Should samba become_root() before calling panic action?

Steve Langasek vorlon at netexpress.net
Tue Apr 8 18:58:34 GMT 2003


On Tue, Apr 08, 2003 at 02:39:53PM -0400, MCCALL,DON (HP-USA,ex1) wrote:
> Might it be better to leave this to the panic script itself; ie
> require a 'su' to root in the panic script to ensure that it runs as
> root to do the gdb backtrace???
> Not completely secure either, but putting responsibility into the *ux
> admin's hands might be safer than preempting that choice in our code...
> hope this helps,

How would you accomplish this?  The only ways I can think of doing this
(passwordless su; or encoding the root password in the panic action
script, which must be world-readable to be usable in this circumstance)
are far more dangerous, IMHO, than the hypothetical risk of an admin
deploying an insecure panic action script.

It would be possible to get the same result with an suid perl script, or
an suid binary executable, but either of those solutions seems rather
ugly to me.

Regards,
-- 
Steve Langasek
postmodern programmer


> > -----Original Message-----
> > From: Steve Langasek [mailto:vorlon at netexpress.net]
> > Sent: Tuesday, April 08, 2003 14:29
> > To: samba-technical at lists.samba.org
> > Subject: Should samba become_root() before calling panic action?
> > 
> > 
> > Hello,
> > 
> > The printing problems in 3.0 alpha23 have also brought to light a
> > lower-priority issue within Samba's panic action handling.  I have a
> > panic action script for Debian which is configured to automatically mail
> > the admin a backtrace if gdb is installed.  However, with the latest bug
> > we're seeing an empty backtrace instead, and I believe this is because
> > the spawned gdb process doesn't have permission to ptrace the smbd
> > process, due to the crash occurring in a part of the code where Samba
> > has assumed the user's uid.
> > 
> > This could be fixed by calling become_root() before invoking the panic
> > action script.  Do people think that would be reasonable?  It does
> > represent a marginal security risk; even if the Samba code is completely
> > bug-free, if a local admin has configured a bad panic action, a user
> > could kill -SEGV his own Samba process to trigger running a potentially
> > damaging script as root.  OTOH, being able to get instant backtraces is
> > definitely a debugging boon.
> > 
> > Anyone feel strongly about this?
> > 
> > Regards,
> > -- 
> > Steve Langasek
> > postmodern programmer
> > 
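The thread weighs the debugging value of a root-run panic action against the risk that a user who sends SIGSEGV to their own smbd gets an admin's sloppy script executed as root. The wrapper below is an added example, not Samba's code or the Debian panic-action script: it gates execution of the configured script on the file being owned by the invoking user and not writable by group or others, scrubs the environment inherited from the crashing process, and writes the gdb backtrace to a file readable only by the invoking user. It assumes GNU stat(1) for the `%A` mode string, a gdb that accepts `-batch`, `-ex` and `-p`, and that smb.conf passes the pid with the `%d` substitution; the function names and the `/etc/samba/panic-action` path are illustrative.

```sh
#!/bin/sh
# Added example (not Samba's or Debian's code): a gate for Samba's
# "panic action" that refuses to run a script as the current user
# (root, if smbd calls become_root() first) unless the script is owned
# by that user and is not writable by group or others.
# Assumes GNU stat(1). Illustrative smb.conf line:
#   panic action = /usr/local/sbin/panic-wrapper /etc/samba/panic-action %d

# safe_to_run FILE: succeed only if FILE is a regular file, owned by the
# invoking user, with neither the group nor the other write bit set.
safe_to_run() {
    f=$1
    [ -f "$f" ] || return 1
    owner=$(stat -c '%u' "$f") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    # %A yields e.g. "-rwxr-xr-x": index 5 is group write, index 8 other write
    mode=$(stat -c '%A' "$f") || return 1
    case $mode in
        ?????w*) return 1 ;;      # group-writable
        ????????w*) return 1 ;;   # world-writable
    esac
    return 0
}

# collect_backtrace PID OUTFILE: attach gdb in batch mode to PID and save
# the backtrace with mode 0600. Fails (status 1) when gdb is not installed.
# Only works if the invoking user is allowed to ptrace PID, which is the
# whole reason the thread discusses calling become_root() first.
collect_backtrace() {
    pid=$1
    out=$2
    command -v gdb >/dev/null 2>&1 || return 1
    ( umask 077; gdb -batch -ex 'thread apply all bt' -p "$pid" > "$out" 2>&1 )
}

# run_panic_action SCRIPT PID: run SCRIPT with a minimal, fixed environment
# so nothing the crashing process inherited (PATH, LD_*, IFS) reaches it.
# Returns 2 and runs nothing when SCRIPT fails safe_to_run.
run_panic_action() {
    script=$1
    pid=$2
    if ! safe_to_run "$script"; then
        echo "panic-wrapper: refusing to run $script (owner or mode unsafe)" >&2
        return 2
    fi
    env -i PATH=/usr/bin:/bin HOME=/ "$script" "$pid"
}
```

The ownership and mode check mirrors the rule cron and sudo apply to their own configuration: a file that the calling user did not write, and that others could have rewritten, is not trusted. It does not make a badly written but root-owned script safe; it only removes the case where a non-root user can change what runs.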