[Samba] Urgent, Security: Privilege Escalation in 3.0.24?

moe filter-samba at mbox.bz
Thu Jul 12 19:42:55 GMT 2007

On Thu, Jul 12, 2007 at 10:40:44AM -0700, Jeremy Allison wrote:
> On Thu, Jul 12, 2007 at 06:30:02PM +0200, moe wrote:
> > Hi list,
> > 
> > we have spotted a serious problem with our Samba
> > (Debian version 3.0.24-6) on linux 2.4.31, ext2 with ACLs enabled.
> > 
> > We use "hide unreadable = yes" to reduce clutter for our
> > users. Today we noticed that with this option enabled any
> > linux client can access and read *all* directories under the
> > share, even directories that are owned by root and set to 0700.
> > No ACLs are set on the directories in question nor on any
> > parent directory.
> > 
> > We have reproduced the same problem on a separate gentoo box
> > (Kernel 2.6.18, Samba 3.0.24-r3, ext3 without acl support).
> Firstly, please report all security issues to security at samba.org,
> not to the samba at samba.org list. That way your problem is private,
> and will be handled urgently.

Sorry, I was not aware that a security-list exists.
Maybe put a hint about that somewhere on the website?

Didn't see anything on the mailing list pages or the
netiquette page and not in my search for "security".

Well, I'll know better next time.

> Secondly, did you read the release notes for 3.0.25 ? In them
> there is a note :
> Security Fixes included in the Samba 3.0.25 release are:
>   o CVE-2007-2444
>         Versions: Samba 3.0.23d - 3.0.25pre2
>         Local SID/Name translation bug can result in
>         user privilege elevation
> which was widely publicized at the time. This may be the
> problem you are reporting. Can you please update to
> Samba 3.0.25b, and try and reproduce the problem.

I have seen that in the release notes but didn't
relate to my particular problem. My bad after all,

regards, moe

More information about the samba mailing list