2.0.7: inherit permissions = yes breaks setting read-only on files

Helge Blischke H.Blischke at srz-berlin.de
Thu Aug 24 16:40:16 GMT 2000


Michael Ju. Tokarev wrote:
> 
> [...]
> But note note note note.  All those tricks with chmod() have a tiny
> security hole.  This is a very small hole, as the chances to break it are
> very limited in time, but it _does_ exist.  Especially if high bits in
> the mode are involved.  If an intruder can substitute (using just a symlink)
> that newly created directory _before samba calls_ chmod with his file,
> he will be able to use samba's permissions.  Consider:
> 
>   User joe has a set-uid file that can't be executed by scott.
>   Scott has access to a shell and wants to execute that file.
>   Joe at this moment copies a bunch of files (with dirs) from his
>   machine using samba.  Scott knows that joe will create directory
>   "sd" in share /tmp.  So he (scott) can wait until this directory
>   is created, and at this moment (very small timeslice) he can
>   remove that directory and replace it with a symlink to that file.
>   So, when samba calls chmod, it will change the mode of joe's file,
>   not of his new directory.  High bits exist in the mode, so the file
>   _can_ be made set-uid, and can be executable by scott.
> 
> Again, chances are very small, but they exist.  Uhh.

Wouldn't it be a solution for smbd to create the directory with no
permissions (i.e. mode set to 0000), and set the complete mode bits by a
following chmod afterwards?
That should avoid the security hole mentioned above.

And BTW, I just tested mkdir(2) on a UnixWare 7.1 box - it ignores the
high bits of the mode parameter as well.

Helge



-- 
H.Blischke at srz-berlin.de
H.Blischke at srz-berlin.com
H.Blischke at acm.org
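
The mkdir-then-set-mode sequence discussed in this message, written so that the mode change acts on the directory that was opened rather than on whatever the name points to by then. This is an added example, not code from Samba or from either poster; it assumes a POSIX.1-2008 system (O_NOFOLLOW, O_DIRECTORY, fchmod), and the function names and scratch path are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Apply `mode` to the directory at `path` without following a symlink.
 * Returns 0 on success, -1 if `path` is not a real directory we own. */
int set_dir_mode_nofollow(const char *path, mode_t mode)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;              /* name is a symlink or not a directory */
    if (fstat(fd, &st) < 0 || !S_ISDIR(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    int rc = fchmod(fd, mode);  /* acts on the opened inode, not on the name */
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Create a directory, then give it its full mode, high bits included.
 * Assumption: 0700 is used as the initial mode (not 0000) because a
 * non-root process needs read permission to open the directory. */
int mkdir_with_mode(const char *path, mode_t mode)
{
    if (mkdir(path, 0700) < 0)
        return -1;
    return set_dir_mode_nofollow(path, mode);
}

int main(void)
{
    char base[] = "/tmp/sdXXXXXX";  /* constructed scratch location */
    char path[64];
    if (!mkdtemp(base))
        return 1;
    snprintf(path, sizeof path, "%s/sd", base);
    printf("mkdir_with_mode: %d\n", mkdir_with_mode(path, 01770));
    return 0;
}
```
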



