smbpasswd and euid detection
ink at inconnu.isu.edu
Thu Jan 2 20:28:00 GMT 2003

On Thu, 2 Jan 2003, Steve Langasek wrote:
> On Thu, Jan 02, 2003 at 10:47:32AM -0700, Craig Kelley wrote:
> > For some time now, I've been patching smbpasswd to get rid of the
> > effective UID "detection" that it does. In 2.2.7a it simply tests if the
> > effective UID differs from the real UID, and if the effective UID is
> > 'root' then it bails:
> >
> >     /* Check the effective uid - make sure we are not setuid */
> >     if ((geteuid() == (uid_t)0) && (getuid() != (uid_t)0))
> >
> > This test will bail out if smbpasswd isn't suid 0, but the process that
> > calls it is (e.g., a utility agent for changing passwords and such). I've
> > made a preliminary diff to actually stat() the executable to determine if
> > it is suid 0:
> Why does your suid application not either assume full root privileges, or
> drop all such privileges, before exec()ing smbpasswd?

I've considered that, but thought of it more as treating the symptom
instead of the cause. A better question may be, why even check for suid?
Why should smbpasswd even care if it's running with effective privileges?
The naive may confuse it with the UNIX passwd program, which is suid root
on some systems, but those with that much knowledge surely understand the
ramifications of giving superuser privileges to an executable.

I can't recall any other userland tool that I've used checking for
effective = real root privileges (well, I suppose perl is able to, but
that behavior can be disabled). I know that in the 1.x days, it didn't
check until a certain version in which it was turned on; probably for
security reasons (?)
Craig Kelley -- kellcrai at isu.edu
Turn In Your Neighbor Today! http://www.bsa.org/usa/report/report.php
http://www.isu.edu/~kellcrai finger ink at inconnu.isu.edu for PGP block
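
The two tests contrasted in this thread, side by side, as an added example that is not part of the original post and is not Craig's diff (the archive does not show it). The function names and the shape of the stat()-based check are assumptions; the sample values are constructed.

```c
/* Added example, not from the post or from Samba. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The test quoted from 2.2.7a: looks only at the process credentials, so it
 * also fires when a setuid-root parent exec()s a non-setuid binary. */
static bool ids_look_setuid(uid_t ruid, uid_t euid)
{
    return euid == (uid_t)0 && ruid != (uid_t)0;
}

/* Assumed shape of a stat()-based test: looks only at the file. */
static bool file_is_suid_root(const struct stat *st)
{
    return st->st_uid == (uid_t)0 && (st->st_mode & S_ISUID) != 0;
}

/* Returns 1 or 0, or -1 if stat() fails. A path check describes the file at
 * the time of the call; argv[0] is chosen by the caller of exec(), so it is
 * not a trustworthy path to check. */
static int path_is_suid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return file_is_suid_root(&st) ? 1 : 0;
}

int main(int argc, char **argv)
{
    /* Constructed case: root-owned mode 0755 binary started by a setuid-root
     * helper that kept real UID 1000. */
    struct stat sample;
    memset(&sample, 0, sizeof sample);
    sample.st_uid = 0;
    sample.st_mode = 0755;
    printf("constructed: id test=%d file test=%d\n",
           ids_look_setuid(1000, 0), file_is_suid_root(&sample));
    printf("this process: id test=%d\n", ids_look_setuid(getuid(), geteuid()));
    if (argc > 1)
        printf("%s: suid root=%d\n", argv[1], path_is_suid_root(argv[1]));
    return 0;
}
```

In the constructed case the credential test reports setuid while the file test does not, yet the process runs with effective UID 0 either way.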