> You all still don't understand the problem.
>
> I have setuid smbmnt on the client side and one remote with smb share, I own.
>
> I create setuid binary on the share, and MOUNT THE SHARE under regular user
> with uid!=0. Then run that binary and gain root privileges.
>
> Is it clear? This is not the issue with the remote server. It's just the
> 'tool' to misuse.
Ok. I understand now :) (And I'm able to reproduce it).
It works only on kernel 2.6.
Doing the same in a 2.4 kernel results in the share mounted with the
correct uid,gid and masks:
>
> I have setuid smbmnt on the client side and one remote with smb share, I own.
>
> I create setuid binary on the share, and MOUNT THE SHARE under regular user
> with uid!=0. Then run that binary and gain root privileges.
>
> Is it clear? This is not the issue with the remote server. It's just the
> 'tool' to misuse.
Ok. I understand now :) (And I'm able to reproduce it).
It works only on kernel 2.6.
Doing the same in a 2.4 kernel results in the share mounted with the
correct uid,gid and masks:
smbmount //machine/share /tmp/foo -o
username=test,fmask=1755,dmask=755,uid=0,gid=0,debug=0,workgroup=test
Even trying to set uid=0 and gid=0 and the fmask to 1755 the share is
mounted in a safe way, without setuids bins and set with the user uid.
The kernel 2.6 does not honour the uid/gid and mounts the share with the
original uids and permisions, whatever the masks is set at mounting.
--
_ Guillermo Pérez -=] 10/02/2004 [=-
<·) - bisho@ ( onirica.com | eurielec.etsit.upm.es )
( \>
bisho! ""\\ :: Software Patents will kill Open Source ::
..........:: EuropeSwPatentFree: ::
:: http://europeswpatentfree.hispalinux.es/ ::
[ reply ]