Bug 7222 - All users have full rigths on all shares; CVE-2010-0728
All users have full rigths on all shares; CVE-2010-0728
Status: RESOLVED FIXED
Product: Samba 3.4
Classification: Unclassified
Component: File services
3.4.6
x86 Linux
: P3 regression
: ---
Assigned To: Volker Lendecke
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-03-08 06:16 UTC by Andreas Matthus
Modified: 2012-03-16 23:58 UTC (History)
0 users

See Also:


Attachments
smb.conf (1005 bytes, text/plain)
2010-03-08 06:54 UTC, Andreas Matthus
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Matthus 2010-03-08 06:16:01 UTC
Sunday I update two production-servers from 3.4.3 to 3.4.6 (debian-packages) and got a shock: all users have full rights on all shares.
By linux login the rights O.K., but samba disobeys system-rights. 

I experimented some thinks on a test-server. Using other lines in smb.conf and upgrade to 3.5.0 plays no better. Not only shares with xfs-system-acl, also with normal linux-rights on ext3 have the same problem.
Only downgrade to 3.4.3 solve my problem. So I hope I can downgrade the production-servers in the late evening to come back to a secure system (in time many open files exist :-(( )

This is a very hard error.

With regards 
Andreas Matthus
Comment 1 Andreas Matthus 2010-03-08 06:17:51 UTC
I don't know, if ntlm_auth Tool is source of this error.
Comment 2 Volker Lendecke 2010-03-08 06:24:56 UTC
Please upload your smb.conf file so that we can reproduce this bug ASAP!

Volker
Comment 3 Andreas Matthus 2010-03-08 06:54:56 UTC
Created attachment 5469 [details]
smb.conf

Hallo Volker,
the smb.conf on the test-system is very simple. I expriemented also with 
inherit permission ... and so on

with regards 
Andreas
Comment 4 Volker Lendecke 2010-03-08 06:58:00 UTC
And the symptom is exactly what? You connect to share [test] as a non-privileged user and although your unix permissions would prevent this normally, you can still write?

Volker
Comment 5 Andreas Matthus 2010-03-08 07:06:29 UTC
> And the symptom is exactly what? You connect to share [test] as a
> non-privileged user and although your unix permissions would prevent this
> normally, you can still write?

i. e. if permissions on a directory and its files is 770 and owner root.root evrybody with a samba-account can change in and also read, write and create files.
 
Andreas 
Comment 6 Volker Lendecke 2010-03-08 07:26:05 UTC
Weird. Can't reproduce this here. Günther Deschner has some strange results
though, still investigating.

Volker
Comment 7 Simo Sorce 2010-03-08 07:28:50 UTC
Andreas, can you do a write and then post an ls -al of the /test directory ?
Comment 8 Andreas Matthus 2010-03-08 07:31:58 UTC
(In reply to comment #6)
> Weird. Can't reproduce this here. Günther Deschner has some strange results
> though, still investigating.

It is possible the error comes with system enviroment 
LANG=de_DE.UTF-8
?

Andreas
Comment 9 Andreas Matthus 2010-03-08 07:35:28 UTC
(In reply to comment #7)
> Andreas, can you do a write and then post an ls -al of the /test directory ?
> 
ls -alR test/
test/:
insgesamt 8
drwxrwx---+  4 root root   29  8. Mär 12:20 .
drwxr-xr-x  23 root root 4096  8. Mär 12:23 ..
drwxrwx---+  4 root root   79  8. Mär 14:56 darf
drwxrwx---   2 root root   17  8. Mär 12:37 nicht

test/darf:
insgesamt 36
drwxrwx---+ 4 root    root    79  8. Mär 14:56 .
drwxrwx---+ 4 root    root    29  8. Mär 12:20 ..
-rwxrwx---+ 1 root    root     2  8. Mär 12:37 eins

test/nicht:
insgesamt 4
drwxrwx---  2 root root 17  8. Mär 12:37 .
drwxrwx---+ 4 root root 29  8. Mär 12:20 ..
-rwxrwx---  1 root root  2  8. Mär 12:37 eins

------

By using ACLs also importend: 

getfacl /test/*
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: test/darf
# owner: root
# group: root
user::rwx
user:andreas:rwx
group::rwx
mask::rwx
other::---
default:user:andreas:rwx
default:mask::rwx
default:other::---

# file: test/nicht
# owner: root
# group: root
user::rwx
group::rwx
other::---
------------------------

Andreas
Comment 10 Simo Sorce 2010-03-08 07:43:00 UTC
Is your user "andreas" in some special group ?
Like Administrators or such ?
Comment 11 Andreas Matthus 2010-03-08 07:46:58 UTC
(In reply to comment #10)
> Is your user "andreas" in some special group ?
> Like Administrators or such ?
> 
No. 
id andreas
uid=1000(andreas) gid=1000(andreas) Gruppen=1000(andreas),20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev)

With samba 3.4.3 it works fine, so this way to search is wrong.

with regards
Andreas
Comment 12 Volker Lendecke 2010-03-08 08:37:19 UTC
Ok, sorry to come back again: I don't get this reproduced right now. You seem to be running debian linux, right? Which version of it? Where do you have the samba packages from, or did you compile yourself?

Volker
Comment 13 Andreas Matthus 2010-03-08 08:49:34 UTC
> Ok, sorry to come back again: I don't get this reproduced right now. You seem
> to be running debian linux, right? Which version of it? Where do you have the
> samba packages from, or did you compile yourself?
Yes, it is debian lenny/sid. All packages from ftp.de.debian.org. 
Running version 3.4.3 from a older backup.

apt-cache policy samba
samba:
  Installiert: 2:3.4.3-2
  Kandidat: 2:3.4.6~dfsg-1
  Versions-Tabelle:
     2:3.5.0dfsg-1 0
          1 http://ftp.de.debian.org experimental/main Packages
     2:3.4.6~dfsg-1 0
        500 http://ftp.de.debian.org sid/main Packages
        500 http://ftp.de.debian.org unstable/main Packages
 *** 2:3.4.3-2 0
        100 /var/lib/dpkg/status
     2:3.2.5-4lenny9 0
        500 http://security.debian.org lenny/updates/main Packages
     2:3.2.5-4lenny8 0
        500 http://ftp.tu-chemnitz.de lenny/main Packages

with regards 
Andreas
Comment 14 Guenther Deschner 2010-03-08 09:34:56 UTC
Ok, just for the record, with 2764612487697e2e35bede3dbf4f41c1fea0e9c7 *reverted* I was no longer able to reproduce it on fedora12 x86_64. master (and most probably 3.5) have the same issue.
Comment 15 Volker Lendecke 2010-03-08 09:54:58 UTC
Ok, got it reproduced. Don't know what to say, this is really the worst that could ever happen....

Expect an official announcement VERY soon

Thanks for keeping quiet ... 

Volker
Comment 16 Guenther Deschner 2010-03-08 10:38:15 UTC
(In reply to comment #14)
> Ok, just for the record, with 2764612487697e2e35bede3dbf4f41c1fea0e9c7
> *reverted* I was no longer able to reproduce it on fedora12 x86_64. master (and
> most probably 3.5) have the same issue.

Arg, pasted wrong hash, sorry Bo :)

246eba3b807e5ce50ee838c51823a9eb44f6b690 is the right one.
Comment 17 Volker Lendecke 2010-03-08 16:06:52 UTC
Fixed with 3.5.1, 3.4.7 and 3.3.12.

Thanks!

Volker