How the heck can it work?

Ron Alexander rcalex at home.com
Mon Jul 24 21:09:15 GMT 2000


I just discovered part of the problem. What I have been trying to do all day
now is to RESTRICT swat so only the root user could modify the smb.conf
file. The mistake I made was to start inetd as root. This somehow gave swat
different rights (I suspect real UID vs EUID).

To answer your question, if I SUID the swat pgm, I see the start and stop
buttons on the status page.

Here is the problem. I do NOT get a login screen for swat since I have to
run it in -a mode. The reason I have to do that, is that the encrypted
password is NOT returned in the pwnam structure. This is an extension to
POSIX and we have decided not to implement it since many of our *nix cousins
are starting to toe the POSIX line.

My understanding is that I lose the password maintenance screen of swat if I
use -a mode. I can live with that for now.

I assume therefore that I must be running as root group root and the 640
perms on the smb.conf file are controlling the behavior.

At this point, I can either give everyone the ability to look at the main
page and view the config, or only allow the root user full access and
everyone else no access.

TIA,
Ron

-----Original Message-----
From: James Sutherland [mailto:jas88 at cam.ac.uk]
Sent: July 24, 2000 4:21 PM
To: Ron Alexander
Cc: Gerald Carter; Samba-Technical
Subject: RE: How the heck can it work?


On Mon, 24 Jul 2000, Ron Alexander wrote:

> What do you mean by It? Can you kindly be a little more specific as I see
it
> the following are involved.
>
> 1. The inetd daemon. What perms, SUID etc should it have.

Hopefully it's doing the same as on Unix - i.e. just start up the swat
program as the user specified in /etc/inetd.conf.

> 2. The inetd.conf. It specifies root as one of the parameters. Why?

swat must start up as root when called by inetd. It then works out what
user is logging in, and becomes that user.

> 3. The swat program. If I make it SUID it works differently.

SUID to root, you mean? By "differently", does it work properly or not??

> 4. The perms on the smb.conf file.

Owned by the user/group you'll be running swat as for authorised use,
presumably.

> I know VOS is not Unix. Do you mind helping someone port samba to a new
> platform? (notwithstanding the non POSIX port of 1.9... by Erik)

The more the merrier, surely? :)


James





More information about the samba-technical mailing list