Smbpasswd and setuid

Scott Gifford sgifford at suspectclass.com
Sat Oct 20 12:02:16 GMT 2001


The DJ <hartman at mac.com> writes:

> >> The application would be called by my program, in a way in which no
> >> additional options other than the ones I have told my application can be
> >> specified (hardcoded in program).
> > 
> > then why not become root in your app before running it? Or write a
> > setuid wrapper?
> > 
> > Having the smbpasswd binary itself setuid seems unnecessary
> > 
> 
> You're thinking too much Unix style now ;-)
> It wouldn't be the Mac way to do it.
> 
> This is how it works.
> I make an app. It is accompanied by an adapted version of smbpasswd which
> will allow itself to run setuid. (I won't distribute it with setuid bit on
> in the permissions or something). In the code I ask the system to run a
> command (smbpasswd -a user) with root privs if a user presses a certain
> button and if he can give the system appropriate loginname/password. If the
> system can confirm this, then the SYSTEM runs the command (setuid, don't ask
> me why, it's the way the API was written.) and gives back results to my app.

Ah, so you're not talking about actually setting the setuid bit on the
smbpasswd executable.  You're talking about your program getting root
privileges (through su or a helper app) in a way that has an effective
UID of root, and a real UID of the username, after doing some kind of
(presumably secure) authentication.  Is that right?

That's certainly safer.  Make sure your application is very careful,
though.

> The only thing I'm a bit worried about is the environment variables of
> libsmb. I don't exactly know how that works. Can any random user affect the
> execution of smbpasswd this way? If so, then I seem to have a problem. I
> would have to write my own variant of the Security API, that would simply
> call sudo.

You just want to clear out the environment before you call it.  If
you're calling it with one of the exec(2) system calls, use one of the
exec?e calls, which let you specify the environment, and simply
specify an empty environment, or else use:

    /usr/bin/env - /bin/su -c cmd

If you're not, it's probably easiest just to look at your own
environment and unset everything.

If the API uses su(1), you may find that it's done automatically
anyways.  You'll have to experiment a little bit.

If you're not making the call yourself, but using an Apple API, you'll
have to find out exactly what the Apple API does before anybody here
can help you much.  I certainly don't know, and I doubt anybody else
here does either (or else they would have piped up by now).  If it's
poorly documented, a command like truss, strace, or ktrace may be of
help if one is available.

Good luck,

----ScottG.
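The two approaches Scott describes (pass the helper an explicit environment through one of the exec?e calls, or unset everything in your own environment first), written out as an added example that is not code from the original message or from Samba. It assumes a POSIX system with fork/execve/waitpid and /bin/sh; the variable name UNTRUSTED_LIBSMB_VAR and the PATH allow-list are constructed for illustration, standing in for whatever variables libsmb might read.

```c
/* clean_exec.c: run a privileged helper without inheriting the caller's
 * environment. Added example, not code from the original message.
 * Assumes POSIX fork/execve/waitpid and /bin/sh. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Count the entries in the calling process's environment. */
int env_count(void)
{
    int n = 0;
    if (environ)
        while (environ[n]) n++;
    return n;
}

/* Approach 1 (the exec?e route): build a small environment from an
 * allow-list of "NAME=value" strings instead of inheriting environ.
 * Returns a NULL-terminated vector sharing the caller's strings. */
char **build_clean_env(const char *const allowed[], size_t count)
{
    char **envp = calloc(count + 1, sizeof *envp);
    if (!envp) return NULL;
    for (size_t i = 0; i < count; i++)
        envp[i] = (char *)allowed[i];
    envp[count] = NULL;              /* execve requires the terminator */
    return envp;
}

/* fork, execve the program with exactly envp (which may be empty), and
 * return its exit status, or -1 on fork/exec/wait failure. Nothing from
 * the parent's environment reaches the child unless it is in envp. */
int run_with_env(const char *path, char *const argv[], char *const envp[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127);                  /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Approach 2 ("look at your own environment and unset everything"):
 * remove every variable from the current process. Returns the number
 * removed, or -1 if an entry has no name to unset (malformed entry). */
int scrub_environment(void)
{
    int removed = 0;
    while (environ && environ[0]) {
        const char *entry = environ[0];
        const char *eq = strchr(entry, '=');
        if (!eq || eq == entry) return -1;
        size_t n = (size_t)(eq - entry);
        char *name = malloc(n + 1);
        if (!name) return -1;
        memcpy(name, entry, n);
        name[n] = '\0';
        int rc = unsetenv(name);
        free(name);
        /* Guard against looping forever if the entry did not go away. */
        if (rc != 0 || (environ && environ[0] == entry)) return -1;
        removed++;
    }
    return removed;
}

/* Show the difference: a constructed "untrusted" variable is visible to a
 * child that inherits environ but not to one given the clean vector.
 * Returns 1 when the clean child saw nothing and the inheriting one did. */
int demo_clean_exec(void)
{
    setenv("UNTRUSTED_LIBSMB_VAR", "attacker-controlled", 1); /* constructed */
    char *const argv[] = { "sh", "-c", "test -z \"$UNTRUSTED_LIBSMB_VAR\"", NULL };
    const char *const allowed[] = { "PATH=/usr/bin:/bin" };
    char **clean = build_clean_env(allowed, 1);
    if (!clean) return 0;
    int inherited = run_with_env("/bin/sh", argv, environ);  /* expect 1 */
    int scrubbed  = run_with_env("/bin/sh", argv, clean);    /* expect 0 */
    free(clean);
    return inherited == 1 && scrubbed == 0;
}

int main(void)
{
    printf("clean exec hides the untrusted variable: %s\n",
           demo_clean_exec() ? "yes" : "no");
    printf("variables scrubbed from own environment: %d\n", scrub_environment());
    printf("entries remaining: %d\n", env_count());
    return 0;
}
```

The allow-list is the safer of the two: with execve and an explicit vector there is no window in which a forgotten variable survives, whereas the unset loop only protects whatever you exec afterwards and still depends on your own process not having been started with something odd in environ. Whichever the Apple API uses internally is exactly the thing to confirm with ktrace before relying on it.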

More information about the samba-technical mailing list