Bug #15295
SMB services should check IPC caller privileges
Status: Closed
% Done: 100%
Description
An issue was recently discovered regarding Inter-Process Communication (IPC) services implemented in smbd. In summary: these services fail to verify that the calling process has the necessary privileges required to perform sensitive operations.
There are four IPC services implemented, which provide functions more suitable for execution in user-space:
- A general door service, which implements features such as enumerating and locating snapshots for use in the 'Previous Versions' feature, querying and setting of share quotas, client-initiated name lookups, domain membership query and management, and execution of the configured 'share map' script against a share;
- A door service for share management, including addition, modification, and removal of exported SMB shares;
- Unix domain sockets for authentication of SMB users;
- Unix domain sockets for accessing MS-RPC services;
Before this fix, smbd allows any process with access to the representative filesystem objects (which are world-readable) to perform any of these operations.
While some of these operations would be allowable by an ordinary user, many of these operations should require privileges to perform. Additional privileges are typically required to export shares over SMB, change domain membership, etc., but SMBD does not ensure that callers have any special privileges before performing these functions with the privileges of SMBD.
A patch is available to address this issue. Mitigations for this include:
- Disabling the SMB service.
- Setting the smb door files under /var/run/ to mode 600. Note: permissions on those files are reset during service start or restart.
- Setting /var/smb/pipe to mode 700.
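A check for the file-mode mitigations listed above, as an added example that is not part of the original report or of the illumos fix. The paths are supplied by the operator because the report does not name the individual door files; `excess_perms`, `check_path` and `audit` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: verify that IPC objects are no more permissive than a
# maximum mode (600 for the smb door files, 700 for /var/smb/pipe).
# The report notes that door file modes are reset on service start or
# restart, so re-run this after every restart.
# Only the nine rwx bits are examined; setuid/setgid/sticky are ignored.

# excess_perms PATH MAX
# Prints (in octal) the permission bits set on PATH that MAX does not
# allow. Prints nothing when PATH is within bounds.
excess_perms() {
    path=$1 max=0${2#0} extra=0      # force MAX to be read as octal
    for bit in 0400 0200 0100 0040 0020 0010 0004 0002 0001; do
        # POSIX find: "-perm -BIT" matches when BIT is set on the file.
        if [ -n "$(find "$path" -prune -perm -"$bit" 2>/dev/null)" ] &&
           [ $(( $max & $bit )) -eq 0 ]; then
            extra=$(( $extra | $bit ))
        fi
    done
    [ "$extra" -eq 0 ] || printf '%o\n' "$extra"
}

# check_path PATH MAX
# Reports one line for PATH; returns 1 if it is missing or too permissive.
check_path() {
    if [ ! -e "$1" ]; then
        echo "MISSING $1"
        return 1
    fi
    extra=$(excess_perms "$1" "$2")
    if [ -n "$extra" ]; then
        echo "WEAK    $1: bits beyond $2 are set: $extra"
        return 1
    fi
    echo "OK      $1 (within $2)"
}

# audit PATH:MAX ...   e.g.  audit /var/smb/pipe:700 <door-file>:600
audit() {
    status=0
    for spec in "$@"; do
        check_path "${spec%:*}" "${spec##*:}" || status=1
    done
    return "$status"
}

[ "$#" -eq 0 ] || audit "$@"
```

A non-zero exit status means at least one object is missing or still carries group or other access.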
Updated by Gordon Ross 5 months ago
- Description updated (diff)
- Status changed from New to In Progress
Updated by Gordon Ross 5 months ago
Fix can be found here (already provided to distros)
https://github.com/gwr/illumos-gate/commits/fixdoors
Updated by Electric Monk 5 months ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
git commit b6b7639a9bb27d5b6a4e0ce4ddba01eaefa1b8b1
commit b6b7639a9bb27d5b6a4e0ce4ddba01eaefa1b8b1
Author: Gordon Ross <gwr@racktopsystems.com>
Date: 2022-12-30T22:30:41.000Z

    15295 SMB services should check IPC caller privileges
    Reviewed by: Matt Barden <mbarden@tintri.com>
    Reviewed by: Jerry Jelinek <gjelinek@gmail.com>
    Reviewed by: Andy Stormont <andyjstormont@gmail.com>
    Approved by: Dan McDonald <danmcd@mnx.io>