smbd: implement access checks for SMB2-GETINFO as per MS-SMB2 3.3.5.20.1
authorRalph Boehme <slow@samba.org>
Sun, 14 Aug 2022 16:46:24 +0000 (18:46 +0200)
committerRalph Boehme <slow@samba.org>
Tue, 23 Aug 2022 12:54:08 +0000 (12:54 +0000)
The spec lists the following as requiring special access:

- for requiring FILE_READ_ATTRIBUTES:

  FileBasicInformation
  FileAllInformation
  FileNetworkOpenInformation
  FileAttributeTagInformation

- for requiring FILE_READ_EA:

  FileFullEaInformation

All other infolevels are unrestricted.

We ignore the IPC related infolevels:

  FilePipeInformation
  FilePipeLocalInformation
  FilePipeRemoteInformation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15153
RN: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Aug 23 12:54:08 UTC 2022 on sn-devel-184

selftest/knownfail
selftest/knownfail.d/samba3.smb2.getinfo [deleted file]
source3/smbd/smb2_getinfo.c

index e16b5b4694bc54af2fc562b6073a8d3982acd707..82dd7e1e8b4313fefbfeab3fb6799a23e7fe40bb 100644 (file)
 ^samba3.smb2.oplock.stream1
 ^samba3.smb2.streams.rename
 ^samba3.smb2.streams.rename2
-^samba3.smb2.streams.attributes1\(.*\)
 ^samba3.smb2.streams streams_xattr.rename\(nt4_dc\)
 ^samba3.smb2.streams streams_xattr.rename2\(nt4_dc\)
-^samba3.smb2.streams streams_xattr.attributes1\(nt4_dc\)
 ^samba3.smb2.getinfo.complex
 ^samba3.smb2.getinfo.fsinfo # quotas don't work yet
 ^samba3.smb2.setinfo.setinfo
diff --git a/selftest/knownfail.d/samba3.smb2.getinfo b/selftest/knownfail.d/samba3.smb2.getinfo
deleted file mode 100644 (file)
index dbef40c..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba3.smb2.getinfo.getinfo_access\(nt4_dc\)
-^samba3.smb2.getinfo.getinfo_access\(ad_dc\)
index 0320dcc5fdef65b7a4ffe7e3ad67057d4702e157..23322e7b85f32923fa53c25ea83147f214b1407f 100644 (file)
@@ -303,6 +303,34 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
 
                ZERO_STRUCT(write_time_ts);
 
+               /*
+                * MS-SMB2 3.3.5.20.1 "Handling SMB2_0_INFO_FILE"
+                *
+                * FileBasicInformation, FileAllInformation,
+                * FileNetworkOpenInformation, FileAttributeTagInformation
+                * require FILE_READ_ATTRIBUTES.
+                *
+                * FileFullEaInformation requires FILE_READ_EA.
+                */
+               switch (in_file_info_class) {
+               case FSCC_FILE_BASIC_INFORMATION:
+               case FSCC_FILE_ALL_INFORMATION:
+               case FSCC_FILE_NETWORK_OPEN_INFORMATION:
+               case FSCC_FILE_ATTRIBUTE_TAG_INFORMATION:
+                       if (!(fsp->access_mask & SEC_FILE_READ_ATTRIBUTE)) {
+                               tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
+                               return tevent_req_post(req, ev);
+                       }
+                       break;
+
+               case FSCC_FILE_FULL_EA_INFORMATION:
+                       if (!(fsp->access_mask & SEC_FILE_READ_EA)) {
+                               tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
+                               return tevent_req_post(req, ev);
+                       }
+                       break;
+               }
+
                switch (in_file_info_class) {
                case FSCC_FILE_FULL_EA_INFORMATION:
                        file_info_level = SMB2_FILE_FULL_EA_INFORMATION;
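Review bot: The new access-check switch on `in_file_info_class` has no `default:` arm, so any info class not named in it passes without a check, and nothing in the code says that this fail-open behaviour is intended. The commit message states that all other infolevels are unrestricted and that FilePipeInformation, FilePipeLocalInformation and FilePipeRemoteInformation are deliberately ignored, but the block comment above the switch records neither point. I would add a sentence to that comment such as `* The pipe infolevels (FilePipe*Information) are intentionally not checked here; all other classes need no specific access.` and close the switch with `default: break;`, so that a reader comparing the code against MS-SMB2 3.3.5.20.1 sees a decision rather than a gap. Because the check sits in its own switch, separate from the level-mapping switch that follows, a class added to the mapping later gets no access check unless someone also adds it here, which is worth stating in the comment as well. smbd_smb2_getinfo_send starts and ends outside this hunk, so whether other info types are checked elsewhere cannot be judged from here.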