can mount a non-shared directory

Bug #10304 reported by Debian Bug Importer

Affects         Status        Importance  Assigned to  Milestone
samba (Debian)  Fix Released  Unknown
samba (Ubuntu)  Invalid       High        Unassigned

Bug Description

Automatically imported from Debian bug report #281345 http://bugs.debian.org/281345

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 15 Nov 2004 11:16:06 +0100
From: Uwe Zeisberger <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: can mount a non-shared directory

Package: samba
Version: 3.0.7-2
Severity: critical
Tags: security

Hello,

I haven't investigated much (yet), but see the following alarming
transcript:

root@cepheus:~# smbclient -L 127.0.0.1 -U zeisberg
Password:
Domain=[CEPHEUS] OS=[Unix] Server=[Samba 3.0.7-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (cepheus)
        ADMIN$          IPC       IPC Service (cepheus)
        zeisberg        Disk      Home Directories
Domain=[CEPHEUS] OS=[Unix] Server=[Samba 3.0.7-Debian]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        MALIBU               CEPHEUS

root@cepheus:~# mountpoint /mnt
/mnt is not a mountpoint

root@cepheus:~# mount -t cifs //127.0.0.1/man /mnt -o user=zeisberg
Password:

root@cepheus:~# mountpoint /mnt
/mnt is a mountpoint

root@cepheus:~# mount | grep cifs
//127.0.0.1/man on /mnt type cifs (rw,mand)

root@cepheus:~# ls /mnt
X11R6 cat2 cat4 cat6 cat8 fsstnd local
cat1 cat3 cat5 cat7 cat9 index.db opt

root@cepheus:~# touch /var/cache/man/isitthisdir

root@cepheus:~# ls /mnt
X11R6 cat2 cat4 cat6 cat8 fsstnd isitthisdir opt
cat1 cat3 cat5 cat7 cat9 index.db local

root@cepheus:~# rm /mnt/isitthisdir
rm: cannot remove `/mnt/isitthisdir': Permission denied

root@cepheus:~# egrep -v '^ *([#;].*)?$' /etc/samba/smb.conf
[global]
   workgroup = malibu
   server string = %h
   wins support = no
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = user
   encrypt passwords = true
   passdb backend = tdbsam guest
   obey pam restrictions = yes
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mask = 0700
   directory mask = 0700

from the logs:
[2004/11/14 13:55:59, 1] smbd/service.c:make_connection_snum(648)
  127.0.0.1 (127.0.0.1) connect to service man initially as user zeisberg (uid=1000, gid=100) (pid 3373)

This attracted my attention while a WinXP-Box showed apart from my
homedir the directory 'man at cepheus'.

This is not too dangerous in my case, because it seems/is read-only,
there is no precious data in this location and there is no internet
connection. But maybe there are other cases and machines, where there
could be done (more) harm.

I don't know what additional information I could add to this report. Until
now I can reproduce this, so let me know, if you ne...

Steve Langasek (vorlon) wrote : Re: Bug#281345: can mount a non-shared directory

On Mon, Nov 15, 2004 at 11:16:06AM +0100, Uwe Zeisberger wrote:
> I haven't investigated much (yet), but see the following alarming
> transcript:

> root@cepheus:~# smbclient -L 127.0.0.1 -U zeisberg
> Password:
> Domain=[CEPHEUS] OS=[Unix] Server=[Samba 3.0.7-Debian]

> Sharename Type Comment
> --------- ---- -------
> IPC$ IPC IPC Service (cepheus)
> ADMIN$ IPC IPC Service (cepheus)
> zeisberg Disk Home Directories
> Domain=[CEPHEUS] OS=[Unix] Server=[Samba 3.0.7-Debian]
>
> Server Comment
> --------- -------
>
> Workgroup Master
> --------- -------
> MALIBU CEPHEUS

> root@cepheus:~# mountpoint /mnt
> /mnt is not a mountpoint

> root@cepheus:~# mount -t cifs //127.0.0.1/man /mnt -o user=zeisberg
> Password:

> root@cepheus:~# mountpoint /mnt
> /mnt is a mountpoint

> root@cepheus:~# mount | grep cifs
> //127.0.0.1/man on /mnt type cifs (rw,mand)

> root@cepheus:~# ls /mnt
> X11R6 cat2 cat4 cat6 cat8 fsstnd local
> cat1 cat3 cat5 cat7 cat9 index.db opt

> root@cepheus:~# touch /var/cache/man/isitthisdir

> root@cepheus:~# ls /mnt
> X11R6 cat2 cat4 cat6 cat8 fsstnd isitthisdir opt
> cat1 cat3 cat5 cat7 cat9 index.db local

> root@cepheus:~# rm /mnt/isitthisdir
> rm: cannot remove `/mnt/isitthisdir': Permission denied

> root@cepheus:~# egrep -v '^ *([#;].*)?$' /etc/samba/smb.conf
> [global]
> workgroup = malibu
> server string = %h
> wins support = no
> dns proxy = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> security = user
> encrypt passwords = true
> passdb backend = tdbsam guest
> obey pam restrictions = yes
> invalid users = root
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
> create mask = 0700
> directory mask = 0700

> from the logs:
> [2004/11/14 13:55:59, 1] smbd/service.c:make_connection_snum(648)
> 127.0.0.1 (127.0.0.1) connect to service man initially as user zeisberg (uid=1000, gid=100) (pid 3373)

> This attracted my attention while a WinXP-Box showed apart from my
> homedir the directory 'man at cepheus'.

> This is not too dangerous in my case, because it seems/is read-only,
> there is no precious data in this location and there is no internet
> connection. But maybe there are other cases and machines, where there
> could be done (more) harm.

This is not a bug. If you don't want user homedirs to be exported, disable
(or change the permissions on) the [homes] share in your smb.conf. There is
no way for samba to guess which users' homes you do or don't want to export.

It remains a reasonable default for Debian to enable the [homes] share by
default, because it approximates the needs of most users for user home
directory exports and there is zero privilege escalation compared with
normal shell...
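
Added example, not part of the original report or of Samba's code: a simplified Python model of the [homes] lookup that smb.conf(5) documents, in which a requested share name that matches no section is tried as a local account name. The passwd and smb.conf samples are constructed from the transcript above, the function names are hypothetical, and group entries in user lists are not modelled.

```python
# Simplified model of the [homes] lookup (added example, not Samba's code).
# PASSWD and SMB_CONF are constructed samples; man's uid/gid are assumed.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
man:x:6:12:man:/var/cache/man:/bin/sh
zeisberg:x:1000:100::/home/zeisberg:/bin/bash
"""
SMB_CONF = """\
[global]
   security = user
   invalid users = root
[homes]
   browseable = no
   writable = yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}} with lower-cased names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def reachable_home_shares(passwd, smb_conf, client):
    """(share, path) pairs `client` may connect to through [homes]."""
    conf = parse_smb_conf(smb_conf)
    if "homes" not in conf:
        return []  # without [homes] no per-user shares are created
    params = {**conf.get("global", {}), **conf["homes"]}  # share overrides global
    if client in params.get("invalid users", "").replace(",", " ").split():
        return []
    shares = []
    for entry in passwd.splitlines():
        name, _, _, _, _, home, _ = entry.split(":")
        if name in conf:
            continue  # an explicit [name] section takes precedence
        # %S expands to the share name, which here is the account name.
        allowed = params.get("valid users", "").replace("%S", name)
        allowed = allowed.replace(",", " ").split()
        if not allowed or client in allowed:  # empty list: any user
            shares.append((name, home))
    return shares
```

With the reported configuration the model lists `man` (/var/cache/man) as reachable for `zeisberg`, matching the transcript; appending `valid users = %S` to [homes] leaves only the user's own home. Access inside a connected share remains subject to Unix file permissions, as the failed `rm` in the transcript suggests.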


Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 15 Nov 2004 02:58:47 -0800
From: Steve Langasek <email address hidden>
To: Uwe Zeisberger <email address hidden>,
 <email address hidden>
Subject: Re: Bug#281345: can mount a non-shared directory


Matt Zimmerman (mdz) wrote :

Closed as invalid in Debian

Changed in samba:
status: Unknown → Fix Released