SERVER/veto_files -I$SERVER_IP < $tmpfile 2>&1'
+       eval echo "$cmd"
+       out=$(eval "$cmd")
+       ret=$?
+       rm -f "$tmpfile"
+       rm -f "$SHAREPATH/$filename"
+
+       if [ $ret != 0 ]; then
+               printf "%s\n" "$out"
+               printf "failed accessing veto_files share with error %s\n" 
"$ret"
+               return 1
+       fi
+
+       if [ "$expected_error" = "NT_STATUS_OK" ]; then
+               printf "%s" "$out" | grep -c "NT_STATUS_" && false
+       else
+               printf "%s" "$out" | grep "$expected_error"
+       fi
+       ret=$?
+       if [ $ret != 0 ]; then
+               printf "%s\n" "$out"
+               printf "failed - should get %s doing \"put %s\"\n" 
"$expected_error" "$filename"
+               return 1
+       fi
+}
+
 #
 # Using the share "[veto_files]" ensure we
 # cannot fetch a veto'd file or file in a veto'd directory.
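
Review bot: in smbclient_create_expect_error the NT_STATUS_OK branch can never succeed. With grep -c "NT_STATUS_" && false, a match runs false and yields 1, and no match makes grep itself exit 1 so the && short-circuits with 1; ret is non-zero either way and the function reports failure. Neither caller in this patch passes NT_STATUS_OK, so the defect is latent, but the branch should either be dropped or written as a negated test, for example ! printf "%s" "$out" | grep -q "NT_STATUS_". A smaller point: $tmpfile is both the stdin command script and the local file named in the put line, which works but is easy to misread; a comment saying that the script uploads itself would help.
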
@@ -133,6 +169,16 @@ test_get_veto_file()
        return 0
 }
 
+test_create_veto_file()
+{
+       # Test creating files
+       smbclient_create_expect_error "veto_name_file" 
"NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1
+       smbclient_create_expect_error "veto_name_dir/file_inside_dir" 
"NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1
+       smbclient_create_expect_error "dir1/veto_name_file" 
"NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1
+
+       return 0
+}
+
 do_cleanup
 
 # Using hash2, veto_name_file\"mangle == VHXE5P~M
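
Review bot: the comment "# Test creating files" in test_create_veto_file does not say why the expected status differs between the three calls. A vetoed last component ("veto_name_file", "dir1/veto_name_file") expects NT_STATUS_OBJECT_NAME_NOT_FOUND while a vetoed directory component ("veto_name_dir/file_inside_dir") expects NT_STATUS_OBJECT_PATH_NOT_FOUND; spelling that out in the comment documents the behaviour the fix is meant to guarantee. It is also worth noting there that the helper appends ".$$" to the name, so the names actually sent are not the literal strings listed here and the test relies on the share's veto pattern still matching them.
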
@@ -194,6 +240,7 @@ touch 
"$SHAREPATH/dir1/dir2/dir3/veto_name_dir\"mangle/file_inside_dir"
 mkdir "$SHAREPATH/dir1/dir2/dir3/veto_name_dir\"mangle/testdir"
 touch "$SHAREPATH/dir1/dir2/dir3/veto_name_dir\"mangle/testdir/file_inside_dir"
 
+testit "create_veto_file" test_create_veto_file || failed=$((failed + 1))
 testit "get_veto_file" test_get_veto_file || failed=$(("$failed" + 1))
 
 do_cleanup
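
Review bot: style only, the added testit line increments with failed=$((failed + 1)) while the existing line directly below uses failed=$(("$failed" + 1)). Both work, but two spellings on adjacent lines invite copy and paste drift; pick the one the rest of the script uses.
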
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index b7160af0cfd..98506775bce 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -752,7 +752,7 @@ static NTSTATUS openat_pathref_fsp_case_insensitive(
        if (IS_VETO_PATH(dirfsp->conn, smb_fname_rel->base_name)) {
                DBG_DEBUG("veto files rejecting last component %s\n",
                          smb_fname_str_dbg(smb_fname_rel));
-               return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+               return NT_STATUS_NETWORK_OPEN_RESTRICTION;
        }
 
        status = openat_pathref_fsp(dirfsp, smb_fname_rel);
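
Review bot: the status returned here does not match the commit message. The message for "smbd: Prevent creation of vetoed files" says NT_STATUS_OBJECT_NAME_INVALID was chosen, while this return and the two identical ones further down in openat_pathref_fsp_case_insensitive() use NT_STATUS_NETWORK_OPEN_RESTRICTION. One of the two should be corrected so that someone bisecting or grepping later is not misled. Since the value is used as an internal marker for "vetoed" rather than as a status meant for the client, a short comment at each return pointing to the place in filename_convert_dirfsp_nosymlink() that maps it back would make the intent clear.
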
@@ -818,7 +818,7 @@ static NTSTATUS openat_pathref_fsp_case_insensitive(
                        DBG_DEBUG("veto files rejecting last component %s\n",
                                  smb_fname_str_dbg(smb_fname_rel));
                        TALLOC_FREE(cache_key.data);
-                       return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+                       return NT_STATUS_NETWORK_OPEN_RESTRICTION;
                }
 
                status = openat_pathref_fsp(dirfsp, smb_fname_rel);
@@ -848,7 +848,7 @@ lookup:
                if (IS_VETO_PATH(dirfsp->conn, smb_fname_rel->base_name)) {
                        DBG_DEBUG("veto files rejecting last component %s\n",
                                smb_fname_str_dbg(smb_fname_rel));
-                       return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+                       return NT_STATUS_NETWORK_OPEN_RESTRICTION;
                }
 
                status = openat_pathref_fsp(dirfsp, smb_fname_rel);
@@ -1123,6 +1123,14 @@ static NTSTATUS filename_convert_dirfsp_nosymlink(
                char *substitute = NULL;
                size_t unparsed = 0;
 
+               status = normalize_filename_case(conn, dirname, ucf_flags);
+               if (!NT_STATUS_IS_OK(status)) {
+                       DBG_ERR("normalize_filename_case %s failed: %s\n",
+                               dirname,
+                               nt_errstr(status));
+                       goto fail;
+               }
+
                status = openat_pathref_dirfsp_nosymlink(
                        mem_ctx,
                        conn,
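
Review bot: the new normalize_filename_case(conn, dirname, ucf_flags) call has no comment saying why the directory part needs normalizing before openat_pathref_dirfsp_nosymlink(), and the commit message is only a subject line. One sentence here tying it to the case sensitive large directory optimization from bug 15313 would do. Also check the DBG_ERR level: another commit in this same push demotes a message from DBG_ERR to DBG_INFO because it spammed logs, so if normalize_filename_case can fail on client-supplied names rather than only on allocation failure, this should log at a lower level too.
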
@@ -1307,6 +1315,10 @@ static NTSTATUS filename_convert_dirfsp_nosymlink(
                goto done;
        }
 
+       if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_OPEN_RESTRICTION)) {
+               /* A vetoed file, pretend it's not there  */
+               status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
+       }
        if (!NT_STATUS_IS_OK(status)) {
                goto fail;
        }
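
Review bot: this is the only place in the lines shown where NT_STATUS_NETWORK_OPEN_RESTRICTION is translated back, yet openat_pathref_fsp_case_insensitive() now returns it from three sites. Please confirm that no other caller of that static function in filename.c can pass the raw status on to the client, since that would both change the error a client sees and reveal that a name is vetoed rather than absent. The commit message also describes a mapping to NT_STATUS_OBJECT_PATH_NOT_FOUND for vetoed directory components, which is not visible in this block; a comment saying where that case is handled would help. A blank line between this block and the following if (!NT_STATUS_IS_OK(status)) would match the spacing used in the rest of the function.
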
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 3ad6b205116..da0498f9e7d 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3550,7 +3550,7 @@ NTSTATUS smbd_calculate_access_mask_fsp(struct 
files_struct *dirfsp,
        rejected_share_access = access_mask & ~(fsp->conn->share_access);
 
        if (rejected_share_access) {
-               DBG_ERR("Access denied on file %s: "
+               DBG_INFO("Access denied on file %s: "
                        "rejected by share access mask[0x%08X] "
                        "orig[0x%08X] mapped[0x%08X] reject[0x%08X]\n",
                        fsp_str_dbg(fsp),
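
Review bot: style, DBG_INFO( is one character longer than DBG_ERR(, so the continuation lines ("rejected by share access mask..." and the arguments below) no longer line up with the opening parenthesis; re-indent them in the same change. On the substance, note in the release notes or the commit message that share access mask rejections are no longer visible at the default log level, since administrators who watched for this message to spot denied access will need log level 5 or an audit module from now on.
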
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 9f303614613..052058383f7 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -532,7 +532,7 @@ for t in smbtorture4_testsuites("dlz_bind9."):
     # The dlz_bind9 tests needs to look at the DNS database
     plansmbtorture4testsuite(t, "chgdcpass:local", ["ncalrpc:$SERVER", 
'-U$USERNAME%$PASSWORD'])
 
-planpythontestsuite("nt4_dc_smb1", "samba.tests.libsmb-basic")
+planpythontestsuite("fileserver_smb1", "samba.tests.libsmb-basic")
 
 planpythontestsuite("ad_member", "samba.tests.smb-notify",
                     environ={'USERNAME':'$DC_USERNAME',
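
Review bot: changing planpythontestsuite("nt4_dc_smb1", ...) to "fileserver_smb1" moves the whole samba.tests.libsmb-basic suite, not only the new case sensitivity test, so none of the existing libsmb-basic tests run against nt4_dc_smb1 any more. If that loss of coverage is intended, say so in the commit message; otherwise plan the suite in both environments and skip the "lowercase" share test where the share does not exist.
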


-- 
Samba Shared Repository
