[Pkg-samba-maint] About scannedonly packaging

Mathieu Parent math.parent at gmail.com
Wed Mar 20 18:25:18 UTC 2013


2013/3/20 Bastien ROUCARIES <roucaries.bastien at gmail.com>:
> On Wed, Mar 20, 2013 at 5:52 PM, Mathieu Parent <math.parent at gmail.com> wrote:
>> Hi all,
>>
>> I have set up a basic package for scannedonly, I don't intend to upload
>> it yet as:
>> - I have to test it more carefully (basic function works)
>> - I will only upload it if I use it myself
>>
>> It's here:
>> http://anonscm.debian.org/gitweb/?p=pkg-samba/scannedonly.git
>>
>> Bastien ROUCARIES said:
>>> Ok, I understand, but it is insecure; at least create a random secret
>>> extension. And filter this extension. A malicious user could try to
>>> race with the daemon, creating a .scanned file and an infected file.
>>> Sometimes it will succeed and the file will be declared sane whereas it
>>> is not sane.
>>
>> I have tested and couldn't do as you said:
>> - the file is prefixed with ".scanned:", as it contains ":", it can't
>> be routed through cifs (I tested with smbclient)
>
> .files are hidden, not vetoed. It works if you vetoed .* files

This is not what I have:

$ touch .scanned:eicar_com.zip
$ smbclient //samba/share -UDOMAIN\\login
Enter DOMAIN\login's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.6.6]
smb: \> cd Everybody\
smb: \Everybody\> put .scanned:eicar_com.zip
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file
\Everybody\.scanned:eicar_com.zip

(and the file is not created remotely)

>> - the ".scanned:FILENAME" file is checked for mtime (mtime should be
>> later than mtime of FILENAME)
>
> Depending on the mtime granularity of the file system, it could be problematic.

But as the former item is not possible...

>> please provide a real exploit.
>
> If you share your directory by both a Samba and an NFS server, exploits
> are trivial to write. If you only use Samba and trust local users, it
> could be valuable.

Yes, this should be written in the README. We don't provide local or
NFS access to our Samba servers.

You also can't ensure xattrs are safe unless you use the trusted or
security namespace. And xattrs won't be checked from sftp or NFS
anyway.

> I maintain that using xattr is a better route to this kind of scanner.

This is a better route, but the current route is safe enough (IMO) if
you only access files through Samba.
If you propose an xattr patch, I will apply it and test (I may also
write it myself).

Regards
--
Mathieu Parent
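
The marker check discussed in this thread, as an added example (not scannedonly's code and not written by either poster): it applies the "marker mtime later than file mtime" rule with a strict comparison so that equal timestamps on a coarse-granularity filesystem fail closed, and it adds an ownership check and an audit helper for shares that are also reachable outside Samba. The names is_marked_clean, foreign_markers and scanner_uid, and the ownership rule itself, are assumptions of this example.

```python
import os
import stat
import tempfile

MARKER_PREFIX = ".scanned:"  # marker prefix named in the thread


def marker_path(path):
    directory, name = os.path.split(path)
    return os.path.join(directory, MARKER_PREFIX + name)


def is_marked_clean(path, scanner_uid=None):
    """Hypothetical check: the marker must exist, be a regular file and be
    strictly newer than the file. scanner_uid is an added assumption."""
    try:
        target = os.lstat(path)
        marker = os.lstat(marker_path(path))
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(marker.st_mode):
        return False
    if scanner_uid is not None and marker.st_uid != scanner_uid:
        return False  # marker written by someone other than the scanner
    # Equal mtimes (coarse filesystem granularity) fail closed.
    return marker.st_mtime_ns > target.st_mtime_ns


def foreign_markers(directory, scanner_uid):
    """Audit helper: marker files in directory not owned by scanner_uid."""
    return sorted(
        entry.name for entry in os.scandir(directory)
        if entry.name.startswith(MARKER_PREFIX)
        and entry.stat(follow_symlinks=False).st_uid != scanner_uid
    )


def demo():
    """Runs the check on constructed files with controlled mtimes."""
    results = {}
    second = 1_000_000_000  # one second in nanoseconds
    with tempfile.TemporaryDirectory() as share:
        path = os.path.join(share, "report.doc")  # constructed sample file
        for name in (path, marker_path(path)):
            open(name, "w").close()
        os.utime(path, ns=(1000 * second, 1000 * second))
        for label, marker_mtime in (("older", 999), ("equal", 1000), ("newer", 1001)):
            os.utime(marker_path(path), ns=(marker_mtime * second,) * 2)
            results[label] = is_marked_clean(path, scanner_uid=os.getuid())
        results["wrong_owner"] = is_marked_clean(path, scanner_uid=os.getuid() + 1)
        results["foreign"] = foreign_markers(share, os.getuid() + 1)
    return results
```
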
