Should samba become_root() before calling panic action?

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Tue Apr 8 19:11:54 GMT 2003


Sorry,
you're right, of course; was forgetting that PERL itself would have to
read the script in to execute it, it wouldn't be running as a pure
executable itself.
Never mind...
Don

> -----Original Message-----
> From: Steve Langasek [mailto:vorlon at netexpress.net]
> Sent: Tuesday, April 08, 2003 14:59
> To: MCCALL,DON (HP-USA,ex1)
> Cc: samba-technical at lists.samba.org
> Subject: Re: Should samba become_root() before calling panic action?
> 
> 
> On Tue, Apr 08, 2003 at 02:39:53PM -0400, MCCALL,DON (HP-USA,ex1) wrote:
> > Might it be better to leave this to the panic script itself; i.e.
> > require a 'su' to root in the panic script to ensure that it runs as
> > root to do the gdb backtrace???
> > Not completely secure either, but putting responsibility into the *ux
> > admin's hands might be safer than preempting that choice in our code...
> > hope this helps,
> 
> How would you accomplish this?  The only ways I can think of doing this
> (passwordless su; or encoding the root password in the panic action
> script, which must be world-readable to be usable in this circumstance)
> are far more dangerous, IMHO, than the hypothetical risk of an admin
> deploying an insecure panic action script.
> 
> It would be possible to get the same result with an suid perl script, or
> an suid binary executable, but either of those solutions seems rather
> ugly to me.
> 
> Regards,
> -- 
> Steve Langasek
> postmodern programmer
> 
> 
> > > -----Original Message-----
> > > From: Steve Langasek [mailto:vorlon at netexpress.net]
> > > Sent: Tuesday, April 08, 2003 14:29
> > > To: samba-technical at lists.samba.org
> > > Subject: Should samba become_root() before calling panic action?
> > > 
> > > 
> > > Hello,
> > > 
> > > The printing problems in 3.0 alpha23 have also brought to light a
> > > lower-priority issue within Samba's panic action handling.  I have a
> > > panic action script for Debian which is configured to automatically mail
> > > the admin a backtrace if gdb is installed.  However, with the latest bug
> > > we're seeing an empty backtrace instead, and I believe this is because
> > > the spawned gdb process doesn't have permission to ptrace the smbd
> > > process, due to the crash occurring in a part of the code where Samba
> > > has assumed the user's uid.
> > > 
> > > This could be fixed by calling become_root() before invoking the panic
> > > action script.  Do people think that would be reasonable?  It does
> > > represent a marginal security risk; even if the Samba code is completely
> > > bug-free, if a local admin has configured a bad panic action, a user
> > > could kill -SEGV his own Samba process to trigger running a potentially
> > > damaging script as root.  OTOH, being able to get instant backtraces is
> > > definitely a debugging boon.
> > > 
> > > Anyone feel strongly about this?
> > > 
> > > Regards,
> > > -- 
> > > Steve Langasek
> > > postmodern programmer
> > > 
> 
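
Added example, not part of the thread and not Samba code: a small C model of the credential comparison Linux applies on ptrace attach, showing why a debugger running as the user can be refused while the target still holds root among its ids. The status lines, uid 1000 and the function names are constructed for illustration; which ids smbd actually holds at the crash point is an assumption.

```c
/* Added example: models the uid/gid comparison Linux applies on ptrace attach. */
#include <stdbool.h>
#include <stdio.h>

struct ids { unsigned r, e, s; };   /* real, effective, saved */

/* Parse a "Uid:" or "Gid:" line in the /proc/<pid>/status layout. */
static bool parse_ids(const char *line, const char *tag, struct ids *out)
{
    char fmt[32];
    snprintf(fmt, sizeof fmt, "%s: %%u %%u %%u", tag);
    return sscanf(line, fmt, &out->r, &out->e, &out->s) == 3;
}

/* Without CAP_SYS_PTRACE the tracer's uid and gid must equal all three of the
 * target's real, effective and saved ids. The dumpable flag and LSM policy
 * (e.g. Yama) are further checks that this model leaves out. */
static bool may_ptrace(unsigned t_uid, unsigned t_gid, bool cap_sys_ptrace,
                       const struct ids *u, const struct ids *g)
{
    if (cap_sys_ptrace)
        return true;
    return t_uid == u->r && t_uid == u->e && t_uid == u->s &&
           t_gid == g->r && t_gid == g->e && t_gid == g->s;
}

/* Returns 1 if attach is allowed, 0 if denied, -1 on a malformed line. */
int check_attach(const char *uid_line, const char *gid_line,
                 unsigned t_uid, unsigned t_gid, bool cap_sys_ptrace)
{
    struct ids u, g;
    if (!parse_ids(uid_line, "Uid", &u) || !parse_ids(gid_line, "Gid", &g))
        return -1;
    return may_ptrace(t_uid, t_gid, cap_sys_ptrace, &u, &g) ? 1 : 0;
}

int main(void)
{
    /* Constructed status lines: a daemon started as root that has switched its
     * effective ids to user 1000 (assumed layout, not captured from smbd). */
    const char *uid_user = "Uid:\t0\t1000\t0\t1000", *gid_user = "Gid:\t0\t1000\t0\t1000";
    const char *uid_root = "Uid:\t0\t0\t0\t0",       *gid_root = "Gid:\t0\t0\t0\t0";

    printf("gdb as uid 1000, target in user context: %d\n",
           check_attach(uid_user, gid_user, 1000, 1000, false));
    printf("gdb as root, target back in root context: %d\n",
           check_attach(uid_root, gid_root, 0, 0, true));
    return 0;
}
```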

