From 3e42b69d5e1216b6af570a09d58040d281bbbf17 Mon Sep 17 00:00:00 2001 From: Uri Simchoni Date: Sat, 13 Aug 2016 00:19:33 +0300 Subject: [PATCH] smbd: look only at handle readability for COPYCHUNK dest This commits sets the stage for a change of behavior in a later commit. When checking FILE_READ_DATA on the COPYCHUNK dest handle, only check the handle readability and not the extra right that may have been added due to the FILE_EXECUTE right. The check for FILE_READ_DATA always seemed strange for the dest handle, which is not read. It turns out that in Windows, this check is not done at the SMB layer, but at a lower layer that processes the IOCTL request - the IOCTL code has bits that specify what type of access check needs to be done. Therefore, this lower layer is unaware of the SMB layer's practice of granting READ access based on the FILE_EXECUTE right, and it only checks the handle's readability. This subtle difference has observable behavior - the COPYCHUNK source handle can have FILE_EXECUTE right instead of FILE_READ_DATA, but the dest handle cannot. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12149 Signed-off-by: Uri Simchoni Reviewed-by: David Disseldorp Autobuild-User(master): David Disseldorp Autobuild-Date(master): Tue Aug 16 15:21:03 CEST 2016 on sn-devel-144 --- source3/include/smb_macros.h | 8 ++++++++ source3/smbd/smb2_ioctl_network_fs.c | 4 ++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h index 42a97569e25..f8656c73014 100644 --- a/source3/include/smb_macros.h +++ b/source3/include/smb_macros.h @@ -56,6 +56,14 @@ ((req->flags2 & FLAGS2_READ_PERMIT_EXECUTE) && \ (fsp->access_mask & FILE_EXECUTE)))) +/* An IOCTL readability check (validating read access + * when the IOCTL code requires it) + * http://social.technet.microsoft.com/wiki/contents/articles/24653.decoding-io-control-codes-ioctl-fsctl-and-deviceiocodes-with-table-of-known-values.aspx + * ). On Windows servers, this is done by the IO manager, which is unaware of + * the "if execute is granted then also grant read" arrangement. + */ +#define CHECK_READ_IOCTL(fsp, req) (((fsp)->fh->fd != -1) && ((fsp)->can_read)) + #define CHECK_WRITE(fsp) ((fsp)->can_write && ((fsp)->fh->fd != -1)) #define ERROR_WAS_LOCK_DENIED(status) (NT_STATUS_EQUAL((status), NT_STATUS_LOCK_NOT_GRANTED) || \ diff --git a/source3/smbd/smb2_ioctl_network_fs.c b/source3/smbd/smb2_ioctl_network_fs.c index d8590de3950..c2b889b830d 100644 --- a/source3/smbd/smb2_ioctl_network_fs.c +++ b/source3/smbd/smb2_ioctl_network_fs.c @@ -117,8 +117,8 @@ static NTSTATUS copychunk_check_handles(uint32_t ctl_code, * - The Open.GrantedAccess of the destination file does not include * FILE_READ_DATA, and the CtlCode is FSCTL_SRV_COPYCHUNK. */ - if ((ctl_code == FSCTL_SRV_COPYCHUNK) - && !CHECK_READ(dst_fsp, smb1req)) { + if ((ctl_code == FSCTL_SRV_COPYCHUNK) && + !CHECK_READ_IOCTL(dst_fsp, smb1req)) { DEBUG(5, ("copy chunk no read on dest handle (%s).\n", smb_fname_str_dbg(dst_fsp->fsp_name) )); return NT_STATUS_ACCESS_DENIED; -- 2.34.1