2021-08-31 11:11:26 |
Richard Earnshaw |
bug |
|
|
added bug |
2021-08-31 13:39:28 |
Richard Earnshaw |
description |
I'm running Ubuntu 20.04 in an enterprise environment. I recently installed the samba package on my my machine which is configured to get most account details from a central ldap server. I was very surprised, therefore, to see the install script adding a large number of remote users who have no local account to the sambashare group in my local groups file.
It turns out that this is because the postinstall script creates an initial sambashare group and then tries to populate it from the 'admin' group. However, since that is a group that is defined in the ldap database it ends up copying a large number of remote userids into the local group file.
This is a bad idea in a centrally managed environment as the contents of that centrally managed group could change at any time. Surely the script should only try to do this if the admin group is local to the machine? Perhaps at the very least it should seek confirmation before performing such a change. |
I'm running Ubuntu 20.04 in an enterprise environment. I recently installed the samba package on my machine which is configured to get most account details from a central ldap server. I was very surprised, therefore, to see the install script adding a large number of remote users who have no local account to the sambashare group in my local groups file.
It turns out that this is because the postinstall script creates an initial sambashare group and then tries to populate it from the 'admin' group. However, since that is a group that is defined in the ldap database it ends up copying a large number of remote userids into the local group file.
This is a bad idea in a centrally managed environment as the contents of that centrally managed group could change at any time. Surely the script should only try to do this if the admin group is local to the machine? Perhaps at the very least it should seek confirmation before performing such a change. |
|
2021-09-01 09:02:26 |
Launchpad Janitor |
samba (Ubuntu): status |
New |
Confirmed |
|
2021-09-02 12:28:17 |
Paride Legovini |
bug |
|
|
added subscriber Paride Legovini |
2021-09-02 12:28:25 |
Paride Legovini |
bug |
|
|
added subscriber Ubuntu Server |
2021-09-02 13:12:52 |
Paride Legovini |
tags |
|
server-triage-discuss |
|
2021-09-23 17:33:19 |
Paride Legovini |
samba (Ubuntu): assignee |
|
Paride Legovini (paride) |
|
2021-09-24 09:21:19 |
Paride Legovini |
tags |
server-triage-discuss |
|
|
2021-10-06 08:54:36 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paride/ubuntu/+source/samba/+git/samba/+merge/409731 |
|
2021-10-06 11:15:01 |
Paride Legovini |
samba (Ubuntu): status |
Confirmed |
In Progress |
|
2021-10-06 11:15:13 |
Paride Legovini |
nominated for series |
|
Ubuntu Hirsute |
|
2021-10-06 11:15:13 |
Paride Legovini |
bug task added |
|
samba (Ubuntu Hirsute) |
|
2021-10-06 11:15:13 |
Paride Legovini |
nominated for series |
|
Ubuntu Bionic |
|
2021-10-06 11:15:13 |
Paride Legovini |
bug task added |
|
samba (Ubuntu Bionic) |
|
2021-10-06 11:15:13 |
Paride Legovini |
nominated for series |
|
Ubuntu Focal |
|
2021-10-06 11:15:13 |
Paride Legovini |
bug task added |
|
samba (Ubuntu Focal) |
|
2021-10-06 11:15:22 |
Paride Legovini |
samba (Ubuntu Bionic): status |
New |
Triaged |
|
2021-10-06 11:15:24 |
Paride Legovini |
samba (Ubuntu Focal): status |
New |
Triaged |
|
2021-10-06 11:15:27 |
Paride Legovini |
samba (Ubuntu Hirsute): status |
New |
Triaged |
|
2021-10-06 11:15:29 |
Paride Legovini |
samba (Ubuntu Bionic): assignee |
|
Paride Legovini (paride) |
|
2021-10-06 11:15:31 |
Paride Legovini |
samba (Ubuntu Focal): assignee |
|
Paride Legovini (paride) |
|
2021-10-06 11:15:33 |
Paride Legovini |
samba (Ubuntu Hirsute): assignee |
|
Paride Legovini (paride) |
|
2021-10-17 08:38:07 |
Launchpad Janitor |
samba (Ubuntu): status |
In Progress |
Fix Released |
|
2021-10-18 09:59:29 |
Paride Legovini |
nominated for series |
|
Ubuntu Impish |
|
2021-10-18 09:59:29 |
Paride Legovini |
bug task added |
|
samba (Ubuntu Impish) |
|
2021-10-19 09:35:54 |
Paride Legovini |
samba (Ubuntu Impish): status |
New |
Triaged |
|
2021-11-10 14:11:06 |
Paride Legovini |
samba (Ubuntu Impish): assignee |
|
Paride Legovini (paride) |
|
2021-11-10 14:23:59 |
Paride Legovini |
description |
I'm running Ubuntu 20.04 in an enterprise environment. I recently installed the samba package on my machine which is configured to get most account details from a central ldap server. I was very surprised, therefore, to see the install script adding a large number of remote users who have no local account to the sambashare group in my local groups file.
