Samba under Coherent and Macintosh

Luke Kenneth Casson Leighton lkcl at samba.org
Sun Dec 19 21:51:55 GMT 1999


On Mon, 20 Dec 1999, Michael Stockman wrote:

> Hello,
> 
> > > why is it that you think that msrpc services don't need to do file
> > > access?
> > > what about access to private/smbpasswd from samrd?
> >
> > we do become_root() before those anyway, so that's totally
> > irrelevant. (the smbpasswd can _only_ be accessed as root).
> 
> Don't, pretty please. become_root must only be used when samba is
> collecting data for internal use. It is not acceptable that samba
> return any data that a user would not have access to if logged in to
> the machine while samba isn't running.

so, how should a user change their own password?  this is the only way (at
present).

actually, at present, we do a become_root() / unbecome_root() around
anything that provides read-only samr info.  the only become_root()
/unbecome_root() that allows _changes_ is the change user password call,
and that is only allowed when the old user password has been validated.

all other modify-or-add password / group / alias API calls do not have a
become_root() / unbecome_root() around them, therefore the daemon must
already _Be_ root, and that requires the administrator SMB password.
 
> Why are you so against allowing the administrator control who has
> access to smbpasswd?

i am?  what makes you think that?

> Maybe we should split it into two (or even more)
> files sometime in the future, so that the admin could control who can
> see/change what based on unix file permissions?

*sigh*.  that's exactly what i want to do, particularly as it's already
what's used in 2.0.X and 2.1prealpha.

however, andrew is in favour of only running as root and then doing access
control validation for everything.  i was planning the access control
validation as a later enhancement, and using reasonable approximations in
the meantime.
 
> > > do you want anonymous users to be able to read the SAM database,
> > > just like NT allows?
> >
> > of course not, but doing become_user() won't stop that. It will just
> > give you a false sense of security.
> 
> In regards to disk access, you would have to elaborate to convince me
> (supposing that I or anyone else can prevent you from calling
> become_root everywhere).

who said i was going to call become_root() everywhere?
 
> Best regards
>   Michael Stockman
>   pgmtekn-micke at algonet.se
> 
> PS. Thought of the day: become_root is almost equal to become_rotten,
> if used badly ;).

not quite.  from what i understand of what andrew was saying, how are you
going to stop people, say, from abusing potential race conditions on, say,
log files?
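As an added example (not Samba code, and not written by either author in this thread), the following C program models the three tiers of the policy described above: read-only SAM queries are wrapped in become_root()/unbecome_root() unconditionally, a password change is wrapped too but modifies nothing unless the old password validates first, and any other add-or-modify call takes no bracket at all and therefore only succeeds when the daemon is already root. The effective-uid switch the real daemon performs is replaced here by a nesting counter, the private/smbpasswd file by a constructed in-memory table, and the function names (samr_query_user_exists, samr_change_password, samr_add_user) are hypothetical.

```c
/* Added example modelling become_root() bracketing policy; not Samba code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_USERS 8
#define FIELD_LEN 32

/* Nesting depth stands in for the effective-uid switch of the real daemon.
 * Brackets must be balanced: every become_root() needs an unbecome_root(). */
static int root_depth = 0;

static void become_root(void)   { root_depth++; }
static void unbecome_root(void) { if (root_depth > 0) root_depth--; }
static bool is_root(void)       { return root_depth > 0; }

/* Constructed in-memory stand-in for private/smbpasswd. */
struct sam_entry { char name[FIELD_LEN]; char password[FIELD_LEN]; };
static struct sam_entry sam[MAX_USERS] = {
    { "alice", "old-secret" },
    { "bob",   "hunter2" },
};
static int sam_count = 2;

/* The "file" is only readable while root: outside a bracket, lookups fail. */
static struct sam_entry *sam_lookup(const char *name)
{
    if (!is_root()) return NULL;
    for (int i = 0; i < sam_count; i++)
        if (strcmp(sam[i].name, name) == 0) return &sam[i];
    return NULL;
}

/* Tier 1: read-only samr info, bracketed unconditionally. Only the
 * non-secret fact (does the account exist) leaves the bracket. */
int samr_query_user_exists(const char *name)
{
    become_root();
    bool found = (sam_lookup(name) != NULL);
    unbecome_root();
    return found ? 1 : 0;
}

/* Tier 2: the one bracketed modification. The old password must validate
 * before anything is written; on failure the entry is left untouched. */
int samr_change_password(const char *name, const char *old_pw,
                         const char *new_pw)
{
    int changed = 0;
    become_root();
    struct sam_entry *e = sam_lookup(name);
    if (e != NULL && strcmp(e->password, old_pw) == 0) {
        snprintf(e->password, FIELD_LEN, "%s", new_pw);
        changed = 1;
    }
    unbecome_root();
    return changed;
}

/* Tier 3: every other add-or-modify call takes no bracket, so it only
 * succeeds when the daemon is already root. */
int samr_add_user(const char *name, const char *pw)
{
    if (!is_root() || sam_count >= MAX_USERS) return 0;
    if (sam_lookup(name) != NULL) return 0;   /* no duplicate accounts */
    snprintf(sam[sam_count].name, FIELD_LEN, "%s", name);
    snprintf(sam[sam_count].password, FIELD_LEN, "%s", pw);
    sam_count++;
    return 1;
}

int main(void)
{
    printf("alice exists: %d\n", samr_query_user_exists("alice"));
    printf("change with wrong old pw: %d\n",
           samr_change_password("alice", "wrong", "x"));
    printf("change with right old pw: %d\n",
           samr_change_password("alice", "old-secret", "new-secret"));
    printf("add user while unprivileged: %d\n", samr_add_user("carol", "pw"));
    become_root();
    printf("add user as root: %d\n", samr_add_user("carol", "pw"));
    unbecome_root();
    printf("still root after brackets: %d\n", is_root());
    return 0;
}
```

The nesting counter is what makes a forgotten unbecome_root() visible: if is_root() is still true after a request completes, a bracket was left open and every later lookup runs privileged, which is the "become_rotten" failure mode the thread jokes about.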