s3:smbd: mask security_information input values with SMB_SUPPORTED_SECINFO_FLAGS
authorStefan Metzmacher <metze@samba.org>
Wed, 20 Aug 2014 11:58:38 +0000 (13:58 +0200)
committerStefan Metzmacher <metze@samba.org>
Thu, 21 Aug 2014 22:28:08 +0000 (00:28 +0200)
Sometimes Windows clients don't filter SECINFO_[UN]PROTECTED_[D|S]ACL flags
before sending the security_information to the server.

security_information = SECINFO_PROTECTED_DACL| SECINFO_DACL
results in a NULL dacl being returned from a GetSecurityDescriptor
request. This happens because posix_get_nt_acl_common()
has the following logic:

if ((security_info & SECINFO_DACL) && !(security_info & SECINFO_PROTECTED_DACL)) {
    ... create DACL ...
}

I'm not sure if the logic is correct or wrong in this place (I guess it's
wrong...).

But what I know is that the SMB server should filter the given
security_information flags before passing to the filesystem.

[MS-SMB2] 3.3.5.20.3 Handling SMB2_0_INFO_SECURITY
...
The server MUST ignore any flag value in the AdditionalInformation field that
is not specified in section 2.2.37.

Section 2.2.37 lists:
OWNER_SECURITY_INFORMATION
GROUP_SECURITY_INFORMATION
DACL_SECURITY_INFORMATION
SACL_SECURITY_INFORMATION
LABEL_SECURITY_INFORMATION
ATTRIBUTE_SECURITY_INFORMATION
SCOPE_SECURITY_INFORMATION
BACKUP_SECURITY_INFORMATION

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10773

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
source3/smbd/nttrans.c
source3/smbd/posix_acls.c
source3/smbd/smb2_getinfo.c
source3/smbd/smb2_setinfo.c

index 0cf1ea32d3ba50a855ae2cbe2840f20afc6297bd..d7705e33bd3507f4b40d9323a466f76b0d6a85bb 100644 (file)
@@ -2036,7 +2036,8 @@ static void call_nt_transact_query_security_desc(connection_struct *conn,
        status = smbd_do_query_security_desc(conn,
                                        talloc_tos(),
                                        fsp,
-                                       security_info_wanted,
+                                       security_info_wanted &
+                                       SMB_SUPPORTED_SECINFO_FLAGS,
                                        max_data_count,
                                        &marshalled_sd,
                                        &sd_size);
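Review bot: The mask is applied at the call site here, and again in call_nt_transact_set_security_desc(), smbd_smb2_getinfo_send() and smbd_smb2_setinfo_send(), so a future caller of smbd_do_query_security_desc() or set_sd_blob() that omits `& SMB_SUPPORTED_SECINFO_FLAGS` would pass client-controlled bits to the filesystem layer again. If no internal caller depends on the extra bits, filtering once at the top of each helper (for example `security_info_wanted &= SMB_SUPPORTED_SECINFO_FLAGS;`, using the helper's own parameter name) would make the filter hard to skip by omission. The definition of SMB_SUPPORTED_SECINFO_FLAGS is not part of this diff, so it should be checked against the eight flags the commit message lists from [MS-SMB2] 2.2.37. The enclosing function starts and ends outside the hunk.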
@@ -2129,8 +2130,8 @@ static void call_nt_transact_set_security_desc(connection_struct *conn,
                return;
        }
 
-       status = set_sd_blob(fsp, (uint8 *)data, data_count, security_info_sent);
-
+       status = set_sd_blob(fsp, (uint8 *)data, data_count,
+                            security_info_sent & SMB_SUPPORTED_SECINFO_FLAGS);
        if (!NT_STATUS_IS_OK(status)) {
                reply_nterror(req, status);
                return;
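Review bot: On the set path the unsupported bits are dropped without any trace, so a client that sent SECINFO_PROTECTED_DACL receives a success status although that part of its request was ignored; the same holds for the set_sd_blob() call in smbd_smb2_setinfo_send(). The specification text quoted in the commit message covers the query case, so the set case follows it by analogy. A debug line before the call would make such clients visible in the logs, for example `DEBUG(10, ("ignoring secinfo bits 0x%x\n", (unsigned)(security_info_sent & ~SMB_SUPPORTED_SECINFO_FLAGS)));` emitted only when that value is non-zero. What set_sd_blob() does when the masked value is 0 is not visible in this hunk and is worth confirming.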
index b9edf127e0900469343c1842f8ae9c0b1bfd092b..b71fd895374d875627d5facdf8cefbcf2cc04141 100644 (file)
@@ -3280,6 +3280,10 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
                num_profile_acls = 3;
        }
 
+       /*
+        * TODO: is this logic with SECINFO_PROTECTED_DACL, correct?
+        * See bug #10773.
+        */
        if ((security_info & SECINFO_DACL) && !(security_info & SECINFO_PROTECTED_DACL)) {
 
                /*
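Review bot: The added TODO does not say what is in doubt, so the next reader has to open bug #10773 to learn that a request carrying both SECINFO_DACL and SECINFO_PROTECTED_DACL skips DACL creation and gets a NULL DACL back. I would put that consequence in the comment, e.g. `* With SECINFO_PROTECTED_DACL set no DACL is built and a NULL dacl is returned.`, and note that the nttrans and SMB2 entry points patched in this commit now mask the flag, so it can only arrive here from other callers. Depending on whether the returned descriptor still marks a DACL as present, a consumer may read a NULL DACL as unrestricted access, so any caller that can still pass the flag deserves a check. The body of the `if` continues outside the hunk.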
index 3139a32a8af43e7be6cfde5ce9a35650ee046aed..7f44868bade163e302910134d3f326a0df8ae949 100644 (file)
@@ -479,7 +479,8 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx,
                                state,
                                fsp,
                                /* Security info wanted. */
-                               in_additional_information,
+                               in_additional_information &
+                               SMB_SUPPORTED_SECINFO_FLAGS,
                                in_output_buffer_length,
                                &p_marshalled_sd,
                                &sd_size);
index 3722697f4dfc703ced3eeccea173de86da59f531..d95bd3d9b819665a0b42868b5029d470dfb581dc 100644 (file)
@@ -312,7 +312,8 @@ static struct tevent_req *smbd_smb2_setinfo_send(TALLOC_CTX *mem_ctx,
                status = set_sd_blob(fsp,
                                in_input_buffer.data,
                                in_input_buffer.length,
-                               in_additional_information);
+                               in_additional_information &
+                               SMB_SUPPORTED_SECINFO_FLAGS);
                if (!NT_STATUS_IS_OK(status)) {
                        tevent_req_nterror(req, status);
                        return tevent_req_post(req, ev);