[Samba] Urgent, Security: Privilege Escalation in 3.0.24?

Jeremy Allison jra at samba.org
Thu Jul 12 17:40:44 GMT 2007

On Thu, Jul 12, 2007 at 06:30:02PM +0200, moe wrote:
> Hi list,
> we have spotted a serious problem with our Samba
> (Debian version 3.0.24-6) on linux 2.4.31, ext2 with ACLs enabled.
> We use "hide unreadable = yes" to reduce clutter for our
> users. Today we noticed that with this option enabled any
> linux client can access and read *all* directories under the
> share, even directories that are owned by root and set to 0700.
> No ACLs are set on the directories in question nor on any
> parent directory.
> We have reproduced the same problem on a separate gentoo box
> (Kernel 2.6.18, Samba 3.0.24-r3, ext3 without acl support).

Firstly, please report all security issues to security at samba.org,
not to the samba at samba.org list. That way your problem is private,
and will be handled urgently.

Secondly, did you read the release notes for 3.0.25 ? In them
there is a note :

Security Fixes included in the Samba 3.0.25 release are:

  o CVE-2007-2444
        Versions: Samba 3.0.23d - 3.0.25pre2
        Local SID/Name translation bug can result in
        user privilege elevation

which was widely publicized at the time. This may be the
problem you are reporting. Can you please update to
Samba 3.0.25b, and try and reproduce the problem.

Please send any follow-ups to security at samba.org, and
not to the samba at samba.org list please.



More information about the samba mailing list