Suid problem in samba as shipped with Caldera

—–BEGIN PGP SIGNED MESSAGE—– Subject: Caldera Security
Advisory SA-1998.35: Suid problem in samba Topic: Suid problem in
samba Advisory issue date: 20 Nov 1998 I. Problem Description The
problem is the installation permissions of the wsmbconf binary. The
RPM installs wsmbconf as a setgid binary owned by group root and
executable by all users. The wsmbconf program was a prototype
application and was never meant to make its way into a Samba
release. It was not designed to be setgid and is vulnerable to
attack by local users when installed setgid. II. Impact
Non-privileged users can use wsmbconf to gain read/write access to
any file which is accessible to the root group. Description:
Vulnerable Systems: OpenLinux 1.0, 1.1, 1.2 & 1.3 systems using
a samba package prior to samba-1.9.18p10-1. III. Solution
Workaround: All systems on which the Samba RPM are installed should
immediately remove the file /usr/sbin/wsmbconf: rm -f
/usr/sbin/wsmbconf removing this file will not in any way adversely
affect your Samba installation as the file is not actually part of
Samba 1.9.18p10. Correction: The proper solution is to upgrade to
the samba-1.9.18p10-1 packages. They can be found on Caldera’s FTP
site at: ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/007/RPMS
The corresponding source code can be found at:
ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/007/SRPMS The MD5
checksums (from the “md5sum” command) for these packages are:
e3f2fe967ccc19a3bb81979dac13c551 RPMS/samba-1.9.18p10-1.i386.rpm
cba3bd97896ed4099d516750b4c878cf SRPMS/samba-1.9.18p10-1.src.rpm
Upgrade with the following commands: rpm -q samba && rpm -U
samba-1.9.18p10.i386.rpm IV. References This and other Caldera
security resources are located at:
http://www.caldera.com/news/security/index.html This security fix
closes Caldera’s internal Problem Report 4195. —–BEGIN PGP
SIGNATURE—– Version: 2.6.3i Charset: noconv
dg4N71lyP5c= =5upH —–END PGP SIGNATURE—–

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis