CVS update: samba/source/rpc_server
abartlet at pcug.org.au
Fri Nov 9 17:14:01 GMT 2001
Andrew Bartlett wrote:
> Jeremy Allison wrote:
> > On Sat, Nov 10, 2001 at 10:54:39AM +1100, Andrew Bartlett wrote:
> > > By this point it should be clearer why keeping the 'have vuid' case
> > > should be kept simple - particularly given the security issues with the
> > > current code. (Users of NT4 terminal server are advised to always use
> > > the registry hack to permit multiple connections to samba, for both
> > > performance and security reasons).
> > Performance reasons only. Multi-user NT boxes switch vuid and do
> > multiple session setups when multiple users access the shares.
> > There are no security holes known with mutli-user NT/Citrix and
> > samba.
> But they don't do multiple tree connects do they?
> The problem is that the user_ok() code at present doesn't consider the
> guest user case.
> (or the NT ACL in tdb for that matter)
Correct me if I am wrong, but doesn't NT use the same tid for any
subsequent user of a share - ie the roaming profile and \\server\homes
Becouse its the old tid being used, we don't do any of the checks in
make_connection() and as such we don't check the ACL rules, we don't
check the 'guest ok' rules (these are in authorise_login) and we don't
use a per-conn guest user becouse we didn't set 'force_user' in the
Andrew Bartlett abartlet at pcug.org.au
Samba Team member, Build Farm maintainer abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
More information about the samba-technical