Should samba become_root() before calling panic action?
MCCALL,DON (HP-USA,ex1)
don_mccall at hp.com
Tue Apr 8 18:39:53 GMT 2003
Might it be better to leave this to the panic script itself; i.e.
require a 'su' to root in the panic script to ensure that it runs as
root to do the gdb backtrace???
Not completely secure either, but putting responsibility into the *ux
admin's hands might be safer than preempting that choice in our code...
Hope this helps,
Don
> -----Original Message-----
> From: Steve Langasek [mailto:vorlon at netexpress.net]
> Sent: Tuesday, April 08, 2003 14:29
> To: samba-technical at lists.samba.org
> Subject: Should samba become_root() before calling panic action?
>
>
> Hello,
>
> The printing problems in 3.0 alpha23 have also brought to light a
> lower-priority issue within Samba's panic action handling. I have a
> panic action script for Debian which is configured to automatically
> mail the admin a backtrace if gdb is installed. However, with the
> latest bug we're seeing an empty backtrace instead, and I believe this
> is because the spawned gdb process doesn't have permission to ptrace
> the smbd process, due to the crash occurring in a part of the code
> where Samba has assumed the user's uid.
>
> This could be fixed by calling become_root() before invoking the panic
> action script. Do people think that would be reasonable? It does
> represent a marginal security risk; even if the Samba code is
> completely bug-free, if a local admin has configured a bad panic
> action, a user could kill -SEGV his own Samba process to trigger
> running a potentially damaging script as root. OTOH, being able to get
> instant backtraces is definitely a debugging boon.
>
> Anyone feel strongly about this?
>
> Regards,
> --
> Steve Langasek
> postmodern programmer
>
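
The ptrace permission problem described in the quoted message, as an added example that is not part of either e-mail or of Samba: a check a panic action script could run before invoking gdb, so that a refused attach is logged instead of producing an empty backtrace. The function names and the sample status text are hypothetical, and the check assumes the Linux /proc/<pid>/status layout.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux /proc/<pid>/status,
# whose "Uid:" line lists real, effective, saved and filesystem uid.

# valid_pid ARG: accept only a plain decimal pid before it reaches gdb.
valid_pid() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# can_attach MY_UID STATUS_FILE
# Simplified uid part of the Linux ptrace access check: a non-root caller
# must match the target's real, effective and saved uid. Ignores gids,
# the dumpable flag, capabilities and LSM policy.
# Returns 0 = attach plausible, 1 = will be refused, 2 = status unusable.
can_attach() {
    [ -r "$2" ] || return 2
    uids=$(awk '$1 == "Uid:" { print $2, $3, $4; exit }' "$2")
    [ -n "$uids" ] || return 2
    [ "$1" -eq 0 ] && return 0
    for u in $uids; do
        [ "$u" -eq "$1" ] || return 1
    done
    return 0
}

# Constructed sample: a daemon that switched only its effective uid to 1000.
sample_status() {
    printf 'Name:\tdaemon\nPid:\t4242\nUid:\t0\t1000\t0\t1000\n'
}

# Demo: what a panic action script could log instead of an empty backtrace.
tmp=$(mktemp) && sample_status > "$tmp"
for caller in 1000 0; do
    if can_attach "$caller" "$tmp"; then
        echo "uid $caller: attach allowed, run gdb"
    else
        echo "uid $caller: attach refused, log this instead of a backtrace"
    fi
done
rm -f "$tmp"
```

In a real script the status file would be /proc/<pid>/status for the pid passed to the panic action, after valid_pid has accepted it.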