The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 16:39 UTC (Fri) by ldearquer (guest, #137451)
Parent article: The long road to a fix for CVE-2021-20316

>> the server makes sure that the requested directory actually lies within the exported SMB share rather than being at some arbitrary location elsewhere in the server's filesystem

But why do Samba servers have write access to any locations other than the SMB share in the first place? Or is this for cases where SMB share == the whole filesystem?



The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 17:47 UTC (Fri) by jra (subscriber, #55261) [Link] (3 responses)

Samba (smbd) is just an application running on Linux. By default it can access anywhere on the filesystem the logged-on user has access to. The point of Samba is to designate a small area of the filesystem (e.g. /data/exported/for/group) and ensure that *no* access outside of the path "/data/exported/for/group" or sub-directories below it is ever possible.
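
The containment rule described in the comment above, as an added example that is not from the thread and is not Samba's code: a client-supplied path is walked one component at a time relative to a directory file descriptor for the share root, and symlinks and `..` are refused. The names `open_beneath`, `build_sample_tree` and `try_read` and the sample tree are constructed for illustration.

```python
import os
import tempfile


def open_beneath(share_fd, rel_path, flags=os.O_RDONLY):
    """Open rel_path below directory fd share_fd without following symlinks."""
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if rel_path.startswith("/") or ".." in parts:
        raise PermissionError("path must stay below the share root")
    dir_fd = os.dup(share_fd)
    try:
        for i, name in enumerate(parts):
            last = i == len(parts) - 1
            step = flags if last else os.O_RDONLY | os.O_DIRECTORY
            # Resolve one component relative to its parent's fd; O_NOFOLLOW
            # makes the open fail if that component is a symlink.
            fd = os.open(name, step | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = fd
        result, dir_fd = dir_fd, -1
        return result
    finally:
        if dir_fd >= 0:
            os.close(dir_fd)


def build_sample_tree():
    """Constructed sample: a share holding one file and a symlink that leaves it."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "share", "docs"))
    os.makedirs(os.path.join(base, "outside"))
    for rel, text in (("share/docs/a.txt", "in share"),
                      ("outside/secret.txt", "not exported")):
        with open(os.path.join(base, rel), "w") as f:
            f.write(text)
    os.symlink("../outside", os.path.join(base, "share", "escape"))
    return base


def try_read(share_fd, rel_path):
    """Return the file's contents, or None if the open was refused or failed."""
    try:
        fd = open_beneath(share_fd, rel_path)
    except OSError:
        return None
    with os.fdopen(fd) as f:
        return f.read()
```

Refusing every symlink is stricter than a file server that allows links which stay inside the share; it is the simplest form of the check. Because each step is relative to an already-open directory fd, a component replaced by a symlink after a separate path check cannot redirect the walk.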

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 18:00 UTC (Fri) by NYKevin (subscriber, #129325) [Link] (2 responses)

Can you at least stick the Samba process in a container (or maybe a chroot) so that it can't get to random other paths?

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 18:43 UTC (Fri) by jra (subscriber, #55261) [Link] (1 responses)

We did explore a chroot solution. Problem is there are many restrictions on that which make it impossible to use with Samba without a complete rewrite. Rewriting the VFS was an easier task, believe me :-).

The long road to a fix for CVE-2021-20316

Posted Feb 12, 2022 0:20 UTC (Sat) by gerdesj (subscriber, #5446) [Link]

Samba is an amazing piece of kit. Your user base is *cough* technically varied in its skill set. It is expected to dance on a shitty old NAS with wheezing discs to the latest bleeding edge SAN as a side trick and all things in between. The expectations of those users are broader than the smile on a croc that has discovered a zebra nursery ... must work on that analogy - a bit brutal.

I can remember testing out Ben Greear's smart new VLAN code in the kernel to get a set of smbd and nmbds running on a fairly large network to get a browse list together. This is me a few years back: https://lwn.net/Articles/75489/ whittering on about it.

Samba makes CIFS/SMB work in ways that MS has never even imagined. That's the thing - imagination. Samba is imaginative where the MS option is rather staid and boring.

Now if it was possible to get ACLs to work like NetWare nwfs/nss, i.e. dynamically calculated on the fly, that would be quite handy.

Anyway, cheers Jez. That was a lot of work fixing things up. Thank you.

