SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts

Luke Kenneth Casson Leighton lkcl at samba.org
Wed Feb 9 22:51:53 GMT 2000 

> That said, while a SAM's files are protected by the kernel, yet the SAM
> service must export access to the objects in the SAM files more
> liberally than the Unix kernel protection of the files themselves. Thus
> the SAM daemon must implement its own access controls on the actual
> objects in those files because the Unix kernel knows nothing about those
> objects (and, BTW, I doubt that the NT kernel can permission objects in
> generic binary files; perhaps it can in _some_ structured binary
> files).

i choose to implement, in sambtdb, the "objects" in terms of unix files,
because those are the only kinds of "objects" in unix that i hav e that
will obey "unix" security.

from various discussions with people here, this i know, this i trust,
therefore this i follow.

i don't know what you're talking about with seteuid(), but i do know that
if smbd does a become_user(), and i transfer sufficient info across to
samrd to _Also_ do the same become_user(), and i then set up samtdb
withthe SAM database as files, i will be able to set up unix file
permissions on the SAM database files, and not have to piss about creating
a comprehensive NT security-access system that i'm just not ready to deal
with, right now.

we have _enough_ code sitting around doing bugger-all without adding
ANOTHER major set of functionality that will delay the introduction of nt
domain functionality for unix / samba.

> > seteuid(ntcontextid). Both would be wrong. Both are "harmless" in that
> > they don't actually break anything, but both give the impression that
> > something is being protected. In both cases that impression would be
> > wrong.
> 
> Even if you mapped the NT SID+RID to a Unix UID that seteuid() will be
> useless.

who said i am doing a seteuid()? i didn't.

i said i'm doing a become_user().  exactly what that does i actually
couldn't care less.  if smbd trust5s become_user to do the right job, then
so do i, in the msrpc daemons.
 
> > this trick gives you two security contexts - those that have write
> > permission on system files are those that don't. 
> 
> This trick is bad. The SAM daemon should only open its DB at startup and
> after any event where it must close it for maintenance (say,
> rewriting). Access to the records in SAM db must be controlled not by
> the DB's file permissions but by code in the SAM daemon (and ACLs,
> implicit or explicit, in the SAM DB).

that's one implemtation.  i choose not to implement it that way.
 
> > even if this is all you want, then it is still the wrong way to go about
> > it. It is using a side effect in a way that is not at all obvious,
> > which is always a very bad thing to do with security. Instead it would
> > be miles better to do:
> > 
> > if (this_is_an_anonymous_connection) {
> >    return ACCESS_DENIED;
> > }
> > 
> > that makes it explicit in the code, and doesn't require the rather
> > complex maneuvering in the uid handling code in smbd.
> 
> Not only that, the code should look more like:
> 
> if (this_caller != owner_of_this_object && this_caller != administrator/root)
> {
>     return ACCESS_DENIED;
> }
> 
> Or better yet:
> 
> if ( ! ACLeval(this_object, this_caller) )
> {
>     return ACCESS_DENIED;
> }

yes.  i know that.  i've known that for about a year.  i know exactly how
it _should_ be implemented.

i expect the implemtation to delay the introduction of tng by several
months, whilst we work out exactly what all the this_object's for every
single function call and info level.

> > the functions and a set of flags that says whether the function can be
> > run on an anonymous connection. Default all of them to no.
> 
> Right.

wrong [to the default = no bit, see other message]

> Or implement some rules and/or ACLs as above.
> 
> Besides, if you design the access control system correctly then you can
> re-use it elsewhere (hint, hint; Luke appears to like this sort of
> thought; make it a library).

yes.  actually, it's just one function call, identical parameters and
functionality to its NT equivalent.
 
> Remember the mk_tdb concept I was sharing before? Now add a layer that
> allows storing of ACLs and ACEs too and you've got a SAM_TDB concept
> that's pretty complete.

yep!

More information about the samba-technical mailing list