The Samba-Bugzilla – Bug 4643
Patch for CVE-2007-2447 broke the use of ;
Last modified: 2007-05-22 06:58:34 UTC
After some debugging I discovered that a strange problem I experienced was caused by the patched code added in Samba 3.0.25 for CVE-2007-2447 (Remote Command Injection Vulnerability). It is now no longer possible to use the ";" character in options like "preexec = " & "postexec =" causing the use of ie. (in my case) "root preexec = mkdir -p /home/software/Recycle; chown root:admins /home/software/.Recycle" to be executed as "root preexec = mkdir -p /home/software/Recycle chown root:admins /home/software/.Recycle" (The semicolon disappears!).
As far as I can see now, it also breaks the use of (in my case) "passwd program = /usr/bin/passwd %u; /usr/local/lib/yp_make.sh"
This new unexpected behaviour can possibly break a lot of setups (that's why I've set the priority to major)! I think the easiest solution is to add the ";" to #define INCLUDE_LIST "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabdefghijklmnopqrstuvwxyz_/ \t.,"
Sorry. We cannot add ';' to the list as this was part of the exploit.
You will have to wrap the commands in a single script and refer to that
But shouldn't "/etc/init.d/samba start" or testparm at least generate a warning that characters were used that are not allowed, instead of silently replacing them with spaces, which in my case caused my whole filesystem to be polluted with chmod, chown etc. (because the first statement was mkdir)?
(In reply to comment #2)
> But shouldn't "/etc/init.d/samba start" or testparm at least
> generate a warning that characters were used that are not allowed,
Sure. I would love to have this patch. Historically, testparm
makes no judgment on string values in smb.conf. Please send any
patches you may have in diff -u format to firstname.lastname@example.org
as an attachment. Thanks.