How the heck can it work?

Ron Alexander rcalex at home.com
Mon Jul 24 22:17:23 GMT 2000


What I meant is that the returning of the password (encrypted or not) is
not allowed in a POSIX conforming application. The API call is 'struct
passwd *getpwnam(const char *name);'. Neither the pw_password nor pw_gecos
fields of the passwd struct are available in POSIX.1.

As far as I know, there is no other method to get the password.

The 'toeing the line' comment was from a friend of mine who pointed out that
many non POSIX conforming systems were changing the getpwnam call to NOT
return the password so they would be POSIX conforming. Now that I think
about it though, it makes no sense unless there is another way to
authenticate a user.

Thanks,
Ron Alexander
35 months to retirement.

-----Original Message-----
From: Steve Langasek [mailto:vorlon at netexpress.net]
Sent: July 24, 2000 5:36 PM
To: Ron Alexander
Cc: James Sutherland; Gerald Carter; Samba-Technical
Subject: RE: How the heck can it work?


On Mon, 24 Jul 2000, Ron Alexander wrote:

> I just discovered part of the problem. What I have been trying to do all
> day now is to RESTRICT swat so only the root user could modify the smb.conf
> file. The mistake I made was to start inetd as root. This somehow gave swat
> different rights (I suspect real UID vs EUID).

> To answer your question, if I SUID the swat pgm, I see the start and stop
> buttons on the status page.

> Here is the problem. I do NOT get a login screen for swat since I have to
> run it in -a mode. The reason I have to do that, is that the encrypted
> password is NOT returned in the pwnam structure. This is an extension to
> POSIX and we have decided not to implement it since many of our *nix
> cousins are starting to toe the POSIX line.

> My understanding is that I lose the password maintenance screen of swat if
> I use -a mode. I can live with that for now.

> I assume therefore that I must be running as root group root and the 640
> perms on the smb.conf file are controlling the behavior.

> At this point, I can either give everyone the ability to look at the main
> page and view the config, or only allow the root user full access and
> everyone else no access.

From the swat man page:

-a
	This option disables authentication and puts swat in demo mode. In
	that mode anyone will be able to modify the smb.conf file.

So if you run swat with the -a option, you can't control who will be able to
modify the smb.conf file using swat because at that point, swat has no
concept of a 'user'.  Whatever permissions the user listed in inetd.conf are
the permissions that everyone who uses it will have, unless you turn
authentication on.

I'm not sure what you mean when you say that Unices are 'starting to toe the
POSIX line'.  All Unices have some concept of a password associated with
login IDs; if the password isn't returned by getpwnam(), then there's another
standard system function that can be used for retrieving it.  Does VOS not
have such a function?

Steve Langasek
postmodern programmer
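
An added example, not part of the original thread and not Samba's code: a fail-closed check that a swat-like daemon could apply to what getpwnam() returns, so that a missing pw_passwd leads to a denied login instead of running with authentication switched off. The marker conventions ("x", a leading '*' or '!') are those of common Unix password files and are assumptions here, as is the helper name can_verify_password.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

enum pw_field {
    PW_ABSENT,       /* field is NULL: the platform does not expose it */
    PW_EMPTY,        /* empty string: nothing to verify a password against */
    PW_PLACEHOLDER,  /* "x": the hash is kept in a separate protected store */
    PW_LOCKED,       /* starts with '*' or '!': password login is disabled */
    PW_HASH          /* looks like a stored hash that can be compared against */
};

/* Classify pw_passwd using common Unix conventions (an assumption here). */
enum pw_field classify_pw_field(const char *field)
{
    if (field == NULL)                      return PW_ABSENT;
    if (field[0] == '\0')                   return PW_EMPTY;
    if (strcmp(field, "x") == 0)            return PW_PLACEHOLDER;
    if (field[0] == '*' || field[0] == '!') return PW_LOCKED;
    return PW_HASH;
}

/* Hypothetical policy helper: returns 1 only when there is a hash to verify
 * against. In every other case the caller must refuse the login rather than
 * skip authentication. */
int can_verify_password(const struct passwd *pw)
{
    return pw != NULL && classify_pw_field(pw->pw_passwd) == PW_HASH;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "root";
    struct passwd *pw = getpwnam(name);

    if (pw == NULL) {
        printf("%s: no such account, deny\n", name);
        return 1;
    }
    if (!can_verify_password(pw)) {
        printf("%s: no usable hash from getpwnam() (class %d), deny\n",
               name, (int)classify_pw_field(pw->pw_passwd));
        return 1;
    }
    printf("%s: hash available, password check possible\n", name);
    return 0;
}
```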





