[Samba] User can't access a share that he has full control of

Ephi Dror ephi at agami.com
Mon Aug 21 19:10:47 GMT 2006 

Hi Simo,

Thank you for your reply.

I actually did a little test in which I have two users U1 and U2.
I have a path \\dir1\dir2 in  which I gave access only to administrator
(whom mapped to 0) to dir1 and I gave U1 full control to dir2. Now I
made a share mapping to \\dir1\dir2.

With SAMBA code "as is" not U1 nor U2 can access the share.

With my little patch as I described before U1 can access the share while
U2 can't which is exactly my expectation.
Also this is how my "windows" customers  can be setup for running home
directories.

Our customers are too much "windows" oriented and prefer setting files
securities (Acls) via what they know best which is file properties and
less via smb.conf in which we are the champions...

Also, they told me that they typically creating some kind of an "admin"
share to the root of the file system in which only restricted  users and
group can have access and then they create all their wonderful folders
and stuff in which they use ACLs to manipulate access.
So they create different shares pointing to different paths in the file
system but since the "admin" share that point to the root gave access
only to administrator for example, that's how they run into the problem
with our SAMBA.

So far I can't see it as a problem. 

Cheers,
Ephi

-----Original Message-----
From: simo [mailto:idra at samba.org]
Sent: Monday, August 21, 2006 11:41 AM
To: Jeremy Allison
Cc: Ephi Dror; samba at lists.samba.org
Subject: Re: [Samba] User can't access a share that he has full control
of

On Mon, 2006-08-21 at 11:12 -0700, Jeremy Allison wrote:
> > 3. If I do this change for our customers, is there any security 
> > issue here that I haven't thought about?
> 
> Yes, it's a security hole (IMHO). It completely bypasses security for 
> a path. There might be things an attacker could do with this (don't 
> have time right now to think up evil scenarious but I'm sure there are

> some :-).

An easy example is accessing other users home directories where the user
target has a 700 permission on his home directory specifically set to
keep out other users. It is a common scenario on unix environments.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org

More information about the samba mailing list