Re: [Samba] [Announce] Samba 4.0.4 Security Release Available for Download

2013-04-29 Thread a5mmdc96rb

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] [Announce] Samba 4.0.4 Security Release Available for Download

2013-03-20 Thread Andrew Bartlett
As our announcement of 4.0.4 has confused some of our administrators as
to who is affected, and because there are IMPORTANT STEPS included that
affected administrators need to follow, I'm posting the whole advisory
text below:

On Tue, 2013-03-19 at 11:04 +0100, Karolin Seeger wrote:
 Release Announcements
 ---------------------
 
 This is a security release in order to address CVE-2013-1863
 (World-writeable files may be created in additional shares on a
 Samba 4.0 AD DC).
 
 o  CVE-2013-1863:
Administrators of the Samba 4.0 Active Directory Domain
Controller might unexpectedly find files created world-writeable
if additional CIFS file shares are created on the AD DC.
Samba versions 4.0.0rc6 - 4.0.3 (inclusive) are affected by this
defect.
 
 
 Changes since 4.0.3:
 
 
 o   Andrew Bartlett abart...@samba.org
 * BUG 9709: CVE-2013-1863: Remove forced set of 'create mask' to 0777.


===
== Subject: World-writeable files may be created in additional shares on a
==  Samba 4.0 AD DC
==
== CVE ID#: CVE-2013-1863
==
== Versions:Samba 4.0.0rc6 - 4.0.3 (inclusive)
==
== Summary: Administrators of the Samba 4.0 Active Directory Domain
==  Controller might unexpectedly find files created world-writeable
==  if additional CIFS file shares are created on the AD DC.
==
===

===
Description
===

Administrators of the Samba 4.0 Active Directory Domain Controller might
unexpectedly find files created world-writeable if additional CIFS file shares
are created on the AD DC.

By default the AD DC is not vulnerable to this issue, as a specific inheritable
ACL is set on the files in the [sysvol] and [netlogon] shares.

However, on other shares, when only configured with simple unix
user/group/other permissions, the forced setting of 'create mask' and
'directory mask' on AD DC installations would apply, resulting in
world-writable file permissions being set.

These permissions are visible with the standard tools, and only the initial
file creation is affected.  As Samba honours the unix permissions, the security
of files where explicit permissions have been set is not affected.

Administrators will need to manually correct the permissions of any
world-writable files and directories.  After upgrading, either recursively set
correct permissions using the Windows ACL editor, or run something like e.g.:

sudo setfacl -b -R /path/to/share && sudo chmod o-w,g-w -R /path/to/share
(Please note that this command might need to be adapted to your needs).

This will remove all the ACLs (a reasonable step as this only impacts on shares
without an ACL set), including a problematic default posix ACL on
subdirectories.

==
Mitigating factors
==

By default the AD DC is not vulnerable to this issue, as a specific inheritable
ACL is set on the files in the default [sysvol] and [netlogon] shares.

Users of our file server when configured in any other mode, such as a
standalone server, domain member (including of a Samba 4.0 AD Domain), file
server or classic (NT4-like) domain controller are not impacted.  Many Samba
4.0 AD DC installations have followed the Team's advice to split their
installation in this way, and so are not affected.

Similarly, samba 4.0 AD DC installations based on the 'ntvfs' file server are
not impacted.  This is not the default in upstream Samba, but importantly it is
the only available configuration in samba4 packages of Samba 4.0 in Debian
(including experimental) and Ubuntu supplied packages.

Likewise, packages and installations built --without-ad-dc are not impacted, as
only AD DC installations will set this configuration.  We understand Red Hat
and Fedora installations are built in this mode.

Unless guest access has been explicitly allowed (guest ok = yes), only
authenticated users would be able to read/write any of accidentally
world-writable files.  Similarly, the 'read only = no' default in the smb.conf
still applies.

==
Workaround
==

Set a recursive and inherited ACL on the root of the share (for example, using
the ACL editor on a Windows client)

==
Patch Availability
==

Patches addressing this defect have been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.0.4 has been issued as a security release to correct
the defect.  Samba administrators running affected versions are advised to
upgrade to 4.0.4 or apply the patch as soon as possible.

===
Credits
===

The vulnerability was noticed by a number of observant administrators,
including Ricky Nance ricky.na...@weaubleau.k12.mo.us.

==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==
-- 
Andrew Bartlett  
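The advisory above tells affected administrators to find and repair world-writable files on any extra share of an AD DC, and gives a one-line setfacl/chmod remediation. The script below is an added example, not code from the Samba Team or from the advisory: it pulls the share paths out of smb.conf (skipping [sysvol] and [netlogon], which the advisory says already carry a correct inheritable ACL), counts world-writable entries under each, and can apply the advisory's commands. The function names, the SMB_CONF and FIX environment variables, and the minimal smb.conf parsing are this example's own assumptions; it needs POSIX find/chmod/awk and, for fix_share, setfacl from the acl package.

```shell
#!/bin/sh
# Added example (not Samba Team code): audit the additional shares of a
# Samba 4.0 AD DC for the world-writable files and directories that
# CVE-2013-1863 can leave behind, and optionally apply the advisory's
# remediation. SMB_CONF and FIX are assumed (example-only) variables.

# List the "path =" value of every share in an smb.conf, skipping [global]
# and the [sysvol]/[netlogon] shares. Section and key names are matched
# case-insensitively. "include =" and registry-backed configuration are
# not followed; this only reads the one file it is given.
share_paths() {
    awk '
        /^[[:space:]]*\[/ {
            sec = tolower($0)
            sub(/^[[:space:]]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            next
        }
        tolower($0) ~ /^[[:space:]]*path[[:space:]]*=/ &&
        sec != "global" && sec != "sysvol" && sec != "netlogon" {
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print
        }
    ' "$1"
}

# Print every file or directory under the share root whose mode grants
# write to "other" (the symptom of the forced 0777 create/directory mask).
# -xdev keeps the walk on one filesystem; symlinks are excluded because
# their own lstat mode is always 0777 and find does not follow them.
audit_share() {
    find "$1" -xdev ! -type l -perm -002 -print
}

# Number of offending entries, as a plain integer.
count_world_writable() {
    audit_share "$1" | wc -l | tr -d '[:space:]'
}

# The chmod half of the advisory's command: remove group and other write
# recursively. Leaves POSIX ACL entries in place.
strip_write_bits() {
    chmod -R o-w,g-w "$1"
}

# The advisory's full remediation: drop every POSIX ACL (including the
# problematic default ACL inherited by subdirectories), then strip the
# write bits. Only appropriate on shares with no Windows-style ACL set;
# where an ACL exists, repair inheritance from the Windows ACL editor.
fix_share() {
    setfacl -b -R "$1" && strip_write_bits "$1"
}

# Stand-alone use: SMB_CONF=/etc/samba/smb.conf [FIX=1] sh audit_shares.sh
# Without FIX=1 it only reports, so it is safe to run first as a dry run.
if [ -n "${SMB_CONF:-}" ]; then
    share_paths "$SMB_CONF" | while IFS= read -r share; do
        [ -d "$share" ] || continue
        n=$(count_world_writable "$share")
        printf '%s: %s world-writable entries\n' "$share" "$n"
        if [ "${FIX:-0}" = 1 ] && [ "$n" -gt 0 ]; then
            fix_share "$share"
        fi
    done
fi
```

Run it once without FIX=1 and read the counts before letting it touch anything; on a share where someone has already set a Windows ACL, prefer the advisory's Workaround (a recursive, inherited ACL from the Windows ACL editor) over setfacl -b, which would discard that ACL.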

[Samba] [Announce] Samba 4.0.4 Security Release Available for Download

2013-03-19 Thread Karolin Seeger
Release Announcements
---------------------

This is a security release in order to address CVE-2013-1863
(World-writeable files may be created in additional shares on a
Samba 4.0 AD DC).

o  CVE-2013-1863:
   Administrators of the Samba 4.0 Active Directory Domain
   Controller might unexpectedly find files created world-writeable
   if additional CIFS file shares are created on the AD DC.
   Samba versions 4.0.0rc6 - 4.0.3 (inclusive) are affected by this
   defect.


Changes since 4.0.3:


o   Andrew Bartlett abart...@samba.org
* BUG 9709: CVE-2013-1863: Remove forced set of 'create mask' to 0777.

###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.0 product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==


Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6568B7EA).  The source code can be downloaded
from:

http://download.samba.org/samba/ftp/stable/

The release notes are available online at:

http://www.samba.org/samba/history/samba-4.0.4.html

Binary packages will be made available on a volunteer basis from

http://download.samba.org/samba/ftp/Binary_Packages/

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team