> I haven't looked very closely at what's going on, but I bet the problem
> is related to the fix for CVE-2007-2444, which changes the way in which
> samba gets root access when it needs it. It switches from
> become_root_uid_only() to become_root(). The names of those functions
> suggest that previously the group membership would not change, but now
> it might.
>
> The issue sounds like it must be upstream, not Debian-specific. Have
> you heard anything from them?
>
> I'm not sure what you should do for testing users (or stable, or anybody
> else), since there currently is no security-fixed version that doesn't
> break functionality. Figuring out how we can fix this problem in stable
> is my priority. If we can figure out a way to fix the vulnerabilities
> without breaking functionality, the secure-testing team ought to be able
> to help by uploading to testing-security.
The Samba Team just agreed in http://lists.samba.org/archive/samba/2007-May/132056.html that this is a bug in 3.0.25 *and probably in the security patches*, which will be fixed in 3.0.25a. I just asked Jerry Carter for the bug's patch so that we can apply it to 3.0.24-6etch1 and reupload a fixed version to etch. I think that this bug deserves it. Breaking shares with "force group" will break a lot of servers, and we need to fix this quickly, IMHO.
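An administrator reading this thread will want to know which of their shares set "force group" before deciding whether to hold back the security update. The script below audits an smb.conf for exactly that. It is an added example written for this page, not code from the thread, from Debian or from the Samba project; the configuration text in it is constructed, and it assumes the smb.conf conventions that ';' and '#' begin comment lines, that parameter names are case- and whitespace-insensitive, that "group" is a synonym for "force group", and that a per-share parameter placed in [global] acts as the default for every share.

```python
"""Audit an smb.conf for shares that set "force group".

Added example, not code from the thread or from the Samba project. The
SAMPLE_SMB_CONF below is constructed; pass a path such as
/etc/samba/smb.conf on the command line to audit a live server.
"""
import re
import sys

# Constructed sample configuration (not taken from the thread).
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   security = user

[projects]
   path = /srv/projects
   force group = projects
   writable = yes

[finance]
   path = /srv/finance
   ; '+' form: only users already in 'accounts' get it as primary group
   force group = +accounts
   valid users = @accounts

[public]
   path = /srv/public
   guest ok = yes
   # force group = nobody   (commented out and must be ignored)
"""

_SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
_PARAM_RE = re.compile(r"^(?P<key>[^=;#]+?)\s*=\s*(?P<value>.*?)$")


def parse_smb_conf(text):
    """Return {section_name: {normalized_param: value}} for an smb.conf string.

    Samba ignores case and embedded whitespace in parameter names, so
    "Force Group", "forcegroup" and "force group" are the same parameter;
    keys are normalized the same way here (assumption stated in the lead-in).
    Lines whose first non-blank character is ';' or '#' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections[current] = {}
            continue
        m = _PARAM_RE.match(line)
        if m and current is not None:
            key = re.sub(r"\s+", "", m.group("key")).lower()
            if key == "group":          # synonym for "force group"
                key = "forcegroup"
            sections[current][key] = m.group("value")
    return sections


def shares_with_force_group(text):
    """Map share name -> effective "force group" value for every share that has one.

    A "force group" set in [global] is treated as the default for all
    shares; a share-level setting overrides it.
    """
    sections = parse_smb_conf(text)
    default = sections.get("global", {}).get("forcegroup")
    result = {}
    for name, params in sections.items():
        if name.lower() == "global":
            continue
        value = params.get("forcegroup", default)
        if value is not None:
            result[name] = value
    return result


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    affected = shares_with_force_group(text)
    if not affected:
        print("no shares use 'force group'")
    for share, group in sorted(affected.items()):
        flag = " (+ form: applies only to existing members)" if group.startswith("+") else ""
        print(f"[{share}] force group = {group}{flag}")
```

On a live server, cross-check the output against `testparm -s`, which prints the effective per-share parameters after defaults and synonyms have been resolved by Samba itself.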