force mode (Was: RE: more thoughts on Samba permissions manipulat
Branko Cibej
branko.cibej at hermes.si
Fri Jun 18 20:17:20 GMT 1999
Edward Jajko wrote:
> :)Actually, the correct fix for this particular Microsoftish misfeature is to
> :)cache the permissions and ownership of deleted files for a few seconds, and
> :)restore them if the same file is created again while the info in the cache is
> :)still alive.
>
> This sounds like a very nasty security hole- if one were to do this, you
> should at least force a restriction to a nonprivileged account.
Well ...
> :)Hmmm ... now that I think about it, caching the permissions isn't enough -- you
> :)have to preserve hard links, i.e. the node number, too. Which means you have to
> :)"logically" delete the file: put it in a table of invisible files, perhaps
> :)rename it to, e.g., `.#deleted#<filename>', and delay the unlink. Should be
> :)fairly easy to do in a VFS module, and the nice thing is that if you're allowed
> :)to delete a file, you're also allowed to rename it (don't know about the sticky
> :)bit semantics, though).
>
> And this sounds like the biggest security hole yet ;)
... yes and no:
* the cache must be per-process -- only the user who deleted the file may create
it again;
* she must also have read and write permission to the file (the latter is required
by CIFS for delete, I think).
So the security hole is as large as the administrator makes it. There are already
other such potential holes, such as "force user = root", f'r instance :-)
If VFS modules are service-specific, and no ordinary user can edit the config files,
I think you can make it safe.
Brane
--
Branko Čibej <branko.cibej at hermes.si>
HERMES SoftLab, Litijska 51, 1000 Ljubljana, Slovenia
voice: (+386 61) 186 53 49 fax: (+386 61) 186 52 70
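To make the "logical delete" scheme from the message above concrete, here is an added toy model (example code written for this page, not Samba's VFS or anything from the thread). It assumes a caller-supplied uid and clock, a `.#deleted#<name>` hidden name as suggested, and a fixed TTL; the "read and write permission" check the message mentions is left to the caller.

```python
"""Toy model of delayed unlink with per-user reclaim (added example, not Samba code).

Delete renames the file to `.#deleted#<name>` and records who deleted it.
A create of the same name by the *same* user within TTL seconds renames it
back, so mode bits and the inode (hence hard links) survive a Windows
delete-then-recreate.  Any other user, or a create after the TTL, gets a
fresh file and the stale copy is really unlinked, so nothing leaks.
"""
import os
import time

TTL = 5.0  # seconds a "deleted" file stays reclaimable (assumed value)


class DelayedUnlinkVFS:
    def __init__(self):
        # final path -> (uid of deleter, hidden path, expiry time)
        self._pending = {}

    @staticmethod
    def hidden_name(path):
        d, name = os.path.split(path)
        return os.path.join(d, ".#deleted#" + name)

    def _expire(self, now):
        # Late creates must not reclaim old metadata: drop stale entries.
        for path, (_, hidden, expiry) in list(self._pending.items()):
            if expiry <= now:
                os.unlink(hidden)
                del self._pending[path]

    def unlink(self, path, uid, now=None):
        now = time.monotonic() if now is None else now
        self._expire(now)
        hidden = self.hidden_name(path)
        os.rename(path, hidden)  # same inode, same mode, hard links intact
        self._pending[path] = (uid, hidden, now + TTL)

    def create(self, path, uid, mode=0o644, now=None):
        """Return an fd as open-for-create would; truncates like CREATE_ALWAYS."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        entry = self._pending.pop(path, None)
        if entry is not None:
            deleter, hidden, _ = entry
            if deleter == uid:  # the per-user rule from the message
                os.rename(hidden, path)  # restore inode and permissions
                return os.open(path, os.O_RDWR | os.O_TRUNC)
            os.unlink(hidden)  # someone else: never hand over old metadata
        return os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, mode)
```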