Bugtraq mailing list archives

Re: Samba 3.x + kernel 2.6.x local root vulnerability


From: "Patrick J. Volkerding" <security () slackware com>
Date: Mon, 9 Feb 2004 15:07:38 -0800 (PST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On Mon, 9 Feb 2004, Seth Arnold wrote:
> On Mon, Feb 09, 2004 at 10:23:03PM +0100, Michal Medvecky wrote:
> > Confirmed to work on all 2.6.x kernels, not confirmed on 2.4.x.
>
> I haven't got a clue what you're trying to accomplish. If you don't want
> a setuid execute, DON'T RUN chmod +s! You don't even need samba to
> accomplish this:

Note that two machines are involved here, the server (sharing the setuid
binary), and the client (the victim, which mounts the share and runs the
binary; the attacker must have a local account here).

The problem stems from the setuid root smbmnt.  When you install Samba
from source, /usr/bin/smbmnt is not setuid root by default, but several
Linux distributions seem to ship it this way (Slackware does not).  With
smbmnt setuid root, any user with a local account can gain root if they
can set up a Samba server that can be mounted from the victim machine.

At the least, if you're going to run smbmnt setuid root, you should make
an smbmnt group and only allow group members to execute it.  The members
of the group could still exploit this hole, but not other users.

Pat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAKBK+akRjwEAQIjMRAhl3AJ9xL0tWhZuP7poPVhY1tQ4SmKTi4ACfetQm
g8ktzk0I4h4q2AyJs67sESY=
=49Nk
-----END PGP SIGNATURE-----

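The mitigation Pat describes (keep smbmnt setuid root only if a dedicated group is the sole set of users allowed to execute it) as an added shell script; this is example code, not something from the original thread or from the Samba or Slackware projects. The install path /usr/bin/smbmnt and the group name smbmnt are assumptions taken from the message and can be overridden through the environment; the hardening step needs root on a real system.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an smbmnt binary for the
# risky "setuid root and executable by every local account" configuration, and
# apply the group-restriction mitigation suggested in the message.

SMBMNT="${SMBMNT:-/usr/bin/smbmnt}"     # assumed install path
SMBMNT_GROUP="${SMBMNT_GROUP:-smbmnt}"  # assumed name of the dedicated group

# Returns 0 when FILE has the setuid bit set AND is executable by "other",
# i.e. any user with a local account can run it.  -perm -4001 matches only
# if both bits (04000 setuid, 00001 other-execute) are present.
smbmnt_is_world_exec_setuid() {
    file="$1"
    [ -f "$file" ] || return 1
    find "$file" -perm -4001 -print 2>/dev/null | grep -q .
}

# Returns 0 when FILE is setuid but only its owner and group may execute it
# (mode 4750), the state produced by smbmnt_restrict_to_group below.
smbmnt_is_group_restricted() {
    file="$1"
    [ -f "$file" ] || return 1
    [ "$(ls -ld "$file" | cut -c1-10)" = "-rwsr-x---" ]
}

# Hardening step: hand the binary to GROUP and remove execute for everyone
# else while keeping the setuid bit, so group members can still mount shares.
# The group must already exist (create it with your distribution's tooling).
smbmnt_restrict_to_group() {
    file="$1"
    group="$2"
    [ -f "$file" ] || return 1
    chgrp "$group" "$file" && chmod 4750 "$file"
}

# Audit the configured binary; set SMBMNT_APPLY=1 (and run as root) to harden it.
if smbmnt_is_world_exec_setuid "$SMBMNT"; then
    echo "$SMBMNT is setuid and executable by all local users (exposed)"
    if [ "${SMBMNT_APPLY:-0}" = "1" ]; then
        smbmnt_restrict_to_group "$SMBMNT" "$SMBMNT_GROUP" \
            && echo "$SMBMNT now limited to group $SMBMNT_GROUP"
    fi
elif smbmnt_is_group_restricted "$SMBMNT"; then
    echo "$SMBMNT is setuid but limited to its group (mitigated)"
else
    echo "$SMBMNT is absent or not setuid (not affected by this issue)"
fi
```

Run it as-is to audit, or with `SMBMNT_APPLY=1` as root to apply the 4750 mode. The audit relies on `find -perm -4001`, which is POSIX and matches only when both the setuid bit and the other-execute bit are set, so a binary that is already group-restricted is reported as mitigated rather than exposed.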
