Best choice for ntlm_auth's access to winbindd_privileged directory
Dmitry Butskoy
buc at odusz.so-cdu.ru
Thu Sep 14 16:50:48 GMT 2006
According to the ntlm_auth(1) man page,
> Some of these commands also require access to the directory
> winbindd_privileged in $LOCKDIR. This should be done either by running
> this command as root or providing group access to the
> winbindd_privileged directory. For security reasons, this directory
> should not be world-accessible.
As an rpm packager (for mod_ntlm_winbind under Fedora Extras) I'm trying
to find some solution to avoid the need of manual permission changes
after the install. In other words, to write some post-install scripts
for the package which do this job automatically.
Currently ntlm_auth is used by Squid and the "mod_ntlm_winbind" module of
Apache. Both daemons have special user accounts ("squid" and "apache"
respectively). Therefore, one solution is:
The "samba-common" package (which owns the "ntlm_auth" helper and the
"/var/cache/samba/winbindd_privileged" directory) pre-creates a special
group -- let it be named "winbind" -- and the directory has rights
"drwxr-x--- root/winbind".
The packages which can use "ntlm_auth" just add their specific usernames
to this group at install time (using the "rpm trigger scripts" feature), i.e.:
    %triggerin -- samba-common
    usermod -a -G winbind squid
for squid, and similarly for apache.
But this solution does not seem to be universal, as it requires
applications to have special user accounts. One of the issues here is
the cyrus-sasl library (there is a patch which allows it to use
winbind). This way sendmail/postfix can do ntlm and gss-spnego auth
etc... But in general, this is *the library*, i.e. at the install time
we don't know exactly what application will use it. Therefore we don't
know what names to add to "winbind" group in the trigger script above.
An alternate solution can be to use the setgid bit for the ntlm_auth binary,
i.e. "-rwxr-sr-x root/winbind" (and the same "drwxr-x--- root/winbind"
for winbindd_privileged dir as above). Nothing special is required for
any application this way, but ntlm_auth will be executable by ANY user.
My question is:
For security reasons, is it just the directory that should not be
world-accessible, or should even the ntlm_auth binary itself not be
world-accessible? In other words, is the setgid way security clean?
Regards,
Dmitry Butskoy
Red Hat Certified Engineer 809003662809495
http://www.fedoraproject.org/wiki/DmitryButskoy
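The two layouts discussed in the message above can be told apart with a small permission audit. This is an added example, not part of the original post or of Samba: the function names and verdict strings are hypothetical, GNU coreutils stat(1) is assumed, and the sample tree is constructed in a temporary directory as a stand-in for the real paths.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils stat(1).

# Print the "other" permission digit (0-7) of a path's octal mode.
other_bits() {
    mode=$(stat -c '%a' "$1") || return 1
    echo $(( 0$mode & 7 ))
}

# Classify a directory/helper pair into one of the layouts from the message.
# $1 = winbindd_privileged directory, $2 = ntlm_auth binary
check_layout() {
    dir=$1 bin=$2
    dir_other=$(other_bits "$dir") || return 1
    bin_other=$(other_bits "$bin") || return 1
    if [ "$dir_other" -ne 0 ]; then
        echo "world-accessible"      # what the man page warns against
    elif [ ! -g "$bin" ]; then
        echo "group-only"            # callers must be in the directory's group
    elif [ "$(stat -c '%G' "$bin")" != "$(stat -c '%G' "$dir")" ]; then
        echo "setgid-wrong-group"    # setgid bit grants a group the directory does not use
    elif [ $(( bin_other & 1 )) -ne 0 ]; then
        echo "setgid-any-user"       # any local user can run the helper with the group
    else
        echo "setgid-restricted"     # setgid, but not executable by others
    fi
}

# Constructed sample tree (stand-ins for the real paths), so this runs unprivileged.
demo=$(mktemp -d)
mkdir "$demo/winbindd_privileged"
: > "$demo/ntlm_auth"
chmod 750 "$demo/winbindd_privileged"
chmod 2755 "$demo/ntlm_auth"
echo "sample layout: $(check_layout "$demo/winbindd_privileged" "$demo/ntlm_auth")"
rm -rf "$demo"
```

On a real system the two arguments would be the packaged directory and helper; the check only reads modes and group names, so it can run from a post-install script without changing anything.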