dos_mkdir(), was: 2.0.7: inherit permissions = yes breaks setting read-only on files
Robert Dahlem
Robert.Dahlem at gmx.net
Fri Aug 25 12:50:32 GMT 2000
Helge,
On Thu, 24 Aug 2000 18:40:16 +0200, Helge Blischke wrote:
>> User joe have a set-uid file that can't be executed by scott.
>> Scott have access to shell and wants to execute that file.
>> Joe at this moment copies a bunch of files (with dirs) from his
>> machine using samba. Scott knows that joe will create directory
>> "sd" in share /tmp. So he (scott) can wait until this directory
>> will be created, and at this moment (very small timeslice) he can
>> remove that directory and replace it with a symlink to that file.
>> So, when samba calls chmod, it will change mode for a joe's file,
>> not for his newly directory. High-bits exists in mode, so file
>> _can_ be made set-uid, and can be executable by scott.
>>
>> Again, chances are very small, but exists. Uhh.
>
>Wouldn't it be a solution for smbd do create the directory with no
>permissions (i.e. mode set to 0000), and set the complete mode bits
>by a following chmod afterwards?
>That should avoid the security hole mentioned above.
No, it does not. Try:
as user joe
$ cd
$ mkdir upper_dir
$ chmod 777 upper_dir
$ cd upper_dir
$ mkdir lower_dir
$ chmod 000 lower_dir
now as user scott
$ rmdir ~joe/upper_dir/lower_dir
No problem to delete the directory. Joe will have to
$ chmod +t ~/upper_dir
to prevent it.
Regards,
Robert
--
---------------------------------------------------------------
Robert.Dahlem at gmx.net Fax +49-69-432647
---------------------------------------------------------------
More information about the samba-technical
mailing list