Claimed Zero Day exploit in Samba.

Sat Feb 6 12:12:38 MST 2010

On Sat, 2010-02-06 at 19:44 +0200, Eren Türkay wrote:
> On Friday 05 February 2010 10:06:35 pm Michael Gilbert wrote:
> > while more secure (hardened) defaults are good, wouldn't it be more
> > effective to tackle the root cause of the problem?  i.e. on the server
> > side, detect attempts by remote users to create symlinks to targets
> > outside of their authorized shares and prevent that.
> 
> As far as I read, the current situation comes down to 2 options.
> 
> 1- "unix extensions = no", "wide links = yes"
> 
> With these options set, a samba administrator can link a directory (say 
> /usr/lib) on a samba share and users can see it. However, users can not link 
> anything. Even inside a samba share.

With unix extensions = no there is simply no way to create symbolic
links remotely, but remember that a user with shell access to the server
will be able to create whatever link he wants. So wide links must always
be used only if you have trusted users or if you are 100% positive users
cannot be allowed to create links on the underlying filesystem by other
means.

> 2- "unix extensiosn = yes", "wide links = no"
> 
> Symbolic linking is completely disabled. Even if a samba administrator links a 
> directory, users cannot follow symbolic links nor they can create.

No, symbolic links are simply not resolved at the server side and only
if they point out of the share. For links within the share or for
clients that use unix extensions, symbolic links work just fine in this
case.

> It would be feature-complete for users and administrators to control whether a 
> remote user is trying to link outside his share because a user might want to 
> link a directory in his own share, and an administrator might want to link a 
> directory for users inside their shares.

Unfortunately it is not possible to have your cake and eat it too. If
you want unix extensions and you do not want to severely limit what can
be done with it, then you must allow to create any symbolic link.

> I'm sure Samba team is working on it. However, I don't know how Samba 
> developers are treating this issue. In my humble opinion, this issue deserves 
> high priority.

The issue has been addressed. Jeremy committed a patch that makes unix
extensions and wide links mutually exclusive.

> I would be happy if I can learn when Samba team will respond to this issue 
> with a patch. Although setting proper configuration solves the issue, applying 
> proper fix without breaking anything would be appreciative.

Patch is here:
http://gitweb.samba.org/?p=samba.git;a=commit;h=bd269443e311d96ef495a9db47d1b95eb83bb8f4

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>