[PATCH] Hardening for the homes directory

Andreas Schneider asn at samba.org
Wed Dec 5 19:57:19 UTC 2018

On Wednesday, 5 December 2018 20:51:14 CET Scott Lovenberg wrote:
> That would be a more defensible position were it not for the fact that
> "follow symlinks" and "wide links" both default to "true" (also, we
> implement MS DFS via symlinks) ; while I can't put the missing piece of the
> exploit together at the moment without crawling through the code a bit,
> methinks one should be able to setup a relative symlink in their home
> directory and point it to the root or anywhere else in the file system (and
> perhaps DFS links?)?  I'm guessing they'd have to edit their entry in LDAP
> to set their homedir to the location of the link in ~/rootLink and probably
> another workaround or three, but the initial configuration and assumption
> is in place theoretically.
> Does anyone have an opinion on, what I will grant is a paranoid security
> knee-jerk reaction, whether it matters if we resolve the link before making
> the security check?  All bugs are shallow with enough eyes and whatnot.

Feel free to propose a patch to harden this code path even more. It was 
important that we have a test in the first place and that we do not run into 
issues a nss module produces.


Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

More information about the samba-technical mailing list