Samba Security / SAMBA:CVE-2019-3870
Apr 08, 2019

World writable files in Samba AD DC private/ dir

www.samba.org

CVSS2: 3.6 Low
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:L/AC:L/Au:N/C:N/I:P/A:P

CVSS3: 6.1 Medium
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: LOW
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

EPSS: 0.002 Low
  Percentile: 56.7%

Description

During the creation of a new Samba AD DC, files are created in the
private/ subdirectory of our install location. This directory is
typically mode 0700, that is owner (root) only access. However in
some upgraded installations it will have other permissions, such as
0755, because this was the default before Samba 4.8.

Within this directory files are created with mode 0666,
that is world-writable, including a sample krb5.conf and the list of
DNS names and servicePrincipalName values to update.

Patch Availability

Patches addressing both these issues have been posted to:

http://www.samba.org/samba/security/

Additionally, Samba 4.9.6 and 4.10.2 have been issued as security
releases to correct the defect. Samba administrators are advised to
upgrade to these releases or apply the patch as soon as possible.

CVSSv3 calculation

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H (6.1)

This score is calculated based on modification to the dns_update_list
or spn_update_list files in a default configuration.

Administrators who rely on these files in other ways might have a
higher score. For example, the sample krb5.conf might be read as
input to Kerberos tools or used as the system-wide krb5.conf
(potentially via a symlink).

Required steps (and workaround)

Upgrading Samba will not change the file or directory permissions for
an existing installation; it will just avoid the issue for new
installations.

Assuming Samba is installed in the default location, run as root:

    chmod 0700 /usr/local/samba/private

The private directory can be found in the listing from:

    smbd -b | grep PRIVATE_DIR

Alternatively, remove world-write permission from any files with:

    chmod o-w /usr/local/samba/private/*
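
To confirm whether an installation is affected and that the workaround took effect, the following script checks both conditions described above. It is an added example, not part of the Samba advisory or the Samba code base; the function names are hypothetical, and with no argument it runs against a constructed scratch directory rather than a real install.

```shell
#!/bin/sh
# Added example, not Samba project code: audit a private/ directory for the
# two conditions above (directory not 0700, world-writable files inside it).

# Octal mode of a path: GNU stat first, BSD stat as a fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# World-writable regular files at the top level, the same scope as the
# advisory's "chmod o-w .../private/*" workaround.
world_writable_files() {
    find "$1" -maxdepth 1 -type f -perm -0002 -print
}

# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on bad input.
audit_private_dir() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    mode=$(mode_of "$dir")
    if [ "$mode" != "700" ]; then
        echo "DIR $dir mode=$mode expected=700"
        rc=1
    fi
    ww=$(world_writable_files "$dir")
    if [ -n "$ww" ]; then
        echo "$ww" | sed 's/^/WORLD-WRITABLE /'
        rc=1
    fi
    return $rc
}

# Constructed sample: a scratch directory laid out like an upgraded pre-4.8 install.
demo() {
    d=$(mktemp -d) || return 1
    chmod 0755 "$d"
    for f in krb5.conf dns_update_list spn_update_list; do
        : > "$d/$f"; chmod 0666 "$d/$f"
    done
    echo "before:"; audit_private_dir "$d" || true
    chmod 0700 "$d"; chmod o-w "$d"/*
    echo "after:";  audit_private_dir "$d" && echo "clean"
    rm -rf "$d"
}

# With an argument, audit that path; with none, run the constructed demo.
if [ $# -gt 0 ]; then audit_private_dir "$1"; else demo; fi
```

Pass the PRIVATE_DIR path reported by smbd -b as the first argument to audit a real installation; a non-zero exit status means at least one finding.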

Credits

Originally reported by Björn Baumbach of the Samba Team and SerNet.

Patches provided by Andrew Bartlett of the Samba Team and Catalyst,
advisory written by Andrew Bartlett of the Samba Team and Catalyst.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
