Claimed Zero Day exploit in Samba.

simo idra at samba.org
Fri Feb 5 15:18:45 MST 2010


On Fri, 2010-02-05 at 16:48 -0500, Michael Gilbert wrote:
> On Fri, 5 Feb 2010 16:26:41 -0500, Michael Gilbert wrote:
> > On Fri, 5 Feb 2010 12:46:06 -0800, Jeremy Allison wrote:
> > > On Fri, Feb 05, 2010 at 03:48:37PM -0500, Michael Gilbert wrote:
> > > > 
> > > > in your original description, you stated that "wide links = no" will
> > > > generate an "access denied" error when a "wide link" is accessed;
> > > > however, you didn't mention that creation of "wide links" is also
> > > > prevented.  if this is true, then that is a very satisfactory
> > > > solution.
> > > 
> > > No, it's actually incorrect. If "wide links = no", then no
> > > one can ever access anything off share, and so UNIX symlinks
> > > should be allowed to point to anywhere they like, as UNIX
> > > clients will follow them locally, not on the server.
> > > 
> > > > however, i think that the prevention code itself already
> > > > solves the root of the issue, and enabling that by default would fully
> > > > solve the problem.
> > > 
> > > Nope - see above :-).
> > > 
> > > > i can understand giving the local administrator this capability.
> > > > however, i don't see the need for remote users to have such authority
> > > > (although any enlightenment would be very much appreciated).
> > > 
> > > Imagine an app running on a Linux client that needs a symlink
> > > > to /usr/local/lib inside its filespace (don't know why, but
> > > it might :-). If that app is run off a CIFSFS share creating
> > > the /usr/local/lib symlink would fail with "wide links = no",
> > > which is not what you want.
> > 
> > thinking about this some more.  
> > 
> > if "wide links = no" is the chosen solution, then for this use case
> > the user needs to set "wide links = yes" to get this to work, and then
> > they are vulnerable to the security issue, which is bad.
> > 
> > on the other hand, if remote "wide link" prevention is the chosen
> > solution, then this use case is supported and the user is concurrently
> > protected from the security issue.  however, it adds the additional
> > tedium of getting authorization from the samba administrator to create
> > the symlink.
> 
> so, i think the ideal solution is to allow "wide links", but to detect
> when a remote user is following a "wide link" into a location that is
> not within a share that they have access to.  is this possible?

Look, if you *really* *really* need to show a separate part of the tree
in a share you can always use a bind mount.

That is a privileged operation so it cannot be abused.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
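
Added example, not part of the original thread and not Samba code: a point-in-time audit an administrator could run over a share's directory tree to list symlinks that resolve outside the share root, which is what "wide links" refers to above. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile


def is_within(root, path):
    """True if path, after resolving symlinks, is root itself or lies under it."""
    root = os.path.realpath(root)
    target = os.path.realpath(path)
    return os.path.commonpath([root, target]) == root


def find_wide_links(share_root):
    """Return sorted (link, resolved_target) pairs for symlinks leaving share_root."""
    found = []
    # followlinks=False: symlinked directories are listed but never descended into.
    for dirpath, dirnames, filenames in os.walk(share_root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) and not is_within(share_root, full):
                link = os.path.relpath(full, share_root)
                found.append((link, os.path.realpath(full)))
    return sorted(found)


def build_sample_share():
    """Constructed sample: a share holding one internal and two external symlinks."""
    base = tempfile.mkdtemp(prefix="widelink-demo-")
    share = os.path.join(base, "share")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(share, "docs"))
    os.makedirs(outside)
    # Absolute link that stays inside the share: not reported.
    os.symlink(os.path.join(share, "docs"), os.path.join(share, "docs-alias"))
    # Absolute link that leaves the share: reported.
    os.symlink(outside, os.path.join(share, "docs", "escape"))
    # Relative link that climbs out of the share: reported.
    os.symlink("../../outside", os.path.join(share, "docs", "rel-escape"))
    return share, outside


if __name__ == "__main__":
    share, _ = build_sample_share()
    for link, target in find_wide_links(share):
        print(f"{link} -> {target}")
```

The result reflects the tree only at the moment of the scan, since a user with write access can create a new symlink afterwards.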


