A vulnerability was found in Samba 3.4.x through 3.6.4 (inclusive) that could allow arbitrary users to modify privileges on a Samba file server. The cause is that security checks were incorrectly applied to the following Local Security Authority (LSA) remote procedure calls (RPC): CreateAccount, OpenAccount, AddAccountRights, and RemoveAccountRights.
This could allow any authenticated user to modify the privileges database. An attacker could then grant themselves the "take ownership" privilege, which would allow the attacker to take ownership of files or directories that they do not own.
To work around this flaw, set the "enable privileges = no" parameter in the "[global]" section of smb.conf. If unauthorized changes have already been made, remove the account_policy.tdb file and, once the patch/update is applied, re-grant the specific privileges using the "net rpc rights" command.
Acknowledgements:
Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Ivano Cristofolini as the original reporter of this issue.
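One way to audit a host for the workaround described above, as an added example that is not part of the original report: it reads the "[global]" section of an smb.conf text and combines it with the installed Samba version. The function names, the sample configurations, and the assumption that an unset "enable privileges" defaults to yes are this example's own.

```python
import re

# Only the documented false spellings count as the workaround; anything else is
# treated as enabled. Default "yes" when unset is an assumption from smb.conf(5).
_DISABLED = {"no", "false", "0"}

def _norm(name):
    # smb.conf names are compared ignoring case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def global_params(conf_text):
    """Return {normalised name: value} for [global]; later settings win."""
    params, section, pending = {}, None, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_norm(key)] = value.strip()
    return params

def in_stated_range(version):
    """True if version is within 3.4.x through 3.6.4, the range the report gives."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    return (3, 4, 0) <= tuple(map(int, m.groups())) <= (3, 6, 4)

def audit(version, conf_text):
    """Classify a host (hypothetical helper): version string plus smb.conf text."""
    affected = in_stated_range(version)
    if affected is None:
        return "unknown-version"
    if not affected:
        return "outside-stated-range"
    value = global_params(conf_text).get("enableprivileges", "yes").lower()
    return "workaround-set" if value in _DISABLED else "review-needed"

# Constructed sample configurations, not taken from any real host.
SAMPLE_DEFAULT = "[global]\n  workgroup = EXAMPLE\n[share]\n  enable privileges = no\n"
SAMPLE_WORKAROUND = "; constructed\n[Global]\n  Enable Privileges = \\\n   No\n"
```

The "outside-stated-range" result only mirrors the version range given in the report; it is not a statement about versions the report does not cover.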
Comment 16 Jonathan Peatfield
2012-05-01 16:14:46 UTC
I know that the report says it affects samba 3.4.x - 3.6.x but it would be nice to have an explicit confirmation that this does not affect the el5 samba 3.0.x ...
-- Jon