IPC User Problem (was Situational Deadlock)

Esh, Andrew Andrew_Esh at adaptec.com
Wed Jan 28 21:23:29 GMT 2004


Yes, I agree that force settings are probably being misused for other shares, and the change I am suggesting would leave the enforcement in place for those shares. I don't feel as though the same rules should apply to IPC, however. Why would someone ever want to limit access to IPC? It appears to allow full access as the guest user as a matter of course. Doesn't IPC live under a different set of rules within Windows?

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Wednesday, January 28, 2004 2:59 PM
To: Esh, Andrew
Cc: Andrew Bartlett; samba-technical at lists.samba.org
Subject: RE: IPC User Problem (was Situational Deadlock)


On Thu, 2004-01-29 at 07:51, Esh, Andrew wrote:
> The "admin user" setting is not set in smb.conf. The "force group" setting is set globally to allow all users of all shares to belong to the same group. This allows some crossover functionality with NFS we needed to have. I suppose we could put "force group" in every share, but it would be a PITA.
> 
> Why can't we allow "force group" in the case of IPC? (Other shares, 
> sure, but IPC? IPC should be open to anyone, or nothing works.) 
> Remember, this will affect anyone who calls WNetAddConnection2 to 
> connect to a share from NT. Our use of that call could be idiosyncratic, 
> but I doubt it.

The IPC$ share is special only in that it is the only share on a
non-terminal-server setup that is used by multiple users as a matter of
course.

The problem is this:  People who set up 'force group' and 'force user'
often set even more bizarre things in their smb.conf to get there.  They
also *think* that Samba only has one user at a time, or that each user
will open the shares independently.

This means that people set up configs like this:

[share1]
 include =/etc/smb.conf.%U

and put force user in that include file etc.  Naturally, this breaks
really badly when the second user comes along.

I would suggest that most of the cases where people use 'force user' or
'force group' (in particular) can be solved by appropriate Unix file
permissions.  If this were a Unix user, you would be using tricks like

chmod g+s dir/

So why should Samba be any different?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
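
The setgid-directory approach suggested in the quoted message, as an added example that is not part of the original thread: it builds a group-shared directory with Unix permissions alone and shows that new files take the directory's group rather than the creator's primary group. The function names and temporary paths are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a setgid directory makes new files
# inherit the directory's group, the effect a global "force group" is often
# used for. All paths are constructed temporary ones.

# Numeric group id that owns a path.
gid_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# Print a supplementary gid of the caller that differs from the primary gid
# and that chgrp accepts on the probe path $1; fall back to the primary gid.
pick_shared_gid() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ] && chgrp "$g" "$1" 2>/dev/null; then
            echo "$g"; return 0
        fi
    done
    echo "$primary"
}

# Create a group-shared directory: group $2, rwx for owner and group only,
# plus the setgid bit (the "chmod g+s dir/" from the message).
make_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 770 "$1" && chmod g+s "$1"
}

# Build the demo tree under a fresh temporary directory and print its path.
run_demo() {
    root=$(mktemp -d) || return 1
    make_shared_dir "$root/share" "$(pick_shared_gid "$root")" || return 1
    # umask 007 keeps what is created below group-writable.
    ( umask 007 && : > "$root/share/report.txt" && mkdir "$root/share/sub" ) || return 1
    echo "$root"
}

demo_root=$(run_demo) || exit 1
echo "primary gid of caller: $(id -g)"
echo "share directory gid:   $(gid_of "$demo_root/share")"
echo "new file gid:          $(gid_of "$demo_root/share/report.txt")"
if [ -g "$demo_root/share/sub" ]; then
    echo "subdirectory inherited the setgid bit"
fi
rm -rf "$demo_root"
```

If the caller belongs to only one group, the share falls back to the primary group and the inheritance is not visible in the output.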

