BugTraq Post: Symlink attack in (all?) Samba. - Local root walkthrough by Tozz

Andrew Bartlett abartlet at pcug.org.au
Fri Dec 15 09:50:30 GMT 2000

Robert Dahlem wrote:
> Scott,
> On 15 Dec 2000 00:54:17 -0500, Scott Gifford wrote:
> >This was posted to BugTraq earlier today; thought I'd put a copy here
> >in case anybody hadn't seen it.
> >
> >I don't think that this "attack" is particularly surprising.
> >Basically, he is leveraging a Samba "admin user" account into a UNIX
> >root account, using a symlink (created from a shell) to get outside
> >of the share.
> Too many twits on bugtraq. :-(

I agree

> man smb.conf reveals (to everyone's surprise):
>   admin users (S)
>     This is a list of users who will be granted administrative
>     privileges on the share. This means that they
>     will do all file operations as the super-user (root).
>     You should use this option very carefully, as any user in this
>     list will be able to do anything they like on
>     the share, irrespective of file permissions.

Maybe a small note should be added here to the effect of 'if you would
like your admin users in any way constrained (despite their root status)
the wide links parameter could be useful'.

> I stopped reading bugtraq a while ago. Every second script kid thinks
> he were Guninski.
> Regards,
>         Robert
> --
> ---------------------------------------------------------------
> Robert.Dahlem at gmx.net           Fax +49-69-432647
> ---------------------------------------------------------------
> Sent using PMMail (http://www.pmmail2000.com) - fast, decent, email
> software; far better than Outlook. Try it sometime.

Andrew Bartlett
abartlet at pcug.org.au
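
An added example (not part of the original thread and not Samba project code): a small Python audit that lists shares where `admin users` is in effect while `wide links` is enabled, the combination discussed above. The sample configuration is constructed, and `wide_links_default` is an assumption to set for the Samba version being audited, since the thread does not state the built-in default.

```python
import re

# Constructed sample smb.conf; wide_links_default below is an assumption per Samba version.
SAMPLE_CONF = """\
[global]
   admin users = alice, @wheel

[projects]
   path = /srv/projects
   wide links = no

[scratch]
   path = /srv/scratch
   Wide Links = Yes

[archive]
   path = /srv/archive
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {param: value}}; names are lower-cased with whitespace removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return sections


def risky_shares(text, wide_links_default=True):
    """Shares where admin users (acting as root) may follow symlinks out of the share."""
    conf = parse_smb_conf(text)
    glob = conf.pop("global", {})  # [global] values act as per-share defaults
    findings = []
    for name, params in conf.items():
        raw_admins = params.get("adminusers", glob.get("adminusers", ""))
        admins = [u for u in re.split(r"[,\s]+", raw_admins) if u]
        wide = params.get("widelinks", glob.get("widelinks"))
        wide_on = wide_links_default if wide is None else wide.lower() in TRUE_VALUES
        if admins and wide_on:
            findings.append((name, admins))
    return findings
```

Calling `risky_shares(SAMPLE_CONF)` returns the flagged share names with the admin users that apply to each; a share that sets `wide links = no` is not reported.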
