SECURITY ISSUE: CIFS/SMB share user/password revealed #2502

Closed
itheiss opened this Issue · 5 comments

4 participants

@itheiss

The current implementation of the CIFS/SMB support for External storage reveals user and password during execution of the smbclient command. Every user logged in can read user and password with a simple 'ps' command. Additionally user and password are logged in cleartext to syslog or logfile.

Solution: The smbclient call should be modified to use the authfile option 'smbclient -A ' which implies the authfile has to be created when a share is created/updated (stored in the users data directory?).
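As an added illustration of the authfile approach proposed above (example code, not ownCloud's own implementation): the credentials are written to a file that only the owning user can read, and `smbclient` is pointed at that file with `-A`, so neither the command line seen by `ps` nor a logged copy of it contains the password. The username, password, share and directory names are constructed placeholders; the authfile format (`username = ...`, `password = ...`, `domain = ...`) is the one `smbclient -A` documents.

```shell
#!/bin/sh
# Added example (not ownCloud code). Shows the difference between passing
# SMB credentials on the command line and passing them via an authfile.
#
# Insecure form described in the issue (shown for comparison only):
#   smbclient //server/share -U 'alice%s3cret' -c ls
# Every local user can see 's3cret' in `ps` output, and a logged command
# line stores it in cleartext.

# write_smb_authfile DIR USER PASS [DOMAIN]
# Creates a mode-0600 file under DIR in the smbclient -A format and prints
# its path. The caller removes the file once smbclient has finished.
write_smb_authfile() {
    dir=$1; user=$2; pass=$3; domain=${4:-}
    f=$(mktemp "$dir/smb-auth.XXXXXX") || return 1
    chmod 600 "$f" || return 1       # readable by the owning user only
    {
        printf 'username = %s\n' "$user"
        printf 'password = %s\n' "$pass"
        if [ -n "$domain" ]; then
            printf 'domain = %s\n' "$domain"
        fi
    } > "$f" || return 1
    printf '%s\n' "$f"
}

# authfile_is_private FILE
# Succeeds only if FILE is owned by the current user with exact mode 0600;
# a sanity check worth running before handing the file to smbclient.
authfile_is_private() {
    [ -n "$(find "$1" -perm 600 -user "$(id -un)" 2>/dev/null)" ]
}

# smb_cmd AUTHFILE SHARE
# Prints the command line that would be executed. Only the path of the
# authfile appears in it, never the password.
smb_cmd() {
    printf 'smbclient -A %s %s -c ls\n' "$1" "$2"
}

# Usage sketch (constructed values; the real call would replace the echo):
#   d=$(mktemp -d)
#   f=$(write_smb_authfile "$d" alice s3cret WORKGROUP)
#   authfile_is_private "$f" && eval "$(smb_cmd "$f" //server/share)"
#   rm -rf "$d"
```

The file is created with `mktemp` (which already uses mode 0600) and then explicitly `chmod 600`ed so the intent is visible; the directory it lives in should itself be private to the web-server user, such as the user's data directory the issue suggests, and the file should be deleted as soon as the `smbclient` call returns.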

@Raydiation
Collaborator
@LukasReschke
Collaborator

I wouldn't rate this as a security issue but this is definitely a valid point that we have to address. @MTGap could you please take care of this?

@DeepDiver1975

@icewind1991 is working on an alternative implementation of SMB which will arrive with OC6.
I see no real need to fix this in OC5

@itheiss

For me it's not a big issue if this gets fixed with OC5 or OC6 (I am just a home user). But I don't understand how you guys define a security issue. In several bug trackers, issues like this one block whole releases.

In my private setup owncloud and samba use ldap. My windows PC and that from my girlfriend are members of the samba domain. So guess what you can do with the password watching ps accidentally.

This setup is surely not uncommon for small offices/companies.

@DeepDiver1975

Quick explanation why I closed this and decided not to fix this in OC5:
The smb lib we use currently is unmaintained for a long time - we will throw it away pretty soon.
I don't see the need to invest time (private free time BTW ;-) ) in fixing stuff we throw away.

The new lib will for sure not be backported to OC5.

I'm pretty sure @icewind1991 is of the same opinion and we are the only devs touching this code anyway.
