Bug 15658 - samba share enumeration lists erroneous homes shares
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.20.1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2024-06-05 09:40 UTC by Adi Kriegisch
Modified: 2024-06-05 09:41 UTC
Description Adi Kriegisch 2024-06-05 09:40:38 UTC
Product: Samba 4.1+
Component: File services
Version: 4.13.13-4.20.1
OS: Debian Linux x86_64

While enumerating shares by opening smb://[server], sometimes additional homes shares, from users differing from the authenticated user, are listed.
The [homes] section is configured with `browseable = no` and `valid users = %S` and the user homes have permissions 700.
Setting `access based share enum = True` was also tested and made no difference.

The Samba version we are running is from the Debian repos; this was tested with 4.13.13, 4.17.12 and 4.20.1 (from Debian oldstable, stable and testing).

# Reproducing the issue:

Trying to open a homes share as user foo (uid 1000) belonging to another user (e.g. bar, 1001) from win10 results in:
> [2024/06/03 16:32:28.474511,  1, pid=16163, effective(0, 0), real(0, 0)] source3/smbd/smb2_service.c:337(create_connection_session_info)
>  create_connection_session_info: user 'foo' (from session setup) not permitted to access this share (bar)
> [2024/06/03 16:32:28.474572,  1, pid=16163, effective(0, 0), real(0, 0)] source3/smbd/smb2_service.c:519(make_connection_snum)
>   make_connection_snum: create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

As expected.

Afterwards, listing all shares on the samba host from another client (tested with: Debian, win10, macOS) with any user will include the extraneous home dir accessed above (bar).
> foo@client:~$ smbclient -U foo --list //server/
> Password for [WORKGROUP\foo]:
> 
>         Sharename       Type      Comment
>         ---------       ----      -------
>         IPC$            IPC       IPC Service (Samba 4.20.1-Debian)
>         bar             Disk      Home Directories
>         foo             Disk      Home Directories

From the logs the call listing the extra home looks like this:
> [2024/06/03 16:32:33.448028,  8, pid=16175, effective(0, 0), real(0, 0)] source3/param/loadparm.c:1524(add_a_service)
>   add_a_service: Creating snum = 1 for IPC$
> [2024/06/03 16:32:33.448063, 10, pid=16175, effective(0, 0), real(0, 0)] source3/param/loadparm.c:1574(hash_a_service)
>   hash_a_service: hashing index 1 for service name IPC$
> [2024/06/03 16:32:33.448098,  3, pid=16175, effective(0, 0), real(0, 0)] source3/param/loadparm.c:1686(lp_add_ipc)
>   adding IPC service
> [2024/06/03 16:32:33.448289,  1, pid=16175, effective(0, 0), real(0, 0)] source3/printing/printer_list.c:244(printer_list_get_last_refresh)
>   Failed to fetch record!
> [2024/06/03 16:32:33.448327,  1, pid=16175, effective(0, 0), real(0, 0)] source3/smbd/server_reload.c:73(delete_and_reload_printers)
>   pcap cache not loaded
> [2024/06/03 16:32:33.448432,  8, pid=16175, effective(0, 0), real(0, 0)] source3/param/service.c:56(load_registry_shares)
>   load_registry_shares()
> [2024/06/03 16:32:33.448474,  7, pid=16175, effective(0, 0), real(0, 0)] source3/param/loadparm.c:4359(lp_servicenumber)
>   lp_servicenumber: couldn't find foo
> [2024/06/03 16:32:33.448509,  7, pid=16175, effective(0, 0), real(0, 0)] source3/param/loadparm.c:4359(lp_servicenumber)
>   lp_servicenumber: couldn't find foo
> [2024/06/03 16:32:33.448542,  5, pid=16175, effective(0, 0), real(0, 0)] source3/lib/username.c:182(Get_Pwnam_alloc)
>   Finding user foo
> [2024/06/03 16:32:33.448574,  5, pid=16175, effective(0, 0), real(0, 0)] source3/lib/username.c:121(Get_Pwnam_internals)
>   Trying _Get_Pwnam(), username as lowercase is foo
> [2024/06/03 16:32:33.448655,  5, pid=16175, effective(0, 0), real(0, 0)] source3/lib/username.c:159(Get_Pwnam_internals)
>   Get_Pwnam_internals did find user [foo]!
> [2024/06/03 16:32:33.448691,  3, pid=16175, effective(0, 0), real(0, 0)] source3/smbd/password.c:84(register_homes_share)
>   Adding homes service for user 'foo' using home directory: '/home/foo'
> [2024/06/03 16:32:33.448738,  8, pid=16175, effective(0, 0), real(0, 0)] source3/param/loadparm.c:1524(add_a_service)
>   add_a_service: Creating snum = 3 for foo
> [2024/06/03 16:32:33.448773, 10, pid=16175, effective(0, 0), real(0, 0)] source3/param/loadparm.c:1574(hash_a_service)
>   hash_a_service: hashing index 3 for service name foo
> [2024/06/03 16:32:33.448809,  3, pid=16175, effective(0, 0), real(0, 0)] source3/param/loadparm.c:1636(lp_add_home)
>   adding home's share [foo] for user 'foo' at '/home/foo'
> [2024/06/03 16:32:33.448867,  4, pid=16175, effective(1000, 1000), real(1000, 0)] source3/smbd/sec_ctx.c:443(pop_sec_ctx)
>   pop_sec_ctx (1000, 1000) - sec_ctx_stack_ndx = 1
> [2024/06/03 16:32:33.448908, 10, pid=16175, effective(1000, 1000), real(1000, 0), class=rpc_srv] source3/rpc_server/srvsvc/srv_srvsvc_nt.c:683(init_srv_share_info_ctr)
>   NOT counting service homes
> [2024/06/03 16:32:33.450657, 10, pid=16175, effective(1000, 1000), real(1000, 0), class=rpc_srv] source3/rpc_server/srvsvc/srv_srvsvc_nt.c:678(init_srv_share_info_ctr)
>   counting service IPC$
> [2024/06/03 16:32:33.450696, 10, pid=16175, effective(1000, 1000), real(1000, 0), class=rpc_srv] source3/rpc_server/srvsvc/srv_srvsvc_nt.c:678(init_srv_share_info_ctr)
>   counting service bar
> [2024/06/03 16:32:33.450730, 10, pid=16175, effective(1000, 1000), real(1000, 0), class=rpc_srv] source3/rpc_server/srvsvc/srv_srvsvc_nt.c:678(init_srv_share_info_ctr)
>   counting service foo
> [2024/06/03 16:32:33.450775,  5, pid=16175, effective(1000, 1000), real(1000, 0)] source3/param/loadparm.c:1433(free_service)
>   free_service: Freeing service foo
> [2024/06/03 16:32:33.450815,  5, pid=16175, effective(1000, 1000), real(1000, 0), class=rpc_srv] source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1746(_srvsvc_NetShareEnumAll)
>   _srvsvc_NetShareEnumAll: 1746
> [2024/06/03 16:32:33.450893,  4, pid=16175, effective(0, 0), real(0, 0)] source3/smbd/sec_ctx.c:443(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2024/06/03 16:32:33.450933,  1, pid=16175, effective(0, 0), real(0, 0), class=rpc_parse] librpc/ndr/ndr.c:493(ndr_print_function_debug)
>        srvsvc_NetShareEnumAll: struct srvsvc_NetShareEnumAll
>           out: struct srvsvc_NetShareEnumAll
>               info_ctr                 : *
>                   info_ctr: struct srvsvc_NetShareInfoCtr
>                       level                    : 0x00000001 (1)
>                       ctr                      : union srvsvc_NetShareCtr(case 1)
>                       ctr1                     : *
>                           ctr1: struct srvsvc_NetShareCtr1
>                               count                    : 0x00000003 (3)
>                               array                    : *
>                                   array: ARRAY(3)
>                                       array: struct srvsvc_NetShareInfo1
>                                           name                     : *
>                                               name                     : 'IPC$'
>                                           type                     : STYPE_IPC_HIDDEN (0x80000003)
>                                           comment                  : *
>                                               comment                  : 'IPC Service (Samba 4.20.1-Debian)'
>                                       array: struct srvsvc_NetShareInfo1
>                                           name                     : *
>                                               name                     : 'bar'
>                                           type                     : STYPE_DISKTREE (0x0)
>                                           comment                  : *
>                                               comment                  : 'Home Directories'
>                                       array: struct srvsvc_NetShareInfo1
>                                           name                     : *
>                                               name                     : 'foo'
>                                           type                     : STYPE_DISKTREE (0x0)
>                                           comment                  : *
>                                               comment                  : 'Home Directories'
>               totalentries             : *
>                   totalentries             : 0x00000003 (3)
>               resume_handle            : *
>                   resume_handle            : 0x00000000 (0)
>               result                   : WERR_OK

From that it seems like the listing is built as expected: "homes" is not listed, and the checks are run as user 1000 (foo). But bar (uid 1001) is still added to the list and reported.

We originally noticed this issue because a Mac user tried to connect to one of our data servers and found some user shares that were not hers, and we would be more than happy if we could avoid this kind of information disclosure in the future...
The above description is a way to reliably reproduce the issue. We'll happily provide more debugging information. Just tell us what we should look for!
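
A regression check for the disclosure described in this report, as an added example that is not part of the original report or of Samba: it parses `smbclient --list` output and reports home shares that do not belong to the authenticated user. The sample listing is constructed from the one quoted above, and the function names and the `Home Directories` comment (the `[homes]` comment seen in that listing) are assumptions.

```python
import re

# Constructed sample, modelled on the smbclient listing quoted in the report.
SAMPLE_LISTING = """\

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba 4.20.1-Debian)
        bar             Disk      Home Directories
        foo             Disk      Home Directories
"""

SEPARATOR = re.compile(r"^\s+-+\s+-+\s+-+\s*$")
ROW = re.compile(
    r"^\s+(?P<name>.+?)\s+(?P<type>Disk|IPC|Printer)\b\s*(?P<comment>.*)$"
)


def parse_shares(listing):
    """Return (name, type, comment) tuples from the share table."""
    shares = []
    in_table = False
    for line in listing.splitlines():
        if SEPARATOR.match(line):
            in_table = True          # rows start after the dashed rule
            continue
        if not in_table:
            continue
        if not line.strip():
            break                    # a blank line ends the share table
        m = ROW.match(line)
        if m:
            shares.append((m["name"], m["type"], m["comment"].strip()))
    return shares


def foreign_home_shares(listing, auth_user, homes_comment="Home Directories"):
    """Disk shares carrying the [homes] comment that are not auth_user's own."""
    return sorted(
        name
        for name, share_type, comment in parse_shares(listing)
        if share_type == "Disk"
        and comment == homes_comment
        and name.lower() != auth_user.lower()
    )


if __name__ == "__main__":
    print(foreign_home_shares(SAMPLE_LISTING, "foo"))
```

Feeding it the output of `smbclient -U foo --list //server/` after the reproduction steps gives a pass/fail signal: any non-empty result means another user's home share name was enumerated.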