[SMB3POSIX] File attributes

Tom Talpey tom at talpey.com
Tue Nov 14 17:34:26 UTC 2023

On 11/14/2023 11:44 AM, Ralph Boehme wrote:
> On 11/14/23 17:22, Tom Talpey wrote:
>> But, does it need to be exposed to remote access? It would seem to be an
>> admin function, most appropriate to apply via the server-local API.
>> So to flip the question, does "chattr -i" (or any of the zillion others)
>> expose any new vulnerability if remote? Some of them look fairly juicy
>> targets for ransomware infiltration.
> there seems to be a working local privilege system associated with the 
> attributes. If this was flawed there'd already be a serious problem with 
> local access, so I don't think remote access changes the big picture, 
> does it?

Agreed that the privilege needs to be correctly managed! But exposing
it remotely increases the attack surface significantly, so in my view
it needs a good reason, and careful security analysis. That's all.


More information about the samba-technical mailing list