[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

linux 2.6 + samba 3.0 + setuid smbmnt = local root vulnerability ---- what to do?@fatooh.org

I'm surprised there haven't been any mails here about this yet. As far
as I know, this affects any Debian installation that uses Linux 2.6. If
I understand the issue correctly, both Linux 2.6 and Samba 3.0 support
CIFS extensions for Unix, which means that an executable can retain its
suid status when smbmounted -- if it's suid on the server, it's suid on
the client too. Following the instructions on the original report to
gain root on a vulnerable system (the client) is quite easy.


(note that the report involves two systems - one server and one client)

On a temporary basis, this problem can be easily mitigated:
# chmod u-s `which smbmnt`

...but this prevents regular users from smbmounting. There's a patch in
the original advisory, but that hasn't seen any attention yet on the
lkml. So, I'm wondering: what is the proper way to fix this?


Reply to: