** Description changed:

  [Impact]
  
  Up until Ubuntu 11.10, administrator access using the sudo tool was
  granted via the "admin" Unix group. The samba postinst script has some
  logic that automatically adds users in the "admin" group to the
  sambashare group.
  
  In Ubuntu >= 12.04, administrator access is granted via the "sudo" group
  [1], and the "admin" group is not automatically created anymore. However
  the samba postinst functionality that auto-populates sambashare from
  "admin" has not been removed. This means that users an "admin" group,
  which now has no special meaning in Ubuntu, are automatically added to
  the sambashare group. This is wrong, and can have security implications
  given that the "admin" group can be a remote group (this is how this bug
  was first discovered, see the Original Description below).
  
  [1]
  
https://wiki.ubuntu.com/PrecisePangolin/ReleaseNotes/UbuntuDesktop#PrecisePangolin.2FReleaseNotes.2FCommonInfrastructure.Common_Infrastructure
  
  [Test Case]
  
  Reproducer:
  
  1. Start with a clean Ubuntu system
  2. Created the "admin" group and add some users to it
  3. Install samba
  4. Verify that such users are added to sambashare
  
  Fix verification:
  
  4. Verify that such users are NOT added to sambashare.
+ 
+ Test PPA: https://launchpad.net/~paride/+archive/ubuntu/samba-lp1942195
  
  [Where problems could occur]
  
  Problems may occur if new systems are deployed with the expectation that
  users in the "admin" group get auto-added to sambashare. This can only
  happen is the admin group is manually created before installing samba.
  
  [Development Fix]
  
  The admin -> sambashare auto-add function has been removed from the
  postinst script. This change was made in Debian.
  
  [Stable Fix]
  
  Same as the Development Fix.
  
  [Original Description]
  
  I'm running Ubuntu 20.04 in an enterprise environment.  I recently
  installed the samba package on my machine which is configured to get
  most account details from a central ldap server.  I was very surprised,
  therefore, to see the install script adding a large number of remote
  users who have no local account to the samabashare group in my local
  groups file.
  
  It turns out that this is because the postinstall script creates an
  initial sambashare group and then tries to populate it from the 'admin'
  group.  However, since that is a group that is defined in the ldap
  database it ends up copying a large number of remote userids into the
  local group file.
  
  This is a bad idea in a centrally managed environment as the contents of
  that centrally managed group could change at any time.  Surely the
  script should only try to do this if the admin group is local to the
  machine?  Perhaps at the very least it should seek confirmation before
  performing such a change.
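Review bot: The added "Test PPA" line under "Fix verification" does not say at which step the PPA is enabled; since the reproducer installs samba at step 3, state that the PPA must be added before that step so the fixed postinst is the one that runs. The test case also creates "admin" only as a local group, while [Impact] names a remote "admin" group as the security-relevant case, so a verification run with the group defined remotely (as in the Original Description) would cover the reported scenario.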

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1942195

Title:
  Installing Samba unexpectedly adds many unknown local users to
  sambashare group

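An audit for the symptom reported above, added here as an example and not taken from the bug report or the samba packaging: it lists sambashare members in a local group file that have no local account, and checks whether an "admin" group is defined locally. The function names and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a local group file for sambashare members that have
# no local account, the symptom described in the bug report.
# Function names and sample data are assumptions made for this example.

# Print the members (4th field, one per line) of group $1 in group file $2.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "$2" | tr ',' '\n' | sed '/^$/d'
}

# Print sambashare members in group file $1 with no entry in passwd file $2.
nonlocal_sambashare_members() {
    group_members sambashare "$1" | while IFS= read -r user; do
        awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$2" \
            || printf '%s\n' "$user"
    done
}

# Succeed if a group named "admin" is defined in local group file $1.
admin_is_local() {
    awk -F: '$1 == "admin" { found = 1 } END { exit !found }' "$1"
}

# Constructed sample data (not taken from the report): alice is a local
# account, ldapuser1 and ldapuser2 exist only in a remote directory.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'alice:x:1000:1000::/home/alice:/bin/bash' > "$tmp/passwd"
    printf '%s\n' 'sudo:x:27:alice' \
                  'sambashare:x:133:alice,ldapuser1,ldapuser2' > "$tmp/group"
    echo "sambashare members without a local account:"
    nonlocal_sambashare_members "$tmp/group" "$tmp/passwd"
    admin_is_local "$tmp/group" || echo "admin group is not defined locally"
    rm -rf "$tmp"
}

demo
```

On a real host the same check is `nonlocal_sambashare_members /etc/group /etc/passwd`.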