A Debian user has reported that group_mappings.ldb is created world-writeable by default in samba 3.2. I can confirm this on my system; it appears that all ldb files (of which group_mapping may be the only one, currently?) are created by default with permissions of 0666.

source/lib/ldb/common/ldb.c:

    struct ldb_context *ldb_init(void *mem_ctx)
    {
            [...]
            ldb_set_create_perms(ldb, 0666);
    }

I'm pretty sure that it shouldn't be allowed for all local users to modify the group mapping database, as this lets users assume any group privileges that they want to... I think the correct fix is to use 0644 instead of 0666 as the default permissions.
Thanks for the report! Very likely, we will see a security release soon.
The default should be 600; ldb relies on locking, and leaving the file readable can be exploited as a DoS by read-locking the whole file.
Thanks for catching this Steve, I think the correct fix is to force this to 600. Jeremy.
Created attachment 3506: proposed patch
CVE-2008-3789 has been assigned for this issue.
Comment on attachment 3506 (proposed patch): This patch only affects the creation of new ldb files.
Created attachment 3509: better patch. This patch also fixes the permissions of existing ldb files.
Comment on attachment 3506 (proposed patch): Both patches are needed to fix the issue properly.
Fixed with 3.2.3. Closing out bug report. Thanks for the report!