FreeBSD samba server returns nt_status_access_denied when DosStream xattr larger than 64KB

Samba - General mailing list
I wrote a powershell script on a windows computer to write an ADS on a file
on a FreeBSD server with streams_xattr enabled. If it's smaller than 64KB,
it succeeds. If it's larger than 64KB, I get an "access denied message" and
powershell crashes. FreeBSD actually allows creation of large extended
attributes (at least on ZFS volumes). I've personally added ones of up to
3MB in size, but have never actually tested the limits.

For the fun of it I decided to run the following command from the CLI in
FreeBSD "cat <large file> | setextattr -i user
'DosStream.User.SecretStream:$DATA' test.txt" This had the effect of
creating something that samba should recognize as an ADS that is
arbitrarily large.

If I run the following powershell command from a Windows client "Get-Item
-Path .\test.txt -stream *", I do not see the ADS listed unless it is
smaller than 64KB. When it is larger than it, and I have logging ratcheted
up I get logs like below. Out of curiosity, does Samba not support large
ADS? Do you have any pointers on how to maybe coax Samba into letting me
abuse xattrs better?

[2017/08/02 10:55:51.475689, 10, pid=43437, effective(21112, 20513), real(0, 0), class=vfs] ../source3/modules/vfs_streams_xattr.c:753(walk_xattr_streams)
  Could not get ea user.DosStream.User.SecretStream:$DATA for file test2.txt: NT_STATUS_ACCESS_DENIED
[2017/08/02 10:55:51.475753, 10, pid=43437, effective(21112, 20513), real(0, 0)] ../source3/smbd/trans2.c:4685(marshall_stream_info)
  refusing to overflow reply at stream 0
[2017/08/02 10:55:51.475771, 10, pid=43437, effective(21112, 20513), real(0, 0)] ../source3/smbd/trans2.c:5358(smbd_do_qfilepathinfo)
  marshall_stream_info failed: STATUS_BUFFER_OVERFLOW
[2017/08/02 10:55:51.475789,  3, pid=43437, effective(21112, 20513), real(0, 0)] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[STATUS_BUFFER_OVERFLOW] || at ../source3/smbd/smb2_getinfo.c:154
[2017/08/02 10:55:51.475807, 10, pid=43437, effective(21112, 20513), real(0, 0)] ../source3/smbd/smb2_server.c:2988(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[5] status[STATUS_BUFFER_OVERFLOW] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:3145
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: FreeBSD samba server returns nt_status_access_denied when DosStream xattr larger than 64KB

Samba - General mailing list
On Wed, Aug 02, 2017 at 11:21:56AM -0500, Andrew Walker via samba wrote:
> I wrote a powershell script on a windows computer to write an ADS on a file
> on a FreeBSD server with streams_xattr enabled. If it's smaller than 64KB,
> it succeeds. If it's larger than 64KB, I get an "access denied message" and
> powershell crashes. FreeBSD actually allows creation of large extended
> attributes (at least on ZFS volumes). I've personally added ones of up to
> 3MB in size, but have never actually tested the limits.

oh, really? Does it these days support the POSIX file IO API on xattrs like
Solaris does? It didn't the last time I checked.

> For the fun of it I decided to run the following command from the CLI in
> FreeBSD "cat <large file> | setextattr -i user
> 'DosStream.User.SecretStream:$DATA' test.txt" This had the effect of
> creating something that samba should recognize as an ADS that is
> arbitrarily large.
>
> If I run the following powershell command from a Windows client "Get-Item
> -Path .\test.txt -stream *", I do not see the ADS listed unless it is
> smaller than 64KB. When it is larger than it, and I have logging ratcheted
> up I get logs like below. Out of curiosity, does Samba not support large
> ADS? Do you have any pointers on how to maybe coax Samba into letting me
> abuse xattrs better?

Yeah, iirc a built in buffer-size limit. We don't expect xattrs to be much
larger, as no fs on Linux supports xattrs larger than iirc 64 KB.

If you feel like it, you could write a VFS module that adds better support for
this on FreeBSD, but what is the use case?

-slow

Re: FreeBSD samba server returns nt_status_access_denied when DosStream xattr larger than 64KB

Samba - General mailing list
>
> If you feel like it, you could write a VFS module that adds better support
> for
> this on FreeBSD, but what is the use case?
>

I've noticed in online forums that occasionally home NAS users will for
various reasons have streams_xattr enabled and receive 'access denied'
errors when trying to write files with large alternate datastreams. These
are typically on media files (most commonly I've seen them on .avi files),
but I haven't looked closely at them. I'd say the large ADS is either
metadata or malware :-)

The issue doesn't come up frequently because most people don't enable
streams_xattr (though this may change as more home users or NAS vendors
start enabling vfs_fruit + streams_xattr).

I was just curious about whether the behavior is configurable, and now the
curiosity is satisfied. :-)

Re: FreeBSD samba server returns nt_status_access_denied when DosStream xattr larger than 64KB

Samba - General mailing list
It's also interesting to note that ReFS in windows has a 128KB limit on the
size of alternate data streams.

When you try to write an overly large stream, the ReFS-backed server
replies with "NT_STATUS_FILE_SYSTEM_LIMITATION" (0xc0000427) rather than
"access denied". The windows client handles this more gracefully than a
simple access denied message. It allows users to skip the file / doesn't
pop up a password prompt.

On Mon, Aug 7, 2017 at 6:15 AM, Andrew Walker <[hidden email]> wrote:

> If you feel like it, you could write a VFS module that adds better support
>> for
>> this on FreeBSD, but what is the use case?
>>
>
> I've noticed in online forums that occasionally home NAS users will for
> various reasons have streams_xattr enabled and receive 'access denied'
> errors when trying to write files with large alternate datastreams. These
> are typically on media files (most commonly I've seen them on .avi files),
> but I haven't looked closely at them. I'd say the large ADS is either
> metadata or malware :-)
>
> The issue doesn't come up frequently because most people don't enable
> streams_xattr (though this may change as more home users or NAS vendors
> start enabling vfs_fruit + streams_xattr).
>
> I was just curious about whether the behavior is configurable, and now the
> curiosity is satisfied. :-)
>

Re: FreeBSD samba server returns nt_status_access_denied when DosStream xattr larger than 64KB

Samba - General mailing list
On Mon, Aug 07, 2017 at 08:26:22PM -0500, Andrew Walker via samba wrote:
> It's also interesting to note that ReFS in windows has a 128KB limit on the
> size of alternate data streams.
>
> When you try to write an overly large stream, the ReFS-backed server
> replies with "NT_STATUS_FILE_SYSTEM_LIMITATION" (0xc0000427) rather than
> "access denied". The windows client handles this more gracefully than a
> simple access denied message. It allows users to skip the file / doesn't
> pop up a password prompt.

oh, that's interesting. Can you please file a bugreport and assign it to me so
we can keep track of this? Thanks!

Cheerio!
-slow

Re: FreeBSD samba server returns nt_status_access_denied when DosStream xattr larger than 64KB

Samba - General mailing list
On Mon, Aug 7, 2017 at 1:15 PM, Andrew Walker via samba <[hidden email]> wrote:

> >
> > If you feel like it, you could write a VFS module that adds better
> support
> > for
> > this on FreeBSD, but what is the use case?
> >
>
> I was just curious about whether the behavior is configurable, and now the
> curiosity is satisfied. :-)
>

It's not configurable at the moment and there is a hard limit of 64K set in
the get_ea_value() function:

NTSTATUS get_ea_value(TALLOC_CTX *mem_ctx, connection_struct *conn,
                      files_struct *fsp, const char *fname,
                      const char *ea_name, struct ea_struct *pea)
{
        /* Get the value of this xattr. Max size is 64k. */
        size_t attr_size = 256;
        char *val = NULL;
        ssize_t sizeret;

 again:

        val = talloc_realloc(mem_ctx, val, char, attr_size);
        if (!val) {
                return NT_STATUS_NO_MEMORY;
        }

        if (fsp && fsp->fh->fd != -1) {
                sizeret = SMB_VFS_FGETXATTR(fsp, ea_name, val, attr_size);
        } else {
                sizeret = SMB_VFS_GETXATTR(conn, fname, ea_name, val, attr_size);
        }

        /* One retry at 64K; a second ERANGE falls through to the error path. */
        if (sizeret == -1 && errno == ERANGE && attr_size != 65536) {
                attr_size = 65536;
                goto again;
        }

        if (sizeret == -1) {
                return map_nt_error_from_unix(errno);
        }
        /* ... remainder of the function not quoted in the post ... */

So, the size of the returned buffer could be either 256 bytes or 64K :) Nice
selection! I'm not certain, why this choice was made, possibly for the
speed, as at least native implementation of the SMB_VFS_GETXATTR() supports
semantics where if NULL/0 passed as attribute value and size a required
buffer size is returned, which then can be used to allocate memory for it.

Another nastiness of the SET/GET/LIST/RMXATTR API is that you have to
allocate full size buffer in memory to place the XATTR on disk, so if it's
a large chunk of data you can easily run out of memory...

With best regards,
Timur Bakeyev
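As an added example (not code from Samba and not from anyone in this thread), here is a self-contained C model of the two readers discussed above: the fixed 256-byte-then-64K retry that Timur quotes from get_ea_value(), which is what turns a stream larger than 64KB into the NT_STATUS_ACCESS_DENIED seen in the first post's log, and the probe-first approach he describes, where the backend is asked for the attribute size with a NULL/0 call before the buffer is allocated. The in-memory xattr, the function names, the 128 KiB policy limit and the errno-to-NTSTATUS mapping are assumptions of the example; the stream name and the 0xC0000427 value are the ones quoted in this thread.

```c
/* Added example, not Samba code and not from anyone in this thread. It models the
 * two reader strategies discussed above against an in-memory stand-in for
 * getxattr(2)/extattr_get_file(2): the 256-byte-then-64 KiB retry of get_ea_value(),
 * and a probe-first reader that sizes the buffer before allocating. Function names
 * and limits are the example's own; the stream name and 0xC0000427 come from the thread. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#ifndef ENOATTR
#define ENOATTR ENODATA              /* Linux spells FreeBSD's ENOATTR as ENODATA */
#endif
typedef uint32_t NTSTATUS;
#define NT_STATUS_OK                     0x00000000u
#define NT_STATUS_NO_MEMORY              0xC0000017u
#define NT_STATUS_ACCESS_DENIED          0xC0000022u
#define NT_STATUS_OBJECT_NAME_NOT_FOUND  0xC0000034u
#define NT_STATUS_FILE_SYSTEM_LIMITATION 0xC0000427u /* what ReFS returns, per the thread */
#define SAMBA_EA_MAX 65536u                          /* the hard cap in get_ea_value() */
#define STREAM_NAME  "user.DosStream.User.SecretStream:$DATA"

/* One in-memory extended attribute standing in for the on-disk xattr. */
struct fake_xattr { const char *name; const uint8_t *data; size_t len; };

/* getxattr(2)-style semantics: size 0 is a size probe, a too-small buffer
 * fails with ERANGE, otherwise the value is copied and its length returned. */
static ssize_t fake_getxattr(const struct fake_xattr *xa, const char *name,
                             void *buf, size_t size)
{
    if (strcmp(xa->name, name) != 0) { errno = ENOATTR; return -1; }
    if (size == 0) return (ssize_t)xa->len;
    if (size < xa->len) { errno = ERANGE; return -1; }
    memcpy(buf, xa->data, xa->len);
    return (ssize_t)xa->len;
}

/* errno -> NTSTATUS for this example only; the log in the first post shows
 * the ERANGE case surfacing as NT_STATUS_ACCESS_DENIED, which is kept here. */
static NTSTATUS map_errno(int err)
{
    return err == ENOATTR ? NT_STATUS_OBJECT_NAME_NOT_FOUND : NT_STATUS_ACCESS_DENIED;
}

/* Samba-style reader: 256 bytes, one retry at 64 KiB, then give up. */
static NTSTATUS read_ea_samba_style(const struct fake_xattr *xa, uint8_t **out, size_t *out_len)
{
    size_t attr_size = 256;
    uint8_t *val = NULL;
    for (;;) {
        uint8_t *tmp = realloc(val, attr_size);
        if (!tmp) { free(val); return NT_STATUS_NO_MEMORY; }
        val = tmp;
        ssize_t got = fake_getxattr(xa, STREAM_NAME, val, attr_size);
        if (got == -1 && errno == ERANGE && attr_size != SAMBA_EA_MAX) {
            attr_size = SAMBA_EA_MAX;           /* the single retry get_ea_value() allows */
            continue;
        }
        if (got == -1) { int err = errno; free(val); return map_errno(err); }
        *out = val; *out_len = (size_t)got;
        return NT_STATUS_OK;
    }
}

/* Probe-first reader: ask for the size, enforce an explicit policy limit with a
 * distinct status, allocate once. The bounded retry covers the race where the
 * attribute grows between the probe and the read. */
static NTSTATUS read_ea_probe_first(const struct fake_xattr *xa, size_t max_len,
                                    uint8_t **out, size_t *out_len)
{
    for (int attempt = 0; attempt < 3; attempt++) {
        ssize_t need = fake_getxattr(xa, STREAM_NAME, NULL, 0);
        if (need == -1) return map_errno(errno);
        if ((size_t)need > max_len) return NT_STATUS_FILE_SYSTEM_LIMITATION;
        uint8_t *val = malloc((size_t)need + 1);  /* +1 so the read is never a probe */
        if (!val) return NT_STATUS_NO_MEMORY;
        ssize_t got = fake_getxattr(xa, STREAM_NAME, val, (size_t)need + 1);
        if (got == -1 && errno == ERANGE) { free(val); continue; }  /* grew under us */
        if (got == -1) { int err = errno; free(val); return map_errno(err); }
        if ((size_t)got > max_len) { free(val); return NT_STATUS_FILE_SYSTEM_LIMITATION; }
        *out = val; *out_len = (size_t)got;
        return NT_STATUS_OK;
    }
    return NT_STATUS_ACCESS_DENIED;  /* kept changing size; give up */
}

/* Constructed input: a stream of n filler bytes, read with the chosen strategy. */
static NTSTATUS status_for_size(size_t n, int probe_first, size_t max_len)
{
    uint8_t *storage = malloc(n + 1);
    if (!storage) return NT_STATUS_NO_MEMORY;
    memset(storage, 'A', n);
    struct fake_xattr xa = { STREAM_NAME, storage, n };
    uint8_t *val = NULL; size_t len = 0;
    NTSTATUS st = probe_first ? read_ea_probe_first(&xa, max_len, &val, &len)
                              : read_ea_samba_style(&xa, &val, &len);
    if (st == NT_STATUS_OK && (len != n || memcmp(val, storage, n) != 0))
        st = NT_STATUS_ACCESS_DENIED;       /* payload must round-trip intact */
    free(val); free(storage);
    return st;
}
```

Calling status_for_size(65537, 0, 0) reproduces the thread: the second ERANGE is treated as a plain failure and the Samba-style reader returns NT_STATUS_ACCESS_DENIED, while status_for_size(65537, 1, 131072) reads the stream intact and only a 3 MiB stream is refused, with NT_STATUS_FILE_SYSTEM_LIMITATION, once it exceeds the configured 128 KiB limit. The size probe does not answer Timur's second point: the whole value still has to fit in memory, so the limit is a policy decision the server must make explicitly, not something the probe makes unnecessary.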

Re: FreeBSD samba server returns nt_status_access_denied when DosStream xattr larger than 64KB

Samba - General mailing list
On Mon, Aug 07, 2017 at 06:15:09AM -0500, Andrew Walker via samba wrote:

> >
> > If you feel like it, you could write a VFS module that adds better support
> > for
> > this on FreeBSD, but what is the use case?
> >
>
> I've noticed in online forums that occasionally home NAS users will for
> various reasons have streams_xattr enabled and receive 'access denied'
> errors when trying to write files with large alternate datastreams. These
> are typically on media files (most commonly I've seen them on .avi files),
> but I haven't looked closely at them. I'd say the large ADS is either
> metadata or malware :-)

Almost certainly malware. The primary use case for streams is
malware or CIA-exfiltration of your company data (I'm not joking,
the Wikileaks documents have the details).


Re: FreeBSD samba server returns nt_status_access_denied when DosStream xattr larger than 64KB

Samba - General mailing list
On Wed, Aug 9, 2017 at 7:37 AM, Ralph Böhme <[hidden email]> wrote:

> On Mon, Aug 07, 2017 at 08:26:22PM -0500, Andrew Walker via samba wrote:
> > It's also interesting to note that ReFS in windows has a 128KB limit on
> the
> > size of alternate data streams.
> >
> > When you try to write an overly large stream, the ReFS-backed server
> > replies with "NT_STATUS_FILE_SYSTEM_LIMITATION" (0xc0000427) rather than
> > "access denied". The windows client handles this more gracefully than a
> > simple access denied message. It allows users to skip the file / doesn't
> > pop up a password prompt.
>
> oh, that's interesting. Can you please file a bugreport and assign it to
> me so
> we can keep track of this? Thanks!
>
> Cheerio!
> -slow
>

Sorry for the late reply. I submitted a request for permission to submit a
bug report about this. It was rather meta.

Would you like me to use wireshark to get packet captures of Windows and
Mac clients trying to write large streams to a ReFS-backed Windows share? I
might not be able to set up a test environment to do this for a couple of
weeks.

Andrew