From 1b3ee5e5a336064f324715d46f80661305d93c28 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 20 Aug 2014 13:58:38 +0200 Subject: s3:smbd: mask security_information input values with SMB_SUPPORTED_SECINFO_FLAGS Sometimes Windows clients doesn't filter SECINFO_[UN]PROTECTED_[D|S]ACL flags before sending the security_information to the server. security_information = SECINFO_PROTECTED_DACL| SECINFO_DACL results in a NULL dacl being returned from an GetSecurityDecriptor request. This happens because posix_get_nt_acl_common() has the following logic: if ((security_info & SECINFO_DACL) && !(security_info & SECINFO_PROTECTED_DACL)) { ... create DACL ... } I'm not sure if the logic is correct or wrong in this place (I guess it's wrong...). But what I know is that the SMB server should filter the given security_information flags before passing to the filesystem. [MS-SMB2] 3.3.5.20.3 Handling SMB2_0_INFO_SECURITY ... The server MUST ignore any flag value in the AdditionalInformation field that is not specified in section 2.2.37. Section 2.2.37 lists: OWNER_SECURITY_INFORMATION GROUP_SECURITY_INFORMATION DACL_SECURITY_INFORMATION SACL_SECURITY_INFORMATION LABEL_SECURITY_INFORMATION ATTRIBUTE_SECURITY_INFORMATION SCOPE_SECURITY_INFORMATION BACKUP_SECURITY_INFORMATION Bug: https://bugzilla.samba.org/show_bug.cgi?id=10773 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- source3/smbd/nttrans.c | 7 ++++--- source3/smbd/posix_acls.c | 4 ++++ source3/smbd/smb2_getinfo.c | 3 ++- source3/smbd/smb2_setinfo.c | 3 ++- 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index 0cf1ea32d3..d7705e33bd 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -2036,7 +2036,8 @@ static void call_nt_transact_query_security_desc(connection_struct *conn, status = smbd_do_query_security_desc(conn, talloc_tos(), fsp, - security_info_wanted, + security_info_wanted & + SMB_SUPPORTED_SECINFO_FLAGS, max_data_count, &marshalled_sd, &sd_size); @@ -2129,8 +2130,8 @@ static void call_nt_transact_set_security_desc(connection_struct *conn, return; } - status = set_sd_blob(fsp, (uint8 *)data, data_count, security_info_sent); - + status = set_sd_blob(fsp, (uint8 *)data, data_count, + security_info_sent & SMB_SUPPORTED_SECINFO_FLAGS); if (!NT_STATUS_IS_OK(status)) { reply_nterror(req, status); return; diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index b9edf127e0..b71fd89537 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -3280,6 +3280,10 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn, num_profile_acls = 3; } + /* + * TODO: is this logic with SECINFO_PROTECTED_DACL, correct? + * See bug #10773. + */ if ((security_info & SECINFO_DACL) && !(security_info & SECINFO_PROTECTED_DACL)) { /* diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c index 3139a32a8a..7f44868bad 100644 --- a/source3/smbd/smb2_getinfo.c +++ b/source3/smbd/smb2_getinfo.c @@ -479,7 +479,8 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx, state, fsp, /* Security info wanted. */ - in_additional_information, + in_additional_information & + SMB_SUPPORTED_SECINFO_FLAGS, in_output_buffer_length, &p_marshalled_sd, &sd_size); diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c index 3722697f4d..d95bd3d9b8 100644 --- a/source3/smbd/smb2_setinfo.c +++ b/source3/smbd/smb2_setinfo.c @@ -312,7 +312,8 @@ static struct tevent_req *smbd_smb2_setinfo_send(TALLOC_CTX *mem_ctx, status = set_sd_blob(fsp, in_input_buffer.data, in_input_buffer.length, - in_additional_information); + in_additional_information & + SMB_SUPPORTED_SECINFO_FLAGS); if (!NT_STATUS_IS_OK(status)) { tevent_req_nterror(req, status); return tevent_req_post(req, ev); -- cgit