Installing Samba unexpectedly adds many unknown local users to sambashare group
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
samba (Ubuntu) |
Fix Released
|
Undecided
|
Paride Legovini | ||
Bionic |
Fix Released
|
Undecided
|
Paride Legovini | ||
Focal |
Fix Released
|
Undecided
|
Paride Legovini | ||
Hirsute |
Fix Released
|
Undecided
|
Paride Legovini | ||
Impish |
Fix Released
|
Undecided
|
Paride Legovini |
Bug Description
[Impact]
Up until Ubuntu 11.10, administrator access using the sudo tool was granted via the "admin" Unix group. The samba postinst script has some logic that automatically adds users in the "admin" group to the sambashare group.
In Ubuntu >= 12.04, administrator access is granted via the "sudo" group [1], and the "admin" group is not automatically created anymore. However the samba postinst functionality that auto-populates sambashare from "admin" has not been removed. This means that users an "admin" group, which now has no special meaning in Ubuntu, are automatically added to the sambashare group. This is wrong, and can have security implications given that the "admin" group can be a remote group (this is how this bug was first discovered, see the Original Description below).
[Test Case]
Reproducer:
1. Start with a clean Ubuntu system
2. Created the "admin" group and add some users to it
3. Install samba
4. Verify that such users are added to sambashare
Fix verification:
4. Verify that such users are NOT added to sambashare.
Test PPA: https:/
[Where problems could occur]
Problems may occur if new systems are deployed with the expectation that users in the "admin" group get auto-added to sambashare. This can only happen is the admin group is manually created before installing samba.
[Development Fix]
The admin -> sambashare auto-add function has been removed from the postinst script. This change was made in Debian.
[Stable Fix]
Same as the Development Fix.
[Original Description]
I'm running Ubuntu 20.04 in an enterprise environment. I recently installed the samba package on my machine which is configured to get most account details from a central ldap server. I was very surprised, therefore, to see the install script adding a large number of remote users who have no local account to the samabashare group in my local groups file.
It turns out that this is because the postinstall script creates an initial sambashare group and then tries to populate it from the 'admin' group. However, since that is a group that is defined in the ldap database it ends up copying a large number of remote userids into the local group file.
This is a bad idea in a centrally managed environment as the contents of that centrally managed group could change at any time. Surely the script should only try to do this if the admin group is local to the machine? Perhaps at the very least it should seek confirmation before performing such a change.
Related branches
- Sergio Durigan Junior (community): Approve
- Canonical Server Core Reviewers: Pending requested
-
Diff: 40 lines (+7/-14)2 files modifieddebian/changelog (+7/-0)
debian/samba.postinst (+0/-14)
- Sergio Durigan Junior (community): Approve
- Canonical Server Core Reviewers: Pending requested
-
Diff: 40 lines (+7/-14)2 files modifieddebian/changelog (+7/-0)
debian/samba.postinst (+0/-14)
- Sergio Durigan Junior (community): Approve
- Canonical Server Core Reviewers: Pending requested
-
Diff: 40 lines (+7/-14)2 files modifieddebian/changelog (+7/-0)
debian/samba.postinst (+0/-14)
- Sergio Durigan Junior (community): Approve
- Canonical Server: Pending requested
-
Diff: 40 lines (+7/-14)2 files modifieddebian/changelog (+7/-0)
debian/samba.postinst (+0/-14)
- Utkarsh Gupta (community): Approve
- Canonical Server Core Reviewers: Pending requested
- Canonical Server: Pending requested
-
Diff: 40 lines (+7/-14)2 files modifieddebian/changelog (+7/-0)
debian/samba.postinst (+0/-14)
description: | updated |
tags: | added: server-triage-discuss |
Changed in samba (Ubuntu): | |
assignee: | nobody → Paride Legovini (paride) |
tags: | removed: server-triage-discuss |
Changed in samba (Ubuntu): | |
status: | Confirmed → In Progress |
Changed in samba (Ubuntu Bionic): | |
status: | New → Triaged |
Changed in samba (Ubuntu Focal): | |
status: | New → Triaged |
Changed in samba (Ubuntu Hirsute): | |
status: | New → Triaged |
Changed in samba (Ubuntu Bionic): | |
assignee: | nobody → Paride Legovini (paride) |
Changed in samba (Ubuntu Focal): | |
assignee: | nobody → Paride Legovini (paride) |
Changed in samba (Ubuntu Hirsute): | |
assignee: | nobody → Paride Legovini (paride) |
Changed in samba (Ubuntu Impish): | |
status: | New → Triaged |
Changed in samba (Ubuntu Impish): | |
assignee: | nobody → Paride Legovini (paride) |
description: | updated |
description: | updated |
Changed in samba (Ubuntu Bionic): | |
status: | Triaged → In Progress |
Changed in samba (Ubuntu Focal): | |
status: | Triaged → In Progress |
Changed in samba (Ubuntu Hirsute): | |
status: | Triaged → In Progress |
Changed in samba (Ubuntu Impish): | |
status: | Triaged → In Progress |
tags: |
added: verification-done verification-done-bionic verification-done-focal verification-done-hirsute verification-done-impish removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-hirsute verification-needed-impish |
Status changed to 'Confirmed' because the bug affects multiple users.