Proposal for changes in become root

Stefan Metzmacher metze at samba.org
Mon Apr 22 10:56:32 UTC 2024


Hi Xavi,

>> On 4/22/24 11:11, Xavi Hernandez via samba-technical wrote:
>>> What do you think ?
>> the future plan is to move the impersonation to the VFS by passing an
>> abstract impersonation object to all VFS functions and then let the VFS
>> modules do the impersonation.
>>
>> metze and I have designed and implemented 75% of what would be needed here:
>>
>> <https://git.samba.org/?p=slow/samba.git;a=shortlog;h=refs/heads/impersonation>
>>
>> The top commit has a few notes and TODO.
>>
>> <https://git.samba.org/?p=slow/samba.git;a=blob;f=Impersonation_Plan.org;h=ea6fe04825ec57ba4c0a7e6476255129e3f3133a;hb=f4ca9ebfc1269bbe7c3319eb991e1d0ea44a08a9>
>>
>> This is probably not what you were asking for, but I'm afraid tunneling
>> become_root() through the VFS would further complicate the current logic
>> and also doesn't allow avoiding all impersonation changes, eg the logic
>> around change_to_user_and_service_by_fsp() and
>> become_user_without_service_by_fsp().
>>
> 
> That's very interesting. I wasn't aware of this work.
> 
> I've just started to take a look, but if I understand it correctly, the
> user credentials will be set just before doing the system call. I've not
> seen any reference to become_root() (I may have missed something, though),
> but I guess it needs to integrate with that and, in this case, it won't
> issue any syscalls to change the current process owner, right ?
> 
> That approach could be very useful for what I really wanted to do. If I see
> it correctly, the credentials switch happens in vfs_default, so modules are
> free to implement the credentials as they want.

Yes, exactly, the generic 'struct samba_impersonation' is passed
to each vfs call. And the impersonation would happen where needed.
The become_root() case would just pass a 'struct samba_impersonation'
representing 'root' or the overwrite_dac capability.

Then the vfs modules are free to do what is needed.
vfs_default would do the change to the correct context before each syscall (in a cached fashion).
vfs modules for userspace filesystems can use samba_impersonation_cache_id() in order
to have a unique cache id for their own context structure.

metze
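
A minimal model of the cached context switch described in the message above, added here as an illustration; it is not Samba code and not taken from the impersonation branch. `struct demo_impersonation`, its fields and every function name are hypothetical, and the credential change is simulated instead of being performed with real syscalls.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical stand-in for the impersonation object; fields are assumptions. */
struct demo_impersonation {
    uint64_t cache_id;  /* unique per distinct credential set */
    uid_t uid;
    gid_t gid;
    int override_dac;   /* models the become_root() case */
};

/* Credentials currently applied to this thread (simulated, no real syscalls). */
static struct { int valid; uint64_t cache_id; uid_t uid; gid_t gid; } current;
static unsigned switch_count;

/* Stand-in for the real per-thread credential change. */
static void apply_credentials(const struct demo_impersonation *imp)
{
    current.uid = imp->override_dac ? 0 : imp->uid;
    current.gid = imp->override_dac ? 0 : imp->gid;
    current.cache_id = imp->cache_id;
    current.valid = 1;
    switch_count++;
}

/* Runs before every operation: switch only if the applied context differs. */
static void ensure_context(const struct demo_impersonation *imp)
{
    if (current.valid && current.cache_id == imp->cache_id)
        return;
    apply_credentials(imp);
}

/* Default-backend operation: impersonate, then do the work.
 * Returns the effective uid the operation would run with. */
static uid_t demo_vfs_op(const struct demo_impersonation *imp)
{
    ensure_context(imp);
    return current.uid; /* a real backend would issue its syscall here */
}

/* Constructed call sequence: two user ops, one privileged op, one user op. */
unsigned demo_run(void)
{
    struct demo_impersonation user = { 1, 1000, 1000, 0 };
    struct demo_impersonation root = { 2, 1000, 1000, 1 };
    current.valid = 0;
    switch_count = 0;
    demo_vfs_op(&user); demo_vfs_op(&user); /* second call hits the cache */
    demo_vfs_op(&root);                     /* privileged context applied */
    demo_vfs_op(&user);                     /* must drop back to the user */
    return switch_count;
}

int main(void) { printf("switches: %u\n", demo_run()); return 0; }
```

Because the cache is keyed on the id of the context requested by each call, a privileged context applied for one operation is never reused for the next operation that asks for user credentials.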