ZDNet UK / News and Analysis / Application Development

Samba flaw opens up root access attack

By John McCormick, TechRepublic, 7 April, 2003 09:49

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

Flaw, Linux, Samba, Security

As the Samba team clearly states, Samba is configured by default to accept connections from any host. This includes the Internet, and there is no good reason to have Samba installed on these systems in its default configuration. The ZDNet story on this vulnerability quotes Allison as saying, "You would have to be crazy to run this over the Internet." The Samba team pointed out that you can protect servers that can be accessed by untrusted hosts by adjusting the "hosts allow" and "hosts deny" options in the smb.conf file to limit access to specific trusted hosts. For example, "Hosts allow = 192.168.9." would limit SMB connections to systems on the internal network segment with an IP address of 192.168.9.x. The Samba.org notice on this vulnerability also details a way to block unwanted network interfaces so that Samba will not accept connections from them. In addition, the notice reports that Samba uses ports UDP/137 (nmbd), UDP/138 (nmbd), TCP/139 (smbd), and TCP/445 (smbd), which can be blocked at a firewall to protect servers against these vulnerabilities. In particular, TCP/445 may be wide open on older setups that have been upgraded because that port was added to the Samba protocols recently. A Red Hat BugTraq notice carries links to patch locations for Red Hat software. The SuSE BugTraq notice lists the vulnerable SuSE products and has links to patches. Final word This vulnerability was apparently patched quickly once it was discovered, which reflects well on Samba and SuSE. However, the closing quote of the ZDNet story indicated that the great thing about open source is that everyone can see the code and a flaw of this magnitude can be found. That may be true, but if you are going to point that out, it's only fair to remind people that this flaw has apparently lain undiscovered since at least Samba release 2.0. When an open source flaw is discovered within days of a program's release, it's a shiny gold star for open source -- but when a problem lies hidden for a long time, that's no better than when the same thing happens to proprietary software, such as Microsoft products. In this case, SuSE's head of security probably shouldn't have used this particular instance to brag about open source security benefits. In that spirit of fairness, the Samba development team's note on the page describing the problem and patch said, "As always, all bugs are our responsibility." I believe that is something that needs to be part of every bug fix, especially including Microsoft's Security Bulletins. Although all bugs are the responsibility of the individual developers, the captains are responsible for everything that happens on their ships, even things that are beyond their direct control. The fact that the Samba team expressed this sentiment is a good indication that they really care about bugs and have a feeling of personal responsibility for any problems encountered by users. Kudos to the Samba team for that.
For a weekly round-up of the enterprise IT news, sign up for the Enterprise newsletter. Tell us what you think in the Enterprise Mailroom.

Related stories

Is Linux as vulnerable as Windows?

Flaw threatens source of open source

Join Linux to Active Directory with Samba 3.0

Perens: Linux could learn from Apple

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

Freebies202

Duplicate comments are not made intentionally. Its very good to know that now you are keeping check on this problem because sometimes a commenter...

5 hours ago by Freebies202 on Microsoft fixes blog comments, speeds up blogs with open source
kevinmchapman

"the very significant number of users" and "many (most) of us" - you have no evidence for these statements. It is a fact that most users are saying...

13 hours ago by kevinmchapman on A tale of two distros: Ubuntu and Linux Mint
Marg Menzies Harrison

Another grammar faux pas is the improper use of "you". When sitting down down in a restaurant, for example, I get cringe when the waitress...

14 hours ago by Marg Menzies Harrison via Facebook on 10 flagrant grammar mistakes that make you look stupid
zdnetukuser

And NOW, folks, for Canonical's next trick... Kubuntu is late. Here's a pencil. Draw your own conclusions. cf.:...

15 hours ago by zdnetukuser on Linux Minterface
Moley

@kevinmchapman. The discussion here reflects the very significant number of users who really do like the traditional menu system and who wish to...

17 hours ago by Moley on A tale of two distros: Ubuntu and Linux Mint
kevinmchapman

Er, no... It is an efficient means of finding the application/file/setting you need in one place. The icons are a simply a fallback for when you...

18 hours ago by kevinmchapman on A tale of two distros: Ubuntu and Linux Mint
TerryRK

Isn't the provision of a text based search an admission by the developers that the mass of icons approach does not work? I don't need to use a...

