IPC User Problem (was Situational Deadlock)

Simo Sorce simo.sorce at xsec.it
Mon Feb 2 17:18:34 GMT 2004

On Mon, 2004-02-02 at 18:05, Gerald (Jerry) Carter wrote:
> Hash: SHA1
> Esh, Andrew wrote:
> | I have tested the code below (and in the included HEAD
> | patch file) and it passes all my regression tests with
> | "force group" set in the global area. The patch prevents
> | "force user" and "force group" from having any effect on
> | the IPC service.
> |
> | Without this fix, Windows NT can fail to obtain access to
> | the IPC service on Samba 3.0 (release-3-0alpha20) and later
> | when either "force" tag is in the global configuration section.
> | This prevents user access to other shares due to the new
> | code "force" tests added in smbd/uid.c:check_user_ok at
> | version 1.94.
> Does anyone object to this patch ?  It would seem to help
> prevent an admin from getting into trouble that is hard to
> diagnose on a mailing list.
> Just trying to get some resolution here.

Seem OK to me, I'll bet there is no more than 0.00001% of admin out
there that ever tought of setting such permissions on the IPC$ share on
samba knowingly.
Most of them just want to force user/group by default on normal shares
not special ones (and I think we may also consider to apply the same fix
to the other "special shares" as homes, pritn$, etc ... but this is
another story and a much more invasive change I do not want to discuss
right now).

In the end, IPC$ is a very special share, I think we can safely
disregard any global option like force user/group that are not tought
for such shares.


Simo Sorce - simo.sorce at xsec.it
Xsec s.r.l. - http://www.xsec.it
via Garofalo, 39 - 20133 - Milano
mobile: +39 329 328 7702
tel. +39 02 2953 4143 - fax: +39 02 700 442 399

More information about the samba-technical mailing list