https://bugzilla.samba.org/show_bug.cgi?id=15026 --- Comment #3 from David Disseldorp <ddiss@xxxxxxxxx> --- (In reply to Jeffrey Bencteux from comment #2) > (In reply to David Disseldorp from comment #1) > > > Please correct me if I'm wrong, but I don't expect that this would be exploitable > > on regular systems unless mount.cifs is installed with setuid-root, or an attacker > > somehow has access to the "credentails" path fed into a mount.cifs invocation. > > That is partially correct, note that on a vanilla Debian 10, mount.cifs is > setuid-root by default: > > $ ls -l /usr/sbin/mount.cifs > -rwsr-xr-x 1 root root 35600 Jun 17 2018 /usr/sbin/mount.cifs Ouch. I assume Ubuntu inherits this default setting. > And likely it is the case on other distributions as otherwise the following > message is returned: > > $ ./mount.cifs //127.0.0.1/share /mnt/share -v -o credentials=/etc/sudoers > This program is not installed setuid root - "user" CIFS mounts not > supported. > > It however seems needed to either: > > 1) have privileged user rights to trigger the bug, such as the below line in > /etc/sudoers: > > testuser ALL=NOPASSWD: /usr/sbin/mount.cifs > > Which is less likely but possible. > > 2) Have the scenario you depict where a user can tamper a mount with a rogue > "credentials" option value. > > This greatly reduce the risk IMO. > > I think the explanation is in these lines of mount.cifs.c: > > 115 * When an unprivileged user runs a setuid mount.cifs, we set certain > mount > 116 * flags by default. These defaults can be changed here. > 117 */ > 118 #define CIFS_SETUID_FLAGS (MS_NOSUID|MS_NODEV) > > I expect some people to use rules such as the above sudo one to circumvent > the problem. I don't completely follow - so for the setuid-root case, can root-readable files be dumped by regular users (ignoring apparmor/selinux) using credentials=<root-only-path>, or do the dropped privileges mean that a different approach (sudo) is needed? -- You are receiving this mail because: You are the QA Contact for the bug.
