[Samba] Urgent, Security: Privilege Escalation in 3.0.24?
moe
filter-samba at mbox.bz
Thu Jul 12 16:30:02 GMT 2007
Hi list,
we have spotted a serious problem with our Samba
(Debian version 3.0.24-6) on linux 2.4.31, ext2 with ACLs enabled.
We use "hide unreadable = yes" to reduce clutter for our
users. Today we noticed that with this option enabled any
linux client can access and read *all* directories under the
share, even directories that are owned by root and set to 0700.
No ACLs are set on the directories in question nor on any
parent directory.
We have reproduced the same problem on a separate gentoo box
(Kernel 2.6.18, Samba 3.0.24-r3, ext3 without acl support).
I'd be glad if someone could look at our smb.conf (pasted
at the end of this mail) and comment on whether this is a
configuration problem or if we have hit a bug.
Below a shell transcript to illustrate the problem:
###
### commands executed as root on the samba host
###
##
## 1. create the test directory and file,
## make them accessible only for root
##
root at srv:~# cd /vol0
root at srv:/vol0# mkdir test
root at srv:/vol0# echo "secret" >test/file.txt
root at srv:/vol0# chown -R root:root test
root at srv:/vol0# chmod -R 0700 test
root at srv:/vol0# ls -al
total 12
drwx------ 2 root root 4096 Jul 12 17:02 .
drwxrwx--- 139 root users 4096 Jul 12 15:04 ..
-rwx------ 1 root root 7 Jul 12 17:02 file
##
## 2. create a new samba user
##
root at srv:/vol0# useradd -m -g users testuser
root at srv:/vol0# smbpasswd -a testuser
New SMB password:
Retype new SMB password:
Added user testuser.
root at srv:/vol0# id testuser
uid=1137(testuser) gid=100(users) groups=100(users)
root at srv:/vol0# pdbedit -L -u testuser
Unix username: testuser
NT username:
Account Flags: [U ]
User SID: S-1-5-21-3613053638-1853485231-1729343208-3274
Primary Group SID: S-1-5-21-3613053638-1853485231-1729343208-513
Full Name:
Home Directory: \\srv\testuser
HomeDir Drive:
Logon Script:
Profile Path: \\srv\testuser\profile
Domain: FOO
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Tue, 19 Jan 2038 04:14:07 CET
Kickoff time: Tue, 19 Jan 2038 04:14:07 CET
Password last set: Thu, 12 Jul 2007 17:05:54 CEST
Password can change: Thu, 12 Jul 2007 17:05:54 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
root at srv:/vol0# su - testuser
testuser at srv:~$ ls /vol0/test
ls: /vol0/test: Permission denied
testuser at srv:~/$ cat /vol0/test/test.txt
cat: /vol0/test/test.txt: Permission denied
###
### commands executed as user (uid 1023) on
### a remote linux client
###
##
## 3. mount the remote share
##
someuser at ws:~$ mkdir fileserver
someuser at ws:~$ smbmount //srv/data fileserver -o username=testuser
Password:
##
## 4. do things that should not be possible
##
someuser at ws:~$ ls -al fileserver
total 8
drwxr-xr-x 1 someuser users 4096 Jul 12 17:02 .
drwxr-xr-x 1 someuser users 4096 Jul 12 17:28 ..
### comment: this is correct, the "test" directory doesn't show
someuser at ws:~$ ls -al fileserver/test
total 8
drwxr-xr-x 1 someuser users 4096 Jul 12 17:02 .
drwxr-xr-x 1 someuser users 4096 Jul 12 17:28 ..
### comment: this should not be possible
someuser at ws:~$ cat fileserver/test/file.txt
secret
###
### end of transcript
###
further observations:
- during one session i can sometimes cd to the "test"-directory,
sometimes i get "Permission denied". also sometimes
the directory listing for the "test" directory shows the
contained files, sometimes it doesn't. intermittent bug?
- when we set "hide unreadable = no" (but leave the rest of
smb.conf as is) the permission checking seems to work properly.
remote clients can then not get into the "test" directory.
i am not quite sure if this really works around the actual
problem or only disguises it (i.e. does it cause the client
to honor the access bits or does it cause the server to
*enforce* them?)
well, and finally our smb.conf...
### smb.conf ###
[global]
workgroup = foo
unix extensions = no
server string = fileserver
dns proxy = no
log file = /var/log/samba/log.%U.%m.log
max log size = 50000
log level = 0 vfs:2
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
obey pam restrictions = yes
invalid users = root
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
socket options = TCP_NODELAY
[data]
path = /vol0
vfs objects = full_audit
full_audit:prefix = %u|%I
full_audit:success = open opendir rmdir unlink rename write chmod chmod_acl mkdir close chown chmod_acl fchmod_acl fset_nt_acl aio_write
full_audit:failure = open opendir unlink
full_audit:facility = LOCAL7
full_audit:priority = ALERT
guest ok = no
writable = yes
share modes = yes
force directory mode = 0770
force create mode = 0660
directory security mask = 0000
enable privileges = no
hide unreadable = yes
### end of smb.conf ###
i'm looking forward to your feedback as this is obviously a
very serious issue. i'm still hoping that we just made a
configuration mistake but the fact that it misbehaves the
same way on the second, vanilla gentoo installation (with a
mostly default config) makes it seem unlikely to me.
i apologize in advance if we're just missing something
obvious here.
regards, moe
More information about the samba
mailing list