===========================================================
== Subject:     smbcacls will remove the ACL on a file
==              or directory when changing owner or group
==              owner.
==
== CVE ID#:     CVE-2013-6442
==
== Versions:    All versions of Samba later than 4.0.0
==
== Summary:     smbcacls can remove a file or directory
==              ACL by mistake.
==
===========================================================

===========
Description
===========

Samba versions 4.0.0 and above have a flaw in the smbcacls command. If
smbcacls is used with the "-C|--chown name" or "-G|--chgrp name"
command options it will remove the existing ACL on the object being
modified, leaving the file or directory unprotected.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    http://www.samba.org/samba/security/

Samba versions 4.0.16 and 4.1.6 have been released to address this
issue.

==========
Workaround
==========

Use server based tools (chown) to modify owners on files and
directories.

=======
Credits
=======

This problem was found by an internal audit of the Samba code by
Noel Power of SuSE.

Patch provided by Jeremy Allison of the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
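
A check an administrator can run around an owner or group change, added here as an example and not part of the Samba advisory: it compares two smbcacls listings of the same object and reports any ACL entry that disappeared. The listings, the EXAMPLE names and the function names are constructed for illustration, and the KEY:value line layout is assumed to match what the installed smbcacls prints.

```shell
#!/bin/sh
# Constructed listings of one file, in the KEY:value layout smbcacls prints
# (assumed): before the change, after it with the ACL stripped, and after it
# with the ACL preserved.
BEFORE='REVISION:1
CONTROL:SR|DP
OWNER:EXAMPLE\alice
GROUP:EXAMPLE\Domain Users
ACL:EXAMPLE\alice:ALLOWED/0x0/FULL
ACL:EXAMPLE\finance:ALLOWED/0x0/READ'
AFTER_STRIPPED='REVISION:1
CONTROL:SR|DP
OWNER:EXAMPLE\bob
GROUP:EXAMPLE\Domain Users'
AFTER_INTACT='REVISION:1
CONTROL:SR|DP
OWNER:EXAMPLE\bob
GROUP:EXAMPLE\Domain Users
ACL:EXAMPLE\alice:ALLOWED/0x0/FULL
ACL:EXAMPLE\finance:ALLOWED/0x0/READ'

# field LISTING KEY: value of the first "KEY:" line (OWNER or GROUP).
# printf is used throughout because echo may mangle the backslash in names.
field() { printf '%s\n' "$1" | sed -n "s/^$2://p" | head -n 1; }

# lost_aces BEFORE AFTER: print each ACL: line present in BEFORE but not AFTER.
lost_aces() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        /^---$/ { after = 1; next }
        /^ACL:/ { if (after) seen[$0] = 1; else before[++n] = $0 }
        END { for (i = 1; i <= n; i++) if (!(before[i] in seen)) print before[i] }'
}

# verify_change BEFORE AFTER: succeed only if every ACL entry survived.
verify_change() {
    lost=$(lost_aces "$1" "$2")
    printf 'owner: %s -> %s\n' "$(field "$1" OWNER)" "$(field "$2" OWNER)"
    if [ -n "$lost" ]; then
        printf 'ACL entries lost in the change:\n%s\n' "$lost"
        return 1
    fi
    printf 'ACL preserved\n'
}

verify_change "$BEFORE" "$AFTER_STRIPPED" || true   # reports two lost entries
verify_change "$BEFORE" "$AFTER_INTACT"             # reports ACL preserved
```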