Can the Samba security setting `wide links` be bypassed using a race condition?
Clash Royale CLAN TAG#URR8PPP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
Apache has options FollowSymLinks
and SymLinksIfOwnerMatch
. However, they "should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable." Compare this with Samba:
Samba has an option called wide links
:
Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX clients to create symbolic links on the share that can point to files or directories outside restricted path exported by the share definition. This can cause access to areas outside of the share. Due to this problem, this parameter will be automatically disabled (with a message in the log file) if the
unix extensions
option is on.
See the parameter
allow insecure wide links
if you wish to change this coupling between the two parameters.
Can the Samba option be bypassed via a race condition?
If not, how is Samba able to prevent the race condition? E.g. what sequence of operations can be used to prevent the race condition?
security samba
add a comment |
Apache has options FollowSymLinks
and SymLinksIfOwnerMatch
. However, they "should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable." Compare this with Samba:
Samba has an option called wide links
:
Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX clients to create symbolic links on the share that can point to files or directories outside restricted path exported by the share definition. This can cause access to areas outside of the share. Due to this problem, this parameter will be automatically disabled (with a message in the log file) if the
unix extensions
option is on.
See the parameter
allow insecure wide links
if you wish to change this coupling between the two parameters.
Can the Samba option be bypassed via a race condition?
If not, how is Samba able to prevent the race condition? E.g. what sequence of operations can be used to prevent the race condition?
security samba
add a comment |
Apache has options FollowSymLinks
and SymLinksIfOwnerMatch
. However, they "should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable." Compare this with Samba:
Samba has an option called wide links
:
Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX clients to create symbolic links on the share that can point to files or directories outside restricted path exported by the share definition. This can cause access to areas outside of the share. Due to this problem, this parameter will be automatically disabled (with a message in the log file) if the
unix extensions
option is on.
See the parameter
allow insecure wide links
if you wish to change this coupling between the two parameters.
Can the Samba option be bypassed via a race condition?
If not, how is Samba able to prevent the race condition? E.g. what sequence of operations can be used to prevent the race condition?
security samba
Apache has options FollowSymLinks
and SymLinksIfOwnerMatch
. However, they "should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable." Compare this with Samba:
Samba has an option called wide links
:
Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX clients to create symbolic links on the share that can point to files or directories outside restricted path exported by the share definition. This can cause access to areas outside of the share. Due to this problem, this parameter will be automatically disabled (with a message in the log file) if the
unix extensions
option is on.
See the parameter
allow insecure wide links
if you wish to change this coupling between the two parameters.
Can the Samba option be bypassed via a race condition?
If not, how is Samba able to prevent the race condition? E.g. what sequence of operations can be used to prevent the race condition?
security samba
security samba
edited Mar 8 at 18:35
sourcejedi
asked Mar 8 at 16:50
sourcejedisourcejedi
25.6k445112
25.6k445112
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
It certainly was vulnerable. See CVE-2017-2619.
The patch for this bug includes a new function, called open_dir_safely()
. It uses chdir()
to enter the directory that contains the file to be opened.
I guess this means you can use getcwd()
, to check you are still inside the Samba shared directory. At least that could work quite nicely on Linux, because it has an efficient system call for getcwd()
. I have not confirmed exactly what Samba does after chdir()
.
This is not great if your process has multiple threads, because chdir()
affects the whole process :-). Linux-specific programs could instead use open()
with the O_PATH
flag, and then use readlink()
on the open file descriptor under /proc/self/fd/
.
The above can provide assurance about the directory that contains the file. To ensure the file name is not resolved as a link when you pass it to open()
, you can use the O_NOFOLLOW
flag. If it is a symlink, open()
will return ELOOP
. Then you may readlink()
the file and resolve the symlink yourself. This would involve repeating the procedure from the start :-).
If you have to repeat the procedure "too many" times, then you can return failure (ELOOP
again). (And the same if you have to retry too many times because someone is playing silly beggars and repeatedly changing the file between open(... O_NOFOLLOW)
and readlink()
).
On a non-Linux OS, you might not have a very efficient getcwd()
. If you have O_PATH
, then you can avoid getcwd()
by iterating through every segment of the path, using O_PATH
+ O_NOFOLLOW
and manually resolving links.
In future, this problem might be addressed by some specific flag like AT_PATH_BENEATH or O_BENEATH.
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f505170%2fcan-the-samba-security-setting-wide-links-be-bypassed-using-a-race-condition%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
It certainly was vulnerable. See CVE-2017-2619.
The patch for this bug includes a new function, called open_dir_safely()
. It uses chdir()
to enter the directory that contains the file to be opened.
I guess this means you can use getcwd()
, to check you are still inside the Samba shared directory. At least that could work quite nicely on Linux, because it has an efficient system call for getcwd()
. I have not confirmed exactly what Samba does after chdir()
.
This is not great if your process has multiple threads, because chdir()
affects the whole process :-). Linux-specific programs could instead use open()
with the O_PATH
flag, and then use readlink()
on the open file descriptor under /proc/self/fd/
.
The above can provide assurance about the directory that contains the file. To ensure the file name is not resolved as a link when you pass it to open()
, you can use the O_NOFOLLOW
flag. If it is a symlink, open()
will return ELOOP
. Then you may readlink()
the file and resolve the symlink yourself. This would involve repeating the procedure from the start :-).