It turns out that this is because the postinstall script creates an initial sambashare group and then tries to populate it from the 'admin' group. However, since that is a group that is defined in the ldap database it ends up copying a large number of remote userids into the local group file.
This is a bad idea in a centrally managed environment as the contents of that centrally managed group could change at any time. Surely the script should only try to do this if the admin group is local to the machine? Perhaps at the very least it should seek confirmation before performing such a change. |
[Impact]
Up until Ubuntu 11.10, administrator access using the sudo tool was granted via the "admin" Unix group. The samba postinst script has some logic that automatically adds users in the "admin" group to the sambashare group.
In Ubuntu >= 12.04, administrator access is granted via the "sudo" group [1], and the "admin" group is not automatically created anymore. However, the samba postinst functionality that auto-populates sambashare from "admin" has not been removed. This means that users in an "admin" group, which now has no special meaning in Ubuntu, are automatically added to the sambashare group. This is wrong, and can have security implications given that the "admin" group can be a remote group (this is how this bug was first discovered, see the Original Description below).
[1] https://wiki.ubuntu.com/PrecisePangolin/ReleaseNotes/UbuntuDesktop#PrecisePangolin.2FReleaseNotes.2FCommonInfrastructure.Common_Infrastructure
[Test Case]
Reproducer:
1. Start with a clean Ubuntu system
2. Create the "admin" group and add some users to it
3. Install samba
4. Verify that such users are added to sambashare
Fix verification:
4. Verify that such users are NOT added to sambashare.
[Where problems could occur]
Problems may occur if new systems are deployed with the expectation that users in the "admin" group get auto-added to sambashare. This can only happen if the admin group is manually created before installing samba.
[Development Fix]
The admin -> sambashare auto-add function has been removed from the postinst script. This change was made in Debian.
[Stable Fix]
Same as the Development Fix.
[Original Description]
I'm running Ubuntu 20.04 in an enterprise environment. I recently installed the samba package on my machine which is configured to get most account details from a central ldap server. I was very surprised, therefore, to see the install script adding a large number of remote users who have no local account to the sambashare group in my local groups file.
It turns out that this is because the postinstall script creates an initial sambashare group and then tries to populate it from the 'admin' group. However, since that is a group that is defined in the ldap database it ends up copying a large number of remote userids into the local group file.
This is a bad idea in a centrally managed environment as the contents of that centrally managed group could change at any time. Surely the script should only try to do this if the admin group is local to the machine? Perhaps at the very least it should seek confirmation before performing such a change. |
|
2021-11-10 14:36:29 |
Paride Legovini |
description |
[Impact]
Up until Ubuntu 11.10, administrator access using the sudo tool was granted via the "admin" Unix group. The samba postinst script has some logic that automatically adds users in the "admin" group to the sambashare group.
In Ubuntu >= 12.04, administrator access is granted via the "sudo" group [1], and the "admin" group is not automatically created anymore. However, the samba postinst functionality that auto-populates sambashare from "admin" has not been removed. This means that users in an "admin" group, which now has no special meaning in Ubuntu, are automatically added to the sambashare group. This is wrong, and can have security implications given that the "admin" group can be a remote group (this is how this bug was first discovered, see the Original Description below).
[1] https://wiki.ubuntu.com/PrecisePangolin/ReleaseNotes/UbuntuDesktop#PrecisePangolin.2FReleaseNotes.2FCommonInfrastructure.Common_Infrastructure
[Test Case]
Reproducer:
1. Start with a clean Ubuntu system
2. Create the "admin" group and add some users to it
3. Install samba
4. Verify that such users are added to sambashare
Fix verification:
4. Verify that such users are NOT added to sambashare.
[Where problems could occur]
Problems may occur if new systems are deployed with the expectation that users in the "admin" group get auto-added to sambashare. This can only happen if the admin group is manually created before installing samba.
[Development Fix]
The admin -> sambashare auto-add function has been removed from the postinst script. This change was made in Debian.
[Stable Fix]
Same as the Development Fix.
[Original Description]
I'm running Ubuntu 20.04 in an enterprise environment. I recently installed the samba package on my machine which is configured to get most account details from a central ldap server. I was very surprised, therefore, to see the install script adding a large number of remote users who have no local account to the sambashare group in my local groups file.
It turns out that this is because the postinstall script creates an initial sambashare group and then tries to populate it from the 'admin' group. However, since that is a group that is defined in the ldap database it ends up copying a large number of remote userids into the local group file.
This is a bad idea in a centrally managed environment as the contents of that centrally managed group could change at any time. Surely the script should only try to do this if the admin group is local to the machine? Perhaps at the very least it should seek confirmation before performing such a change. |
[Impact]
Up until Ubuntu 11.10, administrator access using the sudo tool was granted via the "admin" Unix group. The samba postinst script has some logic that automatically adds users in the "admin" group to the sambashare group.
