From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
To: Stefan Metzmacher <metze@samba.org>,
	Namjae Jeon <namjae.jeon@samsung.com>
Cc: 'CIFS' <linux-cifs@vger.kernel.org>,
	'Steve French' <smfrench@gmail.com>,
	'samba-technical' <samba-technical@lists.samba.org>,
	'Hyunchul Lee' <hyc.lee@gmail.com>,
	Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Subject: Re: updated ksmbd (cifsd)
Date: Wed, 16 Dec 2020 13:21:36 +0900	[thread overview]
Message-ID: <X9mLUOxGI8QM/tgV@jagdpanzerIV.localdomain> (raw)
In-Reply-To: <X9l9/7rttZkNc389@jagdpanzerIV.localdomain>

On (20/12/16 12:24), Sergey Senozhatsky wrote:
> On (20/12/15 15:29), Stefan Metzmacher wrote:
> > >> 6. Why is SMB_SERVER_CHECK_CAP_NET_ADMIN a compile-time option and why is it off by default?
> > >>    I think the behavior should be enforced without a switch.
> > > I can make it default yes. Can you explain more why it should be enforced ?
> > 
> > Why should an unprivileged user ever be able to start the server?
> > Wouldn't that be a massive security problem as that user would provide
> > the share definitions and users and controls what ksmbd_override_fsids() will use?
> 
> The idea was that user-space needs to have its own user:group
> (e.g. CIFSD:CIFSD). And smb.conf and password file should not
> be readable by anyone who's not from CIFSD:CIFSD - similar to
> how .ssh/config is 0700 on any reasonably configured system.
> 
> The massive security problem here is that the server runs in
> the kernel. So I don't always see why people want to also run
> user-space (which serves RPC calls, and technically can be
> tricked to do something that it was not intended to do) under
> root - wouldn't this just increase the attack surface?

So SMB_SERVER_CHECK_CAP_NET_ADMIN enforces the "user-space must
be a privileged process" policy. Even CAP_NET_ADMIN is too huge,
not to mention that _probably_ this CAP requirement means that
people will just "sudo cifsd". One way or another a malformed
RPC request can do quite a bit of damage to the system, because
user-space runs with the CAPs it doesn't really need.

It would be better to enforce a different policy, IMHO.
Something like:

	groupadd ... CIFSD_GROUP
	useradd -g CIFSD_GID -p CIFSD_PASSWORD CIFSD_LOGIN
	chmod 0700 smb.conf and password db
	chown CIFSD_LOGIN:CIFSD_GROUP smb.conf and password db

And perhaps we need to add some checks to the user-space cifsd:
make sure that smb.conf and password db are 0700 + some more.

	-ss
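The message above proposes that the userspace daemon should itself verify that smb.conf and the password db are private to the cifsd account before trusting their contents. The following is an added example of such a check, written for this page; it is not code from ksmbd/cifsd or from the thread's participants. The function name check_private_file, the status enum and the exact rule (regular file, owned by the daemon's effective uid, no group/other permission bits, final symlink refused) are assumptions about what "0700 + some more" could look like. The check is done with fstat() on an already-open descriptor, and that descriptor is handed back to the caller, so the file that is parsed is exactly the file that was checked.

```c
/* Added example (not ksmbd/cifsd code): ownership/permission check a
 * userspace daemon could run on smb.conf and its password db before
 * trusting them.  Names and the exact rules here are assumptions. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

enum private_file_status {
    PF_OK = 0,
    PF_OPEN_FAILED,     /* open()/fstat() failed; a symlink fails via O_NOFOLLOW */
    PF_NOT_REGULAR,     /* directory, device, fifo, ... */
    PF_WRONG_OWNER,     /* st_uid differs from the daemon's effective uid */
    PF_TOO_PERMISSIVE,  /* some group or other permission bit is set */
};

/* Open without following a final symlink, then check the open descriptor
 * (no stat/open race).  On PF_OK and non-NULL fd_out the descriptor is
 * returned to the caller so it parses the file that was actually checked. */
enum private_file_status check_private_file(const char *path, int *fd_out)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return PF_OPEN_FAILED;

    struct stat st;
    enum private_file_status rc = PF_OK;
    if (fstat(fd, &st) < 0)
        rc = PF_OPEN_FAILED;
    else if (!S_ISREG(st.st_mode))
        rc = PF_NOT_REGULAR;
    else if (st.st_uid != geteuid())
        rc = PF_WRONG_OWNER;
    else if (st.st_mode & (S_IRWXG | S_IRWXO))
        rc = PF_TOO_PERMISSIVE;

    if (rc == PF_OK && fd_out)
        *fd_out = fd;
    else
        close(fd);
    return rc;
}

const char *private_file_status_str(enum private_file_status s)
{
    switch (s) {
    case PF_OK:             return "ok";
    case PF_OPEN_FAILED:    return "open failed (missing, unreadable or symlink)";
    case PF_NOT_REGULAR:    return "not a regular file";
    case PF_WRONG_OWNER:    return "not owned by this uid";
    case PF_TOO_PERMISSIVE: return "group/other permission bits set";
    }
    return "unknown";
}

/* Constructed test fixture: a temp file with the requested mode. */
int make_temp_file(char *buf, size_t buflen, mode_t mode)
{
    snprintf(buf, buflen, "/tmp/cifsd-example-XXXXXX");
    int fd = mkstemp(buf);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) < 0) {
        close(fd);
        unlink(buf);
        return -1;
    }
    close(fd);
    return 0;
}

/* Run the check over constructed cases; returns 0 when all behave as
 * expected, otherwise the number of the first failing case. */
int self_test(void)
{
    char path[64], link[80];
    if (make_temp_file(path, sizeof path, 0644) < 0)
        return 1;
    snprintf(link, sizeof link, "%s.lnk", path);

    int rc = 0;
    if (check_private_file(path, NULL) != PF_TOO_PERMISSIVE)
        rc = 2;                                        /* world-readable */
    else if (chmod(path, 0640) < 0 || check_private_file(path, NULL) != PF_TOO_PERMISSIVE)
        rc = 3;                                        /* group-readable */
    else if (chmod(path, 0600) < 0 || check_private_file(path, NULL) != PF_OK)
        rc = 4;                                        /* private: accepted */
    else if (symlink(path, link) < 0 || check_private_file(link, NULL) != PF_OPEN_FAILED)
        rc = 5;                                        /* symlink refused */
    else if (check_private_file("/", NULL) != PF_NOT_REGULAR)
        rc = 6;                                        /* directory refused */

    unlink(link);
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = self_test();
    printf("self_test: %s\n", rc == 0 ? "all cases behaved as expected" : "failure");
    int fd;
    enum private_file_status s = check_private_file("/etc/passwd", &fd);
    printf("/etc/passwd: %s\n", private_file_status_str(s));
    if (s == PF_OK)
        close(fd);
    return rc;
}
```

The symlink and directory cases matter because a config path is typically taken from the daemon's own command line or defaults, and a refused symlink is the cheap way to stop a redirect to an attacker-controlled file in a shared directory; the owner check is what ties the file to the dedicated CIFSD account the message describes, rather than to "whoever could write 0700 somewhere".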
