authorGordon Ross <gwr@nexenta.com>2017-01-21 18:02:35 -0500
committerGordon Ross <gwr@nexenta.com>2019-08-10 10:05:21 -0400
commitcc3780e66ce1eea52e650b27b7dc5ad62d24eec2 (patch)
tree5721eddec5921b9b7058cd8ceeb9c766fa4a263e /usr/src/lib/smbsrv
parent3e2c0c0978d26f8b8020b49760008c6bb6e59221 (diff)
11024 SMB should bypass ACL traverse checking
Reviewed by: Evan Layton <evan.layton@nexenta.com> Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com> Approved by: Garrett D'Amore <garrett@damore.org>
Diffstat (limited to 'usr/src/lib/smbsrv')
-rw-r--r--usr/src/lib/smbsrv/libmlsvc/common/smb_logon.c10
-rw-r--r--usr/src/lib/smbsrv/libsmb/common/libsmb.h1
-rw-r--r--usr/src/lib/smbsrv/libsmb/common/smb_cfg.c2
3 files changed, 13 insertions, 0 deletions
diff --git a/usr/src/lib/smbsrv/libmlsvc/common/smb_logon.c b/usr/src/lib/smbsrv/libmlsvc/common/smb_logon.c
index 3902e58a46..ea9aca4733 100644
--- a/usr/src/lib/smbsrv/libmlsvc/common/smb_logon.c
+++ b/usr/src/lib/smbsrv/libmlsvc/common/smb_logon.c
@@ -328,6 +328,16 @@ smb_token_create_privs(smb_token_t *token)
smb_privset_enable(privs, SE_SECURITY_LUID);
}
+ /*
+ * Members of "Authenticated Users" (!anon) should normally get
+ * "Bypass traverse checking" privilege, though we allow this
+ * to be disabled (see smb.4). For historical reasons, the
+ * internal privilege name is "SeChangeNotifyPrivilege".
+ */
+ if ((token->tkn_flags & SMB_ATF_ANON) == 0 &&
+ smb_config_getbool(SMB_CI_BYPASS_TRAVERSE_CHECKING))
+ smb_privset_enable(privs, SE_CHANGE_NOTIFY_LUID);
+
return (privs);
}
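Review bot: The test `(token->tkn_flags & SMB_ATF_ANON) == 0` grants SE_CHANGE_NOTIFY_LUID to every token that is not anonymous, which is wider than the "Authenticated Users" named in the comment if guest-mapped logons are not flagged SMB_ATF_ANON; the hunk does not show how guest tokens are flagged, so this needs confirming. Since the privilege lets a session skip traverse ACL checks on intermediate directories, the comment should say exactly which tokens receive it, e.g. `* Granted to every non-anonymous token (guest logons included unless flagged anon).` The outcome also depends on what `smb_config_getbool()` returns when the property is absent; if that is false, a host whose service configuration lacks `bypass_traverse_checking` quietly gets the stricter behaviour, and the comment should state the intended default. smb_token_create_privs begins above the hunk, so the earlier privilege grants are not visible here.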
diff --git a/usr/src/lib/smbsrv/libsmb/common/libsmb.h b/usr/src/lib/smbsrv/libsmb/common/libsmb.h
index 56cab5ca8a..8d6eb04683 100644
--- a/usr/src/lib/smbsrv/libsmb/common/libsmb.h
+++ b/usr/src/lib/smbsrv/libsmb/common/libsmb.h
@@ -159,6 +159,7 @@ typedef enum {
SMB_CI_MAX_PROTOCOL,
SMB_CI_ENCRYPT,
SMB_CI_MIN_PROTOCOL,
+ SMB_CI_BYPASS_TRAVERSE_CHECKING,
SMB_CI_MAX
} smb_cfg_id_t;
diff --git a/usr/src/lib/smbsrv/libsmb/common/smb_cfg.c b/usr/src/lib/smbsrv/libsmb/common/smb_cfg.c
index cfecd0e944..45b0e79c44 100644
--- a/usr/src/lib/smbsrv/libsmb/common/smb_cfg.c
+++ b/usr/src/lib/smbsrv/libsmb/common/smb_cfg.c
@@ -148,6 +148,8 @@ static smb_cfg_param_t smb_cfg_table[] =
{SMB_CI_MAX_PROTOCOL, "max_protocol", SCF_TYPE_ASTRING, 0},
{SMB_CI_ENCRYPT, "encrypt", SCF_TYPE_ASTRING, 0},
{SMB_CI_MIN_PROTOCOL, "min_protocol", SCF_TYPE_ASTRING, 0},
+ {SMB_CI_BYPASS_TRAVERSE_CHECKING,
+ "bypass_traverse_checking", SCF_TYPE_BOOLEAN, 0},
/* SMB_CI_MAX */
};