Disable SaMBa (smbd): recent vulnerability

Due to a recent SaMBa vulnerability CVE-2021-44142, I’d like to disable smbd on my GL-MT300N-V2 Mango:

root@GL-MT300N-V2:~# /usr/sbin/smbd --version
Version 3.6.25

The vulnerability exists prior to 4.13.17.

I tried disabling File Sharing in the Applications menu (and rebooting), to no effect. I’ve tried terminating and/or killing the smbd (and nmbd for good measure) process in the Advanced menu, also to no effect.

I’d prefer a way of doing this via the GUI, but I am also not afraid of deleting /etc/rc.d/S60samba if that’s what it takes.

(Currently running firmware 3.105, but I have checked the release notes for the later two stable releases 3.203 and 3.211 and don’t see anything about upgrading SaMBa.)

1 Like

To stop running a script in /etc/rc.d, you can rename it in SSH so that it does not begin with “S” or “K”:

mv /etc/rc.d/S60samba mv /etc/rc.d/zzzS60samba

There is also not much danger deleting it because it is only a symbolic link to the actual file in the /etc/init.d directory.

In the same page you linked, you can see that this vulnerability only affects users using the vfs_fruit module, you can disable it:

As a workaround remove the “fruit” VFS module from the list of
configured VFS objects in any “vfs objects” line in the Samba
configuration smb.conf.

VFS fruit is for Apple/MacOS SMB clients, so it should be okay if you do not have that. I do not have a /etc/smb.conf file, only a /etc/config/samba file, which does not have any “vfs_object” lines anyway.

If anyone still wants to, you can just disable any /etc/rc.d startup or shutdown script just by renaming it without prefix of “S” (for Start) or “K” (for Kill).

You can also enable or disable startup scripts in LuCi → System → Startup.

On firmware 3.211 samba is not installed by default.