Patches to head (become_root and some RPC stuff)
ldx at ibm.net
Wed Aug 25 00:21:56 GMT 1999
Michael Stockman wrote:
> You are using LDAP, right? The patches rely on trying to do something
> and failing. If the ldap server gives out the information to a process
> with user privileges, then you should get it. The idea is that smbd
> acts with your privileges and smbd thus cannot do anything you
> couldn't do anyway.
> I don't know LDAP, so please, could you tell me how the LDAP server is
> secured, because that is the key to what smbd is doing wrong.
I read through this message again & got a different insight. Any Unix user can access
the LDAP database for read. If they know the LDAP "root" password they can
suffix "o=LDX Micros, c=US"
rootdn "uid=root, o=LDX Micros, c=US"
access to dn=".*, o=LDX Micros, c=US"
    by self write
    by * search
Samba binds to the rootdn using the secret password.
Am I getting a glimmer that this may need to be redone in a more restrictive way?
-- Doug VanLeuven - 707-545-6933 (voice) 707-545-6945 (fax)
Chief Engineer, USMM roamdad at ibm.net
Programmer/Analyst, SCWA doug at scwa.ca.gov