
SECURITY ISSUE: CIFS/SMB share user/password revealed #2502

Closed
itheiss opened this Issue Mar 21, 2013 · 5 comments

Contributor

itheiss commented Mar 21, 2013

The current implementation of the CIFS/SMB support for External storage reveals user and password during execution of the smbclient command. Every user logged in can read user and password with a simple 'ps' command. Additionally user and password are logged in cleartext to syslog or logfile.

Solution: The smbclient call should be modified to use the authfile option 'smbclient -A <path/to/authfile>' which implies the authfile has to be created when a share is created/updated (stored in the users data directory?).
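As an added example (not ownCloud's code and not code from this issue), a POSIX shell sketch of the authfile approach proposed above: the credentials go into a mode-0600 file in the format `smbclient -A` reads, so only the file path ever appears in argv. Server, share and credential values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not ownCloud code): write an smbclient auth file so the
# share password is passed via 'smbclient -A <file>' instead of on the
# command line (where 'ps' and logs expose it). Values are placeholders.

# make_smb_authfile USER PASSWORD [DOMAIN]
# Creates a mode-0600 file in the format smbclient -A expects and prints its path.
make_smb_authfile() {
    user=$1; pass=$2; domain=${3:-}
    old_umask=$(umask)
    umask 077                     # file is 0600 from the moment it exists
    authfile=$(mktemp "${TMPDIR:-/tmp}/smbauth.XXXXXX") || return 1
    umask "$old_umask"
    {
        printf 'username = %s\n' "$user"
        printf 'password = %s\n' "$pass"
        if [ -n "$domain" ]; then printf 'domain = %s\n' "$domain"; fi
    } > "$authfile"
    printf '%s\n' "$authfile"
}

# authfile_secure FILE: succeeds only if the file is readable by its owner alone
authfile_secure() {
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# smb_authfile_cmd AUTHFILE //SERVER/SHARE
# Prints the command that would run. Compare with the pattern this issue
# describes, 'smbclient //server/share -U user%password', where the secret
# is part of argv; here only the auth file path is.
smb_authfile_cmd() {
    printf 'smbclient -A %s %s -c ls\n' "$1" "$2"
}

# smb_ls AUTHFILE //SERVER/SHARE: run the listing for real (needs smbclient)
smb_ls() {
    smbclient -A "$1" "$2" -c ls
}
```

The auth file should be removed (or kept only as long as the share mount lives) once the call returns, so the secret is never left on disk longer than needed.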

Member

LukasReschke commented Mar 21, 2013

I wouldn't rate this as a security issue but this is definitely a valid point that we have to address. @MTGap could you please take care of this?

Owner

DeepDiver1975 commented Mar 22, 2013

@icewind1991 is working on an alternative implementation of SMB which will arrive with OC6.
I see no real need to fix this in OC5

Contributor

itheiss commented Mar 22, 2013

For me it's not a big issue if this gets fixed with OC5 or OC6 (I am just a home user). But I don't understand how you guys define a security issue. In several bug trackers, issues like this one block whole releases.

In my private setup owncloud and samba use ldap. My windows PC and that from my girlfriend are members of the samba domain. So guess what you can do with the password watching ps accidentally.

This setup is surely not uncommon for small offices/companies.

Owner

DeepDiver1975 commented Mar 22, 2013

Quick explanation why I closed this and decided not to fix this in OC5:
The smb lib we use currently is unmaintained for a long time - we will throw it away pretty soon.
I don't see the need to invest time (private free time BTW ;-) ) in fixing stuff we throw away.

The new lib will for sure not be backported to OC5.

I'm pretty sure @icewind1991 is of the same opinion, and we are the only devs touching this code anyway.
