| blob | b2bb4efdd3eac629f301c49367682597bd0b8192 |
1 WHATS NEW IN Samba 2.2.0a: 23rd June 2001
2 ==========================================
4 SECURITY FIX
5 ============
7 This is a security bugfix release for Samba 2.2.0. This release provides the
8 following two changes *ONLY* from the 2.2.0 release.
10 1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com)
11 and described in the security advisory below.
12 2). Fix for the hosts allow/hosts deny parameters not being honoured.
14 No other changes are being made for this release to ensure a security fix only.
15 For new functionality (including these security fixes) download Samba 2.2.1
16 when it is available.
18 The security advisory follows :
21 IMPORTANT: Security bugfix for Samba
22 ------------------------------------
24 June 23rd 2001
27 Summary
28 -------
30 A serious security hole has been discovered in all versions of Samba
31 that allows an attacker to gain root access on the target machine for
32 certain types of common Samba configuration.
34 The immediate fix is to edit your smb.conf configuration file and
35 remove all occurances of the macro "%m". Replacing occurances of %m
36 with %I is probably the best solution for most sites.
38 Details
39 -------
41 A remote attacker can use a netbios name containing unix path
42 characters which will then be substituted into the %m macro wherever
43 it occurs in smb.conf. This can be used to cause Samba to create a log
44 file on top of an important system file, which in turn can be used to
45 compromise security on the server.
47 The most commonly used configuration option that can be vulnerable to
48 this attack is the "log file" option. The default value for this
49 option is VARDIR/log.smbd. If the default is used then Samba is not
50 vulnerable to this attack.
52 The security hole occurs when a log file option like the following is
53 used:
55 log file = /var/log/samba/%m.log
57 In that case the attacker can use a locally created symbolic link to
58 overwrite any file on the system. This requires local access to the
59 server.
61 If your Samba configuration has something like the following:
63 log file = /var/log/samba/%m
65 Then the attacker could successfully compromise your server remotely
66 as no symbolic link is required. This type of configuration is very
67 rare.
69 The most commonly used log file configuration containing %m is the
70 distributed in the sample configuration file that comes with Samba:
72 log file = /var/log/samba/log.%m
74 in that case your machine is not vulnerable to this attack unless you
75 happen to have a subdirectory in /var/log/samba/ which starts with the
76 prefix "log."
78 Credit
79 ------
81 Thanks to Michal Zalewski (lcamtuf@bos.bindview.com) for finding this
82 vulnerability.
85 New Release
86 -----------
88 While we recommend that vulnerable sites immediately change their
89 smb.conf configuration file to prevent the attack we will also be
90 making new releases of Samba within the next 24 hours to properly fix
91 the problem. Please see http://www.samba.org/ for the new releases.
93 Please report any attacks to the appropriate authority.
95 The Samba Team
96 security@samba.org
98 ---------------------------------------------------------------------------
100 The release notes for 2.2.0 follow :
102 This is the official Samba 2.2.0 release. This version of Samba provides
103 the following new features and enhancements.
105 Integration between Windows oplocks and NFS file opens (IRIX and Linux
106 2.4 kernel only). This gives complete data and locking integrity between
107 Windows and UNIX file access to the same data files.
109 Ability to act as an authentication source for Windows 2000 clients as
110 well as for NT4.x clients.
112 Integration with the winbind daemon that provides a single
113 sign on facility for UNIX servers in Windows 2000/NT4 networks
114 driven by a Windows 2000/NT4 PDC. winbind is not included in
115 this release, it currently must be obtained separately. We are
116 committed to including winbind in a future Samba 2.2.x release.
118 Support for native Windows 2000/NT4 printing RPCs. This includes
119 support for automatic printer driver download.
121 Support for server supported Access Control Lists (ACLs).
122 This release contains support for the following filesystems:
124 Solaris 2.6+
125 SGI Irix
126 Linux Kernel with ACL patch from http://acl.bestbits.at
127 Linux Kernel with XFS ACL support.
128 Caldera/SCO UnixWare
129 IBM AIX
130 FreeBSD (with external patch)
132 Other platforms will be supported as resources are
133 available to test and implement the encessary modules. If
134 you are interested in writing the support for a particular
135 ACL filesystem, please join the samba-technical mailing
136 list and coordinate your efforts.
138 On PAM (Pluggable Authentication Module) based systems - better debugging
139 messages and encrypted password users now have access control verified via
140 PAM - Note: Authentication still uses the encrypted password database.
142 Rewritten internal locking semantics for more robustness.
143 This release supports full 64 bit locking semantics on all
144 (even 32 bit) platforms. SMB locks are mapped onto POSIX
145 locks (32 bit or 64 bit) as the underlying system allows.
147 Conversion of various internal flat data structures to use
148 database records for increased performance and
149 flexibility.
151 Support for acting as a MS-DFS (Distributed File System) server.
153 Support for manipulating Samba shares using Windows client tools
154 (server manager). Per share security can be set using these tools
155 and Samba will obey the access restrictions applied.
157 Samba profiling support (see below).
159 Compile time option for enabling a (Virtual file system) VFS layer
160 to allow non-disk resources to be exported as Windows filesystems
161 (such as databases etc.).
163 The documentation in this release has been updated and converted
164 from Yodl to DocBook 4.1. There are many new parameters since 2.0.7
165 and some defaults have changed.
167 Profiling support.
168 ------------------
169 Support for collection of profile information. A shared
170 memory area has been created which contains counters for
171 the number of calls to and the amount of time spent in
172 various system calls and smb transactions. See the file
173 profile.h for a complete listing of the information
174 collected. Sample code for a samba pmda (collection agent
175 for Performance Co-Pilot) has been included in the pcp
176 directory.
178 To enable the profile data collection code in samba, you
179 must compile samba with profile support (run configure with
180 the --with-profile option). On startup, collection of data
181 is disabled. To begin collecting data use the smbcontrol
182 program to turn on profiling (see the smbcontrol man page).
183 Profile information collection can be enabled for all smbd
184 processes or one or more selected processes. The profiling
185 data collected is the aggragate for all processes that have
186 profiling enabled.
188 With samba compiled for profile data collection, you may see
189 a very slight degradation in performance even with profiling
190 collection turned off. On initial tests with NetBench on an
191 SGI Origin 200 server, this degradation was not measureable
192 with profile collection off compared to no profile collection
193 compiled into samba.
195 With count profile collection enabled on all clients, the
196 degradation was less than 2%. With full profile collection
197 enabled on all clients, the degradation was about 8.5%.
199 =====================================================================
201 If you think you have found a bug please email a report to :
203 samba@samba.org
205 As always, all bugs are our responsibility.
207 Regards,
209 The Samba Team.