Bug 9668 - Server password management fails since patch for CVE-2013-0214
Summary: Server password management fails since patch for CVE-2013-0214
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: SWAT (show other bugs)
Version: 3.6.6
Hardware: x64 Linux
: P5 major
Target Milestone: ---
Assignee: Kai Blin
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-19 22:28 UTC by Roger Lynn
Modified: 2013-09-02 13:30 UTC (History)
4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Roger Lynn 2013-02-19 22:28:50 UTC 
This is Debian bug 700729 <http://bugs.debian.org/700729> which I have been asked to report upstream. I am running the Debian packages of Samba (version 2:3.6.6-5) on a Debian Wheezy (testing) installation.

Since installing the latest security update for CVE-2013-0213 and CVE-2013-0214 server password management in SWAT has stopped working. Whatever is entered for the old and new passwords the page just reloads without doing anything. var/log/samba/log. gets lots of lines like this:

[2013/02/16 15:02:30.297508,  0] passdb/secrets.c:76(secrets_init)
  Failed to open /var/lib/samba/secrets.tdb

# ls -l /var/lib/samba/secrets.tdb 
-rw------- 1 root root 430080 Aug 24 23:30 /var/lib/samba/secrets.tdb

24 August is the date I first installed Samba.

SWAT is being run from stunnel as root.

My smb.conf file looks like this:

[global]
        workgroup = FUNDAMENTALS
        server string = %h server
        interfaces = 127.0.0.0/8, bond0
        bind interfaces only = Yes
        obey pam restrictions = Yes
        pam password change = Yes
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        load printers = No
        os level = 65
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
        invalid users = root
[Service]
        comment = Service files
        path = /srv/smb/service
        read only = No
        create mask = 0775
        force create mode = 0664
        directory mask = 0770
        force directory mode = 0770
        oplocks = No
        level2 oplocks = No

There are several other similar share definitions.

Thanks.
Comment 1 Roger Lynn 2013-02-21 09:38:01 UTC 
As password changing is a major function of SWAT, in my opinion this qualifies as a major severity bug. If you disagree please revert.
Comment 2 Roger Lynn 2013-03-19 10:33:04 UTC 
This regression was definitely introduced with the latest security patches. Reverting to the previous Debian packages (2:3.6.6-4) fixes the problem for both me and someone else posting to the Debian bug.
Comment 3 Kai Blin 2013-03-19 11:57:46 UTC 
As a workaround, if you can live without the extra-paranoid XSRF patches introduced for CVE-2013-0214, just back out that patch again. The XSRF requires the attacker to know the user's password, and in my opinion you're in trouble at that point already.

SWAT is without a real maintainer at the moment, and nobody had the time to issue a real fix for this issue yet.

For the record, the correct fix would be to check for the random nonce from secrets.tdb before dropping root privileges. Patches are welcome.
Comment 4 Björn Jacke 2013-09-02 12:57:18 UTC 
swat is removed with 4.1
Comment 5 Roger Lynn 2013-09-02 13:22:36 UTC 
We're continuing to run the insecure version of Samba in the meantime. Fortunately this server will soon cease to be my responsibility and my nice Linux box will be replaced with something running Windows and Exchange by an external IT support company.
Comment 6 Kai Blin 2013-09-02 13:30:55 UTC 
"Insecure" for values of "being logged into SWAT as root while browsing attacker websites".