[PATCH] Hardening for the homes directory

Scott Lovenberg scott.lovenberg at gmail.com
Wed Dec 5 19:51:14 UTC 2018


On Wed, Dec 5, 2018, 04:39 Andreas Schneider <asn at samba.org> wrote:

> On Wednesday, 5 December 2018 11:22:17 CET Scott Lovenberg wrote:
> > > On Dec 5, 2018, at 01:16, Andreas Schneider via samba-technical
> > > <samba-technical at lists.samba.org> wrote:
> > >
> > > On Tuesday, 4 December 2018 22:41:00 CET Jeremy Allison via samba-technical wrote:
> > >> On Mon, Dec 03, 2018 at 12:54:14PM +0100, Ralph Böhme via samba-technical wrote:
> > >>>> On Mon, Dec 03, 2018 at 12:31:46PM +0100, Andreas Schneider wrote:
> > >>>> I don't have that in the patchset. At which patch are you looking?
> > >>>
> > >>> The one from your previous mail.
> > >>>
> > >>>> Attaching again ...
> > >>>
> > >>> This is a different version, but this one looks good. +1, please push.
> > >>
> > >> Tests were buggy. Here's a fixed version I've pushed.
> > >
> > > Thanks Jeremy!
> >
> > Certainly I’m missing something, but if we’re following symlinks (server
> > > side config), the resolved path is never verified to not be ‘/’ or
> > something equally silly, is it?
>
> But that would be a stupid admin using a symlink and not a software doing
> stupid things ...
>
>
>         Andreas
>
> --
> Andreas Schneider                      asn at samba.org
> Samba Team                             www.samba.org
> GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
>
>
>
That would be a more defensible position were it not for the fact that
"follow symlinks" and "wide links" both default to "true" (also, we
implement MS DFS via symlinks); while I can't put the missing piece of the
exploit together at the moment without crawling through the code a bit,
methinks one should be able to set up a relative symlink in their home
directory and point it to the root or anywhere else in the file system (and
perhaps DFS links?)?  I'm guessing they'd have to edit their entry in LDAP
to set their homedir to the location of the link in ~/rootLink and probably
another workaround or three, but the initial configuration and assumption
is in place theoretically.

Does anyone have an opinion on, what I will grant is a paranoid security
knee-jerk reaction, whether it matters if we resolve the link before making
the security check?  All bugs are shallow with enough eyes and whatnot.
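
The question raised above, whether the link is resolved before the check is made, as an added example that is not from this thread or from Samba's code: a hypothetical "home directory must sit below a base directory" policy applied first to the configured string and then to the `realpath()` result. The policy, the function names and the temporary directory layout are assumptions constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical policy (an assumption, not Samba's check): the path must be
 * strictly below `base`. Purely lexical, no symlink is followed. */
int check_lexical(const char *path, const char *base)
{
    size_t n = strlen(base);
    return strncmp(path, base, n) == 0 && path[n] == '/' && path[n + 1] != '\0';
}

/* Resolve every symlink component first, then apply the same policy. */
int check_resolved(const char *home, const char *base)
{
    char rhome[PATH_MAX], rbase[PATH_MAX];
    if (!realpath(home, rhome) || !realpath(base, rbase))
        return 0; /* unresolvable path: reject */
    return check_lexical(rhome, rbase);
}

/* Constructed layout: <tmp>/homes/alice/rootLink -> ../../..
 * Returns a bitmask: 1 = lexical check accepts the link, 2 = resolved check
 * accepts the link, 4 = resolved check accepts the real home; -1 on error. */
int demo(void)
{
    char tmpl[] = "/tmp/homes-demo-XXXXXX", base[64], home[80], lnk[96];
    if (!mkdtemp(tmpl))
        return -1;
    snprintf(base, sizeof base, "%s/homes", tmpl);
    snprintf(home, sizeof home, "%s/alice", base);
    snprintf(lnk, sizeof lnk, "%s/rootLink", home);
    if (mkdir(base, 0700) || mkdir(home, 0700) || symlink("../../..", lnk))
        return -1;
    int r = check_lexical(lnk, base) | (check_resolved(lnk, base) << 1)
          | (check_resolved(home, base) << 2);
    unlink(lnk); rmdir(home); rmdir(base); rmdir(tmpl);
    return r;
}

int main(void) { printf("result mask: %d\n", demo()); return 0; }
```

The configured string for the link passes the lexical check because it looks like a path under the base, while the resolved path lands outside it and is rejected; the real home directory passes both.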

