Remote root filesystem access vulnerability in OpenWRT ksmbd server #25978

Open
geldot opened this issue Feb 14, 2025 · 0 comments
geldot commented Feb 14, 2025

A defect in OpenWRT's ksmbd SMB server configuration causes filesystem access with root permission to be granted to all remote users, potentially including guest users, bypassing authorization.

The vulnerability is verified in OpenWRT 24.10.0 and appears to have been introduced to the OpenWRT codebase six years ago.

The issue is in the net/ksmbd-tools/files/ksmbd.init init script, which attempts to require a user ACL list when the share is mapped to the root user.

However, due to an apparent typo, the logic is inverted and the script silently ignores the ACL in this case, resulting in root access being granted to all remote users, and unless disabled, guest users too:

		if [ "$force_root" -eq 1 ]; then
			printf "\tforce user = %s\n" "root"
			printf "\tforce group = %s\n" "root"
		else
			[ -n "$users" ] && printf "\tvalid users = %s\n" "$users"
		fi

The issue can be reproduced by enabling force_root in the LuCI web interface or in the /etc/config/ksmbd configuration file and observing that the configured access control list is ignored, permitting all users to access the share with root permissions.

See Samba's documentation for the correct semantics:

The force user and force group parameters map all connections to the specified user and group.

The recommended fix is to remove the special handling from the script, in order to yield the correct configuration (while still allowing users to manually enable root access without authorization, for example on a trusted local network if they so choose):

		if [ "$force_root" -eq 1 ]; then
			printf "\tforce user = %s\n" "root"
			printf "\tforce group = %s\n" "root"
		fi

		[ -n "$users" ] && printf "\tvalid users = %s\n" "$users"
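
An audit check for the condition reported above, added here as an example (it is not part of the issue or of OpenWrt's code): it reads an smb.conf-style file and lists every share that sets `force user = root` without a non-empty `valid users` line, marking those that also allow guests. The function name, the `guest ok` check and the sample config are assumptions constructed for illustration; pass the path of the config the init script generates as the argument.

```shell
#!/bin/sh
# Added example: list shares that force root but carry no "valid users" ACL.
audit_force_root() {
	awk '
	function report() {
		if (share != "" && root && !acl)
			print share (guest ? " +guest" : "")
	}
	/^[ \t]*[#;]/ { next }                  # skip comment lines
	/^[ \t]*\[.*\][ \t]*$/ {                # a [section] header starts a new share
		report()
		share = $0
		sub(/^[ \t]*\[/, "", share); sub(/\][ \t]*$/, "", share)
		if (share == "global") share = ""   # [global] is not a share
		root = 0; acl = 0; guest = 0
		next
	}
	{
		eq = index($0, "="); if (eq == 0) next
		key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
		gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
		if (key == "force user" && val == "root") root = 1
		if (key == "valid users" && val != "") acl = 1
		if (key == "guest ok" && tolower(val) == "yes") guest = 1
	}
	END { report() }
	' "${1:--}"                             # file argument, or stdin when omitted
}

# Constructed sample config (not taken from a real device).
sample_conf() {
	cat <<'EOF'
[global]
	netbios name = openwrt
[media]
	path = /mnt/media
	force user = root
	force group = root
	guest ok = yes
[backup]
	path = /mnt/backup
	force user = root
	valid users = alice
[docs]
	valid users = bob
EOF
}

sample_conf | audit_force_root
```

On the sample, only `media` is reported: `backup` forces root but keeps its ACL, which is the output the corrected script produces.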