[BUG] What if somebody uses our PROF_SHMEM_KEY?

Andrew Bartlett abartlet at pcug.org.au
Fri Sep 7 04:06:02 GMT 2001


Andrew Bartlett wrote:
> 
> I'm a little worried about what happens if somebody else uses the same
> shared memory key as samba:  From what I have seen, if somebody else (in
> particular an unprivileged user) creates a SHM segment with the correct
> key they can prevent any SMBD from starting on the system.
> 
> This is because we check that root created the shm segment before we use
> it.
> 
> With the recent changes to always build create the profiling shared
> memory area - and the dropping of the root-ownership check, I'm a little
> worried about the implications if we overwrite another process's data.
> (I have a patch to restore this check, in the form of
> sec_initial_uid()).

This is the patch I refer to, but there is more to this problem than
this...

Index: profile/profile.c
===================================================================
RCS file: /data/cvs/samba/source/profile/profile.c,v
retrieving revision 1.12
diff -u -r1.12 profile.c
--- profile/profile.c	18 Jul 2001 01:13:16 -0000	1.12
+++ profile/profile.c	7 Sep 2001 10:55:27 -0000
@@ -130,12 +130,10 @@
 		return False;
 	}
 
-#if 0
-	if (shm_ds.shm_perm.cuid != 0 || shm_ds.shm_perm.cgid != 0) {
-		DEBUG(0,("ERROR: root did not create the shmem\n"));
+	if (shm_ds.shm_perm.cuid != sec_initial_uid() || shm_ds.shm_perm.cgid
!= sec_initial_gid()) {
+		DEBUG(0,("ERROR: we did not create the shmem (owned by another
user)\n"));
 		return False;
 	}
-#endif
 
 	if (shm_ds.shm_segsz != sizeof(*profile_h)) {
 		DEBUG(0,("WARNING: profile size is %d (expected %d). Deleting\n",
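Review bot: the restored test on `shm_ds.shm_perm.cuid` / `cgid` still ends in `return False`, so a segment created in advance under this key by another user keeps this function failing; the check stops us from using or overwriting foreign memory but does not address the start-up failure described in the mail. The DEBUG message should also report the creator ids actually found (`shm_ds.shm_perm.cuid`, `shm_ds.shm_perm.cgid`), so an administrator can identify and remove the offending segment. Finally, the text says "owned by another user" while the test is on the creator fields rather than the owner fields (`uid`/`gid`); "created by another user" would match what is checked.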

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Samba Team member, Build Farm maintainer        abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
