smbd tries to read ~root/* files
Michael Tokarev
mjt at tls.msk.ru
Thu Apr 13 19:56:18 UTC 2023
13.04.2023 22:37, Ralph Boehme via samba-technical wrote:
> On 4/13/23 20:56, Michael Tokarev via samba-technical wrote:
>> This might be, at the very least, quite unexpected, - once
>> there's something in root's configs, samba will do stuff not
>> configured in smb.conf?
>
> ECANTREPRODUCE
>
> I start Samba, connect with smbclient, get the pid of the smbd session process with smbstatus and then run strace -v -p PID on that pid for a few seconds.
I'm sorry for not providing the details initially. I was busy
with another problem; all these observations (and many more) came
up along the way.
It is samba 4.17.7 (4.17.7-1~bpo11-1 Debian package), configured
as a domain member (with the same version of samba acting as a
domain controller). The client is a Windows 10 machine. I don't
know if Kerberos-related stuff is used without the domain part
(and this looks like Kerberos stuff).
I can't say *when* exactly this file access happens, since I
was tracing something else and this was just background noise. Here's
an example of the command received from the client:
recvmsg(33, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0\0\7*", iov_len=4}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 4
recvmsg(33, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\376SMB@\0\1\0\1\0\0\0\1\0\0\0\20\0\0\0\0\0\0\0N\224\2\0\0\0\0\0\377\376\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\31\0\0\1\1\0\0\0\0\0\0\0X\0\322\6\0\0\0\0\0\0\0\0`\202\6\316\6\6+\6\1\5\5\2\240\202\6\3020\202\6\276\24000.\6\t*\206H\202\367\22\1\2\2\6\t*\206H\206\367\22\1\2\2\6\n+\6\1\4\1\2027\2\2\36\6\n+\6\1\4\1\2027\2\2\n\242\202\6\210\4\202\6\204`\202\6\200\6\t*\206H\206\367\22\1\2\2\1\0n\202\6o0\202\6k\240\3\2\1\5\241\3\2\1\16\242\7\3\5\0 \0\0\0\243\202\4\306a\202\4\3020\202\4\276\240\3\2\1\5\241\f\33\nTLS.MSK.RU\242\0270\25\240\3\2\1\2\241\0160\f\33\4"..., iov_len=1834}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 1834
after which it becomes root and tries to open /root/.foo files.
There are other similar cases, always starting with a similar
recvmsg. I can provide more complete traces if needed.
> Please post your smb.conf and explain in a bit more detail how you're connecting and what you're tracing.
Here's the smb.conf (as-is):
[global]
server string = %h samba server %v
netbios name = TSRV
realm = TLS.MSK.RU
workgroup = TLS
server role = member server
security = ADS
idmap config TLS : backend = ad
idmap config TLS : range = 1000-4999
idmap config TLS : schema_mode = rfc2307
idmap config TLS : unix_primary_group = yes
template homedir = /home/%U
template shell = /bin/bash
idmap config * : backend = tdb
idmap config * : range = 5000-5099
winbind use default domain = yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
allow hosts = 192.168.177.0/26 192.168.19.16/30 127.0.0.0/8
log file = /var/log/samba/log.%m
max log size = 1000
log level = 1
logging = file
# disable user shares (fix debian defaults idiocy)
usershare max shares = 0
load printers = no
printing = bsd
disable spoolss = yes
map hidden = yes
create mask = 0775
directory mask = 0775
acl allow execute always = true
# unix ext and wide links are incompatible. we need wide links.
unix extensions = no
wide links = yes
[homes]
comment = Home Directories
browseable = no
writable = yes
[ws]
comment = TLS Workspace
path = /ws/ws
writable = yes
> Btw, there's also security at samba.org the next time you run into such a nice one... :)
I thought about using security@, but discarded this idea in this case,
as it didn't look like a security issue. But now, after thinking a bit
more, it well might be, and needs at least some investigation.
Thanks,
/mjt
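What the quoted recvmsg actually carries can be read off the bytes. The following is an added example, not code from the post or from Samba: a small decoder that parses the SMB2 header, the SESSION_SETUP body and the SPNEGO/Kerberos blob from a byte string re-typed from the strace excerpt above. The sample is constructed from the post's octal escapes (assumed to be verbatim strace output); the zero run inside the header was rewrapped by the archive and is restored to the 30 bytes the 64-byte header layout and the visible SecurityBufferOffset of 0x58 require, and the data stops where strace printed "...". Every DER length is clamped to the bytes present, so the decoder walks the truncated capture instead of failing on it.

```python
import struct

# Constructed sample: the SMB2 request quoted in the post, re-typed from strace's octal escapes
# (assumption: the post shows verbatim strace output). The archive wrapped the header's zero run; an
# SMB2 header is 64 bytes and SecurityBufferOffset is 0x58 = 88 = 64 + 24, so exactly 30 zero bytes
# follow 0xff 0xfe. The capture ends where strace printed "...", so outer DER lengths exceed the data.
PACKET = (
    b"\376SMB@\0\1\0\1\0\0\0\1\0\0\0\20\0\0\0\0\0\0\0N\224\2\0\0\0\0\0\377\376" + b"\0" * 30
    + b"\31\0\0\1\1\0\0\0\0\0\0\0X\0\322\6\0\0\0\0\0\0\0\0"
    + b"`\202\6\316\6\6+\6\1\5\5\2\240\202\6\3020\202\6\276\24000.\6\t*\206H\202\367\22\1\2\2\6\t*\206H\206\367\22\1\2\2"
    + b"\6\n+\6\1\4\1\2027\2\2\36\6\n+\6\1\4\1\2027\2\2\n\242\202\6\210\4\202\6\204`\202\6\200\6\t*\206H\206\367\22\1\2\2\1\0"
    + b"n\202\6o0\202\6k\240\3\2\1\5\241\3\2\1\16\242\7\3\5\0 \0\0\0\243\202\4\306a\202\4\3020\202\4\276\240\3\2\1\5"
    + b"\241\f\33\nTLS.MSK.RU\242\0270\25\240\3\2\1\2\241\0160\f\33\4"
)
MECHS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.48018.1.2.2": "MS KRB5", "1.2.840.113554.1.2.2": "Kerberos 5",
         "1.3.6.1.4.1.311.2.2.30": "NEGOEX", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def parse_smb2_header(pkt):
    """Fixed 64-byte SMB2 header (MS-SMB2 2.2.1), little-endian; command 1 is SESSION_SETUP."""
    proto, size, _cc, _st, command, _cr, flags, _nx, msg_id, _rs, tree_id, sid = struct.unpack_from("<4sHHIHHIIQIIQ", pkt)
    if proto != b"\xfeSMB" or size != 64:
        raise ValueError("not an SMB2 header")
    return {"command": command, "flags": flags, "message_id": msg_id, "tree_id": tree_id, "session_id": sid}

def parse_session_setup(pkt, off=64):
    """SESSION_SETUP request body (MS-SMB2 2.2.5); the GSS buffer is located by offset/length."""
    size, _fl, sec_mode, _caps, _ch, sec_off, sec_len, _prev = struct.unpack_from("<HBBIIHHQ", pkt, off)
    if size != 25:
        raise ValueError("not a SESSION_SETUP request")
    return {"security_mode": sec_mode, "security_buffer": pkt[sec_off:sec_off + sec_len]}  # short if truncated

def der_tlv(buf, off):
    """DER tag/length at buf[off] -> (tag, declared_len, value_start, value_end); value_end clamped to the data."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, length, off, min(off + length, len(buf))

def walk(buf, off, end):
    """Yield (tag, value_start, value_end, complete) for the sibling TLVs in buf[off:end]."""
    while off + 2 <= end:
        tag, length, vs, ve = der_tlv(buf, off)
        complete = vs + length <= len(buf)
        yield tag, vs, ve, complete
        if not complete:                                # nothing after a cut-off element survived
            return
        off = ve

def find(buf, start, end, *tags):
    """Descend one level per tag (first match at each level); value bounds of the last tag, or None."""
    for want in tags:
        hit = next(((vs, ve) for tag, vs, ve, _ in walk(buf, start, end) if tag == want), None)
        if hit is None:
            return None
        start, end = hit
    return start, end

def oid_name(raw):
    """Decode a DER OID body (base-128 arcs) and map the GSS mechanisms we know to names."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for c in raw[1:]:
        val = (val << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs, val = arcs + [val], 0
    oid = ".".join(map(str, arcs))
    return MECHS.get(oid, oid)

def parse_krb5_token(buf, start, end):
    """RFC 4121 token: OID, 2-byte TOK_ID (01 00 = AP-REQ), then AP-REQ ::= [APPLICATION 14] SEQUENCE."""
    a, b = find(buf, start, end, 0x06)
    tok = {"mech": oid_name(buf[a:b]), "ap_req": buf[b:b + 2] == b"\x01\x00", "sname": []}
    if not tok["ap_req"]:
        return tok
    seq = find(buf, b + 2, end, 0x6E, 0x30)
    ticket = find(buf, *seq, 0xA3, 0x61, 0x30)           # ticket [3]: Ticket ::= [APPLICATION 1] SEQUENCE
    a, b = find(buf, *ticket, 0xA1, 0x1B)                # realm [1]: KerberosString
    tok["realm"] = buf[a:b].decode("ascii", "replace")
    for _, a, b, ok in walk(buf, *find(buf, *ticket, 0xA2, 0x30, 0xA1, 0x30)):   # sname [2] name-string [1]
        tok["sname"].append(buf[a:b].decode("ascii", "replace") if ok else "<truncated>")
    return tok

def parse_gss_token(buf):
    """GSS-API InitialContextToken (0x60) wrapping a SPNEGO NegTokenInit (RFC 4178)."""
    tag, _, vs, ve = der_tlv(buf, 0)
    if tag != 0x60:
        raise ValueError("security buffer is not a GSS-API token")
    a, b = find(buf, vs, ve, 0x06)
    info = {"outer_mech": oid_name(buf[a:b]), "mech_types": []}
    if info["outer_mech"] != "SPNEGO":
        return info
    neg = find(buf, b, ve, 0xA0, 0x30)                  # [0] NegTokenInit -> SEQUENCE
    info["mech_types"] = [oid_name(buf[x:y]) for t, x, y, _ in walk(buf, *find(buf, *neg, 0xA0, 0x30)) if t == 0x06]
    tok = find(buf, *neg, 0xA2, 0x04, 0x60)             # mechToken [2]: OCTET STRING holding the first mech's token
    info["mech_token"] = parse_krb5_token(buf, *tok) if tok else None
    return info

def analyze(pkt):
    hdr, ss = parse_smb2_header(pkt), parse_session_setup(pkt)
    return {"header": hdr, "session_setup": ss, "gss": parse_gss_token(ss["security_buffer"])}
```

Running analyze(PACKET) on the bytes above reports command 1 (SESSION_SETUP) with session_id 0, i.e. a new session, a SPNEGO mechTypes list of MS KRB5, Kerberos 5, NEGOEX and NTLMSSP in that preference order, and a mechToken that is a Kerberos AP-REQ whose ticket is for realm TLS.MSK.RU (the service name is cut off by the "..."). So the client is authenticating with a Kerberos ticket, which is the step where smbd has to find the service key in its keytab. The decode says what the request is, not what smbd does with it; the file opens themselves are best caught with strace -f -e trace=%file on the same smbd process.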