IPC User Problem (was Situational Deadlock)

Esh, Andrew Andrew_Esh at adaptec.com
Mon Feb 2 21:16:38 GMT 2004 

This patch will break "admin user" for the IPC share, but not for any other shares. But isn't that OK? Is there anything the IPC does that requires the admin user to be set up?

The other way to fix this is to test conn->ipc when the user is being validated in check_user_ok. Then the change becomes the following. This hasn't been tested at all.

Index: uid.c
===================================================================
RCS file: /cvsroot/samba/source/smbd/uid.c,v
retrieving revision 1.110
diff -u -c -r1.110 uid.c
cvs server: conflicting specifications of output style
*** uid.c	9 Sep 2003 04:07:29 -0000	1.110
--- uid.c	2 Feb 2004 21:13:51 -0000
***************
*** 65,71 ****
  		if (conn->vuid_cache.list[i] == vuser->vuid)
  			return(True);
  
! 	if ((conn->force_user || conn->force_group) 
  	    && (conn->vuid != vuser->vuid)) {
  		return False;
  	}
--- 65,71 ----
  		if (conn->vuid_cache.list[i] == vuser->vuid)
  			return(True);
  
! 	if (!conn->ipc && (conn->force_user || conn->force_group) 
  	    && (conn->vuid != vuser->vuid)) {
  		return False;
  	}

-----Original Message-----
From: samba-technical-bounces+andrew_esh=adaptec.com at lists.samba.org
[mailto:samba-technical-bounces+andrew_esh=adaptec.com at lists.samba.org]O
n Behalf Of Andrew Bartlett
Sent: Monday, February 02, 2004 2:39 PM
To: Simo Sorce
Cc: Gerald (Jerry) Carter; samba-technical at lists.samba.org
Subject: Re: IPC User Problem (was Situational Deadlock)


On Tue, 2004-02-03 at 04:18, Simo Sorce wrote:
> On Mon, 2004-02-02 at 18:05, Gerald (Jerry) Carter wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Esh, Andrew wrote:
> > 
> > | I have tested the code below (and in the included HEAD
> > | patch file) and it passes all my regression tests with
> > | "force group" set in the global area. The patch prevents
> > | "force user" and "force group" from having any effect on
> > | the IPC service.
> > |
> > | Without this fix, Windows NT can fail to obtain access to
> > | the IPC service on Samba 3.0 (release-3-0alpha20) and later
> > | when either "force" tag is in the global configuration section.
> > | This prevents user access to other shares due to the new
> > | code "force" tests added in smbd/uid.c:check_user_ok at
> > | version 1.94.
> > 
> > Does anyone object to this patch ?  It would seem to help
> > prevent an admin from getting into trouble that is hard to
> > diagnose on a mailing list.
> > 
> > Just trying to get some resolution here.
> 
> Seem OK to me, I'll bet there is no more than 0.00001% of admin out
> there that ever tought of setting such permissions on the IPC$ share on
> samba knowingly.

If everybody else thinks this is a good idea, then I'm in.

It needs to also not honer 'admin users' on those shares.  (Which ends
up being implemented as a 'force user')

Personally, I would prefer to have each admin hit over the head with a
clue-stick, but failing that...

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

More information about the samba-technical mailing list