Become_root depth is nonzero
Doug VanLeuven
ldx at ibm.net
Sun Aug 8 22:42:44 GMT 1999
Michael Stockman wrote:
> Hello,
>
> After starting to use usrmgr yesterday I noticed a problem with
> nonzero root depth. This occurs in rpc_server/srv_lookup.c and I
> believe it is caused by a call to lookup_name in make_dom_gids being
> wrapped in become_root. Since all privileged calls from lookup_name
> and it's descendants also are wrapped, the error occurs when we get to
> them.
I researched & posted on this a while back. On my system
Redhat 5.2, kernel 2.0.36, gcc 2.7.2.3-14,
samba CVS as of 7-28-99 with LDAP
the above mentioned call was the one responsible for all my reported errors.
>
>
> The patch I'm proposing removes the seemingly unneeded become_root /
> unbecome_root pair around that call. I have not been able to detect
> any new problems from this, and it seems to me that the pair was
> anyway on the wrong level in the architecture.
>
Because the second unbecome_root incorrectly restored root privliges, I felt it
was a security issue & rewrote the become/unbecome root pair to push & pop
user & directory info to a depth of 2, no errors since.
I reverted smbd/uid.c & applied your patch.
1. boot an NT standalone server joined to samba PDC domain
2. run user manager for domains
3. user/properties
4. edit groups
5. Add a group that user is not member of
6. Informed "Access denied error"
7. Logs indicate become/unbecome root error
8. Closing & re-opening groups shows user now in additional groups and
is reflected in LDAP DB.
so I'm still getting the error in this circumstance.
-- Doug VanLeuven - 707-545-6933 (voice) 707-545-6945 (fax)
Chief Engineer, USMM roamdad at ibm.net
Programmer/Analyst, SCWA doug at scwa.ca.gov
More information about the samba-technical
mailing list