Windows SMB: avoid default read share access

By default, when a Windows SMB share is created, 'Everyone' will have read access. This is a problem, since we call 'Set-SMBPathAcl', which will apply the share ACE at the filesystem as well. This means that anyone that can log in to the share server will have read access to the share. We'll avoid this by granting read access to the 'NULL SID' when creating the share, avoiding the default access to 'Everyone'. Closes-Bug: #1612746 Change-Id: I913a887f24db7f1354008aacebcd0f477887aeef
2016-08-12 16:59:44 +03:00 · 2016-08-12 16:59:44 +03:00 · b831976977
parent 8907c93740
commit b831976977
3 changed files with 14 additions and 2 deletions
--- a/manila/share/drivers/windows/windows_smb_helper.py
+++ b/manila/share/drivers/windows/windows_smb_helper.py
@ -35,6 +35,8 @@ class WindowsSMBHelper(helpers.NASHelperBase):
        constants.ACCESS_LEVEL_RW: 'M',
        constants.ACCESS_LEVEL_RO: 'R'}

+    _NULL_SID = "S-1-0-0"
+
    def __init__(self, remote_execute, configuration):
        self._remote_exec = remote_execute
        self.configuration = configuration
@ -51,7 +53,11 @@ class WindowsSMBHelper(helpers.NASHelperBase):
            share_path = self._windows_utils.normalize_path(
                os.path.join(self.configuration.share_mount_path,
                             share_name))
-            cmd = ['New-SmbShare', '-Name', share_name, '-Path', share_path]
+            # If no access rules are requested, 'Everyone' will have read
+            # access, by default. We set read access for the 'NULL SID' in
+            # order to avoid this.
+            cmd = ['New-SmbShare', '-Name', share_name, '-Path', share_path,
+                   '-ReadAccess', "*%s" % self._NULL_SID]
            self._remote_exec(server, cmd)
        else:
            LOG.info(_LI("Skipping creating export %s as it already exists."),
--- a/manila/tests/share/drivers/windows/test_windows_smb_helper.py
+++ b/manila/tests/share/drivers/windows/test_windows_smb_helper.py
@ -67,7 +67,8 @@ class WindowsSMBHelperTestCase(test.TestCase):
        if not share_exists:
            cmd = ['New-SmbShare', '-Name', self._FAKE_SHARE_NAME, '-Path',
                   self._win_smb_helper._windows_utils.normalize_path(
-                       self._FAKE_SHARE_LOCATION)]
+                       self._FAKE_SHARE_LOCATION),
+                   '-ReadAccess', "*%s" % self._win_smb_helper._NULL_SID]
            self._remote_exec.assert_called_once_with(self._FAKE_SERVER, cmd)
        else:
            self.assertFalse(self._remote_exec.called)
--- a/releasenotes/notes/windows-smb-fix-default-access-d4b9eee899e400a0.yaml
+++ b/releasenotes/notes/windows-smb-fix-default-access-d4b9eee899e400a0.yaml
@ -0,0 +1,5 @@
+---
+security:
+  - Ensure we don't grant read access to 'Everyone'
+    by default when creating CIFS shares and the
+    Windows SMB backend is used.