Smb multi-sessions, samba3.0.2pre1

Jianliang Lu j.lu at tiesse.com
Tue Jan 20 11:25:58 GMT 2004


> On Tue, 2004-01-20 at 20:27, Jianliang Lu wrote:
> NT does not have the concept to 'force user'.  When we act on 'force
> user', I ensure that the second VUID (smb_uid) cannot access that share,
> as they will not have passed the access control tests.  Perhaps this
> could be looked at again.
> 
> > What I'd like to avoid is to set the user's uid = 0, it is so ugly. We 
> > should use "admin users" instead until we have not implemented the 
> > "user privileges". Any patch to set euid=0 looking at not only the 
> > conn->uid but also the smb_uid?
> 
> This is what our standard behaviour is.
> 
> Andrew Bartlett
> 

I think that we should perform the access check using the uid (smb_uid), not 
the Tid to admin_users. The following is the description from the SNIA 
"CIFS 1.0" document, page 22:

 3.2.6 Uid Field
  Uid is a reference number assigned by the server after a user authenticates 
  to it, and that it will associate with that user until client requests the
  association be broken. ... Requests that do authorization, such as open
  requests, will perform access checks using the identity associated with the
  Uid.

So if we want to grant root privilege to a user (set euid=0), we should 
associate it with the Uid, not the Tid. Now Samba does "set_admin_user" in 
the function "make_connection_snum" with conn->admin, which implies that we 
should check the Tid to have certain privilege. I suppose that it may be more 
correct to do the "set_admin_user" in "change_to_user", checking the vuid 
in "admin users".

Jianliang Lu

TieSse s.p.a.     Ivrea (To) - Italy
j.lu at tiesse.com   luj at libero.it
http://www.tiesse.com
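
A simplified C model of the two placements discussed in this message, added here as an example (it is not Samba source and not the poster's code; every struct, function and user name is hypothetical and the users are constructed). It shows the effective uid a second session gets on a shared tree when the "admin users" decision is cached per Tid versus made per Uid on each request:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed model: one session per Uid (vuid), one tree per Tid. */
struct session { int vuid; const char *name; uid_t uid; };
struct tree    { int tid; int owner_vuid; bool admin; };

static const char *admin_users[] = { "alice" };  /* constructed "admin users" list */

static bool in_admin_users(const char *name) {
    for (size_t i = 0; i < sizeof admin_users / sizeof admin_users[0]; i++)
        if (strcmp(admin_users[i], name) == 0) return true;
    return false;
}

/* Tree connect: the admin decision is made once and cached on the tree,
 * the placement the message attributes to make_connection_snum. */
static struct tree tree_connect(int tid, const struct session *s) {
    struct tree t = { tid, s->vuid, in_admin_users(s->name) };
    return t;
}

/* Per-Tid: every vuid that sends requests on this tree inherits the flag. */
static uid_t euid_per_tid(const struct tree *t, const struct session *s) {
    return t->admin ? 0 : s->uid;
}

/* Per-Uid: decided on each request from the requesting vuid, the placement
 * the message proposes for change_to_user. */
static uid_t euid_per_uid(const struct tree *t, const struct session *s) {
    (void)t;
    return in_admin_users(s->name) ? 0 : s->uid;
}

/* Two sessions share the tree alice opened; second=true asks for bob's euid. */
static uid_t shared_tree_euid(bool per_uid, bool second) {
    struct session alice = { 100, "alice", 1000 }, bob = { 101, "bob", 1001 };
    struct tree t = tree_connect(1, &alice);
    const struct session *s = second ? &bob : &alice;
    return per_uid ? euid_per_uid(&t, s) : euid_per_tid(&t, s);
}

int main(void) {
    printf("per-Tid: alice=%u bob=%u\n", (unsigned)shared_tree_euid(false, false),
           (unsigned)shared_tree_euid(false, true));
    printf("per-Uid: alice=%u bob=%u\n", (unsigned)shared_tree_euid(true, false),
           (unsigned)shared_tree_euid(true, true));
    return 0;
}
```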

