Bug #15295


SMB services should check IPC caller privileges

Added by Gordon Ross 5 months ago. Updated 5 months ago.

cifs - CIFS server and client

An issue was recently discovered regarding Inter-Process Communication (IPC) services implemented in smbd. In summary: these services fail to verify that the calling process has the necessary privileges required to perform sensitive operations.

There are four IPC services implemented, which provide functions more suitable for execution in user-space:
  1. A general door service, which implements features such as enumerating and locating snapshots for use in the 'Previous Versions' feature, querying and setting of share quotas, client-initiated name lookups, domain membership query and management, and execution of the configured 'share map' script against a share;
  2. A door service for share management, including addition, modification, and removal of exported SMB shares;
  3. Unix domain sockets for authentication of SMB users;
  4. Unix domain sockets for accessing MS-RPC services;

Before this fix, smbd allows any process with access to the representative filesystem objects (which are world-readable) to perform any of these operations.

While some of these operations would be allowable by an ordinary user, many of these operations should require privileges to perform. Additional privileges are typically required to export shares over SMB, change domain membership, etc., but SMBD does not ensure that callers have any special privileges before performing these functions with the privileges of SMBD.

A patch is available to address this issue. Mitigations for this include:
  • Disabling the SMB service.
  • Setting the smb door files under /var/run/ to mode 600. Note:
    permissions on those files are reset during service start or restart.
  • Setting /var/smb/pipe to mode 700.
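
The permission mitigations listed above can be verified with a small audit script, which matters because the door file modes are reset whenever the service starts or restarts. This is an added example, not part of the original report or of the illumos fix; the function names are hypothetical, and the door file paths are passed as arguments because the report does not name them.

```shell
#!/bin/sh
# Added example: audit the permission mitigations described in this report.
# The function names are hypothetical. Door file paths are supplied by the
# caller; only /var/smb/pipe is named in the report itself.
#
# Usage: sh audit.sh /var/smb/pipe <door file under /var/run> ...

# Succeeds when the path grants any permission bit to group or other.
# find -perm is used instead of stat(1), whose options differ by platform.
open_to_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null)" ]
}

# Reports one path. Returns 0 = locked down, 1 = still exposed, 2 = missing.
check_path() {
    if [ ! -e "$1" ]; then
        echo "MISSING  $1"
        return 2
    fi
    if open_to_others "$1"; then
        echo "EXPOSED  $1 (group/other access is still granted)"
        return 1
    fi
    echo "OK       $1"
    return 0
}

# Checks every path given; returns non-zero if any is exposed or missing.
audit_smb_ipc() {
    audit_rc=0
    for p in "$@"; do
        check_path "$p" || audit_rc=1
    done
    return "$audit_rc"
}

# Run the audit only when paths were given on the command line.
if [ "$#" -gt 0 ]; then
    audit_smb_ipc "$@"
fi
```

A mode of 600 on a door file or 700 on the pipe directory reports OK. The script should be run again after every service start or restart.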
Actions #1

Updated by Gordon Ross 5 months ago

  • Description updated (diff)
  • Status changed from New to In Progress
Actions #2

Updated by Gordon Ross 5 months ago

  • Description updated (diff)
Actions #3

Updated by Gordon Ross 5 months ago

Fix can be found here (already provided to distros)

Actions #4

Updated by Electric Monk 5 months ago

  • Gerrit CR set to 2583
Actions #5

Updated by Electric Monk 5 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit b6b7639a9bb27d5b6a4e0ce4ddba01eaefa1b8b1

commit  b6b7639a9bb27d5b6a4e0ce4ddba01eaefa1b8b1
Author: Gordon Ross <>
Date:   2022-12-30T22:30:41.000Z

    15295 SMB services should check IPC caller privileges
    Reviewed by: Matt Barden <>
    Reviewed by: Jerry Jelinek <>
    Reviewed by: Andy Stormont <>
    Approved by: Dan McDonald <>

