========================================================== == Subject: Wrong permissions of group_mapping.ldb == == CVE ID#: CVE-2008-3789 == == Versions: Samba 3.2.0 - 3.2.2 (inclusive) == == Summary: The file group_mapping.ldb is created with == the permsissions 0666. That means everyone == is able to edit this file and might map any == SID to root. == ========================================================== =========== Description =========== The file group_mapping.ldb is created with the permissions 0666. That means everyone is able to edit this file and gain additional access rights while connecting remotely to the Samba server. By manipulating the SID mappings contained in this file, it is also possible to establish a connection that runs in the privileged root context. ================== Patch Availability ================== Two patches addressing this defect has been posted to http://www.samba.org/samba/security/ Additionally, Samba 3.2.3 has been issued as a security release to correct the defect. Samba administrators are advised to upgrade to 3.2.3 or apply the patch as soon as possible. ========== Workaround ========== As a temporary workaround file permissions of the group_mapping.ldb can be set to 0600 manually. Note that these permissions are discarded by newly created group_mapping.ldb files. ======= Credits ======= This issue was initially reported as a Debian bug #496073. The time line is as follows: * August 22, 2008: Initial report at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496073. * August 23, 2008: Initial report at http://bugzilla.samba.org. * August 25, 2008: First response from Samba developers confirming the bug along with a proposed patch. * August 26, 2008: Samba developers added additional patch. * August 27, 2008: Public security advisory made available. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================