BugTraq Post: Symlink attack in (all?) Samba. - Local root walkthrough by Tozz

Robert Dahlem Robert.Dahlem at gmx.net
Fri Dec 15 08:26:33 GMT 2000


On 15 Dec 2000 00:54:17 -0500, Scott Gifford wrote:

>This was posted to BugTraq earlier today; thought I'd put a copy here
>in case anybody hadn't seen it.
>I don't think that this "attack" is particularly surprising.
>Basically, he is leveraging a Samba "admin user" account into a UNIX
>root account, using a symlink (created from a shell) to get outside 
>of the share.

Too much twits on bugtraq. :-(

man smb.conf reveals (to everyones surprise): 

  admin users (S)

    This is a list of users who will be granted administrative 
    privileges on the share. This means that they
    will do all file operations as the super-user (root). 

    You should use this option very carefully, as any user in this 
    list will be able to do anything they like on
    the share, irrespective of file permissions. 

I stopped reading bugtraq a while ago. Every second script kid thinks 
he were Guninski.


Robert.Dahlem at gmx.net           Fax +49-69-432647

Sent using PMMail (http://www.pmmail2000.com) - fast, decent, email
software; far better than Outlook. Try it sometime.

More information about the samba-technical mailing list