Fix bug #8541 - readlink() on Linux clients fails if the symlink target is outside of the share.

The key is to only allow the lookup to succeed if it's a UNIX level lookup or readlink,
but disallow all other operations.
(cherry picked from commit d2ec9d20858b8e5256bf8339395c6f47793e0975)

4 files changed, 43 insertions, 11 deletions

diff --git a/source3/include/smb.h b/source3/include/smb.h
index 3a64af7eeda..549ebb2bbaf 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -1714,6 +1714,7 @@ struct smb_file_time {
 #define UCF_ALWAYS_ALLOW_WCARD_LCOMP	0x00000002
 #define UCF_COND_ALLOW_WCARD_LCOMP	0x00000004
 #define UCF_POSIX_PATHNAMES		0x00000008
+#define UCF_UNIX_NAME_LOOKUP		0x00000010
 
 /*
  * smb_filename
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index 34bb7f5508f..691a779d8ca 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -977,25 +977,39 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx,
 }
 
 /****************************************************************************
- Check a filename - possibly calling check_reduced_name.
- This is called by every routine before it allows an operation on a filename.
- It does any final confirmation necessary to ensure that the filename is
- a valid one for the user to access.
+ Ensure a path is not vetod.
 ****************************************************************************/
 
-NTSTATUS check_name(connection_struct *conn, const char *name)
+NTSTATUS check_veto_path(connection_struct *conn, const char *name)
 {
 	if (IS_VETO_PATH(conn, name))  {
 		/* Is it not dot or dot dot. */
 		if (!(ISDOT(name) || ISDOTDOT(name))) {
-			DEBUG(5,("check_name: file path name %s vetoed\n",
+			DEBUG(5,("check_veto_path: file path name %s vetoed\n",
 						name));
 			return map_nt_error_from_unix(ENOENT);
 		}
 	}
+	return NT_STATUS_OK;
+}
+
+/****************************************************************************
+ Check a filename - possibly calling check_reduced_name.
+ This is called by every routine before it allows an operation on a filename.
+ It does any final confirmation necessary to ensure that the filename is
+ a valid one for the user to access.
+****************************************************************************/
+
+NTSTATUS check_name(connection_struct *conn, const char *name)
+{
+	NTSTATUS status = check_veto_path(conn, name);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
 
 	if (!lp_widelinks(SNUM(conn)) || !lp_symlinks(SNUM(conn))) {
-		NTSTATUS status = check_reduced_name(conn,name);
+		status = check_reduced_name(conn,name);
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(5,("check_name: name %s failed with %s\n",name,
 						nt_errstr(status)));
@@ -1313,6 +1327,12 @@ NTSTATUS filename_convert(TALLOC_CTX *ctx,
 		return status;
 	}
 
+	if ((ucf_flags & UCF_UNIX_NAME_LOOKUP) &&
+			VALID_STAT((*pp_smb_fname)->st) &&
+			S_ISLNK((*pp_smb_fname)->st.st_ex_mode)) {
+		return check_veto_path(conn, (*pp_smb_fname)->base_name);
+	}
+
 	status = check_name(conn, (*pp_smb_fname)->base_name);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(3,("filename_convert: check_name failed "
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index c455ffe36db..1e5d891e9f8 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -336,6 +336,7 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx,
 		      const char *orig_path,
 		      struct smb_filename **smb_fname,
 		      uint32_t ucf_flags);
+NTSTATUS check_veto_path(connection_struct *conn, const char *name);
 NTSTATUS check_name(connection_struct *conn, const char *name);
 int get_real_filename(connection_struct *conn, const char *path,
 		      const char *name, TALLOC_CTX *mem_ctx,
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 0931fff54aa..284635d85c8 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -2271,6 +2271,7 @@ static void call_trans2findfirst(connection_struct *conn,
 	TALLOC_CTX *ctx = talloc_tos();
 	struct dptr_struct *dirptr = NULL;
 	struct smbd_server_connection *sconn = req->sconn;
+	uint32_t ucf_flags = (UCF_SAVE_LCOMP | UCF_ALWAYS_ALLOW_WCARD_LCOMP);
 
 	if (total_params < 13) {
 		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@@ -2314,6 +2315,7 @@ close_if_end = %d requires_resume_key = %d level = 0x%x, max_data_bytes = %d\n",
 				reply_nterror(req, NT_STATUS_INVALID_LEVEL);
 				goto out;
 			}
+			ucf_flags |= UCF_UNIX_NAME_LOOKUP;
 			break;
 		default:
 			reply_nterror(req, NT_STATUS_INVALID_LEVEL);
@@ -5103,6 +5105,7 @@ static void call_trans2qfilepathinfo(connection_struct *conn,
 	} else {
 		uint32_t name_hash;
 		char *fname = NULL;
+		uint32_t ucf_flags = 0;
 
 		/* qpathinfo */
 		if (total_params < 7) {
@@ -5114,9 +5117,16 @@ static void call_trans2qfilepathinfo(connection_struct *conn,
 
 		DEBUG(3,("call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = %d\n", info_level));
 
-		if (INFO_LEVEL_IS_UNIX(info_level) && !lp_unix_extensions()) {
-			reply_nterror(req, NT_STATUS_INVALID_LEVEL);
-			return;
+		if (INFO_LEVEL_IS_UNIX(info_level)) {
+			if (!lp_unix_extensions()) {
+				reply_nterror(req, NT_STATUS_INVALID_LEVEL);
+				return;
+			}
+			if (info_level == SMB_QUERY_FILE_UNIX_BASIC ||
+					info_level == SMB_QUERY_FILE_UNIX_INFO2 ||
+					info_level == SMB_QUERY_FILE_UNIX_LINK) {
+				ucf_flags |= UCF_UNIX_NAME_LOOKUP;
+			}
 		}
 
 		srvstr_get_path(req, params, req->flags2, &fname, &params[6],
@@ -5131,7 +5141,7 @@ static void call_trans2qfilepathinfo(connection_struct *conn,
 					conn,
 					req->flags2 & FLAGS2_DFS_PATHNAMES,
 					fname,
-					0,
+					ucf_flags,
 					NULL,
 					&smb_fname);
 		if (!NT_STATUS_IS_OK(status)) {