https://bugzilla.samba.org/show_bug.cgi?id=15026

--- Comment #2 from Jeffrey Bencteux <jbe@xxxxxxxxxxxx> ---

(In reply to David Disseldorp from comment #1)
> Please correct me if I'm wrong, but I don't expect that this would be exploitable
> on regular systems unless mount.cifs is installed with setuid-root, or an attacker
> somehow has access to the "credentials" path fed into a mount.cifs invocation.

That is partially correct; note that on a vanilla Debian 10, mount.cifs is
setuid-root by default:

    $ ls -l /usr/sbin/mount.cifs
    -rwsr-xr-x 1 root root 35600 Jun 17  2018 /usr/sbin/mount.cifs

And it is likely the case on other distributions, as otherwise the following
message is returned:

    $ ./mount.cifs //127.0.0.1/share /mnt/share -v -o credentials=/etc/sudoers
    This program is not installed setuid root - "user" CIFS mounts not supported.

It however seems necessary to either:

1) have privileged user rights to trigger the bug, such as the below line in
   /etc/sudoers:

       testuser ALL=NOPASSWD: /usr/sbin/mount.cifs

   which is less likely but possible, or

2) have the scenario you depict, where a user can tamper with a mount using a
   rogue "credentials" option value.

This greatly reduces the risk IMO.

I think the explanation is in these lines of mount.cifs.c:

    115  * When an unprivileged user runs a setuid mount.cifs, we set certain mount
    116  * flags by default. These defaults can be changed here.
    117  */
    118 #define CIFS_SETUID_FLAGS (MS_NOSUID|MS_NODEV)

I expect some people to use rules such as the above sudo one to circumvent the
problem.
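The two exposure conditions discussed in this comment (a setuid-root mount.cifs binary, and a sudoers rule that hands mount.cifs to an unprivileged account) are easy to audit. The script below is an added example written for this page; it is not code from the bug report or from cifs-utils. It works on text so it can be exercised on constructed input: `is_setuid_root` inspects an `ls -l` mode string and owner, `sudoers_mount_cifs_rules` lists non-comment sudoers lines that mention mount.cifs, and `audit_live` (an assumed helper name) applies both to the running system. The sudoers sample in `demo` is constructed and mirrors the rule quoted in the comment.

```shell
#!/bin/sh
# Added audit example (not from the bug report or cifs-utils). Flags the two
# conditions the thread identifies: a setuid-root mount.cifs binary and a
# sudoers rule granting mount.cifs to a non-root user.

# is_setuid_root MODE OWNER
#   MODE is the 10-character permission field from `ls -l`, e.g. -rwsr-xr-x.
#   Returns 0 when the owner-execute slot is 's'/'S' and the owner is root.
is_setuid_root() {
    mode="$1"; owner="$2"
    case "$mode" in
        ???[sS]??????) [ "$owner" = "root" ] ;;
        *) return 1 ;;
    esac
}

# sudoers_mount_cifs_rules FILE
#   Prints every non-comment line of FILE that mentions mount.cifs
#   (e.g. "testuser ALL=NOPASSWD: /usr/sbin/mount.cifs").
#   Exit status 0 when at least one such rule exists, 1 otherwise.
sudoers_mount_cifs_rules() {
    grep -E '^[^#]*mount\.cifs' "$1"
}

# audit_live
#   Runs both checks against the real system (needs read access to /etc/sudoers
#   for the second check). Assumed helper name, not part of cifs-utils.
audit_live() {
    bin=$(command -v mount.cifs 2>/dev/null || echo /usr/sbin/mount.cifs)
    if [ -e "$bin" ]; then
        # Fields of `ls -l`: $1 = mode, $2 = links, $3 = owner, ...
        set -- $(ls -l "$bin")
        if is_setuid_root "$1" "$3"; then
            echo "WARN: $bin is setuid-root (mode $1); unprivileged users can run it"
        else
            echo "OK: $bin is not setuid-root"
        fi
    fi
    if [ -r /etc/sudoers ]; then
        if sudoers_mount_cifs_rules /etc/sudoers; then
            echo "WARN: sudoers grants mount.cifs to a non-root account (lines above)"
        else
            echo "OK: no sudoers rule mentions mount.cifs"
        fi
    fi
}

# demo
#   Exercises the checks on constructed input so the script runs offline.
demo() {
    if is_setuid_root "-rwsr-xr-x" root; then
        echo "constructed ls line: setuid-root mount.cifs detected"
    fi
    if ! is_setuid_root "-rwxr-xr-x" root; then
        echo "constructed ls line: plain 0755 binary, no setuid bit"
    fi
    tmp=$(mktemp)
    # Constructed sudoers sample; the third line is the rule quoted in the thread.
    printf '# comment mentioning mount.cifs\nroot ALL=(ALL) ALL\ntestuser ALL=NOPASSWD: /usr/sbin/mount.cifs\n' > "$tmp"
    echo "constructed sudoers: matching rules ->"
    sudoers_mount_cifs_rules "$tmp"
    rm -f "$tmp"
    return 0
}

demo
```

Run it as-is to see the constructed cases; call `audit_live` (as root, or with sudoers readable) to check a real host. A setuid-root mount.cifs is the distribution default described above, so the second check, whether sudoers additionally lets an account run it without the setuid restrictions, is the one that distinguishes an ordinary system from the "privileged user rights" case in point 1.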