add response to symlink attack

git-svn-id: file:///home/svn/samba-web/trunk@1363 44aeb9d7-1cd8-0310-b257-a505e0beeac2

diff --git a/index.html b/index.html
index 29919dc6875566d9ed94730aa86c33e48f7689c5..054a352f77311decfcc7fc5dd5ab9f26b6befe5b 100755 (executable)
--- a/index.html
+++ b/index.html
@@ -24,6 +24,12 @@ winbind daemon.</p>
     <h2>Latest News</h2>
     <!--#include virtual="/samba/news/headlines.html" -->
 
+    <h4>5 February 2010</h4>
+    <p class="headline">Samba response to reported security hole</p>
+
+    <p>The Samba Team has <a href="news/symlink_attack.html">posted a
+    response</a> to the widely reported symlink attack.</p>
+
     <h4>26 January 2010</h4>
     <p class="headline">Samba 3.5.0rc2 Available for Download</p>
 

diff --git a/news/symlink_attack.html b/news/symlink_attack.html
new file mode 100644 (file)
index 0000000..5db3929
--- /dev/null
+++ b/news/symlink_attack.html
@@ -0,0 +1,79 @@
+<!--#include virtual="/samba/header.html" -->
+  <title>Symlink attack</title>
+<!--#include virtual="/samba/header_columns.html" -->
+
+
+<h4>5 February 2010</h4>
+    <p class="headline">Claimed Zero Day exploit in Samba</p>
+
+<p>A user named "kcopedarookie" posted what they claim to be a video
+of a
+zero-day <a href="http://www.youtube.com/watch?v=NN50RtZ2N74&aia=true">exploit
+in Samba</a> on youtube yesterday.</p>
+
+<p>The video shows modifications to smbclient allowing
+/etc/passwd to be downloaded from a remote server.</p>
+
+<p>The issue is actually a default insecure configuration
+in Samba.</p>
+
+<h5>Quick FAQ: What do I do !</h5>
+
+<p>Set:
+<pre>
+  wide links = no
+</pre>
+in the [global] section of your smb.conf and restart
+smbd to eliminate this problem.</p>
+
+<h5>Longer FAQ: The real issue</h5>
+
+<p>The problem comes from a combination of two features in Samba, each
+of which on their own are useful to Administrators, but in combination
+allow users to access any file on the system that their logged in
+username has permissions to read (this is not a privilege escalation
+problem).</p>
+
+<p>By default Samba ships with the parameter "wide links = yes", which
+allows Administrators to locally (on the server) add a symbolic link
+inside an exported share which SMB/CIFS clients will follow.</p>
+
+<p>As an example, given a share definition:
+<pre>
+  [tmp]
+       path = /tmp
+       read only = no
+       guest ok = yes
+</pre></p>
+
+<p>The administrator could add a symlink:
+
+<pre>
+  $ ln -s /etc/passwd /tmp/passwd
+</pre>
+
+and SMB/CIFS clients would then see a file called "passwd" within
+the [tmp] share that could be read and would allow clients to read
+/etc/passwd.</p>
+
+<p>If the "wide links" parameter is set to "no", any attempt
+to read this file will fail with an "access denied" error.</p>
+
+<p>The problem occurs as Samba allows clients using the UNIX
+extensions (which are also turned on by default) to create
+symlinks on remotely mounted shares on which they have write
+access that point to any path on the file system.</p>
+
+<p>This is by design, as applications running on UNIX clients may have
+good reasons to create symlinks anywhere on the filesystem they have
+write access that point to local files (such as /etc/passwd).</p>
+
+<p>UNIX clients will resolve these links locally, but Windows
+clients will resolve them on the server. It is this combination
+that causes the problem.</p>
+
+<p>All future versions of Samba will have the parameter "wide links"
+set to "no" by default, and the manual pages will be updated to
+explain this issue.</p>
+
+<!--#include virtual="/samba/footer.html" -->