6763 – CVE-2009-2813 - Misconfigured /etc/passwd file may share folders unexpectedly

Bug 6763 - CVE-2009-2813 - Misconfigured /etc/passwd file may share folders unexpectedly

Summary: CVE-2009-2813 - Misconfigured /etc/passwd file may share folders unexpectedly

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.4
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	3.4.0
Hardware:	Other Linux

Importance:	P3 normal
Target Milestone:	---
Assignee:	Jeremy Allison
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2009-09-25 20:12 UTC by Jeremy Allison
Modified:	2012-03-17 00:26 UTC (History)
CC List:	0 users

See Also:

Attachments
Samba 3.0.36 patch (1.60 KB, patch) 2009-09-25 20:12 UTC, Jeremy Allison	no flags	Details
Samba 3.2.14 path (1.41 KB, patch) 2009-09-25 20:13 UTC, Jeremy Allison	no flags	Details
Samba 3.3.7 patch (1.41 KB, patch) 2009-09-25 20:13 UTC, Jeremy Allison	no flags	Details
Samba 3.4.1 patch (1.42 KB, patch) 2009-09-25 20:13 UTC, Jeremy Allison	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jeremy Allison 2009-09-25 20:12:28 UTC

===========================================================
== Subject:     Misconfigured /etc/passwd file may share folders unexpectedly
==
== CVE ID#:     CVE-CVE-2009-2813
==
== Versions:    All versions of Samba later than 3.0.11
==
== Summary:     If a user in /etc/passwd is misconfigured to have
==		an empty home directory then connecting to the home
==		share of this user will use the root of the filesystem
==		as the home directory.
===========================================================

===========
Description
===========

If a user in /etc/passwd is misconfigured to have an empty home
directory (::) and the automated [homes] share is enabled, or an
explicit share is created with that username, then any client connecting
to that share name will be able to access the whole filesystem from
root (/) on downwards, subject to local file system permissions
applied to the connecting user.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    http://www.samba.org/samba/security/

(Karolin: can you fill in this part?)

==========
Workaround
==========

Do not configure users in /etc/passwd with a blank home
directory field.

=======
Credits
=======

Originally reported by J. David Hester of LCG Systems National
Institutes of Health and forwarded to the Samba Team by Apple
Computer Inc.

Patches provided by Apple and Jeremy Allison of the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

Comment 1 Jeremy Allison 2009-09-25 20:12:59 UTC

Created attachment 4748 [details]
Samba 3.0.36 patch

Comment 2 Jeremy Allison 2009-09-25 20:13:17 UTC

Created attachment 4749 [details]
Samba 3.2.14 path

Comment 3 Jeremy Allison 2009-09-25 20:13:33 UTC

Created attachment 4750 [details]
Samba 3.3.7 patch

Comment 4 Jeremy Allison 2009-09-25 20:13:53 UTC

Created attachment 4751 [details]
Samba 3.4.1 patch

Comment 5 Jeremy Allison 2009-09-25 20:14:22 UTC

All patches submitted for security fix.

Jeremy.

Comment 6 Karolin Seeger 2009-10-01 07:45:39 UTC

Patch is included in 3.0.37, 3.2.15, 3.3.8 and 3.4.2.
Patch for master/v3-5-test is missing.
Jeremy, please push that one to master and v3-5-test also and close out the bug report after that.

Thanks a lot!

Comment 7 Jeremy Allison 2009-10-01 12:26:26 UTC

Pushed to master and v3-5-test.
Jeremy.