[Samba] Questions about 3.0.12rc1
Sergey Loskutov
lsm at tts.magadan.su
Mon Mar 14 23:18:28 GMT 2005
Gerald (Jerry) Carter wrote:
>> Sergey Loskutov wrote:
>> | Hello!
>> |
>> | Before this post, I sent 3 problems in 3.0.11.
>> | I compiled 3.0.12rc1 and found the following:
>> |
>> | 1) Setting primary group .... problem solved, but a question to the developer:
>> | You appended to mapping.c in smb_set_primary_group
>> | ret = smbrun(add_script,NULL);
>> | flush_pwnam_cache();
>> | ^^^^^^^^^^^^^^^^^^^^
>> | But you do not check the return code ..... if my script exits with code != 0,
>> | the primary group is changed ... ( is the "set primary group" script still needed ? )
>>
> It's just flushing the internal pwnam cache. Semantically this is ok.
> Probably not optimal. I'll look at it later.
I know that you are flushing the cache... but thank you.
>>
>> | 3) I analyzed problem 1
>> | ( a user who does not have the "add machine account" privilege )
>> |
>> | In the function _samr_create_user ( srv_samr_nt.c ) you have this code:
>> |
>> | if ( can_add_account )
>> | become_root();
>> |
>> | And if the user does not have the privilege (user|machine) you MAY CREATE A USER (
>> | posix account or machine account ) through the SCRIPT :(((((
>> |
>> | I changed the code to:
>> |
>> | if ( can_add_account == False ) {
>> | return NT_STATUS_ACCESS_DENIED;
>> | }
>> | It fixed the problem ....
>> | I did a simple test and it works correctly, ... but I did
>> | not do a full test.
>>
> I've thought about this before. The problem is actually that
> your 'add user script' can be run successfully as a non-root user.
> A simple 'chmod 700 <script>; chown root <script>' will solve this.
> I'll look at it some more but this is not a pressing issue I don't
> think. smbd is not doing anything that the normal user couldn't do
> anyways. And your fix doesn't cover all the possible scenarios
> (e.g. root user with no assigned privileges should still be able to join
> clients to the domain).
NO NO NO, setting chmod or chown .....
Why do we need privileges ? :) I want to set the "add machine" privilege for a
user who is not a member of root ....
Sample :)
chmod 770 <script>; chown root."smart man" <script>;
Looks good :)
User: John ( member of "smart man" )
User: Leon ( member of "smart man" )
I want to give the privilege to John, but not to Leon ... :)
Why must I use setfacl|getfacl ..... I have privileges .....
Your decision ... is bad.
And anyway, a user who has uidNumber == 0 and does not have privileges is not
able to join machines and users ;) I checked this before sending the code.
And why do I permit executing the script if the code semantics do not allow using ldap
when not a member of root ? Check your ldap code ;)
Thank you for your help !
Sergey Loskutov
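The create-user path discussed above, as an added C example that is not Samba's own code: it models the deny-before-escalation check from point 3 (with root callers still allowed through, as Jerry notes) and also checks the script's exit code instead of ignoring it, as raised in point 1. The struct caller, create_account, the status values and the constructed "exit N" shell one-liners used as scripts are hypothetical stand-ins, not smbd identifiers.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <sys/wait.h>

/* Constructed stand-ins for the NTSTATUS values smbd would return. */
enum create_status { CREATE_OK = 0, CREATE_ACCESS_DENIED = 1, CREATE_SCRIPT_FAILED = 2 };

/* Hypothetical description of the RPC caller: its Unix uid and whether the
 * "add machine account" / add-user right has been granted to it. */
struct caller {
    unsigned uid;
    bool has_add_account_priv;
};

struct create_result {
    enum create_status status;
    bool script_ran;   /* true only if the add script was actually executed */
    int script_rc;     /* exit code of the script, meaningful when script_ran */
};

/* Modelled on smbrun(): run the command through /bin/sh and return its exit
 * status, or -1 when it could not be run at all. */
static int run_add_script(const char *cmd) {
    int rc = system(cmd);
    if (rc == -1 || !WIFEXITED(rc))
        return -1;
    return WEXITSTATUS(rc);
}

/* Hardened create-user path: the privilege decision is enforced before any
 * escalation, so a caller without the right never reaches the script, and the
 * script's exit code is propagated instead of being dropped on the floor. */
struct create_result create_account(const struct caller *c, const char *add_script) {
    struct create_result r = { CREATE_OK, false, 0 };
    bool can_add_account = (c->uid == 0) || c->has_add_account_priv;

    if (!can_add_account) {
        r.status = CREATE_ACCESS_DENIED;   /* deny; do not fall through to the script */
        return r;
    }
    /* become_root() would go here in smbd; the script runs with smbd's privileges */
    r.script_ran = true;
    r.script_rc = run_add_script(add_script);
    /* unbecome_root() */
    if (r.script_rc != 0)
        r.status = CREATE_SCRIPT_FAILED;   /* surface the failure rather than continuing */
    return r;
}
```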