[Samba] Security leak in map_nt_perms?

Abramo Bagnara abramo.bagnara at gmail.com
Thu Aug 14 21:41:14 GMT 2008


In map_nt_perms any of FILE_READ_DATA, FILE_READ_EA or
FILE_READ_ATTRIBUTES is mapped unconditionally to Unix read permission
and similarly for write permission.

This means that if I put a file on a samba share where I explicitly left
*only* FILE_READ_ATTRIBUTES and FILE_READ_EA the file content becomes
hiddenly readable even if I decided (for very good reasons) otherwise.

I'd say that when a permission model is mapped to another permission
model that has less or different granularity the resulting permission
should be a subset of the original one.

This would guarantee that unwanted data exposure is impossible.

IMHO the only inconvenience that a strict/safer mapping would have is
that the attempt to grant *only* a subset of read privileges would have
no effect (a problem easily diagnosed and afforded without security risks
and with access failure as a clear feedback).

A possible alternative is to map only FILE_READ_DATA to Unix Read and to
map Unix Read to FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES.
This leads to a lesser security exposure (which, however, is unavoidable,
taking the Unix RWX security model for granted).

Am I missing something?
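
The three mappings discussed in the message above, as an added example in C that is not part of the original post and is not Samba's code. The function names and the single `UNIX_R` bit are assumptions, the access-mask values are the standard Windows ones, and only the read side is modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Windows file access-mask bits (standard values). */
#define FILE_READ_DATA        0x0001u
#define FILE_READ_EA          0x0008u
#define FILE_READ_ATTRIBUTES  0x0080u
#define NT_READ_ALL (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES)

/* Assumption: one Unix "r" bit of a single rwx triplet. */
#define UNIX_R 0x4u

/* Behaviour described in the post: any read-type bit yields Unix r. */
unsigned map_any(uint32_t nt) { return (nt & NT_READ_ALL) ? UNIX_R : 0; }

/* Strict proposal: Unix r only if every right it stands for was granted. */
unsigned map_strict(uint32_t nt) {
    return ((nt & NT_READ_ALL) == NT_READ_ALL) ? UNIX_R : 0;
}

/* Alternative proposal: only FILE_READ_DATA yields Unix r. */
unsigned map_data_only(uint32_t nt) { return (nt & FILE_READ_DATA) ? UNIX_R : 0; }

/* Reverse direction from the post: Unix r is reported as all three rights. */
uint32_t unix_to_nt(unsigned mode) { return (mode & UNIX_R) ? NT_READ_ALL : 0; }

/* Rights gained by NT -> Unix -> NT; 0 means the result is a subset. */
uint32_t widened(uint32_t nt, unsigned (*map)(uint32_t)) {
    return unix_to_nt(map(nt)) & ~nt;
}

int main(void) {
    /* Constructed sample ACE masks. */
    uint32_t cases[] = { FILE_READ_EA | FILE_READ_ATTRIBUTES,
                         FILE_READ_DATA, NT_READ_ALL };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("granted=0x%03x  any:+0x%03x  strict:+0x%03x  data_only:+0x%03x\n",
               (unsigned)cases[i],
               (unsigned)widened(cases[i], map_any),
               (unsigned)widened(cases[i], map_strict),
               (unsigned)widened(cases[i], map_data_only));
    }
    return 0;
}
```

Each `+0x...` column shows the NT rights a round trip adds beyond what was granted; only the strict mapping stays at zero for every input.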

