[Samba] Security leak in map_nt_perms?

Jeremy Allison jra at samba.org
Thu Aug 14 23:02:49 GMT 2008


On Fri, Aug 15, 2008 at 12:41:39AM +0200, Abramo Bagnara wrote:

> This is a perfect approach (at least from the samba client point of
> view), but does not solve the problem that a file written by a samba
> client with FILE_READ_DATA unset and FILE_READ_ATTRIBUTES set is
> readable on the server machine (locally, via nfs, via ftp or whatever).
> 
> This is IMHO a big problem.

It hasn't been seen as such so far.

> Yes, it's a lossy mapping, but what's the reason (or the benefits) to
> "round up" it (as samba does now) instead of playing safe and "rounding
> down" it (i.e. the permission set is a subset of, or the same as, what is
> requested)?
> 
> I certainly see the security problems of current approach, but perhaps
> I'm missing other problems that one of the two safer approaches
> described above would put in the game.
> 
> What's your opinion about that?

The problem is that a permission set of "---" is currently
returned in Samba as a "DENY" ACL. Your plan of mapping
an ACE of FILE_READ_ATTRIBUTES to "---" then conflicts with
a requested DENY ACE.

Jeremy.
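
The trade-off discussed in this thread, as an added example that is not Samba's code and not written by either poster: it maps an NT access mask to POSIX rwx bits with a "round up" and a "round down" policy and shows why the rounded-down "---" collides with a DENY entry. The grouping of NT bits under each POSIX bit and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* NT file access-mask bits (standard Windows values). */
#define FILE_READ_DATA        0x0001u
#define FILE_WRITE_DATA       0x0002u
#define FILE_APPEND_DATA      0x0004u
#define FILE_READ_EA          0x0008u
#define FILE_WRITE_EA         0x0010u
#define FILE_EXECUTE          0x0020u
#define FILE_READ_ATTRIBUTES  0x0080u
#define FILE_WRITE_ATTRIBUTES 0x0100u

/* ASSUMPTION: illustrative grouping of NT bits per POSIX bit, not Samba's table. */
#define R_GROUP (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES)
#define W_GROUP (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES)
#define X_GROUP (FILE_EXECUTE)

enum { P_R = 4, P_W = 2, P_X = 1 };   /* POSIX rwx bits */

/* "Round up": any NT bit in a group turns the whole POSIX bit on. */
unsigned map_round_up(uint32_t nt)
{
    return ((nt & R_GROUP) ? P_R : 0) | ((nt & W_GROUP) ? P_W : 0) |
           ((nt & X_GROUP) ? P_X : 0);
}

/* "Round down": a POSIX bit is set only if every NT bit it implies was requested. */
unsigned map_round_down(uint32_t nt)
{
    return (((nt & R_GROUP) == R_GROUP) ? P_R : 0) |
           (((nt & W_GROUP) == W_GROUP) ? P_W : 0) |
           (((nt & X_GROUP) == X_GROUP) ? P_X : 0);
}

/* Per the reply above: "---" is reported back to clients as a DENY entry. */
int reads_back_as_deny(unsigned posix) { return posix == 0; }

int main(void)
{
    uint32_t ace = FILE_READ_ATTRIBUTES;   /* constructed ALLOW ACE, FILE_READ_DATA unset */
    unsigned up = map_round_up(ace), down = map_round_down(ace);

    printf("round up:   r=%d (file data readable on the server)\n", !!(up & P_R));
    printf("round down: r=%d, reads back as DENY=%d\n", !!(down & P_R), reads_back_as_deny(down));
    return 0;
}
```

With the constructed ACE, rounding up grants `r` although FILE_READ_DATA was never requested, while rounding down yields `---`, which a client reading the ACL back cannot tell apart from a requested DENY ACE.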

