diff options
| author | Jeremy Allison <jra@samba.org> | 2015-06-17 10:23:30 -0700 |
|---|---|---|
| committer | Jeremy Allison <jra@samba.org> | 2015-06-25 22:14:58 +0200 |
| commit | e2c4b8967d33b610f9f076c614352e4b8fc7c558 (patch) | |
| tree | f7d3c3231f7901f95ad572f29e09fe71dd8e52b5 /source3 | |
| parent | c0364fa07599f0b20dec53958f498308067c368b (diff) | |
| download | samba-e2c4b8967d33b610f9f076c614352e4b8fc7c558.tar.gz | |
s3: smbd: Use separate flag to track become_root()/unbecome_root() state.
Early function exit can mean backup_priv is set but we haven't called
become_root(). *Lots* of work by the reviewers went in to checking this
isn't a security issue.
Found by Codenomicon at the Redmond plugfest.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11339
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 25 22:14:58 CEST 2015 on sn-devel-104
Diffstat (limited to 'source3')
| -rw-r--r-- | source3/smbd/trans2.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index e518c7b48ef..88c69a9b757 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -2474,6 +2474,7 @@ static void call_trans2findfirst(connection_struct *conn, struct smbd_server_connection *sconn = req->sconn; uint32_t ucf_flags = (UCF_SAVE_LCOMP | UCF_ALWAYS_ALLOW_WCARD_LCOMP); bool backup_priv = false; + bool as_root = false; if (total_params < 13) { reply_nterror(req, NT_STATUS_INVALID_PARAMETER); @@ -2539,6 +2540,7 @@ close_if_end = %d requires_resume_key = %d backup_priv = %d level = 0x%x, max_da if (backup_priv) { become_root(); + as_root = true; ntstatus = filename_convert_with_privilege(ctx, conn, req, @@ -2809,7 +2811,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd } out: - if (backup_priv) { + if (as_root) { unbecome_root(); } @@ -2863,6 +2865,7 @@ static void call_trans2findnext(connection_struct *conn, struct dptr_struct *dirptr; struct smbd_server_connection *sconn = req->sconn; bool backup_priv = false; + bool as_root = false; if (total_params < 13) { reply_nterror(req, NT_STATUS_INVALID_PARAMETER); @@ -3036,6 +3039,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd if (backup_priv) { become_root(); + as_root = true; } /* @@ -3137,7 +3141,7 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd dptr_close(sconn, &dptr_num); /* This frees up the saved mask */ } - if (backup_priv) { + if (as_root) { unbecome_root(); } |