[33612] in bugtraq
Re: Samba 3.x + kernel 2.6.x local root vulnerability
daemon@ATHENA.MIT.EDU (Frank Louwers)
Wed Feb 11 13:52:26 2004
Date: Tue, 10 Feb 2004 08:42:29 +0100
From: Frank Louwers <frank@openminds.be>
To: bugtraq@securityfocus.com
Message-ID: <20040210084229.A7903@openminds.be>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="liOOAslEiF7prFVr"
Content-Disposition: inline
In-Reply-To: <20040209220347.GH17237@wirex.com>
--liOOAslEiF7prFVr
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Mon, Feb 09, 2004 at 02:03:47PM -0800, Seth Arnold wrote:
> On Mon, Feb 09, 2004 at 10:23:03PM +0100, Michal Medvecky wrote:
>=20
> I haven't got a clue what you're trying to accomplish. If you don't want
> a setuid execute, DON'T RUN chmod +s! You don't even need samba to
> accomplish this:
>=20
>=20
> I expect this behaviour out of every Linux, BSD, commercial Unix,
> Windows NT with POSIX emulation, QNX, etc.=20
>=20
> Can you please explain what specifically bothers you?
I think his point is this:
Image you have a user account luser on box foo. You do not have root on
foo. However, you do have root on box bar. If you are allowed to
smbmount stuff on foo as user luser, (which is a BadThing(tm), but
default behaviour on some systems as it seems), and you smbmount a share
on bar, and use that suid shell, you actually have root control on foo!
Kind Regards,
Frank Louwers
--=20
Openminds bvba www.openminds.be
Tweebruggenstraat 16 - 9000 Gent - Belgium
--liOOAslEiF7prFVr
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFAKItlPTTV5eWScS8RAvFDAKCVwYox2qfNY9H5Qly8/CR5P7M2ngCeJVO0
yWXtUB5XyrUyojNZ5A3Lb+4=
=04e8
-----END PGP SIGNATURE-----
--liOOAslEiF7prFVr--
