Should samba become_root() before calling panic action?

David Brodbeck DavidB at mail.interclean.com
Tue Apr 8 19:20:55 GMT 2003



> -----Original Message-----
> From: Steve Langasek [mailto:vorlon at netexpress.net]

> How would you accomplish this?  The only ways I can think of doing this
> (passwordless su; or encoding the root password in the panic action
> script, which must be world-readable to be usable in this circumstance)
> are far more dangerous, IMHO, than the hypothetical risk of an admin
> deploying an insecure panic action script.

You could use sudo.  This is somewhat more secure because you can configure
sudo to limit what the user can do. You could create a sudo entry that only
allowed gdb to be run, for example.  This still isn't as good as Samba
becoming root before running the panic action, because now you're in a
situation where any of your users who can log into the Samba server on the
console can run gdb as root and attach to running processes!  However, for a
temporary debugging situation it might be okay.

I'd say the best way to do this would be to require panic actions as root to
be turned on specifically, maybe as a compile-time directive (to avoid yet
more config file option bloat).  Then users who currently have insecure
panic action scripts don't get bitten, and anyone who turns it on and then
installs an insecure panic action has only themselves to blame.
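
An added example, not part of the original message and not Samba or sudo project code: a small Python audit that flags sudoers rules allowing gdb to be run as root, and notes whether the grant is broad (ALL or a group) or passwordless, which is the exposure the message describes. The sample sudoers text and its user and host names are constructed; aliases and included files are not expanded.

```python
import os
import re

# Constructed sample sudoers text (not from the post or any real host).
SAMPLE = """\
# debugging aid for smbd panics
Defaults env_reset
%users   ALL = NOPASSWD: /usr/bin/gdb
smbdebug fs1 = (root) /usr/bin/gdb, \\
               /usr/bin/strace
backup   ALL = (root) /usr/bin/rsync
dev      ALL = (nobody) /usr/bin/gdb
"""

RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")   # NOPASSWD:, NOEXEC:, ...
DEBUGGERS = {"gdb"}                       # the tool named in the message


def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        buf += raw.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        yield start, buf.strip()
        buf = ""


def audit_sudoers(text):
    """Return (line_no, who, broad, nopasswd) for each rule running gdb as root."""
    findings = []
    for no, line in logical_lines(text):
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m or m.group(1).endswith("_Alias"):
            continue                      # alias definitions are not expanded here
        who, _host, runas, cmds = m.groups()
        # sudo runs the command as root when no (runas) list is given
        targets = (runas if runas is not None else "root").split(":")[0].split(",")
        if not any(t.strip() in ("root", "ALL") for t in targets):
            continue
        nopasswd = False
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            if "NOPASSWD:" in cmd:        # tags carry over to later commands
                nopasswd = True
            elif "PASSWD:" in cmd:
                nopasswd = False
            words = TAG.sub("", cmd).split()
            if words and os.path.basename(words[0]) in DEBUGGERS:
                findings.append((no, who, who == "ALL" or who.startswith("%"), nopasswd))
    return findings
```

Calling `audit_sudoers(SAMPLE)` reports the group-wide passwordless rule on line 3 and the single-user rule on line 4, and skips the rule that runs gdb as `nobody`.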

