Patrick Goetz
2022-Feb-13 19:00 UTC
[Samba] Great article on Samba symlink fixes at Linux Weekly News !
I also don't quite understand the symlink vulnerability.

    open("/my/super/important/stuff")

The concern is that this creates a race condition where someone could

    cd /my/super
    ln -s /your/nefarious/location ./important

where /your/nefarious/location/ includes a stuff/ directory before the read or write is executed? How would this be possible given that /my/super/ already includes an important/ directory? Am I completely missing how this works?

On 2/13/22 12:36, Ralph Boehme wrote:
> On 2/13/22 17:55, Patrick Goetz via samba wrote:
>> OK, so my question is if all the internal functions have been switched
>> to use file handles rather than paths, how is it possible to re-enable
>> SMB1?
>
> just
>
>     handle = open(path)
>
> and from then on use the handle. Of course the problem is doing the
> "open" symlink race safe, so in real Samba code we don't use open(2)
> directly, but the complex Samba function non_widelink_open().
>
> -slow
Ralph Boehme
2022-Feb-13 20:00 UTC
[Samba] Great article on Samba symlink fixes at Linux Weekly News !
On 2/13/22 20:00, Patrick Goetz wrote:
> I also don't quite understand the symlink vulnerability.
>
>     open("/my/super/important/stuff")
>
> The concern is that this creates a race condition where someone could
>
>     cd /my/super
>     ln -s /your/nefarious/location ./important
>
> where /your/nefarious/location/ includes a stuff/ directory before the
> read or write is executed? How would this be possible given that
> /my/super/ already includes an important/ directory? Am I completely
> missing how this works?

The race condition in open() has long been addressed in Samba; this was addressed by a CVE fix in iirc 4.6. The remaining problem was all the other path based syscalls we were still using all over the place to read and write metadata including xattrs -- which may include more than "just" metadata.

-slow

-- 
Ralph Boehme, Samba Team            https://samba.org/
SerNet Samba Team Lead              https://sernet.de/en/team-samba
Jeremy Allison
2022-Feb-13 22:05 UTC
[Samba] Great article on Samba symlink fixes at Linux Weekly News !
On Sun, Feb 13, 2022 at 01:00:17PM -0600, Patrick Goetz via samba wrote:
> I also don't quite understand the symlink vulnerability.
>
>     open("/my/super/important/stuff")
>
> The concern is that this creates a race condition where someone could
>
>     cd /my/super
>     ln -s /your/nefarious/location ./important
>
> where /your/nefarious/location/ includes a stuff/ directory before the
> read or write is executed? How would this be possible given that
> /my/super/ already includes an important/ directory? Am I completely
> missing how this works?

    cd /my/super
    mv ./important ./important-orig
    ln -s /your/nefarious/location ./important