Ticket #1049 (closed bug: fixed)

Opened 2 years ago

Last modified 3 months ago

Issuing a "rm -r" command on a samba mounted share deletes files on the router's /

Reported by: David Ludovino <david.ludovino@…>
Owned by:
Priority: normal
Milestone: Firmware 2.3.7.0
Component: fon-base-firmware
Version: 2.3.7.0 rc2
Severity: minor
Cc:
Hardware: 2.0n (FON2300)

Description

I have a USB disk attached to Fonera 2.0n. One of its partitions is used to back up my home folder. Here is its entry in /etc/fstab:

//192.168.10.1/Media/configurations /media/configurations cifs iocharset=utf8,credentials=/home/david/.fonera_credentials,uid=1000,gid=1000,noauto 0 0

In the directory /media/configurations I ran the command "rm -r .*". Besides the hidden directories, this also deleted files on the router's filesystem. The router still allowed me to browse the web, but when I tried to access the dashboard (http://fonera) I got an error saying some file in /etc was missing.

After restarting the router it became nonfunctional and the only way to revive it was to restore the firmware.

I've got a hint that I might have some link under my preferences folders that points to somewhere in / and then the router recursively deletes files on its /. Such would imply that the router is running the "rm -r" command with root privileges, which is a severe security flaw.

Change History

Changed 5 months ago by matthijs

  • status changed from new to testing-fix
  • version changed from 2.3.6.1 (Gari jr.) to 2.3.7.0 rc2
  • severity changed from unknown to minor
  • milestone set to Firmware 2.3.7.0

Somehow we missed this ticket when it was reported. Since the issue is significant, I'll make sure we'll include a fix in the final 2.3.7.0 release.

It seems this issue can be fixed by disabling the "wide links" option in Samba, which prevents dereferencing links outside the root of the share. I'm currently testing a firmware with this option disabled, which seems to work so far.

Note that the Fonera is not a multi-user system, so the security impact of this bug is limited: Anyone with the router password needed to access Samba shares can also access SSH (in DEV mode) or the WebUI to flash in a new firmware, so there is not really privilege escalation here.

Changed 5 months ago by matthijs

  • status changed from testing-fix to closed
  • resolution set to fixed

(In [2236]) samba: Don't let Samba dereference symbolic links.

Doing so could allow users to access parts of the root filesystem through Samba, which is not desirable. Additionally, when mounted on a Linux system, using rm -rf could delete files from outside the shared USB disk, potentially breaking parts of the Fonera firmware and requiring a factory reset to fix.

Closes: #1049

Changed 5 months ago by matthijs

Hmm, I just noticed I slightly misformulated that commit message. Samba still dereferences symbolic links, but only when they point to within the share root directory (e.g., within the same USB disk partition).
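
Added example (not part of the ticket, the Fon firmware or Samba): a Python audit that lists symbolic links under a share root whose targets resolve outside it, which is the containment rule the comment above describes for a share with "wide links" disabled. The function names and the directory layout built by demo() are constructed for illustration.

```python
import os
import tempfile


def escaping_symlinks(share_root):
    """Return sorted (link, resolved_target) pairs for symlinks under
    share_root whose target resolves outside share_root."""
    root = os.path.realpath(share_root)
    found = []
    # followlinks=False: the audit itself must never descend through a link.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Links to directories show up in dirnames, all other links in filenames.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # commonpath compares whole path components, so a sibling such as
            # "/mnt/share-etc" is not mistaken for being inside "/mnt/share".
            if os.path.commonpath([root, target]) != root:
                found.append((os.path.relpath(path, root), target))
    return sorted(found)


def demo():
    """Build a constructed share: one link that stays inside, two that escape."""
    base = tempfile.mkdtemp()
    share = os.path.join(base, "share")
    outside = os.path.join(base, "share-etc")  # sibling sharing the name prefix
    os.makedirs(os.path.join(share, ".config", "app"))
    os.makedirs(outside)
    # Absolute link to a directory inside the share: allowed.
    os.symlink(os.path.join(share, ".config"), os.path.join(share, ".cfg"))
    # Absolute link out of the share: must be reported.
    os.symlink(outside, os.path.join(share, ".config", "app", "sys"))
    # Relative link that climbs out of the share: must be reported.
    os.symlink("../../share-etc", os.path.join(share, ".config", "up"))
    return escaping_symlinks(share), os.path.realpath(outside)


if __name__ == "__main__":
    hits, _ = demo()
    for link, target in hits:
        print(f"{link} -> {target}")
```

Run against the mount point of the disk while it is attached locally; any link it reports is one that a recursive delete over the share could have followed out of the partition before the fix.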

Changed 5 months ago by matthijs

(In [2238]) samba3: Don't pass NULL to the realpath function.

The uClibc version of realpath doesn't handle NULL very well, but crashes with a segfault instead.

Normally, the samba configure process handles details like these, but our build process uses a fixed configuration instead of autodetecting things. In this fixed configuration, it was specified that realpath could handle NULL, while it really could not.

This commit updates the Samba configuration to not pass NULL into realpath.

When wide links was disabled in r2236, samba would start doing a realpath call on every share root when starting a connection. Effectively, this meant that samba worker processes would segfault as soon as a samba mount was attempted.

Looking at the code, it seems that realpath was also used during some file copy operations, so perhaps this commit also improves Samba stability.

References: #1049
