S 2.438 Secure use of external programs on a Samba server

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

Many functions such as the creation of a new user in the Unix system or querying the printer status information are not implemented in Samba.

In order to carry out these functions, Samba uses programs available on the system on which it is installed. For example, to create a new user in the Unix system, Samba calls the program specified in the "add user script" parameter. All configuration parameters used by Samba to call external programs end with one of the following character strings:

In Samba 3, there are about 40 of these configuration parameters. Using the

testparm -vs | grep -E "(command =)|(script =)|(exec =)|(panic action =)|(program =)" | wc -l

command, the exact number of configuration parameters available in the Samba version currently being used can be displayed. If Samba uses the Common Unix Printing System (CUPS) Application Programming Interface (API) to communicate with the printing system, none of these parameters are set by default and/or used. Whether or not Samba has been compiled and linked to the CUPS library can be checked using the following command:

root# ldd $(which smbd) | grep 'libcups'

If Samba does not use the CUPS API to communicate with printers, default values are used for some of the configuration parameters specific to the print system depending on the value of the "printing" configuration parameter in the "smb.conf" configuration file. Default values are used for the following configuration parameters in this case:

Many of the external programs specified using such configuration parameters are executed by Samba with root rights. For this reason, it must be ensured that only programs that are not malicious can be called by Samba.

Using the

user> testparm -vs | grep -E "(command =)|(script =)|(exec =)|(panic action =)|(program =)"

command, all parameters responsible for integrating external programs in Samba can be output. The currently valid values of each parameter are also displayed in addition to the parameters themselves.
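
The listing produced by this command can be turned into a check of the programs themselves. The following shell script is an added example, not part of the original safeguard; the acceptance criteria (absolute path, owned by root, not writable by group or others) and the function names are assumptions made for this example, and the sample testparm output is constructed.

```shell
#!/bin/sh
# Added example, not part of the original safeguard. Assumption: a program is
# acceptable only if it is named by absolute path, owned by TRUSTED_OWNER
# (root by default) and not writable by group or others.
TRUSTED_OWNER=${TRUSTED_OWNER:-root}

# Constructed sample of "testparm -vs" output, used when testparm is absent.
sample_testparm() {
    printf '\tadd user script = /usr/sbin/useradd -m %%u\n'
    printf '\tpanic action = \n'
    printf '\tprint command = lpr -r -P%%p %%s\n'
    printf '\tmax log size = 1000\n'
}

# Print "parameter|program" for every external-program parameter that is set.
ext_programs() {
    grep -E '(command|script|exec|panic action|program) = ' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk -F ' = ' 'NF > 1 { split($2, w, " "); print $1 "|" w[1] }'
}

# Classify one program as OK, RELATIVE, MISSING or UNSAFE.
check_program() {
    case $1 in
        /*) ;;
        *) echo RELATIVE; return ;;
    esac
    [ -e "$1" ] || { echo MISSING; return; }
    # -L follows symlinks so the target file is judged, not the link itself.
    out=$(find -L "$1" -prune \( ! -user "$TRUSTED_OWNER" -o -perm -020 \
        -o -perm -002 \) -print 2>/dev/null) || { echo UNSAFE; return; }
    if [ -z "$out" ]; then echo OK; else echo UNSAFE; fi
}

# Read testparm output on stdin and print "STATUS parameter -> program".
audit() {
    ext_programs | while IFS='|' read -r param prog; do
        echo "$(check_program "$prog") $param -> $prog"
    done
}

if command -v testparm >/dev/null 2>&1; then
    testparm -vs 2>/dev/null | audit
else
    sample_testparm | audit
fi
```

Entries reported as RELATIVE, MISSING or UNSAFE are the ones to review by hand before Samba is allowed to call them.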

Review questions: