[SMB3POSIX] File attributes
Tom Talpey
tom at talpey.com
Tue Nov 14 17:34:26 UTC 2023
On 11/14/2023 11:44 AM, Ralph Boehme wrote:
> On 11/14/23 17:22, Tom Talpey wrote:
>> But, does it need to be exposed to remote access? It would seem to be an
>> admin function, most appropriate to apply via the server-local API.
>>
>> So to flip the question, does "chattr -i" (or any of the zillion others)
>> expose any new vulnerability if remote? Some of them look fairly juicy
>> targets for ransomware infiltration.
>
> there seems to be a working local privilege system associated with the
> attributes. If this was flawed there'd already be a serious problem with
> local access, so I don't think remote access changes the big picture,
> does it?
Agreed that the privilege needs to be correctly managed! But exposing
it remotely increases the attack surface significantly, so in my view
it needs a good reason, and careful security analysis. That's all.
Tom.
More information about the samba-technical
mailing list