Gencache fails to open gencache.tdb
mimir at diament.ists.pwr.wroc.pl
Thu Feb 6 07:41:00 GMT 2003
On Thu, Feb 06, 2003 at 05:46:46PM +1100, Andrew Bartlett wrote:
> On Thu, 2003-02-06 at 10:10, Tim Potter wrote:
> > On Thu, Feb 06, 2003 at 12:06:04AM +0100, Rafal Szczesniak wrote:
> > > > Attached patch can be seen as proposal to discuss behavior of gencache in
> > > > case when it is used in applications running under non-privileged
> > > > accounts so that O_RDWR|O_CREAT always fails against system-wide
> > > > lock_path("gencache.tdb") (which is usually created by smbd/nmbd).
> > > >
> > > > The patch adds error resistance and tries to re-open gencache.tdb in
> > > > O_RDONLY mode if O_RDWR|O_CREAT failed. This allows the application to use
> > > > existing entries but forbids cache updates.
> > >
> > > I understand your idea, but it's useful only when another root-privileged
> > > process is able to update the cache contents (like parent process ?).
> > > Otherwise, only per-user cache makes sense when it comes to being useful.
> > It is actually slightly useful. If you are a user process running on a
> > Samba server, then you can share the up to date cache data that is
> > generated by smbd and nmbd. You're right though in the fact that you
> > can't update it or expire old entries.
> > I still think it's useful though.
> One of the problems is that gencache can be used to store all sorts of
> information. For example I want to move netlogon_unigroup.tdb into it,
> and possibly more sensitive information in future.
Exactly. And implementing a sort of access control is far too much
for such a simple mechanism.
> My worry is that we could leak information this way. I'm also told that
> there could be issues with the ability to 'block' smbd with byte-range
> read-locking on that database.
You mean the process that does read from gencache.tdb file could block
it and thus prevent from writing to this particular byte-range ?
|Rafal 'Mimir' Szczesniak <mimir at diament.ists.pwr.wroc.pl> |
|*BSD, GNU/Linux and Samba /
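
The byte-range locking concern raised in the thread, as an added example that is not part of the original messages or of Samba's code: it uses plain fcntl(2) locks on a scratch file rather than the tdb API, and shows that a process holding only an O_RDONLY descriptor can take a read lock that conflicts with a writer's lock, and that F_GETLK reports the PID of the holder. The scratch file name and the function names are assumptions made for the illustration.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Would a write lock on [off, off+len) block? 0 = free, 1 = blocked
 * (*holder gets the PID of the lock owner), -1 = error. */
int probe_write_lock(int fd, off_t off, off_t len, pid_t *holder)
{
    struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET,
                        .l_start = off, .l_len = len };
    if (fcntl(fd, F_GETLK, &fl) == -1) return -1;
    if (fl.l_type == F_UNLCK) return 0;
    *holder = fl.l_pid;
    return 1;
}

/* Constructed scenario: the child holds only an O_RDONLY descriptor and takes
 * a read lock; the parent (the writer's role) probes while the lock is held
 * and again after the child exits. Returns 1 if blocked-then-free, else 0/-1. */
int reader_blocks_writer(void)
{
    char path[] = "/tmp/gencache-demo-XXXXXX", c = 0;
    int ready[2], done[2], wfd = mkstemp(path);
    if (wfd == -1 || pipe(ready) || pipe(done) || ftruncate(wfd, 4096)) return -1;
    pid_t holder = 0, child = fork();
    if (child == -1) return -1;
    if (child == 0) {
        struct flock fl = { .l_type = F_RDLCK, .l_whence = SEEK_SET,
                            .l_start = 0, .l_len = 64 };
        int rfd = open(path, O_RDONLY);
        c = (rfd != -1 && fcntl(rfd, F_SETLK, &fl) == 0) ? 'k' : 'e';
        if (write(ready[1], &c, 1) != 1 || read(done[0], &c, 1) != 1) _exit(1);
        _exit(0);                      /* exiting releases the read lock */
    }
    if (read(ready[0], &c, 1) != 1 || c != 'k') return -1;
    int held = probe_write_lock(wfd, 0, 64, &holder);
    int same_owner = (holder == child);
    if (write(done[1], &c, 1) != 1) return -1;
    waitpid(child, NULL, 0);
    int after = probe_write_lock(wfd, 0, 64, &holder);
    unlink(path);
    close(wfd);
    return held == 1 && same_owner && after == 0;
}

int main(void)
{
    return reader_blocks_writer() == 1 ? 0 : 1;
}
```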