AUSCERT Security Bulletin
World-writeable files may be created in additional shares on
a Samba 4.0 AD DC
21 March 2013
AusCERT Security Bulletin Summary
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Modify Arbitrary Files -- Existing Account
CVE Names: CVE-2013-1863
Member content until: Saturday, April 20 2013
A vulnerability has been identified in Samba versions 4.0.0rc6 to
4.0.3 (inclusive). 
Samba has released the following information on this vulnerability:
"Administrators of the Samba 4.0 Active Directory Domain Controller
might unexpectedly find files created world-writeable if additional
CIFS file shares are created on the AD DC.
By default the AD DC is not vulnerable to this issue, as a specific
inheritable ACL is set on the files in the [sysvol] and [netlogon]
However, on other shares, when only configured with simple unix
user/group/other permissions, the forced setting of 'create mask'
and 'directory mask' on AD DC installations would apply, resulting
in world-writable file permissions being set.
These permissions are visible with the standard tools, and only the
initial file creation is affected. As Samba honours the unix
permissions, the security of files where explicit permissions have
been set is not affected.
Administrators will need to manually correct the permissions of any
world-writable files and directories. After upgrading, either
recursively set correct permissions using the Windows ACL editor, or
run something like:

  sudo setfacl -b -R /path/to/share && sudo chmod o-w,g-w -R /path/to/share

(Please note that this command might need to be adapted to your needs.)

This will remove all the ACLs (a reasonable step as this only
impacts on shares without an ACL set), including a problematic
default posix ACL on subdirectories."
Samba has stated that "Samba administrators running affected
versions are advised to upgrade to 4.0.4 or apply the patch as soon
as possible." 
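As an added example (not part of this bulletin and not code from the Samba project), the following shell script carries the remediation above through end to end: it lists the world-writable files and directories in a share tree, repairs them with the same setfacl/chmod steps Samba suggests, and shows how to query the 'create mask' and 'directory mask' values Samba actually applies to a share via testparm, since on affected AD DC versions those are forced regardless of what smb.conf says. The share path, the sample tree it builds, and all function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the AusCERT bulletin or the Samba project.
# Audit a share tree for the world-writable entries CVE-2013-1863 can
# leave behind and repair them as the Samba advice does (setfacl -b,
# then strip group/other write). The sample tree is constructed here.

# Print every world-writable file or directory under $1. Symlinks are
# skipped: their mode bits are meaningless and chmod -R does not touch them.
find_world_writable() {
    find "$1" ! -type l -perm -002 -print
}

# Same check, returning only the count (handy for a before/after comparison).
count_world_writable() {
    find "$1" ! -type l -perm -002 | wc -l | tr -d ' '
}

# Repair a share that uses plain unix permissions: drop all POSIX ACLs
# (including the problematic default ACL on subdirectories), then remove
# write for group and other. Run as the owner of the tree or via sudo.
# If setfacl is missing, or the filesystem has no ACL support, only the
# mode bits are fixed, which is all such a filesystem can carry anyway.
fix_share_perms() {
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -b -R "$1" 2>/dev/null ||
            echo "setfacl failed (no ACL support?); fixing mode bits only" >&2
    fi
    chmod -R g-w,o-w "$1"
}

# Show the masks Samba actually applies to a share, as reported by
# Samba's own config checker. The AD DC forces these on affected
# versions, so reading smb.conf by eye can mislead. Skipped quietly
# when testparm is not installed (e.g. on a non-Samba host).
show_effective_masks() {
    share=$1
    if ! command -v testparm >/dev/null 2>&1; then
        echo "testparm not installed; skipping mask check"
        return 0
    fi
    for p in "create mask" "directory mask"; do
        printf '%s: ' "$p"
        testparm -s --section-name="$share" --parameter-name="$p" 2>/dev/null
    done
}

# Constructed sample tree mimicking what an affected DC produces:
# directory 0777 and file 0666 (the forced mask result), plus one
# correctly permissioned file that must be left alone.
build_sample_share() {
    d=$(mktemp -d)
    mkdir "$d/projects"
    : > "$d/projects/plan.txt"
    : > "$d/projects/private.txt"
    chmod 0777 "$d/projects"
    chmod 0666 "$d/projects/plan.txt"
    chmod 0640 "$d/projects/private.txt"
    echo "$d"
}

demo() {
    share=$(build_sample_share)
    echo "Before: $(count_world_writable "$share") world-writable entries"
    find_world_writable "$share"
    fix_share_perms "$share"
    echo "After:  $(count_world_writable "$share") world-writable entries"
    show_effective_masks "projects"   # hypothetical share name
    rm -rf "$share"
}

demo
```

Point `find_world_writable` and `fix_share_perms` at the real share root instead of the constructed tree, and review the listing before repairing. Keep the group-write removal only if the share is meant to use owner-only writes; as the Samba note says, the command may need adapting to the site's permission model.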
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.