diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
commit | 4f5791ebd03eaec1c7da0865a383175b05102712 (patch) | |
tree | 8ce7b00f7a76baa386372422adebbe64510812d4 /source3/modules/vfs_widelinks.c | |
parent | Initial commit. (diff) | |
download | samba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip |
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'source3/modules/vfs_widelinks.c')
-rw-r--r-- | source3/modules/vfs_widelinks.c | 454 |
1 files changed, 454 insertions, 0 deletions
diff --git a/source3/modules/vfs_widelinks.c b/source3/modules/vfs_widelinks.c new file mode 100644 index 0000000..c68468a --- /dev/null +++ b/source3/modules/vfs_widelinks.c @@ -0,0 +1,454 @@ +/* + * Widelinks VFS module. Causes smbd not to see symlinks. + * + * Copyright (C) Jeremy Allison, 2020 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +/* + What does this module do ? It implements the explicitly insecure + "widelinks = yes" functionality that used to be in the core smbd + code. + + Now this is implemented here, the insecure share-escape code that + explicitly allows escape from an exported share path can be removed + from smbd, leaving it a cleaner and more maintainable code base. + + The smbd code can now always return ACCESS_DENIED if a path + leads outside a share. + + How does it do that ? There are 2 features. + + 1). When the upper layer code does a chdir() call to a pathname, + this module stores the requested pathname inside config->cwd. + + When the upper layer code does a getwd() or realpath(), we return + the absolute path of the value stored in config->cwd, *not* the + position on the underlying filesystem. + + This hides symlinks as if the chdir pathname contains a symlink, + normally doing a realpath call on it would return the real + position on the filesystem. For widelinks = yes, this isn't what + you want. You want the position you think is underneath the share + definition - the symlink path you used to go outside the share, + not the contents of the symlink itself. + + That way, the upper layer smbd code can strictly enforce paths + being underneath a share definition without the knowledge that + "widelinks = yes" has moved us outside the share definition. + + 1a). Note that when setting up a share, smbd may make calls such + as realpath and stat/lstat in order to set up the share definition. + These calls are made *before* smbd calls chdir() to move the working + directory below the exported share definition. In order to allow + this, all the vfs_widelinks functions are coded to just pass through + the vfs call to the next module in the chain if (a). The widelinks + module was loaded in error by an administrator and widelinks is + set to "no". This is the: + + if (!config->active) { + Module not active. + SMB_VFS_NEXT_XXXXX(...) + } + + idiom in the vfs functions. + + 1b). If the module was correctly active, but smbd has yet + to call chdir(), then config->cwd == NULL. In that case + the correct action (to match the previous widelinks behavior + in the code inside smbd) is to pass through the vfs call to + the next module in the chain. That way, any symlinks in the + pathname are still exposed to smbd, which will restrict them to + be under the exported share definition. This allows the module + to "fail safe" for any vfs call made when setting up the share + structure definition, rather than fail unsafe by hiding symlinks + before chdir is called. This is the: + + if (config->cwd == NULL) { + XXXXX syscall before chdir - see note 1b above. + return SMB_VFS_NEXT_XXXXX() + } + + idiom in the vfs functions. + + 2). The module hides the existance of symlinks by inside + lstat(), open(), and readdir() so long as it's not a POSIX + pathname request (those requests *must* be aware of symlinks + and the POSIX client has to follow them, it's expected that + a server will always fail to follow symlinks). + + It does this by: + + 2a). lstat -> stat + 2b). open removes