===========================================================
== Subject:     World-writeable files may be created in additional shares on a
==		Samba 4.0 AD DC
==
== CVE ID#:     CVE-2013-1863
==
== Versions:    Samba 4.0.0rc6 - 4.0.3 (inclusive)
==
== Summary:	Administrators of the Samba 4.0 Active Directory Domain
==		Controller might unexpectedly find files created world-writeable
==		if additional CIFS file shares are created on the AD DC.
==
===========================================================

===========
Description
===========

Administrators of the Samba 4.0 Active Directory Domain Controller might
unexpectedly find files created world-writeable if additional CIFS file shares
are created on the AD DC.

By default the AD DC is not vulnerable to this issue, as a specific inheritable
ACL is set on the files in the [sysvol] and [netlogon] shares.

However, on other shares, when only configured with simple unix
user/group/other permissions, the forced setting of 'create mask' and
'directory mask' on AD DC installations would apply, resulting in
world-writable file permissions being set.

These permissions are visible with the standard tools, and only the initial
file creation is affected.  As Samba honours the unix permissions, the security
of files where explicit permissions have been set is not affected.

Administrators will need to manually correct the permissions of any
world-writable files and directories.  After upgrading, either recursively set
correct permissions using the Windows ACL editor, or run a command such as:

  sudo setfacl -b -R /path/to/share && sudo chmod o-w,g-w -R /path/to/share

(Please note that this command might need to be adapted to your needs.)

This will remove all the ACLs (a reasonable step, as this issue only impacts
shares without an ACL set), including a problematic default posix ACL on
subdirectories.
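As an added example (not part of the advisory), a small POSIX shell audit that finds the world-writable files and directories the forced 'create mask' and 'directory mask' leave behind on such a share and applies the advisory's remediation; the share path is a placeholder you supply.

```shell
#!/bin/sh
# Added example, not Samba project code: audit a share for entries left
# world-writable by the forced create/directory masks, then remediate them
# as the advisory describes (strip ACLs, remove group/other write bits).
# Usage: ./audit_share.sh /path/to/share [--fix]

# Count regular files and directories under $1 whose mode has the
# other-write bit (octal 002) set.  Symlinks are skipped because their
# mode bits are not meaningful.
count_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 | wc -l | tr -d ' '
}

# Show each world-writable entry with its mode and owner for review
# before anything is changed.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -exec ls -ld {} +
}

# Remediation from the advisory: drop all POSIX ACLs (reasonable only on
# shares that never had an intentional ACL) and clear group/other write.
fix_share() {
    share="$1"
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -b -R "$share" || echo "warning: setfacl failed on $share" >&2
    else
        echo "warning: setfacl not found, POSIX ACLs left in place" >&2
    fi
    chmod -R g-w,o-w "$share"
}

# When run as a script, report first and only change permissions on --fix.
if [ "$#" -ge 1 ]; then
    list_world_writable "$1"
    echo "world-writable entries under $1: $(count_world_writable "$1")"
    if [ "${2:-}" = "--fix" ]; then
        fix_share "$1"
        echo "remaining after fix: $(count_world_writable "$1")"
    fi
fi
```

Run it without --fix first and check the listing: a file that was deliberately made world-writable by its owner would be tightened along with the accidental ones.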

==================
Mitigating factors
==================

By default the AD DC is not vulnerable to this issue, as a specific inheritable
ACL is set on the files in the default [sysvol] and [netlogon] shares.

Users of our file server configured in any other mode, such as a standalone
server, domain member (including a member of a Samba 4.0 AD Domain), file
server or classic (NT4-like) domain controller, are not impacted.  Many Samba
4.0 AD DC installations have followed the Team's advice to split their
installation in this way, and so are not affected.

Similarly, Samba 4.0 AD DC installations based on the 'ntvfs' file server are
not impacted.  This is not the default in upstream Samba, but importantly it is
the only available configuration in the samba4 packages of Samba 4.0 in Debian
(including experimental) and in Ubuntu-supplied packages.

Likewise, packages and installations built --without-ad-dc are not impacted, as
only AD DC installations will set this configuration.  We understand Red Hat
and Fedora installations are built in this mode.

Unless guest access has been explicitly allowed (guest ok = yes), only
authenticated users would be able to read or write any of the accidentally
world-writable files.  Similarly, the 'read only = no' default in the smb.conf
still applies.

==========
Workaround
==========

Set a recursive and inherited ACL on the root of the share (for example, using
the ACL editor on a Windows client).

==================
Patch Availability
==================

Patches addressing this defect have been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.0.4 has been issued as a security release to correct the
defect.  Samba administrators running affected versions are advised to upgrade
to 4.0.4 or apply the patch as soon as possible.

=======
Credits
=======

The vulnerability was noticed by a number of observant administrators,
including Ricky Nance <ricky.nance@weaubleau.k12.mo.us>.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================