Default smb.conf will give user root access (User Error)

nylonzippytie · n00b Joined: 10 Oct 2013 Posts: 3 Location: Australia

EDIT: I had incorrect folder permissions set and was confused by the Samba client showing everything as belonging to the logged in user with smbd running as root under idle conditions.

Hi All,

I have a gentoo (hardened but grsecurity is not enabled) server running with Samba and NFS.

I'm migrating my NFS shares across to Samba but have stumbled upon some default behaviour which I think is a serious security issue:

When using mount.cifs from my ubuntu computer (client) I was noticing that when the mount is first made, smbd forks off a new process as the session user

When I start browsing the mount from the terminal, that process is suddenly elevated to root

I can happily and easily modify, edit and delete files that the session user does not have access to on the host. In other words, if I set files on the host as root:root with 600, the logged in user can delete, modify and read these files.

I understand that Samba can override filesystem permissions in order to operate friendly with Windows. I didn't realise this is a default behaviour which worries me because I was previously relying on my filesystem permissions as the last line of defence.

It was hard to find anyone else complaining about this (perhaps others aren't as security conscious?), but I did find the following:

http://ubuntuforums.org/showthread.php?t=1034103

Basically, I need to disable lanman authorization and now everything works as I would expect (user is no longer given root access to filesystem). This doesn't bother me because all my clients are up to date GNU/Linux systems and Windows 7 / 8.

In case the above link doesn't work, what is missing from smb.conf is the following:

nylonzippytie · n00b Joined: 10 Oct 2013 Posts: 3 Location: Australia

I've just noticed that when the samba session is idle, the smbd process returns to root until a command is performed where it is set as the session user.

I'm still not confident with this, I thought a good security model was to have everyone possible running as a unprivileged user only to gain privileges by exception.

666threesixes666 · Posted: Thu Oct 10, 2013 2:29 am Post subject:

only security breach i see going on in the config is going on with printers.... everything else is commented, and im pretty sure the default config is not where the running config is located.

http://pastebin.com/B4EEA6P7

i turn my samba on and off by hand, and do not let its traffic leak past the router/firewall.

nylonzippytie · n00b Joined: 10 Oct 2013 Posts: 3 Location: Australia

Well, no wander I couldn't find many complaints about this. The underlying issue was that the user I was logged in on had w permissions on the directory, so even files owned by root could be deleted (just not read or modified). In my testing, I was creating files with root and deleting via samba user, forgetting about the 'w' permission.

I was wrong, although I find it interesting that the smbd forked process runs as root until the user does something, where it is changed to the user and the resets back to root under idle conditions.

666threesixes666 · Posted: Thu Oct 10, 2013 3:21 am Post subject:

my advice, build a generic virtual machine with a backup so you can go back to default install state to test issues before reporting. qcow you can copy paste the virtual machine as a file. i suggest virtual box as it has more networking features than kvm/qemu. (bridging)