Bug 56501 - Normal users can access /var/univention-backup/samba [4.4]
Summary: Normal users can access /var/univention-backup/samba [4.4]
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-9-errata
Assignee: Arvid Requate
QA Contact: Juan Pedro Torres
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on: 56499
Blocks:
Reported: 2023-08-29 11:43 CEST by Arvid Requate
Modified: 2023-08-30 13:43 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Customer ID:
Max CVSS v3 score: 8.2 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)


Description Arvid Requate univentionstaff 2023-08-29 11:43:02 CEST
We should backport the fix to UCS 4.4-9

+++ This bug was initially created as a clone of Bug #56499 +++

The permissions for /var/univention-backup/samba are not strict enough. By default that is not a problem, because UCS Samba/AD DCs are only accessible via ssh for "Domain Admins" but not for "Domain Users" by default. Yet, it's too easy for Administrators to shoot themselves in the foot this way.
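The check a practitioner would want to run after reading the description above, given as an added example: it is not code from the univention-samba4 package or from the bug's fix. It walks a backup directory tree, reports every directory or file that grants any permission to group or others, and optionally strips those bits so the tree ends up owner-only (the `drwx------` state the QA comment below verifies). The function names and the sample file name in the usage are this example's own.

```shell
#!/bin/sh
# Added example, not part of univention-samba4. Audit a backup directory
# for group/other access and tighten it. Uses only POSIX ls/find/chmod so it
# runs on any UCS host without GNU-specific stat/find options.

# Print the 10-character mode string of a path, e.g. "drwx------".
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# Return 0 when a path is accessible only by its owner, i.e. the six
# group/other permission bits (characters 5-10 of the mode string) are clear.
owner_only() {
    [ "$(mode_string "$1" | cut -c5-10)" = "------" ]
}

# List every directory or regular file under a tree that grants any
# group/other permission, one path per line. Prints nothing for a clean tree.
# (Paths containing newlines are not handled; backup trees should not have any.)
find_loose_entries() {
    find "$1" \( -type d -o -type f \) -print | while IFS= read -r p; do
        owner_only "$p" || printf '%s\n' "$p"
    done
}

# Strip all group/other bits recursively, then re-audit. Returns 0 only if
# nothing under the tree is still accessible to group or others.
tighten() {
    chmod -R go-rwx -- "$1"
    [ -z "$(find_loose_entries "$1")" ]
}

# Usage on a real host (run as root): audit first, then tighten.
#   find_loose_entries /var/univention-backup/samba
#   tighten /var/univention-backup/samba && echo "backup tree is owner-only"
```

Auditing before tightening matters because the report tells you which entries were exposed, and for how long they were readable by "Domain Users" on a host where such users had shell access, which is the scenario the report warns about.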
Comment 1 Arvid Requate univentionstaff 2023-08-29 13:21:09 CEST
d701af6fb4 | Tighten access to /var/univention-backup/samba
6f2fa7746f | Merge branch 'arequate/56501-samba-backup-permissions' into 4.4-9

Package: univention-samba4
Version: 8.0.0-39
Branch: ucs_4.4-0
Scope: errata4.4-9
Comment 2 Arvid Requate univentionstaff 2023-08-29 15:10:30 CEST
Package rebuilt with timestamped version:

Package: univention-samba4
Version: 8.0.0-39A~202308291503
Branch: ucs_4.4-0
Scope: errata4.4-9

Now also for amd64.
Comment 3 Juan Pedro Torres univentionstaff 2023-08-29 15:25:06 CEST
OK:
root@master:~# ls -la /var/univention-backup/
total 12
drwxr-xr-x  3 root root 4096 ago 29 12:42 .
drwxr-xr-x 14 root root 4096 ago 29 12:42 ..
drwx------  2 root root 4096 oct 21  2022 samba
Comment 4 Philipp Hahn univentionstaff 2023-08-30 08:50:33 CEST
[univention-samba4.yaml#fix](https://git.knut.univention.de/univention/ucs/-/blob/4.4-9/doc/errata/staging/univention-samba4.yaml#L6) is invalid:

> [FAIL] changes.valid: Mismatching binary package version: 8.0.0-39 != univention-samba4-dbgsym 8.0.0-39A~202308291503 from univention-samba4 8.0.0-39A~202308291503
Comment 5 Arvid Requate univentionstaff 2023-08-30 11:05:54 CEST
c4bf77129d | Advisory update