How the heck can it work?

Luke Kenneth Casson Leighton lkcl at samba.org
Tue Jul 25 17:18:40 GMT 2000


possible problems with getpeername() when running from inetd?

On Mon, 24 Jul 2000, James Sutherland wrote:

> On Mon, 24 Jul 2000, Ron Alexander wrote:
> 
> > I just discovered part of the problem. What I have been trying to do all day
> > now is to RESTRICT swat so only the root user could modify the smb.conf
> > file. The mistake I made was to start inetd as root. This somehow gave swat
> > different rights (I suspect real UID vs EUID).
> 
> Sounds like your inetd is very different from Unix, then. Under Unix,
> IIRC:
> 
> inetd runs as root
> 
> When a connection arrives, inetd will fork a new process, which sets UID
> to that specified for this port in inetd.conf, then execs the appropriate
> file.
> 
> This file is then run as the specified user from inetd.conf. Setting it to
> be SUID will give it an EUID of the file owner, keeping a UID as specified
> in inetd.conf.
> 
> > To answer your question, if I SUID the swat pgm, I see the start and stop
> > buttons on the status page.
> > 
> > Here is the problem. I do NOT get a login screen for swat since I have to
> > run it in -a mode. The reason I have to do that, is that the encrypted
> > password is NOT returned in the pwnam structure. This is an extension to
> > POSIX and we have decided not to implement it since many of our *nix cousins
> > are starting to toe the POSIX line.
> > 
> > My understanding is that I lose the password maintenance screen of swat if I
> > use -a mode. I can live with that for now.
> > 
> > I assume therefore that I must be running as root group root and the 640
> > perms on the smb.conf file are controlling the behavior.
> > 
> > At this point, I can either give everyone the ability to look at the main
> > page and view the config, or only allow the root user full access and
> > everyone else no access.
> 
> OK, long term solution: patch swat to handle password properly on VOS. How
> are they stored - shadow-file or similar?? Or is there an API call to
> retrieve it for a given user?
> 
> 
> James.
> 
> 

Luke Kenneth Casson Leighton    <lkcl at samba.org>
Samba and Network Development   http://cb1.com/~lkcl
Samba Web site                  http://samba.org
 
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
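The two mechanics discussed above, getpeername() on the inherited socket when a service is started by inetd and the real-UID/effective-UID split James describes for a set-UID binary, shown in an added C example that is not SWAT's or Samba's code; `describe_invocation` and `may_edit_config` are hypothetical helpers.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

/* What an inetd-started service inherits: fd 0 is the accepted connection,
 * the real UID is the user named in inetd.conf, and the effective UID is the
 * owner of the binary if it is set-UID. Hypothetical helper, not SWAT's code. */
struct invocation {
    uid_t ruid, euid;
    int from_inetd;                 /* 1 when fd is a connected socket */
    int family;                     /* AF_INET, AF_INET6, AF_UNIX or -1 */
    char peer[INET6_ADDRSTRLEN];    /* peer address, "local" or "not-a-socket" */
};

/* Fill *inv from fd (0 when started by inetd). Returns 0 on success, -1 if
 * getpeername() fails; run from a terminal that is ENOTSOCK, which is the
 * case a CGI like SWAT must tolerate instead of treating as an error. */
int describe_invocation(int fd, struct invocation *inv)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    memset(inv, 0, sizeof *inv);
    inv->ruid = getuid();
    inv->euid = geteuid();
    inv->family = -1;
    strcpy(inv->peer, "not-a-socket");
    if (getpeername(fd, (struct sockaddr *)&ss, &len) < 0)
        return -1;                  /* errno tells why, e.g. ENOTSOCK */
    inv->from_inetd = 1;
    inv->family = ss.ss_family;
    if (ss.ss_family == AF_INET)
        inet_ntop(AF_INET, &((struct sockaddr_in *)&ss)->sin_addr, inv->peer, sizeof inv->peer);
    else if (ss.ss_family == AF_INET6)
        inet_ntop(AF_INET6, &((struct sockaddr_in6 *)&ss)->sin6_addr, inv->peer, sizeof inv->peer);
    else
        strcpy(inv->peer, "local");
    return 0;
}

/* Deciding who may edit the config must key on the caller's real identity:
 * in a set-UID binary the effective UID is always the file owner, so only the
 * real UID (or the user SWAT authenticated) separates root from everyone. */
int may_edit_config(const struct invocation *inv)
{
    return inv->ruid == 0;
}
```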