IPC User Problem (was Situational Deadlock)

Andrew Bartlett abartlet at samba.org
Mon Feb 2 20:39:16 GMT 2004 

On Tue, 2004-02-03 at 04:18, Simo Sorce wrote:
> On Mon, 2004-02-02 at 18:05, Gerald (Jerry) Carter wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Esh, Andrew wrote:
> > 
> > | I have tested the code below (and in the included HEAD
> > | patch file) and it passes all my regression tests with
> > | "force group" set in the global area. The patch prevents
> > | "force user" and "force group" from having any effect on
> > | the IPC service.
> > |
> > | Without this fix, Windows NT can fail to obtain access to
> > | the IPC service on Samba 3.0 (release-3-0alpha20) and later
> > | when either "force" tag is in the global configuration section.
> > | This prevents user access to other shares due to the new
> > | code "force" tests added in smbd/uid.c:check_user_ok at
> > | version 1.94.
> > 
> > Does anyone object to this patch ?  It would seem to help
> > prevent an admin from getting into trouble that is hard to
> > diagnose on a mailing list.
> > 
> > Just trying to get some resolution here.
> 
> Seem OK to me, I'll bet there is no more than 0.00001% of admin out
> there that ever tought of setting such permissions on the IPC$ share on
> samba knowingly.

If everybody else thinks this is a good idea, then I'm in.

It needs to also not honer 'admin users' on those shares.  (Which ends
up being implemented as a 'force user')

Personally, I would prefer to have each admin hit over the head with a
clue-stick, but failing that...

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040203/59cf61bf/attachment.bin

More information about the samba-technical mailing list