I believe there is a Samba LRP package floating about so this is probably a
VERY relevant Security bug from the Samba mailing list.

----- Original Message -----
From: "Andrew Tridgell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 22, 2001 5:26 PM
Subject: URGENT: Samba security hole

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> IMPORTANT: Security bugfix for Samba
> ------------------------------------
>
> June 23rd 2001
>
>
> Summary
> - -------
>
> A serious security hole has been discovered in all versions of Samba
> that allows an attacker to gain root access on the target machine for
> certain types of common Samba configuration.
>
> The immediate fix is to edit your smb.conf configuration file and
> remove all occurrences of the macro "%m". Replacing occurrences of %m
> with %I is probably the best solution for most sites.
>
> Details
> - -------
>
> A remote attacker can use a netbios name containing unix path
> characters which will then be substituted into the %m macro wherever
> it occurs in smb.conf. This can be used to cause Samba to create a log
> file on top of an important system file, which in turn can be used to
> compromise security on the server.
>
> The most commonly used configuration option that can be vulnerable to
> this attack is the "log file" option. The default value for this
> option is VARDIR/log.smbd. If the default is used then Samba is not
> vulnerable to this attack.
>
> The security hole occurs when a log file option like the following is
> used:
>
>    log file = /var/log/samba/%m.log
>
> In that case the attacker can use a locally created symbolic link to
> overwrite any file on the system. This requires local access to the
> server.
>
> If your Samba configuration has something like the following:
>
>    log file = /var/log/samba/%m
>
> Then the attacker could successfully compromise your server remotely
> as no symbolic link is required. This type of configuration is very
> rare.
>
> The most commonly used log file configuration containing %m is the one
> distributed in the sample configuration file that comes with Samba:
>
>    log file = /var/log/samba/log.%m
>
> in that case your machine is not vulnerable to this attack unless you
> happen to have a subdirectory in /var/log/samba/ which starts with the
> prefix "log."
>
> New Release
> - -----------
>
> While we recommend that vulnerable sites immediately change their
> smb.conf configuration file to prevent the attack we will also be
> making new releases of Samba within the next 24 hours to properly fix
> the problem. Please see http://www.samba.org/ for the new releases.
>
> Please report any attacks to the appropriate authority.
>
> The Samba Team
> [EMAIL PROTECTED]
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: Processed by Mailcrypt 3.5.6 and Gnu Privacy Guard <http://www.gnupg.org/>
>
> iD8DBQE7M+Gobf9zMVhTZ5ERAoVvAJ9CX93rSHbEyPD95mS3C5XaQXx5RgCfeOIx
> bKPS2xD1L8C0mlr6y5i8uBo=
> =M/K7
> -----END PGP SIGNATURE-----
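
An added example, not part of the advisory or of Samba's own code: a small smb.conf audit that finds every parameter value containing %m, sorts "log file" values into the three cases the advisory describes, and proposes the %I replacement it recommends. The sample configuration, the function names and the verdict labels are constructed for illustration; the "review" verdict for non-log parameters and the omission of line continuations are assumptions of this sketch.

```python
import re

# Constructed sample smb.conf, built from the three "log file" forms in the advisory.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   ; log file = /var/log/samba/%m   (commented out, ignored)
   log file = /var/log/samba/%m.log
[bare]
   log file = /var/log/samba/%m
[sample]
   Log File = /var/log/samba/log.%m
[other]
   include = /etc/samba/smb.conf.%m
"""

def classify(value):
    """Map a "log file" value onto the three cases the advisory describes."""
    before, after = value.split("%m", 1)
    prefix = before.rsplit("/", 1)[-1]   # text before %m in its path component
    suffix = after.split("/", 1)[0]      # text after %m in its path component
    if prefix:
        return "conditional"   # safe unless a subdirectory starts with the prefix
    if suffix:
        return "local"         # needs a locally created symbolic link
    return "remote"            # no symbolic link required

def audit(text):
    """Return (section, parameter, value, verdict, suggested value) per %m use."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line:
            continue
        name, value = (p.strip() for p in line.split("=", 1))
        if "%m" not in value:            # macros are case-sensitive; %M is different
            continue
        key = re.sub(r"\s+", "", name).lower()   # Samba ignores case/spaces in names
        verdict = classify(value) if key == "logfile" else "review"
        findings.append((section, name, value, verdict, value.replace("%m", "%I")))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("[%s] %s = %s -> %s; suggested: %s" % f)
```

A "conditional" result still needs the directory check the advisory mentions: look in the log directory for any subdirectory whose name starts with the reported prefix.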