Schaefer Jr, Thomas R.
2007-May-17 17:41 UTC
[Samba] prexec change between 3.0.24 to 3.0.25
Hello,

I've been testing out 3.0.25 before putting it into production and came across an issue.

As a simple example..

in a share definition

    root preexec = echo "hey there, hi there, hello" > /tmp/hiya.txt

works fine under 3.0.24

not so under 3.0.25, /tmp/hiya.txt isn't created.

Cranking up the debugging and using some other similar tests it seems to me that Samba is in fact issuing the command but anything with a redirect (> or >>) samba now seems to be passed as an argument to the command now instead of directly to the shell. In other words I think Samba is issuing

    echo "hey there, hi there, hello" \> \/tmp\/hiya.txt

My real world problem comes from simply trying to redirect a grep to /dev/null

Something like this

    root preexec = /usr/bin/grep share_name /loginbats/%U/login.bat > /dev/null
    root preexec close = yes

I can work around it apparently by just leaving off the > /dev/null, I guess Samba likely sends any output from a preexec to /dev/null anyway.

So anyhow, is this new Samba 3.0.25 preexec behavior expected behavior? I couldn't find mention of it in the WHATSNEW.txt

Thank you,
Tom Schaefer
On Thu, May 17, 2007 at 12:27:45PM -0500, Schaefer Jr, Thomas R. wrote:
> Hello,
>
> I've been testing out 3.0.25 before putting it into production and came
> across an issue.
>
> As a simple example..
>
> in a share definition
>
> root preexec = echo "hey there, hi there, hello" > /tmp/hiya.txt
>
> works fine under 3.0.24
>
> not so under 3.0.25, /tmp/hiya.txt isn't created.
>
> Cranking up the debugging and using some other similar tests it seems
> to me that Samba is in fact issuing the command but anything with a
> redirect (> or >>) samba now seems to be passed as an argument to the
> command now instead of directly to the shell. In other words I think
> Samba is issuing
>
> echo "hey there, hi there, hello" \> \/tmp\/hiya.txt
>
> My real world problem comes from simply trying to redirect a grep to
> /dev/null
>
> Something like this
>
> root preexec = /usr/bin/grep share_name /loginbats/%U/login.bat > /dev/null
> root preexec close = yes
>
> I can work around it apparently by just leaving off the > /dev/null, I
> guess Samba likely sends any output from a preexec to /dev/null anyway.
>
> So anyhow, is this new Samba 3.0.25 preexec behavior expected behavior?
> I couldn't find mention of it in the WHATSNEW.txt

Yes it is, I'm afraid. We now sanitize completely any shell meta-characters to avoid any security issues with user generated input being passed to a shell. I was a little worried this might break some existing setups but this is the first report I've had, and believe me security problems are worse than breaking setups :-).

Jeremy.
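
An added example, not part of the original thread and not Samba project code: one way to keep the grep-and-discard check from the question is to move the redirection into a wrapper script and validate the client-supplied %U there. The script path, the check_login_bat function and the LOGINBATS_DIR variable are hypothetical names, and the sketch assumes a plain script path with simple arguments passes through the 3.0.25 sanitizing unchanged.

```shell
#!/bin/sh
# Hypothetical wrapper, e.g. saved as /usr/local/sbin/check_login_bat.sh.
# Assumed smb.conf usage (no shell metacharacters left on the line):
#   root preexec = /usr/local/sbin/check_login_bat.sh %U share_name
#   root preexec close = yes

# Base directory from the thread; overridable for testing (assumption).
LOGINBATS_DIR="${LOGINBATS_DIR:-/loginbats}"

# Accept only plain name characters: no "/", no leading ".", no
# whitespace, quotes or shell metacharacters.
is_safe_name() {
    case $1 in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Exit status: 0 = share listed in the user's login.bat,
#              1 = not listed or no login.bat, 2 = rejected input.
check_login_bat() {
    user=$1
    share=$2

    # %U comes from the client, so it is checked before it becomes
    # part of a path that a root-owned process will open.
    is_safe_name "$user" || return 2
    is_safe_name "$share" || return 2

    file="$LOGINBATS_DIR/$user/login.bat"
    [ -f "$file" ] || return 1

    # The redirection now lives in the script, not in smb.conf.
    # -F matches the share name literally; -- ends option parsing.
    grep -F -- "$share" "$file" > /dev/null 2>&1
}

# Run the check only when invoked with arguments, as smbd would.
if [ "$#" -ge 2 ]; then
    check_login_bat "$1" "$2"
    exit $?
fi
```

With root preexec close = yes, a non-zero exit status from the script refuses the connection, so rejected usernames fail closed.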