VB: become_root remove patches (head)

[Michael Stockman]

> Hello,
>
> > Michael Stockman wrote:
> > >
> > > Hello,
> > >
> > > Here are the patches that eliminates every call to become_root
> > from
> > > samba (head). The function definition is not removed.
> > >
> > > They should be applied to locking/shmem_sysv.c
> locking/locking_slow.c
> > > rpc_server/srv_samr.c rpc_server/srv_netlog.c
> rpc_server/srv_pipe.c
> > > rpc_server/srv_lookup.c smbd/password.c smbd/dosmode.c
> > > smbd/chgpasswd.c.
> > >
> > > I haven't tried fixing any problems this might cause (please do
> that
> > > while I make some patches for the 2.0.X branch:-). I should have
> some
> > > time for that tonight.
> >
> > Why are you wanting to remove become_root() from 2.0.x ?
>
> Actually I could hardly care less for 2.0.X. However lkcl (according
> to my interpretation) asked for it in a previous mail.
>
> There is also a debate over here about whether if become_root would
> ever would be needed in a good design. A side note is that samba is
> taking heavy damage in that debate and I'm having a hard time
> defending it.
>
> Still, I did ask for specific reasons why become_root exists and how
> samba changes uid during run-time. The contest is still open (sorry
no
> prize :-). Well, actually you could win some respect for finally
> caring about this.
>
> > This function is needed in many places to take on root
> > authority whilst doing something and then call unbecome_root()
> > to relinquish it again (eg. scanning the smbpasswd file).
>
> This function is seriously missused (in head branch) to bypass unix
> filesystem security. Samba is evidently giving out information that
> the user doesn't have access to (through becoming root in the RPC
> stuff). I suppose we all agree that samba must never send
information
> obtained whilst being root, rather than the user, to the client.
>
> > What have you replaced this functionality with ?
>
> As I wrote, nothing.
>
> If I'm correct in my assumption that samba runs as root most of the
> time and only changes down to perform services for the user, I
refuse
> to believe that both a become_user and become_root system is really
> necessary. If I'm wrong, please say so and we can discuss matters
from
> there.
>
> > become_root() got broken somewhat in HEAD due to some
> > careless changes in the authentication code. It works
> > correctly in 2.0.x as far as I know.
>
> That is quite possible, why hasn't it been fixed? I know head isn't
> considered stable, but I can see no reason what so ever that we
should
> save known errors in it (especially not security sensitive such).
>
> Best regards
>   Michael Stockman
>   pgmtekn-micke at algonet.se