[PATCH] Remove sock_exec code

Andrew Bartlett abartlet at samba.org
Tue Nov 14 11:10:33 UTC 2017


I think you should mention that you are motivated by past exploits of
Samba that used sock_exec as a proxy for system() matching a talloc
destructor prototype. 

See for example
https://gist.github.com/worawit/051e881fc94fe4a49295

and referencing the Red Hat post at:

https://access.redhat.com/blogs/766093/posts/1976553

The same motivation is for the close-on-exec change, making a repeat of
this exploit just a little more miserable by not allowing something
called via system() access to the FD back to the client. 

Thanks,

Andrew Bartlett

On Thu, 2017-11-09 at 15:09 +1300, Gary Lockyer via samba-technical
wrote:
> Updated patch attached, removes the man page entry.
> 
> On 09/11/17 05:11, Andreas Schneider via samba-technical wrote:
> > On Sunday, 5 November 2017 18:54:32 CET Gary Lockyer via samba-technical 
> > wrote:
> > > Patch to remove the sock_exec code, my understanding is that this was
> > > originally test support code and is no longer used.
> > > 
> > > Comments and reviews appreciated
> > 
> > man smbclient -> LIBSMB_PROG
> > 
> > I think you should remove that too if you want to get rid of it :-)
> > 
> > 
> > 	andreas
> > 
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
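
The close-on-exec point in the message above, shown as an added example that is not part of the original thread or of Samba's code: a socketpair stands in for the client connection, and the function name `child_reaches_client_fd` is hypothetical. It reports whether a command started through system() can still write to that descriptor with and without FD_CLOEXEC.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 if a command run via system() could write to the socket that
 * stands in for the client connection, 0 if it could not, -1 on error. */
int child_reaches_client_fd(int set_cloexec)
{
    int sv[2], fd, rc, reached;
    char cmd[64], byte;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    /* sh only guarantees single-digit fd numbers in redirections, so the
     * server-side end is moved to a free descriptor in 3..9. */
    for (fd = 3; fd <= 9; fd++)
        if (fcntl(fd, F_GETFD) == -1 && errno == EBADF)
            break;
    if (fd > 9 || dup2(sv[0], fd) == -1) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    close(sv[0]);
    fcntl(sv[1], F_SETFD, FD_CLOEXEC);   /* peer end is never inherited */
    if (set_cloexec)
        fcntl(fd, F_SETFD, FD_CLOEXEC);  /* the mitigation under test */

    /* system() runs /bin/sh -c cmd; the shell inherits every descriptor
     * that is not marked close-on-exec. */
    snprintf(cmd, sizeof(cmd), "echo x 2>/dev/null >&%d", fd);
    rc = system(cmd);

    /* Did anything arrive at the "client" end of the pair? */
    reached = rc == -1 ? -1 : recv(sv[1], &byte, 1, MSG_DONTWAIT) == 1;
    close(fd);
    close(sv[1]);
    return reached;
}

int main(void)
{
    printf("fd inherited:   child reached client = %d\n", child_reaches_client_fd(0));
    printf("FD_CLOEXEC set: child reached client = %d\n", child_reaches_client_fd(1));
    return 0;
}
```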