smbpasswd and euid detection

[Steve Langasek]

On Thu, Jan 02, 2003 at 02:23:09PM -0700, Craig Kelley wrote:

> > I consider confusing smbpasswd with the Unix passwd command a sign that
> > one doesn't really have that much knowledge, at least where smbpasswd
> > itself is concerned.  It's easy to jump to the conclusion that smbpasswd
> > needs root privs to make changes to the smbpasswd file -- it does not --
> > and the program has *not* been audited for use as an suid program, so
> > it's dangerous to treat it the same as passwd.

> > So if someone can run smbpasswd indirectly from an suid wrapper, there's
> > still a high potential for security problems, the same as if smbpasswd is
> > suid itself.  If you need to let users call smbpasswd in an suid root
> > context, your wrapper should do its own vetting of the user input and
> > then assume full root privileges.

> Then let's add suid checking to every program.

Most programs don't have the problem of people assuming they're analogous
to other suid programs.

> They can all be abused, and the same argument should apply.

> Regardless, the patch I presented actually does what the the warning 
> message claims it's doing.  It stat()'s the actual binary of smbpasswd to 
> see if it's suid or not.  It doesn't add any dependencies, and it should 
> work on all systems capable of handling geteuid(), which smbpasswd already 
> uses.

But if you're going to concede that the check is there for a reason
(which you seem to be doing by not asking for the check to be removed
altogether), then that reasoning applies whether or not smbpasswd itself
is the program carrying the suid bit as explained above.

-- 
Steve Langasek
postmodern programmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030102/397835f1/attachment.bin