linux 2.6 + samba 3.0 + setuid smbmnt = local root vulnerability ---- what to email@example.com
I'm surprised there haven't been any mails here about this yet. As far
as I know, this affects any Debian installation that uses Linux 2.6. If
I understand the issue correctly, both Linux 2.6 and Samba 3.0 support
CIFS extensions for Unix, which means that an executable can retain its
suid status when smbmounted -- if it's suid on the server, it's suid on
the client too. Following the instructions on the original report to
gain root on a vulnerable system (the client) is quite easy.
(note that the report involves two systems - one server and one client)
On a temporary basis, this problem can be easily mitigated:
# chmod u-s `which smbmnt`
...but this prevents regular users from smbmounting. There's a patch in
the original advisory, but that hasn't seen any attention yet on the
lkml. So, I'm wondering: what is the proper way to fix this?