The branch, v4-18-test has been updated via 31d4b337cb7 smbd: Fix case normalization in for directories via da3531910d7 tests: Show that the case sensitive large dir optimization is broken via 9af15e1737f tests: Move libsmb-basic to fileserver_smb1 environment via 188d598c1d8 s3: smbd: Fix log spam. Change a normal error message from DBG_ERR (level 0) to DBG_INFO (level 5). via d477f6fa70a smbd: Prevent creation of vetoed files via c3582deb5a0 CI: add a test creating a vetoed file from dea4cb70045 dsdb/tests: Double number of expressions in large_ldap.py ldap_timeout test
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test - Log ----------------------------------------------------------------- commit 31d4b337cb70203eac3032838a78c9c6ef48bf6e Author: Volker Lendecke <v...@samba.org> Date: Fri Feb 17 10:02:37 2023 +0100 smbd: Fix case normalization in for directories Bug: https://bugzilla.samba.org/show_bug.cgi?id=15313 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Volker Lendecke <v...@samba.org> Autobuild-Date(master): Fri Feb 24 08:46:14 UTC 2023 on atb-devel-224 (cherry picked from commit bf9130d375b6c401bb79fc1a0911975814759e3b) Autobuild-User(v4-18-test): Jule Anger <jan...@samba.org> Autobuild-Date(v4-18-test): Tue Apr 11 16:30:25 UTC 2023 on atb-devel-224 commit da3531910d7823bb46fbbb9ea5100d8b093a3cc0 Author: Volker Lendecke <v...@samba.org> Date: Fri Feb 17 15:41:12 2023 +0100 tests: Show that the case sensitive large dir optimization is broken We don't normalize the directories Bug: https://bugzilla.samba.org/show_bug.cgi?id=15313 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit 342d8f6a0a8bc2229332783a840c882f85a1dd4e) commit 9af15e1737f2ec4e3096ad8d6aebabe4b3c31a8c Author: Volker Lendecke <v...@samba.org> Date: Fri Feb 17 15:40:30 2023 +0100 tests: Move libsmb-basic to fileserver_smb1 environment This has the lower-case share, used in the next commit Bug: https://bugzilla.samba.org/show_bug.cgi?id=15313 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit a9301d8f2956409a6d36e7776d0237d03bfbdbf6) commit 188d598c1d8cf3067c26ddb50ef13c511e67d6ae Author: Jeremy Allison <j...@samba.org> Date: Tue Feb 7 17:51:10 2023 -0800 s3: smbd: Fix log spam. Change a normal error message from DBG_ERR (level 0) to DBG_INFO (level 5). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15302 Signed-off-by: Jeremy Allison <j...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Autobuild-User(master): Ralph Böhme <s...@samba.org> Autobuild-Date(master): Sat Feb 11 08:48:05 UTC 2023 on atb-devel-224 (cherry picked from commit e8abe52df2d3ae533b3f874a885856f26ba5ec7e) commit d477f6fa70a7db5a13655cb6aab1df4b251a4832 Author: Ralph Boehme <s...@samba.org> Date: Wed Apr 5 11:03:52 2023 +0200 smbd: Prevent creation of vetoed files The problem is when checking for vetoed names on the last path component in openat_pathref_fsp_case_insensitive() we return NT_STATUS_OBJECT_NAME_NOT_FOUND. The in the caller filename_convert_dirfsp_nosymlink() this is treated as the "file creation case" causing filename_convert_dirfsp_nosymlink() to return NT_STATUS_OK. In order to correctly distinguish between the cases 1) file doesn't exist, we may be creating it, return 2) a vetoed a file we need 2) to return a more specific error to filename_convert_dirfsp_nosymlink(). I've chosen NT_STATUS_OBJECT_NAME_INVALID which gets mapped to the appropriate errror NT_STATUS_OBJECT_PATH_NOT_FOUND or NT_STATUS_OBJECT_NAME_NOT_FOUND depending on which path component was vetoed. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Thu Apr 6 23:03:50 UTC 2023 on atb-devel-224 (cherry picked from commit 8b23a4a7eca9b8f80cc4113bb8cf9bb7bd5b4807) commit c3582deb5a01b686ecad7254cb087effbaf062d3 Author: Ralph Boehme <s...@samba.org> Date: Wed Apr 5 11:32:09 2023 +0200 CI: add a test creating a vetoed file BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit 2e8954d5be3336f1c4c2cf033209f632ad84e712) ----------------------------------------------------------------------- Summary of changes: python/samba/tests/libsmb-basic.py | 9 +++++++ selftest/target/Samba3.pm | 1 + source3/script/tests/test_veto_files.sh | 47 +++++++++++++++++++++++++++++++++ source3/smbd/filename.c | 18 ++++++++++--- source3/smbd/open.c | 2 +- source4/selftest/tests.py | 2 +- 6 files changed, 74 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/libsmb-basic.py b/python/samba/tests/libsmb-basic.py index 61a25a8c682..37b82b26dac 100644 --- a/python/samba/tests/libsmb-basic.py +++ b/python/samba/tests/libsmb-basic.py @@ -193,6 +193,15 @@ class LibsmbTestCase(samba.tests.libsmb.LibsmbTests): finally: c.deltree(testdir) + def test_libsmb_TortureDirCaseSensitive(self): + c = libsmb.Conn(self.server_ip, "lowercase", self.lp, self.creds) + c.mkdir("subdir") + c.mkdir("subdir/b") + ret = c.chkpath("SubDir/b") + c.rmdir("subdir/b") + c.rmdir("subdir") + self.assertTrue(ret) + if __name__ == "__main__": import unittest unittest.main() diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index fec50961617..c8fe925a948 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -2106,6 +2106,7 @@ sub setup_fileserver_smb1 [global] client min protocol = CORE server min protocol = LANMAN1 + check parent directory delete on close = yes [hidenewfiles] path = $prefix_abs/share diff --git a/source3/script/tests/test_veto_files.sh b/source3/script/tests/test_veto_files.sh index 9f0526bd54c..5ecfb53b8a4 100755 --- a/source3/script/tests/test_veto_files.sh +++ b/source3/script/tests/test_veto_files.sh @@ -84,6 +84,42 @@ EOF fi } +smbclient_create_expect_error() +{ + filename="$1.$$" + expected_error="$2" + tmpfile=$PREFIX/smbclient_interactive_prompt_commands + cat >"$tmpfile" <<EOF +put $tmpfile $filename +quit +EOF + + cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/veto_files -I$SERVER_IP < $tmpfile 2>&1' + eval echo "$cmd" + out=$(eval "$cmd") + ret=$? + rm -f "$tmpfile" + rm -f "$SHAREPATH/$filename" + + if [ $ret != 0 ]; then + printf "%s\n" "$out" + printf "failed accessing veto_files share with error %s\n" "$ret" + return 1 + fi + + if [ "$expected_error" = "NT_STATUS_OK" ]; then + printf "%s" "$out" | grep -c "NT_STATUS_" && false + else + printf "%s" "$out" | grep "$expected_error" + fi + ret=$? + if [ $ret != 0 ]; then + printf "%s\n" "$out" + printf "failed - should get %s doing \"put %s\"\n" "$expected_error" "$filename" + return 1 + fi +} + # # Using the share "[veto_files]" ensure we # cannot fetch a veto'd file or file in a veto'd directory. @@ -133,6 +169,16 @@ test_get_veto_file() return 0 } +test_create_veto_file() +{ + # Test creating files + smbclient_create_expect_error "veto_name_file" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 + smbclient_create_expect_error "veto_name_dir/file_inside_dir" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1 + smbclient_create_expect_error "dir1/veto_name_file" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1 + + return 0 +} + do_cleanup # Using hash2, veto_name_file\"mangle == VHXE5P~M @@ -194,6 +240,7 @@ touch "$SHAREPATH/dir1/dir2/dir3/veto_name_dir\"mangle/file_inside_dir" mkdir "$SHAREPATH/dir1/dir2/dir3/veto_name_dir\"mangle/testdir" touch "$SHAREPATH/dir1/dir2/dir3/veto_name_dir\"mangle/testdir/file_inside_dir" +testit "create_veto_file" test_create_veto_file || failed=$((failed + 1)) testit "get_veto_file" test_get_veto_file || failed=$(("$failed" + 1)) do_cleanup diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c index b7160af0cfd..98506775bce 100644 --- a/source3/smbd/filename.c +++ b/source3/smbd/filename.c @@ -752,7 +752,7 @@ static NTSTATUS openat_pathref_fsp_case_insensitive( if (IS_VETO_PATH(dirfsp->conn, smb_fname_rel->base_name)) { DBG_DEBUG("veto files rejecting last component %s\n", smb_fname_str_dbg(smb_fname_rel)); - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + return NT_STATUS_NETWORK_OPEN_RESTRICTION; } status = openat_pathref_fsp(dirfsp, smb_fname_rel); @@ -818,7 +818,7 @@ static NTSTATUS openat_pathref_fsp_case_insensitive( DBG_DEBUG("veto files rejecting last component %s\n", smb_fname_str_dbg(smb_fname_rel)); TALLOC_FREE(cache_key.data); - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + return NT_STATUS_NETWORK_OPEN_RESTRICTION; } status = openat_pathref_fsp(dirfsp, smb_fname_rel); @@ -848,7 +848,7 @@ lookup: if (IS_VETO_PATH(dirfsp->conn, smb_fname_rel->base_name)) { DBG_DEBUG("veto files rejecting last component %s\n", smb_fname_str_dbg(smb_fname_rel)); - return NT_STATUS_OBJECT_NAME_NOT_FOUND; + return NT_STATUS_NETWORK_OPEN_RESTRICTION; } status = openat_pathref_fsp(dirfsp, smb_fname_rel); @@ -1123,6 +1123,14 @@ static NTSTATUS filename_convert_dirfsp_nosymlink( char *substitute = NULL; size_t unparsed = 0; + status = normalize_filename_case(conn, dirname, ucf_flags); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("normalize_filename_case %s failed: %s\n", + dirname, + nt_errstr(status)); + goto fail; + } + status = openat_pathref_dirfsp_nosymlink( mem_ctx, conn, @@ -1307,6 +1315,10 @@ static NTSTATUS filename_convert_dirfsp_nosymlink( goto done; } + if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_OPEN_RESTRICTION)) { + /* A vetoed file, pretend it's not there */ + status = NT_STATUS_OBJECT_NAME_NOT_FOUND; + } if (!NT_STATUS_IS_OK(status)) { goto fail; } diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 3ad6b205116..da0498f9e7d 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -3550,7 +3550,7 @@ NTSTATUS smbd_calculate_access_mask_fsp(struct files_struct *dirfsp, rejected_share_access = access_mask & ~(fsp->conn->share_access); if (rejected_share_access) { - DBG_ERR("Access denied on file %s: " + DBG_INFO("Access denied on file %s: " "rejected by share access mask[0x%08X] " "orig[0x%08X] mapped[0x%08X] reject[0x%08X]\n", fsp_str_dbg(fsp), diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 9f303614613..052058383f7 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -532,7 +532,7 @@ for t in smbtorture4_testsuites("dlz_bind9."): # The dlz_bind9 tests needs to look at the DNS database plansmbtorture4testsuite(t, "chgdcpass:local", ["ncalrpc:$SERVER", '-U$USERNAME%$PASSWORD']) -planpythontestsuite("nt4_dc_smb1", "samba.tests.libsmb-basic") +planpythontestsuite("fileserver_smb1", "samba.tests.libsmb-basic") planpythontestsuite("ad_member", "samba.tests.smb-notify", environ={'USERNAME':'$DC_USERNAME', -- Samba Shared Repository