Bug#424629: security upgrade broke permissions check.

Christian Perrier Sat, 19 May 2007 10:32:15 -0700

> The samba team just sent me the attached patch which supposedly fixes
> #424629 for 3.0.24-6etch1 (in short, it fixes that RC bug in etch's
> samba).



OK, I succeeded building a test case.

On an etch samba server running 3.0.24-6etch1, as this to smb.conf:

[test]
   comment =  Test
   path=/var/tmp/test
   create mode = 0664
   directory mode = 2775
   force group = foo
   valid users = @users

In /var/tmp/test, create a directory named "bar":

[EMAIL PROTECTED]:~/src/debian/samba$ ls -l /var/tmp/test
total 8592
drwxrwx---  2 root    users       4096 2007-05-19 14:07 bar

Notice the directory belongs to "users" and 770 permissions

Connect to this with a user who's member of "users":

[EMAIL PROTECTED]:~/src/debian/samba$ smbclient //kheops/test -U bubulle
Password:
Domain=[MAISON] OS=[Unix] Server=[Samba 3.0.24]
smb: \> cd foo
smb: \foo\> dir
NT_STATUS_ACCESS_DENIED listing \foo\*

                37547 blocks of size 262144. 9849 blocks available


As "bubulle" is member of "users", he should be able to list the
directory.

With 3.0.24-6etch2 I just built with the attached patch:


[EMAIL PROTECTED]:~/src/debian/samba$ smbclient //kheops/www -U bubulle
Password:
Domain=[MAISON] OS=[Unix] Server=[Samba 3.0.24]
smb: \> cd foo
smb: \foo\> dir
  .                                   D        0  Sat May 19 14:07:56 2007
  ..                                  D        0  Sat May 19 14:07:56 2007

                37547 blocks of size 262144. 9849 blocks available


So, in short, we should update the version in etch with this patch.

diff -Nru samba-3.0.24.old/debian/changelog samba-3.0.24/debian/changelog
--- samba-3.0.24.old/debian/changelog	2007-05-19 18:51:55.000000000 +0200
+++ samba-3.0.24/debian/changelog	2007-05-19 18:52:40.000000000 +0200
@@ -1,3 +1,13 @@
+samba (3.0.24-6etch2) stable-security; urgency=high
+
+  * The fix for CVE-2007-2444 broke the behaviour of "force group" when
+    for forced group is a local Unix group for domain member servers
+    Applied an upstream patch (security-CVE-2007-244_fixed-force-group.patch)
+    that is part of samba 3.0.25a.
+    Closes: #424629
+
+ -- Christian Perrier <[EMAIL PROTECTED]>  Sat, 19 May 2007 07:24:19 +0200
+
 samba (3.0.24-6etch1) stable-security; urgency=high
 
   * Security fixes:
diff -Nru samba-3.0.24.old/debian/patches/security-CVE-2007-2444_fixed-force-group.patch samba-3.0.24/debian/patches/security-CVE-2007-2444_fixed-force-group.patch
--- samba-3.0.24.old/debian/patches/security-CVE-2007-2444_fixed-force-group.patch	1970-01-01 01:00:00.000000000 +0100
+++ samba-3.0.24/debian/patches/security-CVE-2007-2444_fixed-force-group.patch	2007-05-19 18:52:40.000000000 +0200
@@ -0,0 +1,58 @@
+=== modified file 'source/smbd/uid.c'
+--- samba-3.0.24.orig/source/smbd/uid.c	2007-05-12 16:45:55 +0000
++++ samba-3.0.24/source/smbd/uid.c	2007-05-18 17:33:11 +0000
+@@ -151,7 +151,9 @@
+ 	char group_c;
+ 	BOOL must_free_token = False;
+ 	NT_USER_TOKEN *token = NULL;
+-
++	int num_groups = 0;
++	gid_t *group_list = NULL;
++	
+ 	if (!conn) {
+ 		DEBUG(2,("change_to_user: Connection not open\n"));
+ 		return(False);
+@@ -190,14 +192,14 @@
+ 	if (conn->force_user) /* security = share sets this too */ {
+ 		uid = conn->uid;
+ 		gid = conn->gid;
+-		current_user.ut.groups = conn->groups;
+-		current_user.ut.ngroups = conn->ngroups;
++	        group_list = conn->groups;
++		num_groups = conn->ngroups;
+ 		token = conn->nt_user_token;
+ 	} else if (vuser) {
+ 		uid = conn->admin_user ? 0 : vuser->uid;
+ 		gid = vuser->gid;
+-		current_user.ut.ngroups = vuser->n_groups;
+-		current_user.ut.groups  = vuser->groups;
++		num_groups = vuser->n_groups;
++		group_list  = vuser->groups;
+ 		token = vuser->nt_user_token;
+ 	} else {
+ 		DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
+@@ -230,8 +232,8 @@
+ 			 */
+ 
+ 			int i;
+-			for (i = 0; i < current_user.ut.ngroups; i++) {
+-				if (current_user.ut.groups[i] == conn->gid) {
++			for (i = 0; i < num_groups; i++) {
++				if (group_list[i] == conn->gid) {
+ 					gid = conn->gid;
+ 					gid_to_sid(&token->user_sids[1], gid);
+ 					break;
+@@ -243,6 +245,12 @@
+ 		}
+ 	}
+ 	
++	/* Now set current_user since we will immediately also call
++	   set_sec_ctx() */
++
++	current_user.ut.ngroups = num_groups;
++	current_user.ut.groups  = group_list;	
++
+ 	set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
+ 		    token);
+ 
+
diff -Nru samba-3.0.24.old/debian/patches/series samba-3.0.24/debian/patches/series
--- samba-3.0.24.old/debian/patches/series	2007-05-19 18:51:55.000000000 +0200
+++ samba-3.0.24/debian/patches/series	2007-05-19 18:52:40.000000000 +0200
@@ -23,3 +23,4 @@
 security-CVE-2007-2444.patch
 security-CVE-2007-2446.patch
 security-CVE-2007-2447.patch
+security-CVE-2007-2444_fixed-force-group.patch

signature.asc
Description: Digital signature

Bug#424629: security upgrade broke permissions check.

Reply via email to