any O_NOFOLLOW from flags. + 2c). The optimization in readdir that returns a stat + struct is removed as this could return a symlink mode + bit, causing smbd to always call stat/lstat itself on + a pathname (which we'll then use to hide symlinks). + +*/ + +#include "includes.h" +#include "smbd/smbd.h" +#include "lib/util_path.h" + +struct widelinks_config { + bool active; + bool is_dfs_share; + char *cwd; +}; + +static int widelinks_connect(struct vfs_handle_struct *handle, + const char *service, + const char *user) +{ + struct widelinks_config *config; + int ret; + + ret = SMB_VFS_NEXT_CONNECT(handle, + service, + user); + if (ret != 0) { + return ret; + } + + config = talloc_zero(handle->conn, + struct widelinks_config); + if (!config) { + SMB_VFS_NEXT_DISCONNECT(handle); + return -1; + } + config->active = lp_widelinks(SNUM(handle->conn)); + if (!config->active) { + DBG_ERR("vfs_widelinks module loaded with " + "widelinks = no\n"); + } + config->is_dfs_share = + (lp_host_msdfs() && lp_msdfs_root(SNUM(handle->conn))); + SMB_VFS_HANDLE_SET_DATA(handle, + config, + NULL, /* free_fn */ + struct widelinks_config, + return -1); + return 0; +} + +static int widelinks_chdir(struct vfs_handle_struct *handle, + const struct smb_filename *smb_fname) +{ + int ret = -1; + struct widelinks_config *config = NULL; + char *new_cwd = NULL; + + SMB_VFS_HANDLE_GET_DATA(handle, + config, + struct widelinks_config, + return -1); + + if (!config->active) { + /* Module not active. */ + return SMB_VFS_NEXT_CHDIR(handle, smb_fname); + } + + /* + * We know we never get a path containing + * DOT or DOTDOT. + */ + + if (smb_fname->base_name[0] == '/') { + /* Absolute path - replace. */ + new_cwd = talloc_strdup(config, + smb_fname->base_name); + } else { + if (config->cwd == NULL) { + /* + * Relative chdir before absolute one - + * see note 1b above. + */ + struct smb_filename *current_dir_fname = + SMB_VFS_NEXT_GETWD(handle, + config); + if (current_dir_fname == NULL) { + return -1; + } + /* Paranoia.. */ + if (current_dir_fname->base_name[0] != '/') { + DBG_ERR("SMB_VFS_NEXT_GETWD returned " + "non-absolute path |%s|\n", + current_dir_fname->base_name); + TALLOC_FREE(current_dir_fname); + return -1; + } + config->cwd = talloc_strdup(config, + current_dir_fname->base_name); + TALLOC_FREE(current_dir_fname); + if (config->cwd == NULL) { + return -1; + } + } + new_cwd = talloc_asprintf(config, + "%s/%s", + config->cwd, + smb_fname->base_name); + } + if (new_cwd == NULL) { + return -1; + } + ret = SMB_VFS_NEXT_CHDIR(handle, smb_fname); + if (ret == -1) { + TALLOC_FREE(new_cwd); + return ret; + } + /* Replace the cache we use for realpath/getwd. */ + TALLOC_FREE(config->cwd); + config->cwd = new_cwd; + DBG_DEBUG("config->cwd now |%s|\n", config->cwd); + return 0; +} + +static struct smb_filename *widelinks_getwd(vfs_handle_struct *handle, + TALLOC_CTX *ctx) +{ + struct widelinks_config *config = NULL; + + SMB_VFS_HANDLE_GET_DATA(handle, + config, + struct widelinks_config, + return NULL); + + if (!config->active) { + /* Module not active. */ + return SMB_VFS_NEXT_GETWD(handle, ctx); + } + if (config->cwd == NULL) { + /* getwd before chdir. See note 1b above. */ + return SMB_VFS_NEXT_GETWD(handle, ctx); + } + return synthetic_smb_fname(ctx, + config->cwd, + NULL, + NULL, + 0, + 0); +} + +static struct smb_filename *widelinks_realpath(vfs_handle_struct *handle, + TALLOC_CTX *ctx, + const struct smb_filename *smb_fname_in) +{ + struct widelinks_config *config = NULL; + char *pathname = NULL; + char *resolved_pathname = NULL; + struct smb_filename *smb_fname; + + SMB_VFS_HANDLE_GET_DATA(handle, + config, + struct widelinks_config, + return NULL); + + if (!config->active) { + /* Module not active. */ + return SMB_VFS_NEXT_REALPATH(handle, + ctx, + smb_fname_in); + } + + if (config->cwd == NULL) { + /* realpath before chdir. See note 1b above. */ + return SMB_VFS_NEXT_REALPATH(handle, + ctx, + smb_fname_in); + } + + if (smb_fname_in->base_name[0] == '/') { + /* Absolute path - process as-is. */ + pathname = talloc_strdup(config, + smb_fname_in->base_name); + } else { + /* Relative path - most commonly "." */ + pathname = talloc_asprintf(config, + "%s/%s", + config->cwd, + smb_fname_in->base_name); + } + + SMB_ASSERT(pathname[0] == '/'); + + resolved_pathname = canonicalize_absolute_path(config, pathname); + if (resolved_pathname == NULL) { + TALLOC_FREE(pathname); + return NULL; + } + + DBG_DEBUG("realpath |%s| -> |%s| -> |%s|\n", + smb_fname_in->base_name, + pathname, + resolved_pathname); + + smb_fname = synthetic_smb_fname(ctx, + resolved_pathname, + NULL, + NULL, + 0, + 0); + TALLOC_FREE(pathname); + TALLOC_FREE(resolved_pathname); + return smb_fname; +} + +static int widelinks_lstat(vfs_handle_struct *handle, + struct smb_filename *smb_fname) +{ + struct widelinks_config *config = NULL; + + SMB_VFS_HANDLE_GET_DATA(handle, + config, + struct widelinks_config, + return -1); + + if (!config->active) { + /* Module not active. */ + return SMB_VFS_NEXT_LSTAT(handle, + smb_fname); + } + + if (config->cwd == NULL) { + /* lstat before chdir. See note 1b above. */ + return SMB_VFS_NEXT_LSTAT(handle, + smb_fname); + } + + if (smb_fname->flags & SMB_FILENAME_POSIX_PATH) { + /* POSIX sees symlinks. */ + return SMB_VFS_NEXT_LSTAT(handle, + smb_fname); + } + + /* Replace with STAT. */ + return SMB_VFS_NEXT_STAT(handle, smb_fname); +} + +static int widelinks_openat(vfs_handle_struct *handle, + const struct files_struct *dirfsp, + const struct smb_filename *smb_fname, + files_struct *fsp, + const struct vfs_open_how *_how) +{ + struct vfs_open_how how = *_how; + struct widelinks_config *config = NULL; + int ret; + SMB_VFS_HANDLE_GET_DATA(handle, + config, + struct widelinks_config, + return -1); + + if (config->active && + (config->cwd != NULL) && + !(smb_fname->flags & SMB_FILENAME_POSIX_PATH)) + { + /* + * Module active, openat after chdir (see note 1b above) and not + * a POSIX open (POSIX sees symlinks), so remove O_NOFOLLOW. + */ + how.flags = (how.flags & ~O_NOFOLLOW); + } + + ret = SMB_VFS_NEXT_OPENAT(handle, + dirfsp, + smb_fname, + fsp, + &how); + if (config->is_dfs_share && ret == -1 && errno == ENOENT) { + struct smb_filename *full_fname = NULL; + int lstat_ret; + + full_fname = full_path_from_dirfsp_atname(talloc_tos(), + dirfsp, + smb_fname); + if (full_fname == NULL) { + errno = ENOMEM; + return -1; + } + lstat_ret = SMB_VFS_NEXT_LSTAT(handle, + full_fname); + if (lstat_ret != -1 && + VALID_STAT(full_fname->st) && + S_ISLNK(full_fname->st.st_ex_mode)) { + fsp->fsp_name->st = full_fname->st; + } + TALLOC_FREE(full_fname); + errno = ENOENT; + } + return ret; +} + +static struct dirent *widelinks_readdir(vfs_handle_struct *handle, + struct files_struct *dirfsp, + DIR *dirp, + SMB_STRUCT_STAT *sbuf) +{ + struct widelinks_config *config = NULL; + struct dirent *result; + + SMB_VFS_HANDLE_GET_DATA(handle, + config, + struct widelinks_config, + return NULL); + + result = SMB_VFS_NEXT_READDIR(handle, + dirfsp, + dirp, + sbuf); + + if (!config->active) { + /* Module not active. */ + return result; + } + + /* + * Prevent optimization of returning + * the stat info. Force caller to go + * through our LSTAT that hides symlinks. + */ + + if (sbuf) { + SET_STAT_INVALID(*sbuf); + } + return result; +} + +static struct vfs_fn_pointers vfs_widelinks_fns = { + .connect_fn = widelinks_connect, + + .openat_fn = widelinks_openat, + .lstat_fn = widelinks_lstat, + /* + * NB. We don't need an lchown function as this + * is only called (a) on directory create and + * (b) on POSIX extensions names. + */ + .chdir_fn = widelinks_chdir, + .getwd_fn = widelinks_getwd, + .realpath_fn = widelinks_realpath, + .readdir_fn = widelinks_readdir +}; + +static_decl_vfs; +NTSTATUS vfs_widelinks_init(TALLOC_CTX *ctx) +{ + return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, + "widelinks", + &vfs_widelinks_fns); +} |