If you have to repeat the procedure "too many" times, then you can return failure (ELOOP
again). (And the same if you have to retry too many times because someone is playing silly beggars and repeatedly changing the file between open(... O_NOFOLLOW)
and readlink()
).
On a non-Linux OS, you might not have a very efficient getcwd()
. If you have O_PATH
, then you can avoid getcwd()
by iterating through every segment of the path, using O_PATH
+ O_NOFOLLOW
and manually resolving links.
In future, this problem might be addressed by some specific flag like AT_PATH_BENEATH or O_BENEATH.
add a comment |
It certainly was vulnerable. See CVE-2017-2619.
The patch for this bug includes a new function, called open_dir_safely()
. It uses chdir()
to enter the directory that contains the file to be opened.
I guess this means you can use getcwd()
, to check you are still inside the Samba shared directory. At least that could work quite nicely on Linux, because it has an efficient system call for getcwd()
. I have not confirmed exactly what Samba does after chdir()
.
This is not great if your process has multiple threads, because chdir()
affects the whole process :-). Linux-specific programs could instead use open()
with the O_PATH
flag, and then use readlink()
on the open file descriptor under /proc/self/fd/
.
The above can provide assurance about the directory that contains the file. To ensure the file name is not resolved as a link when you pass it to open()
, you can use the O_NOFOLLOW
flag. If it is a symlink, open()
will return ELOOP
. Then you may readlink()
the file and resolve the symlink yourself. This would involve repeating the procedure from the start :-).
If you have to repeat the procedure "too many" times, then you can return failure (ELOOP
again). (And the same if you have to retry too many times because someone is playing silly beggars and repeatedly changing the file between open(... O_NOFOLLOW)
and readlink()
).
On a non-Linux OS, you might not have a very efficient getcwd()
. If you have O_PATH
, then you can avoid getcwd()
by iterating through every segment of the path, using O_PATH
+ O_NOFOLLOW
and manually resolving links.
In future, this problem might be addressed by some specific flag like AT_PATH_BENEATH or O_BENEATH.
add a comment |
It certainly was vulnerable. See CVE-2017-2619.
The patch for this bug includes a new function, called open_dir_safely()
. It uses chdir()
to enter the directory that contains the file to be opened.
I guess this means you can use getcwd()
, to check you are still inside the Samba shared directory. At least that could work quite nicely on Linux, because it has an efficient system call for getcwd()
. I have not confirmed exactly what Samba does after chdir()
.
This is not great if your process has multiple threads, because chdir()
affects the whole process :-). Linux-specific programs could instead use open()
with the O_PATH
flag, and then use readlink()
on the open file descriptor under /proc/self/fd/
.
The above can provide assurance about the directory that contains the file. To ensure the file name is not resolved as a link when you pass it to open()
, you can use the O_NOFOLLOW
flag. If it is a symlink, open()
will return ELOOP
. Then you may readlink()
the file and resolve the symlink yourself. This would involve repeating the procedure from the start :-).
If you have to repeat the procedure "too many" times, then you can return failure (ELOOP
again). (And the same if you have to retry too many times because someone is playing silly beggars and repeatedly changing the file between open(... O_NOFOLLOW)
and readlink()
).
On a non-Linux OS, you might not have a very efficient getcwd()
. If you have O_PATH
, then you can avoid getcwd()
by iterating through every segment of the path, using O_PATH
+ O_NOFOLLOW
and manually resolving links.
In future, this problem might be addressed by some specific flag like AT_PATH_BENEATH or O_BENEATH.
It certainly was vulnerable. See CVE-2017-2619.
The patch for this bug includes a new function, called open_dir_safely()
. It uses chdir()
to enter the directory that contains the file to be opened.
I guess this means you can use getcwd()
, to check you are still inside the Samba shared directory. At least that could work quite nicely on Linux, because it has an efficient system call for getcwd()
. I have not confirmed exactly what Samba does after chdir()
.
This is not great if your process has multiple threads, because chdir()
affects the whole process :-). Linux-specific programs could instead use open()
with the O_PATH
flag, and then use readlink()
on the open file descriptor under /proc/self/fd/
.
The above can provide assurance about the directory that contains the file. To ensure the file name is not resolved as a link when you pass it to open()
, you can use the O_NOFOLLOW
flag. If it is a symlink, open()
will return ELOOP
. Then you may readlink()
the file and resolve the symlink yourself. This would involve repeating the procedure from the start :-).
If you have to repeat the procedure "too many" times, then you can return failure (ELOOP
again). (And the same if you have to retry too many times because someone is playing silly beggars and repeatedly changing the file between open(... O_NOFOLLOW)
and readlink()
).
On a non-Linux OS, you might not have a very efficient getcwd()
. If you have O_PATH
, then you can avoid getcwd()
by iterating through every segment of the path, using O_PATH
+ O_NOFOLLOW
and manually resolving links.
In future, this problem might be addressed by some specific flag like AT_PATH_BENEATH or O_BENEATH.
edited Mar 8 at 18:34
answered Mar 8 at 18:14
sourcejedisourcejedi
25.6k445112
25.6k445112
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f505170%2fcan-the-samba-security-setting-wide-links-be-bypassed-using-a-race-condition%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown