security review of authorise_login() requested (or an explanation

Luke Kenneth Casson Leighton lkcl at samba.org
Tue Feb 8 07:38:43 GMT 2000


On Mon, 7 Feb 100 jeremy at varesearch.com wrote:

> > 
> > hi, why is authorise_login() doing a check for a previously registered
> > guest username, and then if this succeeds, setting the guest status to
> > True without reinitialising any other info?
> > 
> > i mean, is it _ok_ to reuse user_structs like this?
> 
> No, usually it isn't although being remote right now
> I can't take a look at what you're referring to.

oo.
 
> That's why I don't think you should be rewriting this
> code :-).

no, i agree with you, i shouldn't.  i'm really naary about it all, doing
as little as i can to solve some of the more major problems i come across.

e.g. if i have no user session key, i'm forced to add NET_USER_INFO_3 to
the damn user_struct, to cache the user login response from the PDC!


