Smbpasswd and setuid

The DJ hartman at mac.com
Fri Oct 19 16:24:02 GMT 2001


>> if ((geteuid() == (uid_t)0) && (getuid() != (uid_t)0)) {
>>                 fprintf(stderr, "smbpasswd must *NOT* be setuid root.\n");
>>                 exit(1);
>>         }
>> }
> 
> The reason this check is in there is that smbpasswd was not designed
> to be setuid. When writing a setuid program you must take a lot more
> precautions in the design of the program to ensure that anything in
> the environment it is running under cannot make it do something it is
> not meant to do. For example, you must be careful about allowing for
> command line options that change behaviour or environment variables
> that might make the code run in a different way.
> 
> These precautions have *not* been taken in writing smbpasswd, just
> like they aren't taken in 99% of all programs. We added that check
> because we learnt that some people assumed that smbpasswd should have
> the same permissions (ie. setuid) as /bin/passwd and even distributed
> it that way. That is a *very* bad idea on most unixes, so we put in
> the check as a precaution.
> 
>> Everyone with the source could compile a program without this precaution, so
>> it's more or less a sort of warning, right? Technically there is nothing
>> preventing me to do so, right?
> 
> If you do make it setuid then please realise that you may well be
> opening up a significant security hole that would allow any local
> users to obtain root privileges. This may not matter (or may not even
> have a meaning) under MacOSX, but if you are going to distribute this
> then I suggest you get a good security programmer to audit your
> utility and ensure that you have not created a problem.
> 
> Cheers, Tridge

The application would be called by my program, in a way in which no
additional options other than the ones I have told my application can be
specified (hardcoded in program). The application then asks the OS to run
the application for it in setuid mode, which will then bring up a login
panel to ask the user for appropriate username and passwd to run the
application setuid.

It is not that I would distribute the application standard as setuid. The OS
and the OS alone makes it temporarily setuid if you specify the right
passwd. As far as I can see now (knowing quite a lot more of this than I did
yesterday), the only security breach is if there is a security hole in the
OS parts providing me with this service, and if such a thing were
discovered, it would be the responsibility of Apple to fix.

DJ
---------------------------------------------------------------------------
Universiteit Twente
---------------------------------------------------------------------------
Derk-Jan 'The DJ' Hartman
ICQnr: 10111559
Mail:  mailto:hartman at mac.com
WWW:   http://home.student.utwente.nl/d.hartman/
Goto:  http://www.student.utwente.nl/~macsatcampus
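Tridge's reply above names the two things a program must guard against before it can safely run setuid: inherited environment variables and option handling. The following is an added example in C (my own illustration, not smbpasswd's or Samba's code) that turns the quoted refusal check into a testable function and pairs it with a scrub of the inherited environment, the kind of step a helper that is deliberately run setuid would take before doing anything else. The list of dangerous variable prefixes is an illustrative assumption, not a complete one.

```c
/* Added example, not smbpasswd's code: the refusal check quoted above plus
 * the environment scrubbing a program designed to run setuid would need. */
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Mirrors the quoted check: effective root with a non-root real uid means
 * the binary was installed setuid root. Returns 1 if so, else 0. */
int running_setuid_root(uid_t ruid, uid_t euid)
{
    return euid == (uid_t)0 && ruid != (uid_t)0;
}

/* Illustrative (not exhaustive) list of variables a setuid program must not
 * inherit: they change which code the loader, shell or libraries execute. */
static const char *const dangerous_prefixes[] = {
    "LD_", "DYLD_", "IFS=", "PATH=", "ENV=", "BASH_ENV=", NULL
};

/* Returns 1 if a "NAME=value" entry matches one of the prefixes above. */
int env_entry_is_dangerous(const char *entry)
{
    for (size_t i = 0; dangerous_prefixes[i] != NULL; i++)
        if (strncmp(entry, dangerous_prefixes[i],
                    strlen(dangerous_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Copies the safe entries of 'in' into 'out' (capacity 'cap'), appends a
 * fixed PATH and NULL-terminates. Returns entries written, or -1 if full.
 * A real program would pass 'out' as envp to execve() rather than
 * inheriting the caller's environment. */
int build_safe_env(char *const in[], const char *out[], size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != NULL; i++) {
        if (env_entry_is_dangerous(in[i]))
            continue;
        if (n + 2 >= cap)   /* room for PATH and the terminator */
            return -1;
        out[n++] = in[i];
    }
    out[n++] = "PATH=/usr/bin:/bin";
    out[n] = NULL;
    return (int)n;
}
```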