QIU Quan
2016-Jan-01 13:38 UTC
[Samba] Fix for CVE-2015-5299 denies access to ZFS snapshots due to overly strict condition checking
OS platform: FreeBSD 10.1-RELEASE-p25 Filesystem: ZFS Samba version: upgraded from 4.1.17 to 4.1.22 Problem: I have been using the shadow_copy2 and zfsacl VFS modules to enable access control and the Previous Versions feature for Windows clients. With /usr/local/etc/smb4.conf configured this way (excerpt): vfs objects = shadow_copy2 zfsacl shadow:snapdir = .zfs/snapshot shadow:format = GMT-%Y.%m.%d-%H.%M.%S shadow:sort = desc After updating the package to 4.1.22, which fixes several vulnerabilities, I discovered that I could no longer view previous versions of files or folders. Checking out the log with log level at 10, I found some error messages, which indicates access to the snapdir, .zfs/snapshots, is denied. Error messages: ../source3/modules/vfs_zfsacl.c:56(zfs_get_nt_acl_common) acl(ACE_GETACLCNT, /tank/share/.zfs/snapshot): Operation is not supported on the filesystem where the file reside ../source3/smbd/open.c:128(smbd_check_access_rights) smbd_check_access_rights: Could not get acl on /tank/share/.zfs/snapshot: NT_STATUS_NOT_SUPPORTED ../source3/modules/vfs_shadow_copy2.c:1170(check_access_snapdir) user does not have list permission on snapdir /tank/share/.zfs/snapshot ../source3/modules/vfs_shadow_copy2.c:1339(shadow_copy2_get_shadow_copy_data) access denied on listing snapdir /tank/share/.zfs/snapshot Possible fix: Reading the patch at https://download.samba.org/pub/samba/patches/security/samba-4.1.21-security-2015-12-16.patch, I see the CVE-2015-5299 fix simply takes the returned status from smbd_check_access_rights() and only checks if it is OK, and if not, then fails, also classifying other error statuses as access denied. Meanwhile, smbd_check_access_rights() in source3/smbd/open.c indeed returns NT_STATUS_ACCESS_DENIED in some way. I wonder if we change the line if (!NT_STATUS_IS_OK(status)) { in check_access_snapdir() in source3/modules/vfs_shadow_copy2.c to if (status == NT_STATUS_ACCESS_DENIED) { would result in more accurate outcomes and avoid other statuses such as NT_STATUS_NOT_SUPPORTED ending up access denied. -- 裘佺 (QIU Quan) <jackqq at gmail.com>
Jeremy Allison
2016-Jan-01 17:19 UTC
[Samba] Fix for CVE-2015-5299 denies access to ZFS snapshots due to overly strict condition checking
On Fri, Jan 01, 2016 at 09:38:09PM +0800, QIU Quan wrote:> OS platform: FreeBSD 10.1-RELEASE-p25 > Filesystem: ZFS > Samba version: upgraded from 4.1.17 to 4.1.22 > > Problem: > > I have been using the shadow_copy2 and zfsacl VFS modules to enable > access control and the Previous Versions feature for Windows clients. > With /usr/local/etc/smb4.conf configured this way (excerpt): > > vfs objects = shadow_copy2 zfsacl > shadow:snapdir = .zfs/snapshot > shadow:format = GMT-%Y.%m.%d-%H.%M.%S > shadow:sort = desc > > After updating the package to 4.1.22, which fixes several > vulnerabilities, I discovered that I could no longer view previous > versions of files or folders. > > Checking out the log with log level at 10, I found some error > messages, which indicates access to the snapdir, .zfs/snapshots, is > denied. > > Error messages: > > ../source3/modules/vfs_zfsacl.c:56(zfs_get_nt_acl_common) > acl(ACE_GETACLCNT, /tank/share/.zfs/snapshot): Operation is not > supported on the filesystem where the file reside > ../source3/smbd/open.c:128(smbd_check_access_rights) > smbd_check_access_rights: Could not get acl on > /tank/share/.zfs/snapshot: NT_STATUS_NOT_SUPPORTED > ../source3/modules/vfs_shadow_copy2.c:1170(check_access_snapdir) > user does not have list permission on snapdir /tank/share/.zfs/snapshot > ../source3/modules/vfs_shadow_copy2.c:1339(shadow_copy2_get_shadow_copy_data) > access denied on listing snapdir /tank/share/.zfs/snapshot > > Possible fix: > > Reading the patch at > https://download.samba.org/pub/samba/patches/security/samba-4.1.21-security-2015-12-16.patch, > I see the CVE-2015-5299 fix simply takes the returned status from > smbd_check_access_rights() and only checks if it is OK, and if not, > then fails, also classifying other error statuses as access denied. > > Meanwhile, smbd_check_access_rights() in source3/smbd/open.c indeed > returns NT_STATUS_ACCESS_DENIED in some way. I wonder if we change the > line > > if (!NT_STATUS_IS_OK(status)) { > > in check_access_snapdir() in source3/modules/vfs_shadow_copy2.c to > > if (status == NT_STATUS_ACCESS_DENIED) { > > would result in more accurate outcomes and avoid other statuses such > as NT_STATUS_NOT_SUPPORTED ending up access denied.Thanks QIU, can you log this as a bug at bugzilla.samba.org so we can track it ? Thanks, Jeremy.
