VB: become_root remove patches (head)

Luke Kenneth Casson Leighton lkcl at switchboard.net
Wed Aug 18 21:56:27 GMT 1999


> > Actually I could hardly care less for 2.0.X. However lkcl (according

me neither, however my pre-alpha code got chucked into a release tree
about eight months ago and this is one of the issues: anonymous users can
enumerate users using USRMGR.EXE or rpcclient.

> > to my interpretation) asked for it in a previous mail.

... so i figured it's kinda a good idea to care about this sort of issue,
so mentioned it to you, michael, as you were going over cvs main as well.

> > Still, I did ask for specific reasons why become_root exists and how
> > samba changes uid during run-time. The contest is still open (sorry no
> > prize :-). Well, actually you could win some respect for finally
> > caring about this.

ok.  you _could_ get away with splitting the passwords out of
private/smbpasswd into:

private/DOMAIN.user1 owner user1 -rw-------
private/DOMAIN.user2 owner user2 -rw-------
...

and then individual users could change their own passwords.  they could
also, unfortunately, _delete_ their own passwords by logging in to the
samba server, cd private/, del DOMAIN.user1 oops! i can't log in any more
*dur* :-)

only root would be allowed to enumerate private/smbpasswd.* and obtain
passwords.

in fact, we already _have_ the base-level functionality to do this, it's
in private/smbpassfile.c, it currently generates .mac files.

> > > This function is needed in many places to take on root
> > > authority whilst doing something and then call unbecome_root()
> > > to relinquish it again (eg. scanning the smbpasswd file).
> >
> > This function is seriously misused (in head branch) to bypass unix
> > filesystem security.

yep.  and 2.0.x.

> > Samba is evidently giving out information that
> > the user doesn't have access to (through becoming root in the RPC
> > stuff). I suppose we all agree that samba must never send information
> > obtained whilst being root, rather than the user, to the client.

um... well... it depends on whether you want full NT-like functionality or
not!

> > If I'm correct in my assumption that samba runs as root most of the
> > time and only changes down to perform services for the user, I

it changes down and then, during idle/clean-up, changes back up.

> > > become_root() got broken somewhat in HEAD due to some
> > > careless changes in the authentication code. It works
> > > correctly in 2.0.x as far as I know.
> >
> > That is quite possible, why hasn't it been fixed?

'cos i wrote the server-side code in a serious hurry as proof-of-concept.
it works (after a fashion), chuck it into cvs, see what happens.  i tried
to get as much done as quickly as possible.  issues like security (except
really stupid things like giving out user passwords) weren't high on my
list.  particularly as nt itself is so TOTALLY full of security holes and
anonymous DoS vulnerabilities that even with this code in, nt makes samba
look like a saint!

> > I know head isn't considered stable, but I can see no reason
> > whatsoever that we should save known errors in it (especially not
> > security sensitive such).

true.  i wasn't expecting you to remove _all_ calls to become_user() and
become_root(), just the ones in rpc_server*/*.c, passgrp/*.c and
passdb/*.c!

luke
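The become_root()/unbecome_root() bracket the thread argues about, written out as an added illustration. This is not Samba's code from either branch: the two function names are taken from the thread, but the implementation, the nesting counter and the `may_disclose()` helper are constructed for this example, and it assumes the one-process-per-connection model of smbd (seteuid changes the whole process). It shows the two properties the thread cares about: every uid/gid change is checked and undone in the right order, so a failed drop cannot be silently ignored, and whatever is looked at while root is filtered against the requesting user before anything is returned, so root-obtained data does not reach the client.

```c
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Identity of the connected user, captured when root is first assumed. */
static uid_t saved_uid;
static gid_t saved_gid;
/* Number of outstanding become_root() calls; root is released only at 0. */
static int root_depth = 0;

/* Regain root for a short, bounded section.  Returns 0 on success, -1 when
 * the process may not regain root (e.g. it was started unprivileged); on
 * failure the effective identity is left exactly as it was. */
int become_root(void)
{
    if (root_depth == 0) {
        saved_uid = geteuid();
        saved_gid = getegid();
        /* uid first: once euid is 0 again the gid change is always permitted. */
        if (seteuid(0) != 0)
            return -1;
        if (setegid(0) != 0) {
            int err = errno;
            seteuid(saved_uid);         /* roll back the partial change */
            errno = err;
            return -1;
        }
    }
    root_depth++;
    return 0;
}

/* Drop back to the connected user.  Returns -1 on an unbalanced call or if
 * the drop itself fails; callers must treat -1 as "still root". */
int unbecome_root(void)
{
    if (root_depth == 0)
        return -1;
    if (--root_depth == 0) {
        /* gid first, then uid: after euid is non-root a gid change is refused. */
        if (setegid(saved_gid) != 0 || seteuid(saved_uid) != 0)
            return -1;
    }
    return 0;
}

/* Constructed helper: root is used only to read metadata, and the decision is
 * made against the requesting user.  Returns 1 if `requester` owns `path`,
 * 0 if not, -1 if it cannot be examined.  File contents are never read under
 * root, so nothing gathered as root can leak to the caller. */
int may_disclose(const char *path, uid_t requester)
{
    struct stat st;
    int elevated = (become_root() == 0);
    int rc = stat(path, &st);

    if (elevated && unbecome_root() != 0)
        return -1;                      /* stuck as root: refuse to go on */
    if (rc != 0)
        return -1;
    return st.st_uid == requester ? 1 : 0;
}

/* Self-check of the bracket's invariants; returns 1 when they all hold,
 * whether or not the process is able to regain root. */
int privilege_bracket_selftest(void)
{
    uid_t before = geteuid();
    int ok = 1;

    if (become_root() == 0) {
        ok &= (geteuid() == 0);
        ok &= (become_root() == 0);     /* nested call is allowed ... */
        ok &= (unbecome_root() == 0);
        ok &= (geteuid() == 0);         /* ... and does not drop early */
        ok &= (unbecome_root() == 0);
    } else {
        ok &= (unbecome_root() == -1);  /* nothing to undo */
    }
    ok &= (geteuid() == before);        /* identity fully restored */
    ok &= (root_depth == 0);
    return ok;
}
```

The ordering in the two functions is the part most often got wrong: raising goes uid then gid, dropping goes gid then uid, because a process whose effective uid is already non-root cannot change its effective gid to one it does not hold. The nesting counter is what makes an inner unbecome_root() safe to call from a helper without the outer caller suddenly finding itself running as the user.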