In Ubuntu >= 12.04, administrator access is granted via the "sudo" group [1], and the "admin" group is not automatically created anymore. However, the samba postinst functionality that auto-populates sambashare from "admin" has not been removed. This means that users in an "admin" group, which now has no special meaning in Ubuntu, are automatically added to the sambashare group. This is wrong, and can have security implications given that the "admin" group can be a remote group (this is how this bug was first discovered, see the Original Description below).
[1] https://wiki.ubuntu.com/PrecisePangolin/ReleaseNotes/UbuntuDesktop#PrecisePangolin.2FReleaseNotes.2FCommonInfrastructure.Common_Infrastructure
[Test Case]
Reproducer:
1. Start with a clean Ubuntu system
2. Create the "admin" group and add some users to it
3. Install samba
4. Verify that such users are added to sambashare
Fix verification:
4. Verify that such users are NOT added to sambashare.
Test PPA: https://launchpad.net/~paride/+archive/ubuntu/samba-lp1942195
[Where problems could occur]
Problems may occur if new systems are deployed with the expectation that users in the "admin" group get auto-added to sambashare. This can only happen if the admin group is manually created before installing samba.
[Development Fix]
The admin -> sambashare auto-add function has been removed from the postinst script. This change was made in Debian.
[Stable Fix]
Same as the Development Fix.
[Original Description]
I'm running Ubuntu 20.04 in an enterprise environment. I recently installed the samba package on my machine which is configured to get most account details from a central ldap server. I was very surprised, therefore, to see the install script adding a large number of remote users who have no local account to the sambashare group in my local groups file.
It turns out that this is because the postinstall script creates an initial sambashare group and then tries to populate it from the 'admin' group. However, since that is a group that is defined in the ldap database it ends up copying a large number of remote userids into the local group file.
This is a bad idea in a centrally managed environment as the contents of that centrally managed group could change at any time. Surely the script should only try to do this if the admin group is local to the machine? Perhaps at the very least it should seek confirmation before performing such a change. |
|
2021-11-10 18:13:21 |
Paride Legovini |
samba (Ubuntu Bionic): status |
Triaged |
In Progress |
|
2021-11-10 18:13:23 |
Paride Legovini |
samba (Ubuntu Focal): status |
Triaged |
In Progress |
|
2021-11-10 18:13:24 |
Paride Legovini |
samba (Ubuntu Hirsute): status |
Triaged |
In Progress |
|
2021-11-10 18:13:26 |
Paride Legovini |
samba (Ubuntu Impish): status |
Triaged |
In Progress |
|
2021-11-10 18:16:42 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paride/ubuntu/+source/samba/+git/samba/+merge/411691 |
|
2021-11-10 18:20:53 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paride/ubuntu/+source/samba/+git/samba/+merge/411692 |
|
2021-11-10 18:22:09 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paride/ubuntu/+source/samba/+git/samba/+merge/411693 |
|
2021-11-10 18:41:56 |
Paride Legovini |
merge proposal linked |
|
https://code.launchpad.net/~paride/ubuntu/+source/samba/+git/samba/+merge/411694 |
|
2021-11-17 02:43:40 |
Chris Halse Rogers |
samba (Ubuntu Impish): status |
In Progress |
Fix Committed |
|
2021-11-17 02:43:42 |
Chris Halse Rogers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2021-11-17 02:43:45 |
Chris Halse Rogers |
bug |
|
|
added subscriber SRU Verification |
2021-11-17 02:43:51 |
Chris Halse Rogers |
tags |
|
verification-needed verification-needed-impish |
|
2021-11-17 02:56:47 |
Chris Halse Rogers |
samba (Ubuntu Hirsute): status |
In Progress |
Fix Committed |
|
2021-11-17 02:56:56 |
Chris Halse Rogers |
tags |
verification-needed verification-needed-impish |
verification-needed verification-needed-hirsute verification-needed-impish |
|
2021-11-17 03:13:17 |
Chris Halse Rogers |
samba (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2021-11-17 03:13:26 |
Chris Halse Rogers |
tags |
verification-needed verification-needed-hirsute verification-needed-impish |
verification-needed verification-needed-focal verification-needed-hirsute verification-needed-impish |
|
2021-11-17 04:39:46 |
Chris Halse Rogers |
samba (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
2021-11-17 04:39:55 |
Chris Halse Rogers |
tags |
verification-needed verification-needed-focal verification-needed-hirsute verification-needed-impish |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-hirsute verification-needed-impish |
|
2021-11-19 13:58:37 |
Paride Legovini |
tags |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-hirsute verification-needed-impish |
verification-done verification-done-bionic verification-done-focal verification-done-hirsute verification-done-impish |
|
2021-11-25 10:40:25 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2021-11-25 10:40:23 |
Launchpad Janitor |
samba (Ubuntu Impish): status |
Fix Committed |
Fix Released |
|
2021-11-25 10:45:33 |
Launchpad Janitor |
samba (Ubuntu Hirsute): status |
Fix Committed |
Fix Released |
|
2021-11-25 10:58:14 |
Launchpad Janitor |
samba (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2021-11-25 11:36:59 |
Launchpad Janitor |
samba (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|