[Pkg-samba-maint] Bug#425391: [Fwd: Re: Bug#425391: Patch/bug fix for CVE-2007-2447 breaks the use of ; ]

Steve Langasek vorlon at debian.org
Tue May 22 09:43:16 UTC 2007


On Tue, May 22, 2007 at 08:17:56AM +0200, Christian Perrier wrote:

> Other maintainers, advice? I think that going the way to sanity check
> configuration files is a dangerous slope...

Forward upstream?  I don't think this is high-priority enough of an issue
that it will ever get worked on, but I agree that rejecting the config
option would be nicer than silently rewriting it to do something the user
isn't expecting.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/


> -------- Original Message --------
> Subject: Re: Bug#425391: Patch/bug fix for CVE-2007-2447 breaks the use of ;
> Date: Tue, 22 May 2007 08:10:31 +0200
> From: Arno van Amersfoort <a.c.j.van.amersfoort at eld.physics.leidenuniv.nl>
> To: Christian Perrier <bubulle at debian.org>
> References: <465190A7.2060600 at eld.physics.leidenuniv.nl>
> <20070521162600.GB11034 at kheops.homeunix.org>
> 
> Thanks for your reply, one further comment surrounding this issue:
> Shouldn't "/etc/init.d/samba start" or testparm at least generate a
> warning that characters were used that are not allowed, instead of
> silently replacing them with spaces, which in my case caused my whole
> filesystem to be polluted with chmod, chown etc. (because the first
> statement was mkdir)?
> 
> Christian Perrier wrote:
> > tags 425391 wontfix
> > thanks
> >
> >   
> >> After some debugging I discovered that a strange problem I experienced 
> >> was caused by the patched code added in Samba 3.0.14a-3sarge for 
> >> CVE-2007-2447 (Remote Command Injection Vulnerability). It is now no 
> >> longer possible to use the ";" character in options like "preexec = " & 
> >> "postexec =" causing the use of i.e. (in my case) "root preexec = mkdir 
> >> -p /home/software/Recycle; chown root:admins /home/software/.Recycle" to 
> >> be executed as "root preexec = mkdir -p /home/software/Recycle chown 
> >> root:admins /home/software/.Recycle" (The semicolon disappears!).
> >>
> >> As far as I can see now, it also breaks the use of (in my case) "passwd 
> >> program = /usr/bin/passwd %u; /usr/local/lib/yp_make.sh"
> >>
> >> This new unexpected behaviour can possibly break a lot of setups! I 
> >> think the easiest solution is to add the ";" (and possibly also & and |) 
> >> to #define INCLUDE_LIST 
> >> "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabdefghijklmnopqrstuvwxyz_/ \t.,"
> >>     
> >
> >
> > Upstream has admitted that these sanity checks may have consequences
> > on existing setups but that would be the price to pay for increased
> > security.
> >
> > Jeremy Allison on samba at lists.d.o:
> >
> >   
> >> Yes it is I'm afraid. We now sanitize completely any
> >> shell meta-characters to avoid any security issues
> >> with user generated input being passed to a shell.
> >>     
> >
> >   
> >> I was a little worried this might break some existing
> >> setups but this is the first report I've had, and believe
> >> me security problems are worse than breaking setups :-).
> >>     
> >
> >
> > jra again:
> >
> >
> >   
> >> Rather than putting executable shell script in smb.conf,
> >> move this into a file as a shell script and pass %U, %G
> >> as parameters to it from smb.conf - that should be much
> >> safer.




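
An added example, not part of the original thread and not Samba's own code: a small checker that gives the kind of warning asked for above, flagging `;`, `&` or `|` in the exec-type options the report names so they can be moved into a script as upstream suggests. The option set (including `root postexec`), the sample file and the wrapper path `/usr/local/sbin/recycle-setup.sh` are assumptions made for illustration.

```python
import re

# Exec-type options named in the thread, plus "root postexec" (an assumption).
# smb.conf ignores case and whitespace in parameter names, so key on a canonical form.
EXEC_OPTIONS = {name.replace(" ", ""): name for name in (
    "preexec", "postexec", "root preexec", "root postexec", "passwd program")}
# ";" is what the report says was dropped; "&" and "|" are the others it mentions.
METACHARS = set(";&|")

def lint_smb_conf(text):
    """Return (line_no, section, option, chars) for exec options using METACHARS."""
    findings, section = [], None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # A line starting with "#" or ";" is a comment in smb.conf.
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        option = EXEC_OPTIONS.get("".join(key.lower().split()))
        if not sep or option is None:
            continue
        used = "".join(sorted(METACHARS & set(value)))
        if used:
            findings.append((line_no, section, option, used))
    return findings

# Constructed sample: the two settings quoted in the report, a commented-out
# line, and the wrapper-script form (hypothetical path) suggested upstream.
SAMPLE = """\
[global]
   passwd program = /usr/bin/passwd %u; /usr/local/lib/yp_make.sh
; postexec = echo a; echo b
[software]
   Root PreExec = mkdir -p /home/software/Recycle; chown root:admins /home/software/.Recycle
[fixed]
   root preexec = /usr/local/sbin/recycle-setup.sh %U %G
"""

if __name__ == "__main__":
    for line_no, section, option, used in lint_smb_conf(SAMPLE):
        print(f"line {line_no} [{section}] {option}: contains {used!r}; move the "
              "commands into a script and pass %U/%G as arguments")
```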