Comment 2 for bug 10304

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 15 Nov 2004 11:16:06 +0100
From: Uwe Zeisberger <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: can mount a non-shared directory

Package: samba
Version: 3.0.7-2
Severity: critical
Tags: security

Hello,

I haven't investigated much (yet), but see the following alarming
transcript:

root@cepheus:~# smbclient -L 127.0.0.1 -U zeisberg
Password:
Domain=[CEPHEUS] OS=[Unix] Server=[Samba 3.0.7-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (cepheus)
        ADMIN$          IPC       IPC Service (cepheus)
        zeisberg        Disk      Home Directories
Domain=[CEPHEUS] OS=[Unix] Server=[Samba 3.0.7-Debian]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        MALIBU               CEPHEUS

root@cepheus:~# mountpoint /mnt
/mnt is not a mountpoint

root@cepheus:~# mount -t cifs //127.0.0.1/man /mnt -o user=zeisberg
Password:

root@cepheus:~# mountpoint /mnt
/mnt is a mountpoint

root@cepheus:~# mount | grep cifs
//127.0.0.1/man on /mnt type cifs (rw,mand)

root@cepheus:~# ls /mnt
X11R6 cat2 cat4 cat6 cat8 fsstnd local
cat1 cat3 cat5 cat7 cat9 index.db opt

root@cepheus:~# touch /var/cache/man/isitthisdir

root@cepheus:~# ls /mnt
X11R6 cat2 cat4 cat6 cat8 fsstnd isitthisdir opt
cat1 cat3 cat5 cat7 cat9 index.db local

root@cepheus:~# rm /mnt/isitthisdir
rm: cannot remove `/mnt/isitthisdir': Permission denied

root@cepheus:~# egrep -v '^ *([#;].*)?$' /etc/samba/smb.conf
[global]
   workgroup = malibu
   server string = %h
   wins support = no
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = user
   encrypt passwords = true
   passdb backend = tdbsam guest
   obey pam restrictions = yes
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mask = 0700
   directory mask = 0700

from the logs:
[2004/11/14 13:55:59, 1] smbd/service.c:make_connection_snum(648)
  127.0.0.1 (127.0.0.1) connect to service man initially as user zeisberg (uid=1000, gid=100) (pid 3373)

This attracted my attention while a WinXP-Box showed apart from my
homedir the directory 'man at cepheus'.

This is not too dangerous in my case, because it seems/is read-only,
there is no precious data in this location and there is no internet
connection. But maybe there are other cases and machines, where
(more) harm could be done.

I don't know what additional information I could add to this report. Until
now I can reproduce this, so let me know, if you need more information.
Tell me please, if I should try upgrading to samba/unstable, too.

Regards
Uwe

-- 
Uwe Zeisberger

Set the I_WANT_A_BROKEN_PS environment variable to force BSD syntax ...
 -- manpage of procps

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (900, 'testing'), (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.9
Locale: LANGC, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages samba depends on:
ii debconf [debconf-2.0] 1.4.40 Debian configuration management sy
ii libacl1 2.2.23-1 Access control list shared library
ii libc6 2.3.2.ds1-18 GNU C Library: Shared libraries an
ii libcomerr2 1.35-6 The Common Error Description libra
ii libcupsys2-gnutls10 1.1.20final+rc1-10 Common UNIX Printing System(tm) -
ii libkrb53 1.3.4-4 MIT Kerberos runtime libraries
ii libldap2 2.1.30-3 OpenLDAP libraries
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libpopt0 1.7-5 lib for parsing cmdline parameters
ii logrotate 3.7-2 Log rotation utility
ii netbase 4.19 Basic TCP/IP networking system
ii samba-common 3.0.7-2 Samba common files used by both th

-- debconf information:
  samba/nmbd_from_inetd:
* samba/run_mode: daemons
  samba/log_files_moved:
  samba/tdbsam: false
* samba/generate_smbpasswd: true

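
Samba's documented [homes] handling treats a requested service name that matches no section as a username and serves that account's home directory, which would account for `man` resolving to /var/cache/man if `man` is a local account with that home (an assumption; the report shows no passwd data). The audit below is an added example, not part of the original report or of Samba; `parse_smb_conf`, `homes_exposure` and the sample data are hypothetical names and constructed input.

```python
# Added example: which account homes can a [homes] section expose?
# SMB_CONF mirrors the [homes] block in the report; PASSWD is a constructed
# sample (assumption: "man" is a local account with home /var/cache/man).
SMB_CONF = """\
[global]
   security = user
   invalid users = root
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
"""
PASSWD = """\
man:x:6:12:man:/var/cache/man:/bin/sh
zeisberg:x:1000:100::/home/zeisberg:/bin/bash
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}. Names are case-insensitive and
    whitespace inside parameter names is irrelevant, so both are normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return sections

def homes_exposure(conf_text, passwd_text):
    """Return [(service_name, directory)] that [homes] would serve to
    authenticated users other than the owner. Empty if [homes] is absent or
    has 'valid users = %S'. Assumes [homes] sets no 'path', so the directory
    is the account's home."""
    conf = parse_smb_conf(conf_text)
    homes = conf.get("homes")
    if homes is None:
        return []
    allowed = homes.get("validusers", "").replace(",", " ").split()
    if allowed == ["%S"]:
        return []
    exposed = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        # Explicitly defined sections win over the [homes] username lookup.
        if len(fields) >= 6 and fields[0].lower() not in conf:
            exposed.append((fields[0], fields[5]))
    return exposed
```

With `valid users = %S` added to `[homes]`, each home share is limited to its owner and `homes_exposure` returns an empty list.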