dos_mkdir(), was: 2.0.7: inherit permissions = yes breaks setting read-only on files

Robert Dahlem Robert.Dahlem at
Fri Aug 25 12:50:32 GMT 2000


On Thu, 24 Aug 2000 18:40:16 +0200, Helge Blischke wrote:

>>   User joe have a set-uid file that can't be executed by scott.
>>   Scott have access to shell and wants to execute that file.
>>   Joe at this moment copies a bunch of files (with dirs) from his
>>   machine using samba.  Scott knows that joe will create directory
>>   "sd" in share /tmp.  So he (scott) can wait until this directory
>>   will be created, and at this moment (very small timeslice) he can
>>   remove that directory and replace it with a symlink to that file.
>>   So, when samba calls chmod, it will change mode for a joe's file,
>>   not for his newly directory.  High-bits exists in mode, so file
>>   _can_ be made set-uid, and can be executable by scott.
>> Again, chances are very small, but exists.  Uhh.
>Wouldn't it be a solution for smbd do create the directory with no
>permissions (i.e. mode set to 0000), and set the complete mode bits 
>by a following chmod afterwards?
>That should avoid the security hole mentioned above.

No, it does not. Try:

    as user joe
    $ cd
    $ mkdir upper_dir
    $ chmod 777 upper_dir
    $ cd upper_dir
    $ mkdir lower_dir
    $ chmod 000 lower_dir
    now as user scott
    $ rmdir ~joe/upper_dir/lower_dir

No problem to delete the directory. Joe will have to

    $ chmod +t ~/upper_dir

to prevent it.


Robert.Dahlem at           Fax +49-69-432647

More information about the samba-technical mailing list