SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts

Luke Kenneth Casson Leighton lkcl at samba.org
Wed Feb 9 21:18:41 GMT 2000


> keeping a 1-1 mapping doesn't help. All that means is you are using
> the unix kernel as a storage place for 1 global variable. That global

[Forall(Arguments where security-context exists) apply same
logic-reasoning/justifications that are in smbd, to msrpc daemons].

ehh?  so... what does become_user() do, then?  and why am i doing a
become_user() in the msrpc code?  because it's done in smbd, that's why.


> variable (the euid) has nothing to do with the meaning you are giving
> it in msrpcd. Imagine someone who stored the day of the week in the
> euid - you could do it by using seteuid() and geteuid(), but it would
> be a very bad thing to do.

well, i take it that in smbd we don't allow code patches that do
seteuid(time(NULL)), right???

> on several occasions you said you don't want to implement a security
> system in msrpcd, you want to use the unix uid system to do that. The

yes.  maintaining a one-to-one _conceptual_ representation between a [to
some people, non-existent] NT security context and a unix one.  see
user_struct in tng.  i added NET_USER_INFO_3 structure, it contains
everything that's needed [i hope!].

> problem is that the unix security system knows nothing about the
> objects you're protecting, so it doesn't protect them.

ok.  objectively, you're absolutely correct.  conceptually [paradigm-wise,
whatever-you-want-to-call-it], this is wrong.


> So right now you have no protection.

that's not true.  compile up samba tng, connect as an anonymous user with
rpcclient (rpcclient -S smbtng -U% -l log) and issue the lsaquery command,
followed by createuser someusername -p somepassword.

it will fail.

why?

because in srv_samr_dom_tdb.c:_samr_open_domain(), the unix user to which
the anonymous user has been mapped does not have write permission to open
the S-1-5-21-xxx-xxx-xxx.usr.tdb file, because its permissions are
rw-r--r-- and it's owned by root.

it's very simple, and it doesn't need a function which we don't have at
the moment, which does NT-style security permission checking.


> I think it is better to either make it clear
> in the code that there is no msrpc security system or implement one -

not now.  it will take weeks to implement and integrate into all of the
tng functions.  there's well over a hundred of them, andrew.


> using the unix security system in this way just gives a false sense of
> security. 

ok, in what way do you think i am using the unix security system such that
it gives such a non-existent security?

please describe it to me in terms of either pseudo-code or actual
functions (doesn't matter which branch).

i will let you know if this is what i am doing or not.
 
> Cheers, Tridge
> 
> PS: Jeremy says hi :)

hi jeremy, you're moving about a lot!


