Bugtraq mailing list archives

Re: Symlink attack in (all?) Samba. - Local root walkthrough by Tozz


From: "Jeffrey W. Baker" <jwbaker () ACM ORG>
Date: Thu, 14 Dec 2000 15:23:55 -0800

On Thu, 14 Dec 2000, Tozz wrote:

Symlink attack in (all?) Samba. - Local root walkthrough by Tozz
=================================================================

Requirements:

* Shell access or any other way to create symlinks
* A running samba daemon
* The username and/or password of a user named in the
  admin lists in one or more shares.
* Brains are not required.

This is really well documented, and comes as no surprise to an educated
Samba user.  In order for your "exploit" to actually work, the
administrator must have granted a person "admin user" privileges, after
having read this in the documentation:

              This  is a list of users who will be granted admin-
              istrative privileges on the share. This means  that
              they  will do all file operations as the super-user
              (root).

              You should use this option very carefully,  as  any
              user  in this list will be able to do anything they
              like on the share,  irrespective  of  file  permis-
              sions.

and this:

              This parameter allows the  Samba  administrator  to
              stop  smbd  from following symbolic links in a par-
              ticular share. Setting this parameter to "No"  pre-
              vents any file or directory that is a symbolic link
              from being followed (the user will get  an  error).
              This  option  is  very  useful  to  stop users from
              adding a symbolic link to /etc/passwd in their home
              directory for instance.  However it will slow file-
              name lookups down slightly.

Well shit, Wally, I guess we had better not give admin privs to untrusted
people.

The bottom line is that to execute this exploit, you must be trusted by
the administrator, and thus you could probably get blanket sudo if you
wanted it anyway.

-jwb
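The two smb.conf parameters quoted above, "admin users" and "follow symlinks", are the whole story of this thread: a share where both the admin list is non-empty and symlinks are still followed is the configuration the walkthrough needs. The script below is an added example, not code from the thread or from the Samba project; it parses a constructed sample smb.conf and reports shares where that combination holds, honouring Samba's rule that share-level parameters placed in [global] act as defaults and that "follow symlinks" defaults to yes. The parameter-name normalisation (case-insensitive, internal whitespace ignored) follows Samba's own handling; the sample config and share names are made up for illustration.

```python
import re

# Constructed sample smb.conf for illustration; not taken from any real host.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   ; share defaults set here apply to every share that does not override them
   follow symlinks = yes

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[projects]
   path = /srv/projects
   writable = yes
   admin users = alice, @wheel

[safe]
   path = /srv/safe
   admin users = bob
   follow symlinks = no
"""


def parse_smb_conf(text):
    """Return {section_name: {normalised_param: value}} for an smb.conf.

    Samba treats parameter names case-insensitively and ignores whitespace
    inside them, so 'Admin Users' and 'adminusers' are the same key.
    Comment lines start with ';' or '#'.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", "", key).lower()
        sections[current][key] = value.strip()
    return sections


def is_true(value):
    """Samba boolean parsing: yes/true/1 are true, anything else is false."""
    return value.strip().lower() in ("yes", "true", "1")


def effective(sections, share, key, default):
    """Share-level value, falling back to [global] and then the Samba default."""
    if key in sections.get(share, {}):
        return sections[share][key]
    return sections.get("global", {}).get(key, default)


def risky_shares(sections):
    """Shares where 'admin users' is set and symlinks are still followed.

    Returns a list of (share_name, [admin names]) tuples in config order.
    """
    findings = []
    for share in sections:
        if share == "global":
            continue
        admins = effective(sections, share, "adminusers", "")
        names = [n for n in re.split(r"[,\s]+", admins) if n]
        if not names:
            continue
        # 'follow symlinks' defaults to yes unless the share or [global] says no
        if is_true(effective(sections, share, "followsymlinks", "yes")):
            findings.append((share, names))
    return findings


if __name__ == "__main__":
    for share, names in risky_shares(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{share}]: admin users {', '.join(names)} operate as root with symlinks followed")
```

On the sample config only [projects] is reported: [safe] has the same kind of admin list but sets "follow symlinks = no", and [homes] has no admin list. Setting "follow symlinks = no" only closes the symlink route; as the reply above says, the underlying decision is whether the people in "admin users" should be doing file operations as root at all.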

