Should samba become_root() before calling panic action?
Andrew Bartlett
abartlet at samba.org
Tue Apr 8 23:30:30 GMT 2003
On Wed, 2003-04-09 at 04:29, Steve Langasek wrote:
> Hello,
>
> The printing problems in 3.0 alpha23 have also brought to light a
> lower-priority issue within Samba's panic action handling. I have a
> panic action script for Debian which is configured to automatically mail
> the admin a backtrace if gdb is installed. However, with the latest bug
> we're seeing an empty backtrace instead, and I believe this is because
> the spawned gdb process doesn't have permission to ptrace the smbd
> process, due to the crash occurring in a part of the code where Samba
> has assumed the user's uid.
>
> This could be fixed by calling become_root() before invoking the panic
> action script. Do people think that would be reasonable? It does
> represent a marginal security risk; even if the Samba code is completely
> bug-free, if a local admin has configured a bad panic action, a user
> could kill -SEGV his own Samba process to trigger running a potentially
> damaging script as root. OTOH, being able to get instant backtraces is
> definitely a debugging boon.
If a user can kill an smbd then we have much bigger problems!
Can a user kill an smbd, that always has a real uid of root, and an euid
of user?
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030409/f6d9be39/attachment.bin
More information about the samba-technical
mailing list