Best choice for ntlm_auth's access to winbindd_privileged directory

Dmitry Butskoy buc at odusz.so-cdu.ru
Thu Sep 14 16:50:48 GMT 2006


According to the ntlm_auth(1) man page,

> Some of these commands also require access to the directory
> winbindd_privileged in $LOCKDIR. This should be done either by running
> this command as root or providing group access to the
> winbindd_privileged directory. For security reasons, this directory
> should not be world-accessible.

As an rpm packager (for mod_ntlm_winbind under Fedora Extras) I'm trying 
to find a solution that avoids the need for manual permission changes 
after the install. In other words, to write post-install scripts 
for the package that do this job automatically.

Currently ntlm_auth is used by Squid and the "mod_ntlm_winbind" module of 
Apache. Both daemons have special user accounts ("squid" and "apache" 
respectively). Therefore, one solution is:

The "samba-common" package (which owns the "ntlm_auth" helper and the 
"/var/cache/samba/winbindd_privileged" directory) pre-creates a special 
group -- let it be named "winbind" -- and the directory has rights 
"drwxr-x---  root/winbind".
The packages which can use "ntlm_auth" just add their specific usernames 
to this group at install time (using the "rpm trigger scripts" feature), i.e.:

    %triggerin -- samba-common
    usermod -a -G winbind squid

for squid, and similar for apache.

But this solution does not seem to be universal, as it requires 
applications to have special user accounts. One of the issues here is 
the cyrus-sasl library (there is a patch which allows it to use 
winbind). This way sendmail/postfix can do ntlm and gss-spnego auth 
etc. But in general, this is *a library*, i.e. at install time 
we don't know exactly which application will use it. Therefore we don't 
know which names to add to the "winbind" group in the trigger script above.

An alternative solution could be to use the setgid bit for the ntlm_auth 
binary, i.e. "-rwxr-sr-x root/winbind" (and the same "drwxr-x---  root/winbind" 
for the winbindd_privileged dir as above). Nothing special is required for 
any application this way, but ntlm_auth will be executable by ANY user.

My question is:
For security reasons, should just the directory not be world-accessible, 
or should the ntlm_auth binary itself not be world-accessible either? In 
other words, is the setgid way security clean?


Regards,
Dmitry Butskoy

Red Hat Certified Engineer 809003662809495
http://www.fedoraproject.org/wiki/DmitryButskoy
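The two layouts discussed in the post, as an added example that is not part of the original message and not code from the Samba or Fedora packages. It sketches the samba-common %post scriptlet, the consumer's %triggerin scriptlet (option a: group membership for the daemon user) and the setgid alternative (option b), plus a check that the resulting directory grants nothing to "others", as the ntlm_auth(1) man page requires. The group name "winbind", the path /var/cache/samba/winbindd_privileged and the daemon users "squid"/"apache" are taken from the post; the DRY_RUN switch and the scratch-directory demo are this example's own devices so it can be exercised without root.

```shell
#!/bin/sh
# Added example: packaging scriptlets for ntlm_auth's winbindd_privileged
# access and a permission check. Not the Samba project's or Fedora's code.
set -eu

# Assumed names (from the post): $LOCKDIR is /var/cache/samba, group "winbind".
PRIVDIR=${PRIVDIR:-/var/cache/samba/winbindd_privileged}
WB_GROUP=${WB_GROUP:-winbind}

# Run a privileged command, or only print it when DRY_RUN=1 (this example's
# own switch so the scriptlets can be inspected without root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# samba-common %post: create the group idempotently and lock the directory
# down to root:winbind 0750 ("drwxr-x---  root/winbind").
samba_common_post() {
    if ! getent group "$WB_GROUP" >/dev/null 2>&1; then
        run groupadd -r "$WB_GROUP"
    fi
    run chgrp "$WB_GROUP" "$PRIVDIR"
    run chmod 0750 "$PRIVDIR"
}

# Consumer's "%triggerin -- samba-common" (option a): add the daemon's own
# account to the group. Only works when the consumer has a dedicated user,
# which is the limitation the post raises for cyrus-sasl.
consumer_triggerin() {
    run usermod -a -G "$WB_GROUP" "$1"
}

# Option b: setgid ntlm_auth ("-rwxr-sr-x root/winbind"). No per-consumer
# work, but every local user can now run the helper with the winbind gid.
setgid_ntlm_auth() {
    run chgrp "$WB_GROUP" "$1"
    run chmod 2755 "$1"
}

# "others" permission triple of a path, taken from POSIX ls -ld output
# ("drwxr-x---" -> "---"), so it works on GNU and BSD userlands alike.
others_bits() {
    ls -ld "$1" | cut -c8-10
}

# Succeeds only when the path grants nothing (r, w or x) to "others".
not_world_accessible() {
    [ "$(others_bits "$1")" = "---" ]
}

# Scratch demonstration against a temporary directory, never the real $LOCKDIR.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/winbindd_privileged"
    chmod 0750 "$tmp/winbindd_privileged"
    if not_world_accessible "$tmp/winbindd_privileged"; then
        echo "ok: $tmp/winbindd_privileged is not world-accessible"
    else
        echo "FAIL: $tmp/winbindd_privileged is world-accessible"
    fi
    rm -rf "$tmp"
}

demo
```

Run it with `DRY_RUN=1` and call `samba_common_post`, `consumer_triggerin squid` or `setgid_ntlm_auth /usr/bin/ntlm_auth` to see the exact commands each scriptlet would issue; the check function is what a %verify-style test or a post-install sanity script would call on the real directory.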

