[PATCH] Hardening for the homes directory
Andreas Schneider
asn at samba.org
Wed Dec 5 19:57:19 UTC 2018
On Wednesday, 5 December 2018 20:51:14 CET Scott Lovenberg wrote:
> That would be a more defensible position were it not for the fact that
> "follow symlinks" and "wide links" both default to "true" (also, we
> implement MS DFS via symlinks); while I can't put the missing piece of the
> exploit together at the moment without crawling through the code a bit,
> methinks one should be able to set up a relative symlink in their home
> directory and point it to the root or anywhere else in the file system (and
> perhaps DFS links?)? I'm guessing they'd have to edit their entry in LDAP
> to set their homedir to the location of the link in ~/rootLink and probably
> another workaround or three, but the initial configuration and assumption
> is in place theoretically.
>
> Does anyone have an opinion on, what I will grant is a paranoid security
> knee-jerk reaction, whether it matters if we resolve the link before making
> the security check? All bugs are shallow with enough eyes and whatnot.
Feel free to propose a patch to harden this code path even more. It was
important that we have a test in the first place and that we do not run into
issues an nss module produces.
Andreas
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
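
The question raised in the quoted message, whether the link is resolved before the security check, shown as an added example (not Samba's code and not part of the thread). It assumes the check is a containment test of the home directory under a base directory, which the thread does not state; the function names and the temporary fixture are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* String-only containment test: path equals base or lies below it. */
static int under_base(const char *base, const char *path)
{
    size_t n = strlen(base);
    return strncmp(base, path, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Hypothetical check on the configured path as written, link not resolved. */
int home_ok_lexical(const char *base, const char *home)
{
    return under_base(base, home);
}

/* Hypothetical check after realpath(3) has resolved symlinks in both paths. */
int home_ok_resolved(const char *base, const char *home)
{
    char rbase[PATH_MAX], rhome[PATH_MAX];
    if (realpath(base, rbase) == NULL || realpath(home, rhome) == NULL)
        return 0; /* unresolvable path: fail closed */
    return under_base(rbase, rhome);
}

/* Constructed fixture: <tmp>/home/alice (real dir), <tmp>/home/rootLink -> "/".
 * Result bits: 0 = lexical accepts the link, 1 = resolved accepts the link,
 * 2 = resolved accepts alice. Returns -1 if the fixture cannot be built. */
int demo_results(void)
{
    char root[] = "/tmp/homesXXXXXX", base[64], alice[96], lnk[96];
    if (mkdtemp(root) == NULL) return -1;
    snprintf(base, sizeof base, "%s/home", root);
    snprintf(alice, sizeof alice, "%s/alice", base);
    snprintf(lnk, sizeof lnk, "%s/rootLink", base);
    if (mkdir(base, 0700) || mkdir(alice, 0700) || symlink("/", lnk)) return -1;
    int r = home_ok_lexical(base, lnk) | (home_ok_resolved(base, lnk) << 1)
          | (home_ok_resolved(base, alice) << 2);
    unlink(lnk); rmdir(alice); rmdir(base); rmdir(root);
    return r;
}

int main(void) { printf("result mask: %d\n", demo_results()); return 0; }
```

A resolve-then-check result describes the path only at the moment of the call, so code that later reopens the same name can still see a different target.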