
linux 2.6 + samba 3.0 + setuid smbmnt = local root vulnerability ---- what to do?@fatooh.org



I'm surprised there haven't been any mails here about this yet. As far
as I know, this affects any Debian installation that uses Linux 2.6. If
I understand the issue correctly, both Linux 2.6 and Samba 3.0 support
CIFS extensions for Unix, which means that an executable can retain its
suid status when smbmounted -- if it's suid on the server, it's suid on
the client too. Following the instructions on the original report to
gain root on a vulnerable system (the client) is quite easy.

http://www.securityfocus.com/archive/1/353217/2004-02-07/2004-02-13/1

(note that the report involves two systems - one server and one client)

On a temporary basis, this problem can be easily mitigated:
# chmod u-s `which smbmnt`

...but this prevents regular users from smbmounting. There's a patch in
the original advisory, but that hasn't seen any attention yet on the
lkml. So, I'm wondering: what is the proper way to fix this?

Thanks,
Corey
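
An audit sketch for the exposure described in the message above, added here as an example and not part of the original post or the advisory. It reports SMB/CIFS mounts that would honour a server-supplied setuid bit and whether the `smbmnt` helper is setuid. Assumptions: the generic `nosuid` mount option (not mentioned in the post) is used as the indicator, the function names are hypothetical, and the mount lines are constructed sample data.

```shell
#!/bin/sh
# Added audit sketch (not from the original post). Read-only: changes nothing.

# Constructed sample in /proc/mounts format (device, mount point, type, options).
sample_mounts() {
    cat <<'EOF'
/dev/hda1 / ext3 rw 0 0
//fileserver/pub /mnt/pub smbfs rw 0 0
//fileserver/home /mnt/home cifs rw,nosuid,nodev 0 0
//fileserver/tools /mnt/tools cifs rw,nodev 0 0
EOF
}

# Print mount points of smbfs/cifs mounts that lack nosuid, i.e. where a
# setuid bit presented by the server would be honoured on this client.
# $1: file in /proc/mounts format.
suid_capable_smb_mounts() {
    awk '($3 == "smbfs" || $3 == "cifs") && ("," $4 ",") !~ /,nosuid,/ { print $2 }' "$1"
}

# Print "missing", "setuid" or "not-setuid" for the helper binary at $1.
helper_status() {
    if [ ! -e "$1" ]; then echo missing
    elif [ -u "$1" ]; then echo setuid
    else echo not-setuid
    fi
}

# Demo on the constructed sample; on a real client pass /proc/mounts instead.
tmp=$(mktemp)
sample_mounts > "$tmp"
echo "SMB/CIFS mounts without nosuid:"
suid_capable_smb_mounts "$tmp"
rm -f "$tmp"
echo "smbmnt: $(helper_status "$(command -v smbmnt || echo /nonexistent/smbmnt)")"
```

A client where `helper_status` reports `setuid` lets unprivileged users create such mounts, which is the condition the temporary `chmod u-s` removes.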