Partha Sarathi
2016-Jan-01 17:42 UTC
[Samba] Fix for CVE-2015-5299 denies access to ZFS snapshots due to overly strict condition checking
Thanks QUI for pointing this issue. Regards, --Partha On Fri, Jan 1, 2016 at 9:19 AM, Jeremy Allison <jra at samba.org> wrote:> On Fri, Jan 01, 2016 at 09:38:09PM +0800, QIU Quan wrote: > > OS platform: FreeBSD 10.1-RELEASE-p25 > > Filesystem: ZFS > > Samba version: upgraded from 4.1.17 to 4.1.22 > > > > Problem: > > > > I have been using the shadow_copy2 and zfsacl VFS modules to enable > > access control and the Previous Versions feature for Windows clients. > > With /usr/local/etc/smb4.conf configured this way (excerpt): > > > > vfs objects = shadow_copy2 zfsacl > > shadow:snapdir = .zfs/snapshot > > shadow:format = GMT-%Y.%m.%d-%H.%M.%S > > shadow:sort = desc > > > > After updating the package to 4.1.22, which fixes several > > vulnerabilities, I discovered that I could no longer view previous > > versions of files or folders. > > > > Checking out the log with log level at 10, I found some error > > messages, which indicates access to the snapdir, .zfs/snapshots, is > > denied. > > > > Error messages: > > > > ../source3/modules/vfs_zfsacl.c:56(zfs_get_nt_acl_common) > > acl(ACE_GETACLCNT, /tank/share/.zfs/snapshot): Operation is not > > supported on the filesystem where the file reside > > ../source3/smbd/open.c:128(smbd_check_access_rights) > > smbd_check_access_rights: Could not get acl on > > /tank/share/.zfs/snapshot: NT_STATUS_NOT_SUPPORTED > > ../source3/modules/vfs_shadow_copy2.c:1170(check_access_snapdir) > > user does not have list permission on snapdir > /tank/share/.zfs/snapshot > > > ../source3/modules/vfs_shadow_copy2.c:1339(shadow_copy2_get_shadow_copy_data) > > access denied on listing snapdir /tank/share/.zfs/snapshot > > > > Possible fix: > > > > Reading the patch at > > > https://download.samba.org/pub/samba/patches/security/samba-4.1.21-security-2015-12-16.patch > , > > I see the CVE-2015-5299 fix simply takes the returned status from > > smbd_check_access_rights() and only checks if it is OK, and if not, > > then fails, also classifying other error statuses as access denied. > > > > Meanwhile, smbd_check_access_rights() in source3/smbd/open.c indeed > > returns NT_STATUS_ACCESS_DENIED in some way. I wonder if we change the > > line > > > > if (!NT_STATUS_IS_OK(status)) { > > > > in check_access_snapdir() in source3/modules/vfs_shadow_copy2.c to > > > > if (status == NT_STATUS_ACCESS_DENIED) { > > > > would result in more accurate outcomes and avoid other statuses such > > as NT_STATUS_NOT_SUPPORTED ending up access denied. > > Thanks QIU, can you log this as a bug at bugzilla.samba.org > so we can track it ? > > Thanks, > > Jeremy. > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >-- Thanks & Regards -Partha
QIU Quan
2016-Jan-04 01:41 UTC
[Samba] Fix for CVE-2015-5299 denies access to ZFS snapshots due to overly strict condition checking
On Sat, Jan 2, 2016 at 1:19 AM, Jeremy Allison <jra at samba.org> wrote:> Thanks QIU, can you log this as a bug at bugzilla.samba.org > so we can track it ? >All right. I've filed bug 11658. Thanks! -- 裘佺 (QIU Quan) <jackqq at gmail.com>
Seemingly Similar Threads
- Fix for CVE-2015-5299 denies access to ZFS snapshots due to overly strict condition checking
- "No previous versions" - GPFS 3.5 and shadow_copy2
- vfs_shadow_copy2: permission denied - SMB_VFS_NEXT_OPENDIR() failed for '/snapshots'
- samba
- vfs_shadow_copy2 doesn't seem to work with basedir of /