Date:      Wed, 10 Jul 1996 13:38:57 -0700 (MST)
From:      Terry Lambert <terry@lambert.org>
To:        jim@starshine.org (Jim Dennis)
Cc:        terry@lambert.org, igor@cs.ibank.ru, questions@freebsd.org
Subject:   Re: Samba FS planned to implement?
Message-ID:  <199607102038.NAA27122@phaeton.artisoft.com>
In-Reply-To: <199607092345.QAA04260@starshine> from "Jim Dennis" at Jul 9, 96 04:45:17 pm

> > >   smbclient - cool but interactive. :)
> > 
> > I have a proposal on the table (in a news group posting) for session
> > management and a password cache interface.  These are prerequisites
> > for a correct implementation.  The Linux implementation is incorrect,
> > and opens security holes you could drive a truck through.  This
> > would not be so bad if the default configuration was not so badly
> > thought out that you could drive three trucks and a blimp through.
> 
> 	Could you be a bit more specific (perhaps with a message
> 	copied to bugtraq or linux-alert)?

I have discussed the issue with various people in the Linux camp
and on the Samba list -- and in specific, with Andrew, who if you
have followed the list since its inception, rereleased his smbserver
code at my urging, following about a year of idle time.

> 	In particular my question is this -- the smbfs is an smb client
> 	-- it has nothing to do with exporting your Unix volumes to 
> 	others (which is handled by smbd AFAIK).
> 
> 	So, are you saying that there are problems where a single
> 	user (on a Linux host) mounting an SMB share (on an NT or Win 
> 	'95 system for example) will allow other users (on the Linux side)
> 	access to the shared volume?

Yes.

>	Are you saying that it allows the user in question more access
>	than smbtar/smbclient?

Yes, because both smbtar and smbclient require the user to authenticate
on a per user instead of a per system basis.

> > Remember the CERT advisory for Microsoft SMB servers?
> 
> 	Of course I remember it.  I added additional packet filters
> 	to prevent propagation of those protocols through our routers
> 	(former employer) and recommended that WfW and Win '95 systems
> 	be reconfigured to disable sharing throughout the enterprise
> 	(as I recall NT systems could be configured to avoid the 
> 	problem).
> 
> > Imagine it applying to all of your UNIX systems.
> 	
> 	As I recall the SAMBA server didn't have this problem --
> 	it was the client that exposed the underlying server-side
> 	vulnerability in the MS products.
> 
> 	Please correct me if I'm wrong.  I don't want to carry
> 	around any misinformation on this issue.

The problem with the FS client is that SMB servers institute credentials
(and therefore per-user protections) on a per connection basis.  When
you have only one connection from a multiuser machine to an SMB server,
you rob the server of its ability to distinguish individual users from
the user who instantiated the mount.

Further protections rely on typical obscurity mechanisms to interpose
a layer of protection to the mount point to enforce user access semantics;
even if this is instituted (which is not an enforced access method),
doing so on a per user basis requires a mount per user -- an unrealistic
administrative burden.


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
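
A toy model of the per-connection credential binding described in the message above, added here as an illustration; it is not code from the post, from Samba, or from the Linux smbfs. The accounts, passwords, ACL and class names are all constructed, and `PerUserSessions` assumes a per-user password cache of the kind the message names as a prerequisite.

```python
# Constructed model of per-connection SMB credentials; not Samba or smbfs code.
ACL = {"payroll.xls": {"alice"}, "notes.txt": {"alice", "bob"}}  # server-side ACL
PASSWORDS = {"alice": "a-secret", "bob": "b-secret"}             # server accounts


class SmbServer:
    """Binds one account to each connection at session setup."""
    def __init__(self):
        self._conn_account = {}  # connection id -> authenticated account

    def session_setup(self, account, password):
        if PASSWORDS.get(account) != password:
            raise PermissionError("logon failure")
        conn_id = len(self._conn_account) + 1
        self._conn_account[conn_id] = account
        return conn_id

    def may_read(self, conn_id, path):
        # The server sees only the connection, never the client-side Unix user.
        return self._conn_account[conn_id] in ACL.get(path, set())


class SharedMount:
    """One connection for the whole machine, opened by whoever ran the mount."""
    def __init__(self, server, account, password):
        self._server = server
        self._conn = server.session_setup(account, password)

    def may_read(self, user, path):
        return self._server.may_read(self._conn, path)  # user never reaches the server


class PerUserSessions:
    """One connection per local user, opened from that user's cached password."""
    def __init__(self, server, password_cache):
        self._server, self._cache, self._conns = server, password_cache, {}

    def may_read(self, user, path):
        if user not in self._conns:
            if user not in self._cache:
                return False  # nothing cached: no session, so no access
            self._conns[user] = self._server.session_setup(user, self._cache[user])
        return self._server.may_read(self._conns[user], path)


def compare(path, users):
    """Return {user: (shared_mount_result, per_user_result)} for one file."""
    shared = SharedMount(SmbServer(), "alice", PASSWORDS["alice"])
    per_user = PerUserSessions(SmbServer(), dict(PASSWORDS))
    return {u: (shared.may_read(u, path), per_user.may_read(u, path)) for u in users}
```

With the shared mount every local user, including one with no server account at all, gets the access of the account that performed the mount; with per-user sessions the server's own ACL applies to each of them.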


