Security problem with Samba on Linux - affects 3.5.0, 3.4.6 and 3.3.11

Jeremy Allison jra at samba.org
Mon Mar 8 15:08:27 MST 2010


Security problem with Samba on Linux
------------------------------------

In Samba releases 3.5.0, 3.4.6 and 3.3.11 new code
was added to fix a problem with Linux asynchronous IO handling.

This code introduced a severe security flaw which was undetected until
now.

We are releasing new binaries and fixed source code as release numbers:
3.5.1, 3.4.7 and 3.3.12 with this fix included. This will be the only
fix included in these release numbers.

The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE
capabilities, so that all file system access was allowed
even when permissions should have denied access.

Please note this security problem does not affect any platform that does
not support capabilities, or platforms where binaries were built without
libcap support.

Also note that 3.4.5 and prior 3.4.x versions and 3.3.10 and prior 3.3.x
versions are NOT affected.

How did this happen?
--------------------

Our testing procedures failed. Errors in code always happen,
and we guard against them by writing tests which we run against
the code continuously.

As Samba runs as a root process, many of our test environments
run under a build farm "shim" that allows people to test Samba
without granting it root privilege. Unfortunately, this means that
some of the tests cannot be run correctly. This is the "make test"
that developers run frequently.

Extra tests are run as root to detect these areas, but are
not run as often as the normal "make test" that the developers
run.

This problem affects only binaries compiled with capabilities support.
The libcap development packages need to be installed at build time for
Samba to be vulnerable. Unfortunately, although most developers do have
the package, it was absent on the machines used to do pre-release
validation, causing the flawed code not to be compiled into the tested
binary.

None of our third party testers or partners discovered this
flaw before release.

How are we intending to fix this?
---------------------------------

We will be fixing "make test" so it can be run as root for
all the developers to regularly test with elevated privilege.

In addition we will be adding extra tests to check for this
specific issue, to ensure we do not ever release with such
a regression again.

As this was such a serious flaw, we will not be doing any
further Samba 3.x releases other than the security fix
until these tests are in place.

Please accept our apologies for such a serious error, and
our assurances that we will do everything within our power
to ensure this will not happen again.



With our most sincere regrets,
The Samba Team
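
A check for the condition described in this advisory, as an added example (it is not Samba code and not the Samba Team's test): it reads /proc/<pid>/status and flags a process whose filesystem UID is non-root while CAP_DAC_OVERRIDE is in its effective set. That the flaw shows up in /proc this way is an assumption, and the function names and sample status text are constructed here.

```python
import glob

CAP_DAC_OVERRIDE = 1  # bit index from <linux/capability.h>

def parse_status(text):
    """Map field name -> value for the text of /proc/<pid>/status."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def dac_override_report(text):
    """Return (name, fsuid, sets holding the capability, bypass).
    bypass: fsuid is non-root but CapEff holds CAP_DAC_OVERRIDE, so the
    kernel skips file permission checks for a supposedly ordinary user."""
    f = parse_status(text)
    fsuid = int(f["Uid"].split()[3])  # order: real, effective, saved, fs
    held = [s for s in ("CapInh", "CapPrm", "CapEff")
            if (int(f.get(s, "0"), 16) >> CAP_DAC_OVERRIDE) & 1]
    return f.get("Name", "?"), fsuid, held, fsuid != 0 and "CapEff" in held

def scan_proc(comm="smbd"):
    """Report live processes named comm that are in the bypass state."""
    hits = []
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                report = dac_override_report(fh.read())
        except (OSError, KeyError, ValueError, IndexError):
            continue  # process exited or status unreadable
        if report[0] == comm and report[3]:
            hits.append((path, report))
    return hits

# Constructed samples (not captured from a real system): a worker acting as
# uid 1000 with an empty effective set, and the same worker with bit 1 set.
HEALTHY = ("Name:\tsmbd\nUid:\t0\t1000\t0\t1000\n"
           "CapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\n"
           "CapEff:\t0000000000000000\n")
FLAWED = HEALTHY.replace("CapEff:\t0000000000000000",
                         "CapEff:\t0000000000000002")

if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("flawed", FLAWED)):
        print(label, dac_override_report(sample))
    print("live hits:", scan_proc())
```

A root-owned smbd (filesystem UID 0) is never flagged, since root already bypasses permission checks; only workers that have switched to a user identity are of interest.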

