Hi list, we have spotted a serious problem with our Samba (Debian version 3.0.24-6) on linux 2.4.31, ext2 with ACLs enabled. We use "hide unreadable = yes" to reduce clutter for our users. Today we noticed that with this option enabled any linux client can access and read *all* directories under the share, even directories that are owned by root and set to 0700. No ACLs are set on the directories in question nor on any parent directory. We have reproduced the same problem on a separate gentoo box (Kernel 2.6.18, Samba 3.0.24-r3, ext3 without acl support). I'd be glad if someone could look at our smb.conf (pasted at the end of this mail) and comment on whether this is a configuration problem or if we have hit a bug. Below a shell transcript to illustrate the problem: ### ### commands executed as root on the samba host ### ## ## 1. create the test directory and file, ## make them accessible only for root ## root@srv:~# cd /vol0 root@srv:/vol0# mkdir test root@srv:/vol0# echo "secret" >test/file.txt root@srv:/vol0# chown -R root:root test root@srv:/vol0# chmod -R 0700 test root@srv:/vol0# ls -al total 12 drwx------ 2 root root 4096 Jul 12 17:02 . drwxrwx--- 139 root users 4096 Jul 12 15:04 .. -rwx------ 1 root root 7 Jul 12 17:02 file ## ## 2. create a new samba user ## root@srv:/vol0# useradd -m -g users testuser root@srv:/vol0# smbpasswd -a testuser New SMB password: Retype new SMB password: Added user testuser. root@srv:/vol0# id testuser uid=1137(testuser) gid=100(users) groups=100(users) root@srv:/vol0# pdbedit -L -u testuser Unix username: testuser NT username: Account Flags: [U ] User SID: S-1-5-21-3613053638-1853485231-1729343208-3274 Primary Group SID: S-1-5-21-3613053638-1853485231-1729343208-513 Full Name: Home Directory: \\srv\testuser HomeDir Drive: Logon Script: Profile Path: \\srv\testuser\profile Domain: FOO Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Tue, 19 Jan 2038 04:14:07 CET Kickoff time: Tue, 19 Jan 2038 04:14:07 CET Password last set: Thu, 12 Jul 2007 17:05:54 CEST Password can change: Thu, 12 Jul 2007 17:05:54 CEST Password must change: Tue, 19 Jan 2038 04:14:07 CET Last bad password : 0 Bad password count : 0 Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF root@srv:/vol0# su - testuser testuser@srv:~$ ls /vol0/test ls: /vol0/test: Permission denied testuser@srv:~/$ cat /vol0/test/test.txt cat: /vol0/test/test.txt: Permission denied ### ### commands executed as user (uid 1023) on ### a remote linux client ### ## ## 3. mount the remote share ## someuser@ws:~$ mkdir fileserver someuser@ws:~$ smbmount //srv/data fileserver -o username=testuser Password: ## ## 4. do things that should not be possible ## someuser@ws:~$ ls -al fileserver total 8 drwxr-xr-x 1 someuser users 4096 Jul 12 17:02 . drwxr-xr-x 1 someuser users 4096 Jul 12 17:28 .. ### comment: this is correct, the "test" directory doesn't show someuser@ws:~$ ls -al fileserver/test total 8 drwxr-xr-x 1 someuser users 4096 Jul 12 17:02 . drwxr-xr-x 1 someuser users 4096 Jul 12 17:28 .. ### comment: this should not be possible someuser@ws:~$ cat fileserver/test/file.txt secret ### ### end of transcript ### further observations: - during one session i can sometimes cd to the "test"-directory, sometimes i get "Permission denied". also sometimes the directory listing for the "test" directory shows the contained files, sometimes it doesn't. intermittent bug? - when we set "hide unreadable = no" (but leave the rest of smb.conf as is) the permission checking seems to work properly. remote clients can then not get into the "test" directory. i am not quite sure if this really works around the actual problem or only disguises it (i.e. does it cause the client to honor the access bits or does it cause the server to *enforce* them?) well, and finally our smb.conf... ### smb.conf ### [global] workgroup = foo unix extensions = no server string = fileserver dns proxy = no log file = /var/log/samba/log.%U.%m.log max log size = 50000 log level = 0 vfs:2 syslog = 0 panic action = /usr/share/samba/panic-action %d security = user encrypt passwords = true obey pam restrictions = yes invalid users = root passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n . socket options = TCP_NODELAY [data] path = /vol0 vfs objects = full_audit full_audit:prefix = %u|%I full_audit:success = open opendir rmdir unlink rename write chmod chmod_acl mkdir close chown chmod_acl fchmod_acl fset_nt_acl aio_write full_audit:failure = open opendir unlink full_audit:facility = LOCAL7 full_audit:priority = ALERT guest ok = no writable = yes share modes = yes force directory mode = 0770 force create mode = 0660 directory security mask = 0000 enable privileges = no hide unreadable = yes ### end of smb.conf ### i'm looking forward to your feedback as this is obviously a very serious issue. i'm still hoping that we just made a configuration mistake but the fact that it misbehaves the same way on the second, vanilla gentoo installation (with a mostly default config) makes it seem unlikely to me. i apologize in advance if we're just missing something obvious here. regards, moe
Jeremy Allison
2007-Jul-12 17:41 UTC
[Samba] Urgent, Security: Privilege Escalation in 3.0.24?
On Thu, Jul 12, 2007 at 06:30:02PM +0200, moe wrote:> Hi list, > > we have spotted a serious problem with our Samba > (Debian version 3.0.24-6) on linux 2.4.31, ext2 with ACLs enabled. > > We use "hide unreadable = yes" to reduce clutter for our > users. Today we noticed that with this option enabled any > linux client can access and read *all* directories under the > share, even directories that are owned by root and set to 0700. > No ACLs are set on the directories in question nor on any > parent directory. > > We have reproduced the same problem on a separate gentoo box > (Kernel 2.6.18, Samba 3.0.24-r3, ext3 without acl support).Firstly, please report all security issues to security@samba.org, not to the samba@samba.org list. That way your problem is private, and will be handled urgently. Secondly, did you read the release notes for 3.0.25 ? In them there is a note : Security Fixes included in the Samba 3.0.25 release are: o CVE-2007-2444 Versions: Samba 3.0.23d - 3.0.25pre2 Local SID/Name translation bug can result in user privilege elevation which was widely publicized at the time. This may be the problem you are reporting. Can you please update to Samba 3.0.25b, and try and reproduce the problem. Please send any follow-ups to security@samba.org, and not to the samba@samba.org list please. Thanks, Jeremy.