Smbpasswd and setuid

Andrew Tridgell tridge at samba.org
Fri Oct 19 15:15:12 GMT 2001


> if ((geteuid() == (uid_t)0) && (getuid() != (uid_t)0)) {
>                 fprintf(stderr, "smbpasswd must *NOT* be setuid root.\n");
>                 exit(1);
>         }
> }

The reason this check is in there is that smbpasswd was not designed
to be setuid. When writing a setuid program you must take a lot more
precautions in the design of the program to ensure that anything in
the environment it is running under cannot make it do something it is
not meant to do. For example, you must be careful about allowing for
command line options that change behaviour or environment variables
that might make the code run in a different way.

These precautions have *not* been taken in writing smbpasswd, just
like they aren't taken in 99% of all programs. We added that check
because we learnt that some people assumed that smbpasswd should have
the same permissions (ie. setuid) as /bin/passwd and even distributed
it that way. That is a *very* bad idea on most unixes, so we put in
the check as a precaution.

> Everyone with the source could compile a program without this precaution, so
> it's more or less a sort of warning, right? Technically there is nothing
> preventing me from doing so, right?

If you do make it setuid then please realise that you may well be
opening up a significant security hole that would allow any local
users to obtain root privileges. This may not matter (or may not even
have a meaning) under MacOSX, but if you are going to distribute this
then I suggest you get a good security programmer to audit your
utility and ensure that you have not created a problem. 

Cheers, Tridge
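The precautions described above (refusing to run setuid root, not trusting the
environment, and dropping privileges so they cannot be regained), as an added C
example. This is not code from Samba or smbpasswd; it assumes a Linux/glibc-style
libc where `environ` can be reassigned and `setenv()` rebuilds it, and the
whitelist of variables to keep (`TERM`, `LANG`, `LC_ALL`) is an arbitrary choice
for the illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

extern char **environ;

/* The condition smbpasswd refuses on: effective uid is root but the real
 * uid is not, i.e. the binary was installed setuid root. Written over the
 * two ids (rather than calling getuid()/geteuid() directly) so it can be
 * exercised without actually being setuid. */
int is_setuid_root(uid_t ruid, uid_t euid)
{
    return euid == (uid_t)0 && ruid != (uid_t)0;
}

/* Variables a privileged program may keep. Everything else (LD_PRELOAD,
 * LD_LIBRARY_PATH, IFS, a caller-supplied PATH, ...) is thrown away.
 * This list is an assumption for the example, not a standard. */
static const char *const keep[] = { "TERM", "LANG", "LC_ALL", NULL };

/* Rebuild the environment from the whitelist and pin PATH to a fixed value.
 * Returns how many variables were dropped. Pointing environ at an empty
 * static array makes the next setenv() allocate a fresh array (glibc and
 * musl behave this way; assumed here). */
int scrub_environment(void)
{
    static char *empty[] = { NULL };
    char *saved[sizeof keep / sizeof keep[0]] = { 0 };
    int total = 0, restored = 0;

    for (char **p = environ; p && *p; p++)
        total++;
    for (int i = 0; keep[i]; i++) {
        const char *v = getenv(keep[i]);
        saved[i] = v ? strdup(v) : NULL;
    }
    environ = empty;
    for (int i = 0; keep[i]; i++) {
        if (saved[i]) {
            setenv(keep[i], saved[i], 1);
            free(saved[i]);
            restored++;
        }
    }
    setenv("PATH", "/usr/bin:/bin", 1); /* never the caller's PATH */
    return total - restored;
}

/* Give up root for good: set the real gid/uid as all three ids (setuid()
 * as root sets real, effective and saved ids), then verify that climbing
 * back to uid 0 fails. Returns 0 on success, -1 if anything went wrong. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    /* If we started out as a non-root user, re-escalation must now fail. */
    if (ruid != (uid_t)0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    if (is_setuid_root(getuid(), geteuid())) {
        fprintf(stderr, "this tool must *NOT* be setuid root.\n");
        return 1;
    }
    printf("dropped %d environment variable(s)\n", scrub_environment());
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "failed to drop privileges\n");
        return 1;
    }
    printf("running as uid %u, euid %u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

The order matters: the setuid check comes before anything that parses options
or reads files, the environment is scrubbed before any library call that might
consult it, and the privilege drop is verified rather than assumed, since a
failed `setuid()` that goes unchecked leaves the program running as root.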




More information about the samba-technical mailing list