Bug 7298 - privillege problem
privillege problem
Status: RESOLVED FIXED
Product: Samba 3.4
Classification: Unclassified
Component: User & Group Accounts
3.4.0
x64 Linux
: P3 critical
: ---
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-03-25 23:59 UTC by Bill Deng
Modified: 2010-03-26 01:52 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Bill Deng 2010-03-25 23:59:53 UTC
Hi all, I got a critical problem with privileges.

I run smbd 3.4 on my ubuntu server 9.10. it works fine with linux. But when user logged in from windows systems. it can overwrite files they don't have privillege to change (write).

for example, there is a file with name a.txt. by design, user b can read the file b but cannot change it (write). my situation is when user b opened file a.txt, he cannot save any changes to the file. and he cannot delete the file also. the system will these actions as it should be. the problem is, BUT USER B CAN CHANGE FILE a.txt WITH ANOTHER TOTALLY DIFFERENT FILE BY "PASTE" ACTION! I mean, user b can have some files with totally different contents but have the same file name (a.txt for example here). he can copy the file from some other folder and paste it to the directory which contain file a.txt. Windows system will ask that the folder have already with name "a.txt". should you really want to overwrite it? then user b click "yes" botton, then, THE FILE IS CHANGED!!!
I have tested in windows xp and 2003. something happens no matter the user is an administrator or common user.

any comments?

kind regards,

Bill Deng
Comment 1 Volker Lendecke 2010-03-26 01:33:07 UTC
Very likely you're seeing the security problem we fixed with Samba 3.4.7.

http://www.samba.org/samba/history/samba-3.4.7.html

Please upgrade to that version.

Thanks,

Volker
Comment 2 Bill Deng 2010-03-26 01:52:30 UTC
Thank you volker.

Bill