CVE-2008-3789: Wrong permissions of group_mapping.ldb

==========================================================
== Subject:     Wrong permissions of group_mapping.ldb
==
== CVE ID#:     CVE-2008-3789
==
== Versions:    Samba 3.2.0 - 3.2.2 (inclusive)
==
== Summary:     The file group_mapping.ldb is created with
==              the permissions 0666. That means everyone
==              is able to edit this file and might map any
==              SID to root.
==
==========================================================

===========
Description
===========

The file group_mapping.ldb is created with the permissions 0666. That means
everyone is able to edit this file and gain additional access rights while
connecting remotely to the Samba server. By manipulating the SID mappings
contained in this file, it is also possible to establish a connection that runs
in the privileged root context.


==================
Patch Availability
==================

Two patches addressing this defect have been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.2.3 has been issued as a security
release to correct the defect.  Samba administrators are
advised to upgrade to 3.2.3 or apply the patch as soon
as possible.


==========
Workaround
==========

As a temporary workaround, the file permissions of group_mapping.ldb can be set
to 0600 manually.  Note that this change does not persist: a newly created
group_mapping.ldb file is again written with the vulnerable permissions, so the
check has to be repeated whenever the file is recreated.
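The following POSIX shell script is an added example, not part of this advisory
and not Samba's own code. It audits a group_mapping.ldb file for group- or
world-writable permission bits and tightens it to 0600 as the workaround
describes, so it can be run from cron until the upgrade to 3.2.3 is done. The
file path is an assumption: on a real installation the file lives in Samba's
private directory, so pass the path that applies to your build.

```shell
#!/bin/sh
# Added example: audit and tighten permissions of group_mapping.ldb.
# The path is not stated in the advisory; pass the one from your Samba
# private directory, e.g. /var/lib/samba/private/group_mapping.ldb (assumed).

# Return 0 if the file exists and has neither the group- nor the
# other-write bit set, 1 otherwise.  Uses only POSIX find(1) so it works
# without GNU stat(1).
check_group_mapping_perms() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing: $f" >&2
        return 1
    fi
    # -perm -020: group-write bit set; -perm -002: other-write bit set.
    # -prune keeps find from descending if a directory were passed.
    insecure=$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)
    if [ -n "$insecure" ]; then
        echo "insecure (group/world writable): $f" >&2
        return 1
    fi
    return 0
}

# Apply the workaround from the advisory (mode 0600) and re-check.
fix_group_mapping_perms() {
    f="$1"
    chmod 0600 "$f" || return 1
    check_group_mapping_perms "$f"
}

# Usage: sh audit_group_mapping.sh /path/to/group_mapping.ldb [more paths...]
# With no arguments nothing is touched, so the file can also be sourced.
for f in "$@"; do
    if check_group_mapping_perms "$f"; then
        echo "ok: $f"
    else
        echo "tightening: $f"
        fix_group_mapping_perms "$f" || echo "failed to fix: $f" >&2
    fi
done
```

Because the check is a function with a clean return value, the same file can be
sourced from a larger monitoring script, and the chmod is only issued when the
check actually fails.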


=======
Credits
=======

This issue was initially reported as a Debian bug #496073.

The time line is as follows:

* August 22, 2008: Initial report at
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496073.
* August 23, 2008: Initial report at http://bugzilla.samba.org.
* August 25, 2008: First response from Samba developers confirming
  the bug along with a proposed patch.
* August 26, 2008: Samba developers added additional patch.
* August 27, 2008: Public security advisory made available.


==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================