| blob | a86f62572acc62f90f9492356efdb2b48ddb03fe |
1 /*
2 * Widelinks VFS module. Causes smbd not to see symlinks.
3 *
4 * Copyright (C) Jeremy Allison, 2020
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
20 /*
21 What does this module do ? It implements the explicitly insecure
22 "widelinks = yes" functionality that used to be in the core smbd
23 code.
25 Now this is implemented here, the insecure share-escape code that
26 explicitly allows escape from an exported share path can be removed
27 from smbd, leaving it a cleaner and more maintainable code base.
29 The smbd code can now always return ACCESS_DENIED if a path
30 leads outside a share.
32 How does it do that ? There are 2 features.
34 1). When the upper layer code does a chdir() call to a pathname,
35 this module stores the requested pathname inside config->cwd.
37 When the upper layer code does a getwd() or realpath(), we return
38 the absolute path of the value stored in config->cwd, *not* the
39 position on the underlying filesystem.
41 This hides symlinks as if the chdir pathname contains a symlink,
42 normally doing a realpath call on it would return the real
43 position on the filesystem. For widelinks = yes, this isn't what
44 you want. You want the position you think is underneath the share
45 definition - the symlink path you used to go outside the share,
46 not the contents of the symlink itself.
48 That way, the upper layer smbd code can strictly enforce paths
49 being underneath a share definition without the knowledge that
50 "widelinks = yes" has moved us outside the share definition.
52 1a). Note that when setting up a share, smbd may make calls such
53 as realpath and stat/lstat in order to set up the share definition.
54 These calls are made *before* smbd calls chdir() to move the working
55 directory below the exported share definition. In order to allow
56 this, all the vfs_widelinks functions are coded to just pass through
57 the vfs call to the next module in the chain if (a). The widelinks
58 module was loaded in error by an administrator and widelinks is
59 set to "no". This is the:
61 if (!config->active) {
62 Module not active.
63 SMB_VFS_NEXT_XXXXX(...)
64 }
66 idiom in the vfs functions.
68 1b). If the module was correctly active, but smbd has yet
69 to call chdir(), then config->cwd == NULL. In that case
70 the correct action (to match the previous widelinks behavior
71 in the code inside smbd) is to pass through the vfs call to
72 the next module in the chain. That way, any symlinks in the
73 pathname are still exposed to smbd, which will restrict them to
74 be under the exported share definition. This allows the module
75 to "fail safe" for any vfs call made when setting up the share
76 structure definition, rather than fail unsafe by hiding symlinks
77 before chdir is called. This is the:
79 if (config->cwd == NULL) {
80 XXXXX syscall before chdir - see note 1b above.
81 return SMB_VFS_NEXT_XXXXX()
82 }
84 idiom in the vfs functions.
86 2). The module hides the existance of symlinks by inside
87 lstat(), open(), and readdir() so long as it's not a POSIX
88 pathname request (those requests *must* be aware of symlinks
89 and the POSIX client has to follow them, it's expected that
90 a server will always fail to follow symlinks).
92 It does this by:
94 2a). lstat -> stat
95 2b). open removes any O_NOFOLLOW from flags.
96 2c). The optimization in readdir that returns a stat
97 struct is removed as this could return a symlink mode
98 bit, causing smbd to always call stat/lstat itself on
99 a pathname (which we'll then use to hide symlinks).
101 */
111 };
116 {
121 service,
122 user);
125 }
132 }
137 }
141 config,
146 }
150 {
156 config,
161 /* Module not active. */
163 }
165 /*
166 * We know we never get a path containing
167 * DOT or DOTDOT.
168 */
171 /* Absolute path - replace. */
176 /*
177 * Relative chdir before absolute one -
178 * see note 1b above.
179 */
182 config);
185 }
186 /* Paranoia.. */
193 }
199 }
200 }
205 }
208 }
213 }
214 /* Replace the cache we use for realpath/getwd. */
219 }
223 {
227 config,
232 /* Module not active. */
234 }
236 /* getwd before chdir. See note 1b above. */
238 }
241 NULL,
242 NULL,
245 }
250 {
257 config,
262 /* Module not active. */
264 ctx,
265 smb_fname_in);
266 }
269 /* realpath before chdir. See note 1b above. */
271 ctx,
272 smb_fname_in);
273 }
276 /* Absolute path - process as-is. */
280 /* Relative path - most commonly "." */
285 }
293 }
297 pathname,
298 resolved_pathname);
301 resolved_pathname,
302 NULL,
303 NULL,
309 }
313 {
317 config,
322 /* Module not active. */
324 smb_fname);
325 }
328 /* lstat before chdir. See note 1b above. */
330 smb_fname);
331 }
334 /* POSIX sees symlinks. */
336 smb_fname);
337 }
339 /* Replace with STAT. */
341 }
348 {
353 config,
360 {
361 /*
362 * Module active, openat after chdir (see note 1b above) and not
363 * a POSIX open (POSIX sees symlinks), so remove O_NOFOLLOW.
364 */
366 }
369 dirfsp,
370 smb_fname,
371 fsp,
373 }
379 {
384 config,
389 dirfsp,
390 dirp,
391 sbuf);
394 /* Module not active. */
396 }
398 /*
399 * Prevent optimization of returning
400 * the stat info. Force caller to go
401 * through our LSTAT that hides symlinks.
402 */
406 }
408 }
415 /*
416 * NB. We don't need an lchown function as this
417 * is only called (a) on directory create and
418 * (b) on POSIX extensions names.
419 */
424 };
426 static_decl_vfs;
428 {
432 }