[Samba] Great article on Samba symlink fixes at Linux Weekly News !

Jeremy Allison jra at samba.org
Sun Feb 13 22:08:53 UTC 2022


On Sun, Feb 13, 2022 at 09:00:16PM +0100, Ralph Boehme via samba wrote:
>On 2/13/22 20:00, Patrick Goetz wrote:
>>I also don't quite understand the symlink vulnerability.
>>
>>   open("/my/super/important/stuff")
>>
>>The concern is that this creates a race condition where someone could
>>
>>   cd /my/super
>>   ln -s /your/nefarious/location ./important
>>
>>where /your/nefarious/location/ includes a stuff/ directory before 
>>the read or write is executed? How would this be possible given that 
>>/my/super/ already includes an important/ directory?  Am I 
>>completely missing how this works?
>
>the race condition in open() has long been addressed in Samba, this 
>was addressed by a CVE fix in iirc 4.6.
>
>The remaining problem was all the other path based syscalls we were 
>still using all over the place to read and write metadata including 
>xattrs -- which may include more than "just" metadata.

This is of course correct :-). But Patrick was missing
the "mv" operation between the 'cd' and 'ln' :-).

Because this is slow, it's a difficult race to win,
and in fact the submitter had to run smbd under debug
level 10 or use trace to step through smbd in order
to reliably win the race.

But as Ralph said, we fixed this a long time ago for open,
but getxattr, setxattr, chmod, chown and friends were
another matter.
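An added example (not Samba's code) of the difference Jeremy describes: a path-based chmod on a name that has been swapped for a symlink lands on the link target, while opening the name with O_NOFOLLOW and calling fchmod on the descriptor refuses the link. It assumes Linux and a writable /tmp; the file names "target" and "stuff" are constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open "name" under dirfd without following a final symlink, then change
 * the mode on the fd. A symlink swapped in at "name" fails with ELOOP
 * instead of redirecting the chmod to whatever the link points at. */
int chmod_nofollow(int dirfd, const char *name, mode_t mode)
{
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;              /* errno is ELOOP when "name" is a symlink */
    int rc = fchmod(fd, mode);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed scenario (example code, not Samba's) in a fresh temp dir:
 * "target" stands for a file the attacker controls; "stuff" is the name the
 * server intends to operate on but has already been replaced by a symlink
 * (the mv + ln -s step above). Returns 0 when the path-based call is
 * redirected but the fd-based one refuses; other values name the failed step. */
int demo(void)
{
    char dir[] = "/tmp/symrace.XXXXXX";
    struct stat st;
    if (!mkdtemp(dir)) return 1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return 2;
    int t = openat(dfd, "target", O_CREAT | O_WRONLY, 0600);
    if (t < 0) return 3;
    close(t);
    if (symlinkat("target", dfd, "stuff") != 0) return 4;
    /* Path-based chmod (same semantics as chmod(path)) follows the link:
     * the new mode lands on "target". */
    if (fchmodat(dfd, "stuff", 0666, 0) != 0) return 5;
    if (fstatat(dfd, "target", &st, 0) != 0 || (st.st_mode & 0777) != 0666) return 6;
    /* fd-based variant refuses the symlink and leaves "target" untouched. */
    if (chmod_nofollow(dfd, "stuff", 0600) == 0 || errno != ELOOP) return 7;
    if (fstatat(dfd, "target", &st, 0) != 0 || (st.st_mode & 0777) != 0666) return 8;
    unlinkat(dfd, "stuff", 0); unlinkat(dfd, "target", 0); close(dfd); rmdir(dir);
    return 0;
}

int main(void) { return demo(); }
```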
