2.0.7: inherit permissions = yes breaks setting read-only on files
Helge Blischke
H.Blischke at srz-berlin.de
Thu Aug 24 16:40:16 GMT 2000
Michael Ju. Tokarev wrote:
>
> [...]
> But note note note note. All those tricks with chmod() have a tiny
> security hole. This is a very small hole, as the chances to break it are
> very limited in time, but it _does_ exist. Especially if high bits in
> the mode are involved. If an intruder can substitute (using just a symlink) that
> newly created directory _before samba calls_ chmod with his file,
> he will be able to use samba's permissions. Consider:
>
> User joe has a set-uid file that can't be executed by scott.
> Scott has access to a shell and wants to execute that file.
> Joe at this moment copies a bunch of files (with dirs) from his
> machine using samba. Scott knows that joe will create directory
> "sd" in share /tmp. So he (scott) can wait until this directory
> is created, and at this moment (very small timeslice) he can
> remove that directory and replace it with a symlink to that file.
> So, when samba calls chmod, it will change the mode of joe's file,
> not of his new directory. High bits exist in the mode, so the file
> _can_ be made set-uid, and can be executable by scott.
>
> Again, chances are very small, but exist. Uhh.
Wouldn't it be a solution for smbd to create the directory with no
permissions (i.e. mode set to 0000), and set the complete mode bits by a
following chmod afterwards?
That should avoid the security hole mentioned above.

And BTW, I just tested mkdir(2) on a UnixWare 7.1 box - it ignores the
high bits of the mode parameter as well.
Helge
--
H.Blischke at srz-berlin.de
H.Blischke at srz-berlin.com
H.Blischke at acm.org
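
A descriptor-based variant of the mkdir-then-chmod sequence discussed in this thread, as an added example that is not part of either post and is not Samba's code: the new directory is opened with O_NOFOLLOW and its mode is set with fchmod(), so a symlink swapped in for the name is never followed. The function names, the "victim" file, the scratch directory and the modes are constructed for the illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Set mode on a directory by descriptor; -1 if `name` is not a real directory we own. */
int set_dir_mode_nofollow(int parent, const char *name, mode_t mode)
{
    struct stat st;
    /* O_NOFOLLOW rejects a symlink swapped in for `name`; O_DIRECTORY rejects a file. */
    int fd = openat(parent, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* The descriptor pins one inode, so the checks and fchmod() act on the same object. */
    int ok = fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) &&
             st.st_uid == geteuid() && fchmod(fd, mode) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* mkdir with owner-only bits, then the descriptor-based mode change (high bits included). */
int mkdir_with_mode(int parent, const char *name, mode_t mode)
{
    return mkdirat(parent, name, 0700) == 0 ? set_dir_mode_nofollow(parent, name, mode) : -1;
}

/* Constructed scenario from the post: "sd" has already been replaced by a symlink to
 * a file when the mode change runs. Returns the file's permission bits afterwards. */
int mode_after_swapped_symlink(int parent)
{
    struct stat st;
    if (close(openat(parent, "victim", O_CREAT | O_EXCL | O_WRONLY, 0600)) != 0 ||
        symlinkat("victim", parent, "sd") != 0)
        return -1;
    if (set_dir_mode_nofollow(parent, "sd", 04755) == 0)
        return -2;                      /* would mean the symlink was followed */
    return fstatat(parent, "victim", &st, 0) == 0 ? (int)(st.st_mode & 07777) : -1;
}

int main(void)
{
    char tmpl[] = "/tmp/nofollow-demo-XXXXXX";  /* constructed scratch directory */
    int parent = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY) : -1;
    int victim = mode_after_swapped_symlink(parent);
    printf("victim mode %o, real dir rc %d\n", (unsigned)victim, mkdir_with_mode(parent, "real", 01770));
    return parent < 0;
}
```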