[Samba] Security leak in map_nt_perms?

Abramo Bagnara abramo.bagnara at gmail.com
Thu Aug 14 22:41:39 GMT 2008


Jeremy Allison wrote:
> On Thu, Aug 14, 2008 at 11:41:14PM +0200, Abramo Bagnara wrote:
>> In map_nt_perms any of FILE_READ_DATA, FILE_READ_EA or
>> FILE_READ_ATTRIBUTES is mapped unconditionally to Unix read permission
>> and similarly for write permission
>>
>> This means that if I put a file on a samba share where I explicitly left
>> *only* FILE_READ_ATTRIBUTES and FILE_READ_EA, the file content silently
>> becomes readable even if I decided (for very good reasons) otherwise.
>>
>> I'd say that when a permission model is mapped to another permission
>> model that has less or different granularity the resulting permission
>> should be a subset of the original one.
>>
>> This would guarantee that unwanted data exposure is impossible.
>>
>> IMHO the only inconvenience that a strict/safer mapping would have is
>> that the attempt to grant *only* a subset of read privileges would have
>> no effect (a problem easily diagnosed and handled without security risks,
>> with access failure as clear feedback).
>>
>> A possible alternative is to map only FILE_READ_DATA to Unix Read and to
>> map Unix Read to FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES.
>> This leads to a lesser security exposure (which is however unavoidable,
>> given the Unix RWX security model).
>>
>> Am I missing something?
> 
> Hmmmm. I'm not sure what we can do here other than store the
> full NT Acl in an xattr (which I'm working on right now) and
> use it as an initial filter for access_denied on open.

This is a perfect approach (at least from the samba client point of
view), but it does not solve the problem that a file written by a samba
client with FILE_READ_DATA unset and FILE_READ_ATTRIBUTES set is
readable on the server machine (locally, via nfs, via ftp or whatever).

This is IMHO a big problem.

> The underlying problem is that incoming NT -> unix perms
> is a lossy mapping, not much we can do about that.

Yes, it's a lossy mapping, but what is the reason (or the benefit) for
"rounding up" (as samba does now) instead of playing safe and "rounding
down" (i.e. the resulting permission set is a subset of, or the same as,
what was requested)?

I certainly see the security problems of the current approach, but perhaps
I'm missing other problems that one of the two safer approaches
described above would bring into play.

What's your opinion about that?

-- 
Abramo Bagnara

Opera Unica                          Phone: +39.0546.656023
Via Borghesi, 16
48014 Castel Bolognese (RA) - Italy
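An added illustration of the two mapping directions the thread argues about; this is not Samba's own map_nt_perms, and it assumes the standard Windows access-mask bit values and that the write-side counterpart of the "round down" rule is to grant Unix w only for FILE_WRITE_DATA/FILE_APPEND_DATA. The last function reports which NT rights a stored Unix mode would hand out that the original ACL never granted.

```c
#include <stdint.h>
/* Windows file access-mask bits (standard values; defined here to be self-contained). */
#define FILE_READ_DATA        0x00000001
#define FILE_WRITE_DATA       0x00000002
#define FILE_APPEND_DATA      0x00000004
#define FILE_READ_EA          0x00000008
#define FILE_WRITE_EA         0x00000010
#define FILE_EXECUTE          0x00000020
#define FILE_READ_ATTRIBUTES  0x00000080
#define FILE_WRITE_ATTRIBUTES 0x00000100
#define NT_ANY_READ  (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES)
#define NT_ANY_WRITE (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES)
/* One Unix rwx triplet (owner, group or other). */
enum { UNIX_R = 4, UNIX_W = 2, UNIX_X = 1 };

/* "Round up" (current behaviour described in the thread): any read-class bit -> Unix r, any write-class bit -> Unix w. */
unsigned nt_to_unix_roundup(uint32_t mask)
{
    unsigned mode = 0;
    if (mask & NT_ANY_READ)  mode |= UNIX_R;
    if (mask & NT_ANY_WRITE) mode |= UNIX_W;
    if (mask & FILE_EXECUTE) mode |= UNIX_X;
    return mode;
}

/* "Round down" (proposed): r only for FILE_READ_DATA; w only for FILE_WRITE_DATA/FILE_APPEND_DATA (assumed). */
unsigned nt_to_unix_rounddown(uint32_t mask)
{
    unsigned mode = 0;
    if (mask & FILE_READ_DATA) mode |= UNIX_R;
    if (mask & (FILE_WRITE_DATA | FILE_APPEND_DATA)) mode |= UNIX_W;
    if (mask & FILE_EXECUTE) mode |= UNIX_X;
    return mode;
}

/* Unix -> NT: a Unix r bit necessarily expands to all three read-class bits. */
uint32_t unix_to_nt(unsigned mode)
{
    uint32_t mask = 0;
    if (mode & UNIX_R) mask |= NT_ANY_READ;
    if (mode & UNIX_W) mask |= NT_ANY_WRITE;
    if (mode & UNIX_X) mask |= FILE_EXECUTE;
    return mask;
}
/* NT rights the stored Unix mode grants that the original ACL did not. */
uint32_t leaked_rights(uint32_t nt_mask, unsigned unix_mode)
{
    return unix_to_nt(unix_mode) & ~nt_mask;
}
```

With only FILE_READ_ATTRIBUTES | FILE_READ_EA granted, the round-up mapping yields Unix r and therefore leaks FILE_READ_DATA, while the round-down mapping yields no Unix bits and leaks nothing; the reverse direction still expands a plain FILE_READ_DATA grant to the EA and attribute bits, which is the exposure the thread calls unavoidable.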