|
|
Subscribe / Log in / New account

The long road to a fix for CVE-2021-20316

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 17:47 UTC (Fri) by jra (subscriber, #55261)
In reply to: The long road to a fix for CVE-2021-20316 by ldearquer
Parent article: The long road to a fix for CVE-2021-20316

Samba (smbd) is just an application running on Linux. By default it can access anywhere on the filesystem the logged on user has access to. The point of Samba is to designate a small area of the filesystem (e.g. /data/exported/for/group) and ensure that *no* access outside oe the path "/data/exported/for/group" or sub-directories below it is ever possible.

to post comments

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 18:00 UTC (Fri) by NYKevin (subscriber, #129325) [Link] (2 responses)

Can you at least stick the Samba process in a container (or maybe a chroot) so that it can't get to random other paths?

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 18:43 UTC (Fri) by jra (subscriber, #55261) [Link] (1 responses)

We did explore a chroot solution. Problem is there are many restrictions on that which make it impossible to use with Samba without a complete rewrite. Rewriting the VFS was an easier task, believe me :-).

The long road to a fix for CVE-2021-20316

Posted Feb 12, 2022 0:20 UTC (Sat) by gerdesj (subscriber, #5446) [Link]

Samba is an amazing piece of kit. Your user base is *cough* technically varied in its skill set. It is expected to dance on a shitty old NAS with wheezing discs to the latest bleeding edge SAN as a side trick and all things in between. The expectations of those users is broader than the smile on a croc that has discovered a zebra nursery ... must work on that analogy - a bit brutal.

I can remember testing out Ben Greer's smart new VLAN code in the kernel to get a set of smbd and nmbds running on a fairly large network to get a browse list together. This is me a few years back: https://lwn.net/Articles/75489/ whittering on about it.

Samba makes CIFS/SMB work in ways that MS has never even imagined. That's the thing - imagination. Samba is imaginative where the MS option is rather staid and boring.

Now if it was possible to get ACLs to work like NetWare nwfs/nss ie dynamically calculated on the fly, that would be quite handy.

Anyway, cheers Jez. That was a lot of work fixing things up. Thank you.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds