Claimed Zero Day exploit in Samba.

simo idra at samba.org
Sat Feb 6 08:33:13 MST 2010


On Fri, 2010-02-05 at 15:06 -0500, Michael Gilbert wrote:
> Jeremy Allison wrote:
> > As an example, given a share definition:
> >
> > [tmp]
> > 	path = /tmp
> > 	read only = no
> > 	guest ok = yes
> >
> > The administrator could add a symlink:
> >
> > $ ln -s /etc/passwd /tmp/passwd
> > 
> > and SMB/CIFS clients would then see a file called "passwd"
> > within the [tmp] share that could be read and would allow
> > clients to read /etc/passwd.
> [...]
> > All future versions of Samba will have the parameter
> > "wide links" set to "no" by default, and the manual
> > pages will be updated to explain this issue.
> 
> while more secure (hardened) defaults are good, wouldn't it be more
> effective to tackle the root cause of the problem?  i.e. on the server
> side, detect attempts by remote users to create symlinks to targets
> outside of their authorized shares and prevent that.

No, arbitrary symlinks are perfectly valid when unix extensions are
used. Because they are not resolved by the server, but returned as is.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>