20 hours ago by TerryRK on A tale of two distros: Ubuntu and Linux Mint
kevinmchapman

"Unity and GNOME 3 both abandon the old text-based cascading menus in favour of a graphical icon-driven system." Point truly missed. Both use a...

20 hours ago by kevinmchapman on A tale of two distros: Ubuntu and Linux Mint
TerryRK

whs001 - Thank you, I'm glad you liked the article. I absolutely agree with you on your first point. I should perhaps have made it clearer that...

20 hours ago by TerryRK on A tale of two distros: Ubuntu and Linux Mint
Dennis Nilsson

If we allow corporate interest to dictate the way our government circumvents due process against foreign entities then we should accept the same...

21 hours ago by Dennis Nilsson via Facebook on ACTA stumbles in Germany
GHar123

I totally dislike pirating of works, I fear that artists will be deterred from creating works if they think that they are going to get ripped off....

23 hours ago by GHar123 on ACTA stumbles in Germany
JCB33

How dare film makers, artists or anybody that invests in creativity stop us pirating their works for free. I want to be able to walk into my local...

1 day ago by JCB33 on ACTA stumbles in Germany
Moley

@GrueMaster. I prefer horses for courses rather than one size fits all. I, and I suspect most other computer users, do not really wish to have...

1 day ago by Moley on A tale of two distros: Ubuntu and Linux Mint
greycynic

The product that scares me every time I have to use it is the Office 2007 version of Excel. The first bug that I found was applying the median...

1 day ago by greycynic on Ten flawed products that derail productivity
GrueMaster

Nice review and very informative. One thing I'd like to add (in reply to whs001's 1st question), the main reason to have the same interface from...

1 day ago by GrueMaster on A tale of two distros: Ubuntu and Linux Mint
Frederick Wrigley

I'be been using Mint 12 since the RC came out, and I am far more happy with the Cinnamon, the Mate, and, yes (with extensions), theGnome 3...

1 day ago by Frederick Wrigley via Facebook on A tale of two distros: Ubuntu and Linux Mint
bdantas

Excellent article. One small correction, though--although a fresh installation of Linux Mint 12 will, indeed, provide the user with a version of...

1 day ago by bdantas on A tale of two distros: Ubuntu and Linux Mint
Alan Ralph

In related news, the ISPs club together to get the members of the Home Affairs Select Committee (ya goofed on that part, ZDNet UK) copies of "The...

1 day ago by Alan Ralph via Facebook on MPs urge ISPs to take down terrorist material
Alan Ralph

In related news, the ISPs club together to get the members of the Home Affairs Select Committee (ya goofed on that part, ZDNet UK) copies of "The...

1 day ago by Alan Ralph via Facebook on MPs urge ISPs to take down terrorist material
Moley

For Gnome 2 die-hards, it is possible to add icons to the bottom panel (or top top panel, if you prefer) which provide the exact Gnome 2...

1 day ago by Moley on A tale of two distros: Ubuntu and Linux Mint

Latest in Application Development

Perens: Linux could learn from Apple

Featured white papers

The Relevance of Cloud Infrastructure to Enterprise Challenges

SAVVIS

The Relevance of Cloud Infrastructure to Enterprise Challenges

This white paper reviews the evolution of data center outsourcing, and introduces cloud offerings within this historical... Read more

Use product development for competitive advantage

IBM

Use product development for competitive advantage

Remember when MP3 players just played music? Today, consumers want players that can host music, stream video,... Read more

Open-source software deployments for enterprise IT success

Progress Software

Open-source software deployments for enterprise IT success

Wikipedia identifies open source as "enabling a self-enhancing diversity of production models, communication paths... Read more

Inside ZDNet UK

A tale of two distros: Ubuntu and Linux Mint

A tale of two distros: Ubuntu and Linux Mint

2012 Predictions: VCE FastPath, VI SAN Probe & Hadoop

2012 Predictions: VCE FastPath, VI SAN Probe & Hadoop

BlackBerry Bold 9790

BlackBerry Bold 9790

How to handle data replication

How to handle data replication

Ten factors that make Ubuntu 11.10 a hit

Ten factors that make Ubuntu 11.10 a hit

Toshiba Portégé Z830-10P Review

Toshiba Portégé Z830-10P Review

BT's archive: Pictures from the vault

BT's archive: Pictures from the vault