Smbpasswd and setuid

The DJ hartman at mac.com
Sat Oct 20 16:27:01 GMT 2001


> The DJ <hartman at mac.com> writes:
> 
>>>> The application would be called by my program, in a way in which no
>>>> additional options other than the ones I have told my application can be
>>>> specified (hardcoded in program).
>>> 
>>> then why not become root in your app before running it? Or write a
>>> setuid wrapper?
>>> 
>>> Having the smbpasswd binary itself setuid seems unnecessary
>>> 
>> 
>> You're thinking too much unix style now ;-)
>> It wouldn't be the Mac way to do it.
>> 
>> This is how it works.
>> I make an app. It is accompanied by an adapted version of smbpasswd which
>> will allow itself to run setuid. (I won't distribute it with setuid bit on
>> in the permissions or something). In the code I ask the system to run a
>> command (smbpasswd -a user) with root privs if a user presses a certain
>> button and if he can give the system appropriate loginname/password. If the
>> system can confirm this, then the SYSTEM runs the command (setuid, don't ask
>> me why, it's the way the API was written.) and gives back results to my app.
> 
> Ah, so you're not talking about actually setting the setuid bit on the
> smbpasswd executable.  You're talking about your program getting root
> privileges (through su or a helper app) in a way that has an effective
> UID of root, and a real UID of the username, after doing some kind of
> (presumably secure) authentication.  Is that right?
> 
> That's certainly safer.  Make sure your application is very careful,
> though.

Yep that is it. You got it.


>> The only thing I'm a bit worried about is the environment variables of
>> libsmb. I don't exactly know how that works. Can any random user affect the
>> execution of smbpasswd this way? If so, then I seem to have a problem. I
>> would have to write my own variant of the Security API, that would simply
>> call sudo.
> 
> You just want to clear out the environment before you call it.  If
> you're calling it with one of the exec(2) system calls, use one of the
> exec?e calls, which let you specify the environment, and simply
> specify an empty environment, or else use:
> 
>   /usr/bin/env - /bin/su -c cmd
> 
> .  If you're not, probably easiest just to look at your own
> environment and unset everything.
> 
> If the API uses su(1), you may find that it's done automatically
> anyways.  You'll have to experiment a little bit.
> 
> If you're not making the call yourself, but using an Apple API, you'll
> have to find out exactly what the Apple API does before anybody here
> can help you much.  I certainly don't know, and I doubt anybody else
> here does either (or else they would have piped up by now).  If it's
> poorly documented, a command like truss, strace, or ktrace may be of
> help if one is available
> 
> Good luck,
> 
> ----ScottG.

I'll post this stuff to the omnigroup mailing lists. They have some apple
programming freaks, who might know about the environment parts in the
security API, although I doubt it. I'll probably have to experiment ;-)

Thanx for all the help ppl.
DJ

---------------------------------------------------------------------------
Universiteit Twente
---------------------------------------------------------------------------
Derk-Jan 'The DJ' Hartman
ICQnr: 10111559
Mail:  mailto:hartman at mac.com
WWW:   http://home.student.utwente.nl/d.hartman/
Goto:  http://www.student.utwente.nl/~macsatcampus
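The advice quoted in the thread, to hand the privileged helper an explicitly constructed environment instead of letting it inherit the caller's, as an added C example that is not from the thread or from Samba. `DEMO_UNTRUSTED` is a constructed variable name standing in for anything a user might set, and `/bin/sh` stands in for the helper binary; it exits 0 only when the variable did not reach it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

extern char **environ;

/* Minimal environment for the privileged helper: a fixed PATH and nothing
 * else, so no variable set by the calling user is inherited. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Fork and exec argv[0] with the given environment; return the child's exit
 * status, or -1 on failure. envp == NULL means "inherit our environment",
 * which is the unsafe behaviour of plain execv()/system(). */
int run_helper(char *const argv[], char *const envp[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp ? envp : environ);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Run a shell that tests whether DEMO_UNTRUSTED (constructed name) was
 * inherited: returns 0 if the child does not see it, 1 if it does. */
int child_sees_var(int clean)
{
    char *const argv[] = { "/bin/sh", "-c", "[ -z \"$DEMO_UNTRUSTED\" ]", NULL };
    return run_helper(argv, clean ? clean_env : NULL);
}

int main(void)
{
    setenv("DEMO_UNTRUSTED", "1", 1);    /* simulate a user-controlled variable */
    printf("inherited env: child sees var? %s\n", child_sees_var(0) ? "yes" : "no");
    printf("clean env:     child sees var? %s\n", child_sees_var(1) ? "yes" : "no");
    return 0;
}
```

The same effect from a shell or via `su` is what `/usr/bin/env - /bin/su -c cmd` in the quoted reply achieves: `env -` starts the command with an empty environment.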