IPC User Problem (was Situational Deadlock)

Esh, Andrew Andrew_Esh at adaptec.com
Fri Jan 30 20:18:43 GMT 2004 

I have tested the code below (and in the included HEAD patch file) and it passes all my regression tests with "force group" set in the global area. The patch prevents "force user" and "force group" from having any effect on the IPC service.

Without this fix, Windows NT can fail to obtain access to the IPC service on Samba 3.0 (release-3-0alpha20) and later when either "force" tag is in the global configuration section. This prevents user access to other shares due to the new code "force" tests added in smbd/uid.c:check_user_ok at version 1.94.

-----Original Message-----
From: samba-technical-bounces+andrew_esh=adaptec.com at lists.samba.org
[mailto:samba-technical-bounces+andrew_esh=adaptec.com at lists.samba.org]O
n Behalf Of Esh, Andrew
Sent: Wednesday, January 28, 2004 4:35 PM
To: Andrew Bartlett
Cc: samba-technical at lists.samba.org
Subject: RE: IPC User Problem (was Situational Deadlock)


Well, I'm making all my force group settings share specific, so my problem will be solved in that way. If you'd like me to test an unset of conn->force_user and conn->force_group in smbd/service.c:make_connection_snum right after conn->ipc is set, I can. I was thinking of this:

Index: service.c
===================================================================
RCS file: /cvsroot/samba/source/smbd/service.c,v
retrieving revision 1.128
diff -u -c -r1.128 service.c
cvs server: conflicting specifications of output style
*** service.c	3 Oct 2003 15:11:38 -0000	1.128
--- service.c	28 Jan 2004 22:31:41 -0000
***************
*** 436,441 ****
--- 436,445 ----
  	conn->used = True;
  	conn->printer = (strncmp(dev,"LPT",3) == 0);
  	conn->ipc = ((strncmp(dev,"IPC",3) == 0) || strequal(dev,"ADMIN$"));
+ 	if (conn->ipc) {
+ 	  conn->force_user = False;
+ 	  conn->force_group = False;
+ 	}
  	conn->dirptr = NULL;
  	conn->veto_list = NULL;
  	conn->hide_list = NULL;
***************
*** 454,460 ****
  	 * of the user we're forcing.
  	 */
  	
! 	if (*lp_force_user(snum)) {
  		struct passwd *pass2;
  		pstring fuser;
  		pstrcpy(fuser,lp_force_user(snum));
--- 458,464 ----
  	 * of the user we're forcing.
  	 */
  	
! 	if (!conn->ipc && *lp_force_user(snum)) {
  		struct passwd *pass2;
  		pstring fuser;
  		pstrcpy(fuser,lp_force_user(snum));
***************
*** 489,495 ****
  	 * any groupid stored for the connecting user.
  	 */
  	
! 	if (*lp_force_group(snum)) {
  		gid_t gid;
  		pstring gname;
  		pstring tmp_gname;
--- 493,499 ----
  	 * any groupid stored for the connecting user.
  	 */
  	
! 	if (!conn->ipc && *lp_force_group(snum)) {
  		gid_t gid;
  		pstring gname;
  		pstring tmp_gname;


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Wednesday, January 28, 2004 4:05 PM
To: Esh, Andrew
Cc: Andrew Bartlett; samba-technical at lists.samba.org
Subject: RE: IPC User Problem (was Situational Deadlock)


On Thu, 2004-01-29 at 08:23, Esh, Andrew wrote:
> Yes, I agree that force settings are probably being misused for 
> other shares, and the change I am suggesting would leave the 
> enforcement in place for those shares. I don't feel as though 
> the same rules should apply to IPC, however. Why would someone 
> ever want to limit access to IPC? It appears to allow full access 
> as the guest user as a matter of course. Doesn't IPC live under 
> a different set of rules within Windows?

perhaps we should not honour any form of 'force user' on IPC$ - the
problem is that we can't just make everybody guest on IPC$, as things
like remote user administration occurs over this share, as the
authenticated user.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unforce_ipc.patch
Type: application/octet-stream
Size: 1052 bytes
Desc: unforce_ipc.patch
Url : http://lists.samba.org/archive/samba-technical/attachments/20040130/8da4537a/unforce_ipc.obj

More information about the samba-technical mailing list