From 450d7f134c7c1e6d88f00a58e83d962be0b0bb09 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Mon, 5 Oct 2020 07:50:16 +0200 Subject: [PATCH] smbd: use fsp_get_pathref_fd() for fstat() calls If we can access the path to a file, by default we have FILE_READ_ATTRIBUTES from the containing directory. See the section: "Algorithm to Check Access to an Existing File" in MS-FSA.pdf. So it's also safe to use a root opened pathref fd, as the root open is done on the final component after a chdir() to the parent directory was done while still impersonating the use. Qed. Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison --- source3/modules/vfs_afsacl.c | 2 +- source3/modules/vfs_default.c | 2 +- source3/modules/vfs_gpfs.c | 4 ++-- source3/modules/vfs_streams_depot.c | 2 +- source3/smbd/smb2_getinfo.c | 2 +- source3/smbd/smb2_setinfo.c | 2 +- source3/smbd/trans2.c | 4 ++-- source3/smbd/vfs.c | 2 +- 8 files changed, 10 insertions(+), 10 deletions(-) diff --git a/source3/modules/vfs_afsacl.c b/source3/modules/vfs_afsacl.c index c4aa200cc7e..6024ae103fb 100644 --- a/source3/modules/vfs_afsacl.c +++ b/source3/modules/vfs_afsacl.c @@ -691,7 +691,7 @@ static size_t afs_fto_nt_acl(struct afs_acl *afs_acl, { SMB_STRUCT_STAT sbuf; - if (fsp->fh->fd == -1) { + if (fsp_get_pathref_fd(fsp) == -1) { /* Get the stat struct for the owner info. */ return afs_to_nt_acl(afs_acl, fsp->conn, fsp->fsp_name, security_info, mem_ctx, ppdesc); diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c index 926ee51475c..a438ae3cca4 100644 --- a/source3/modules/vfs_default.c +++ b/source3/modules/vfs_default.c @@ -3032,7 +3032,7 @@ static NTSTATUS vfswrap_streaminfo(vfs_handle_struct *handle, goto done; } - if ((fsp != NULL) && (fsp->fh->fd != -1)) { + if ((fsp != NULL) && (fsp_get_pathref_fd(fsp) != -1)) { ret = SMB_VFS_FSTAT(fsp, &sbuf); } else { diff --git a/source3/modules/vfs_gpfs.c b/source3/modules/vfs_gpfs.c index 4f3f8bed0ce..4a8418aa726 100644 --- a/source3/modules/vfs_gpfs.c +++ b/source3/modules/vfs_gpfs.c @@ -1783,7 +1783,7 @@ static NTSTATUS vfs_gpfs_fget_dos_attributes(struct vfs_handle_struct *handle, return SMB_VFS_NEXT_FGET_DOS_ATTRIBUTES(handle, fsp, dosmode); } - ret = gpfswrap_fstat_x(fsp->fh->fd, &litemask, &iattr, sizeof(iattr)); + ret = gpfswrap_fstat_x(fsp_get_pathref_fd(fsp), &litemask, &iattr, sizeof(iattr)); if (ret == -1 && errno == ENOSYS) { return SMB_VFS_NEXT_FGET_DOS_ATTRIBUTES(handle, fsp, dosmode); } @@ -1800,7 +1800,7 @@ static NTSTATUS vfs_gpfs_fget_dos_attributes(struct vfs_handle_struct *handle, set_effective_capability(DAC_OVERRIDE_CAPABILITY); - ret = gpfswrap_fstat_x(fsp->fh->fd, &litemask, + ret = gpfswrap_fstat_x(fsp_get_pathref_fd(fsp), &litemask, &iattr, sizeof(iattr)); if (ret == -1) { saved_errno = errno; diff --git a/source3/modules/vfs_streams_depot.c b/source3/modules/vfs_streams_depot.c index da14a0d98a5..a5e02d5a069 100644 --- a/source3/modules/vfs_streams_depot.c +++ b/source3/modules/vfs_streams_depot.c @@ -1051,7 +1051,7 @@ static NTSTATUS streams_depot_streaminfo(vfs_handle_struct *handle, return NT_STATUS_NO_MEMORY; } - if ((fsp != NULL) && (fsp->fh->fd != -1)) { + if ((fsp != NULL) && (fsp_get_pathref_fd(fsp) != -1)) { ret = SMB_VFS_NEXT_FSTAT(handle, fsp, &smb_fname_base->st); } else { diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c index d673709fc67..6df4a37af17 100644 --- a/source3/smbd/smb2_getinfo.c +++ b/source3/smbd/smb2_getinfo.c @@ -334,7 +334,7 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx, /* We know this name is ok, it's already passed the checks. */ - } else if (fsp->fh->fd == -1) { + } else if (fsp_get_pathref_fd(fsp) == -1) { /* * This is actually a QFILEINFO on a directory * handle (returned from an NT SMB). NT5.0 seems diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c index c8071a73498..61770281583 100644 --- a/source3/smbd/smb2_setinfo.c +++ b/source3/smbd/smb2_setinfo.c @@ -415,7 +415,7 @@ static struct tevent_req *smbd_smb2_setinfo_send(TALLOC_CTX *mem_ctx, file_info_level = SMB2_FILE_RENAME_INFORMATION_INTERNAL; } - if (fsp->fh->fd == -1) { + if (fsp_get_pathref_fd(fsp) == -1) { /* * This is actually a SETFILEINFO on a directory * handle (returned from an NT SMB). NT5.0 seems diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index 2469daa3209..fa2255a4d5a 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -6061,7 +6061,7 @@ static void call_trans2qfilepathinfo(connection_struct *conn, /* We know this name is ok, it's already passed the checks. */ - } else if(fsp->fh->fd == -1) { + } else if(fsp_get_pathref_fd(fsp) == -1) { /* * This is actually a QFILEINFO on a directory * handle (returned from an NT SMB). NT5.0 seems @@ -9350,7 +9350,7 @@ static void call_trans2setfilepathinfo(connection_struct *conn, smb_fname = fsp->fsp_name; - if(fsp->fh->fd == -1) { + if (fsp_get_pathref_fd(fsp) == -1) { /* * This is actually a SETFILEINFO on a directory * handle (returned from an NT SMB). NT5.0 seems diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c index cd7212d0e9b..9bc640174b4 100644 --- a/source3/smbd/vfs.c +++ b/source3/smbd/vfs.c @@ -1525,7 +1525,7 @@ NTSTATUS vfs_stat_fsp(files_struct *fsp) int ret; struct stat_ex saved_stat = fsp->fsp_name->st; - if(fsp->fh->fd == -1) { + if (fsp_get_pathref_fd(fsp) == -1) { if (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) { ret = SMB_VFS_LSTAT(fsp->conn, fsp->fsp_name); } else { -- 2.34.1