smbpasswd and euid detection
ink at inconnu.isu.edu
Thu Jan 2 22:57:00 GMT 2003
On Thu, 2 Jan 2003, Steve Langasek wrote:
> On Thu, Jan 02, 2003 at 02:23:09PM -0700, Craig Kelley wrote:
> > > I consider confusing smbpasswd with the Unix passwd command a sign that
> > > one doesn't really have that much knowledge, at least where smbpasswd
> > > itself is concerned. It's easy to jump to the conclusion that smbpasswd
> > > needs root privs to make changes to the smbpasswd file -- it does not --
> > > and the program has *not* been audited for use as an suid program, so
> > > it's dangerous to treat it the same as passwd.
> > > So if someone can run smbpasswd indirectly from an suid wrapper, there's
> > > still a high potential for security problems, the same as if smbpasswd is
> > > suid itself. If you need to let users call smbpasswd in an suid root
> > > context, your wrapper should do its own vetting of the user input and
> > > then assume full root privileges.
> > Then let's add suid checking to every program.
> Most programs don't have the problem of people assuming they're analogous
> to other suid programs.
Most people who understand how to bless suid powers on an executable
are familiar with the ramifications of doing so. Having to write wrappers
to deal with it could be even more dangerous (who knows...?)
> > They can all be abused, and the same argument should apply.
> > Regardless, the patch I presented actually does what the warning
> > message claims it's doing. It stat()'s the actual binary of smbpasswd to
> > see if it's suid or not. It doesn't add any dependencies, and it should
> > work on all systems capable of handling geteuid(), which smbpasswd already
> > uses.
> But if you're going to concede that the check is there for a reason
> (which you seem to be doing by not asking for the check to be removed
> altogether), then that reasoning applies whether or not smbpasswd itself
> is the program carrying the suid bit as explained above.
'tis but a gift horse of a patch. Ignore it if you wish; at a minimum the
warning should be changed to something more accurate and less
heart-attack-inducing than "smbpasswd must *NOT* be setuid root"
(because, most likely, it *isn't*); perhaps something like "smbpasswd will
not run with root privileges if euid is not the same as uid because we
believe in security through obscurity" ;)
Craig Kelley -- kellcrai at isu.edu
Turn In Your Neighbor Today! http://www.bsa.org/usa/report/report.php
http://www.isu.edu/~kellcrai finger ink at inconnu.isu.edu for PGP block
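The thread contrasts two ways of deciding whether a program is running with elevated privileges: the `geteuid() != getuid()` test, which also fires when an suid wrapper hands the program a different euid, and a `stat()` of the program's own binary, which reports whether the file itself carries the setuid bit. The following is an added example written for this page; it is not Craig Kelley's patch and not Samba code. It separates the decision logic from the system calls so the three outcomes (not elevated, elevated because the binary is setuid, elevated but inherited from whatever called us) can each be exercised, and it assumes Linux `/proc/self/exe` as the path to the running binary; the name `classify_priv` and the message strings are this example's own.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Possible privilege states of the running process, as discussed in the thread. */
enum priv_state {
    PRIV_PLAIN,            /* euid == uid: no elevated privilege at all              */
    PRIV_BINARY_SETUID,    /* euid != uid and our own binary carries the setuid bit  */
    PRIV_INHERITED,        /* euid != uid but the binary is not setuid: a wrapper or  */
                           /* other caller handed us the elevated euid                */
    PRIV_ELEVATED_UNKNOWN  /* euid != uid and the binary could not be stat()'ed       */
};

/* Return 1 if the file at path has the setuid bit set, 0 if it does not,
   and -1 if stat() fails (missing file, no permission, ...). */
int path_has_setuid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Pure decision logic: given the real uid, effective uid and the result of
   path_has_setuid_bit() for the running binary, say which case we are in.
   Kept free of system calls so it can be tested with arbitrary values. */
enum priv_state classify_priv(uid_t uid, uid_t euid, int binary_setuid)
{
    if (uid == euid)
        return PRIV_PLAIN;
    if (binary_setuid == 1)
        return PRIV_BINARY_SETUID;
    if (binary_setuid == 0)
        return PRIV_INHERITED;
    return PRIV_ELEVATED_UNKNOWN;
}

/* Classify the current process. exe_path is the path of our own executable;
   on Linux "/proc/self/exe" is reliable, whereas argv[0] is only a hint
   supplied by the caller and can be anything. */
enum priv_state classify_self(const char *exe_path)
{
    return classify_priv(getuid(), geteuid(), path_has_setuid_bit(exe_path));
}

/* A message that matches what was actually detected, rather than asserting
   "must not be setuid root" for every euid/uid mismatch. */
const char *priv_state_message(enum priv_state s)
{
    switch (s) {
    case PRIV_PLAIN:            return "running with the caller's own privileges";
    case PRIV_BINARY_SETUID:    return "this binary is setuid; it has not been audited for that";
    case PRIV_INHERITED:        return "euid differs from uid but this binary is not setuid; "
                                       "elevated privileges came from the caller (wrapper?)";
    case PRIV_ELEVATED_UNKNOWN: return "euid differs from uid; could not inspect the binary";
    }
    return "unknown state";
}

int main(void)
{
    enum priv_state s = classify_self("/proc/self/exe");
    printf("uid=%u euid=%u: %s\n",
           (unsigned)getuid(), (unsigned)geteuid(), priv_state_message(s));
    /* Exit non-zero for every elevated state so a wrapper or script can refuse to continue. */
    return s == PRIV_PLAIN ? 0 : 1;
}
```

The `PRIV_INHERITED` case is exactly the situation Craig's message describes: the binary itself is not setuid, so the existing "must *NOT* be setuid root" text is misleading, yet the program is still running with a privilege it did not earn, which is the reason Steve gives for keeping the refusal. Reporting the two cases separately keeps the warning accurate without removing the check.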