se-samba
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Wed Jun 2 12:00:16 GMT 2004
On Wed, Jun 02, 2004 at 08:33:06AM +1000, tridge at samba.org wrote:
> Volker,
>
> > It's a), everything is done via a single tcp connection. One reason is that we
> > want to mirror the behaviour that the server we proxy towards gives us as
> > closely as possible. Separate smb connections give a difference that might have
> > influence on the server's behaviour.
>
> Nope, the we open a new connection for each tree connect in that
> backend.
BRILLIANT. that's even better.
> It really doesn't matter though, as unless I have completely
> misunderstood se-linux, the TConX behaviour is completely irrelevant
> for the seteuid() problem that se-linux faces. All TConX does is
> establish a connection to a new directory (ignoring ancient share
> level security setups).
the problem is that SE/Linux doesn't support seteuid.
> The relevant question is how SessionSetup is handled, because that is
> what determines the security context of requests. A client can combine
> SessionSetup with TConX in any way it wants to, with multiple TConX
> per SessionSetup or multiple SessionSetup per TConX.
>
> The CIFS proxy backend in Samba4 currently does a fixed SessionSetup
> using domain, username and password from parametric options in
> smb.conf. Andrew Bartlett has talked about adding authentication
> proxying as well, but it isn't done yet. When that is done the whole
> se-linux idea of using a CIFS proxy could be re-visited.
>
> But really I think the whole idea of using a CIFS proxy for se-linux
> Samba is a non-starter. It would work, but it would be a "party
> trick", not a serious solution. Far better for the se-linux people to
> come up with a more general solution for handling servers that need to
> handle multiple security contexts on one network connection. In
> particular the solution should not be so intimately tied to CIFS.
the solution is to have one process per security context.
it is not possible to drop from the equivalent of root into
the equivalent of a user-security-context (seteuid) and then
back to the equivalent of root again.
and SE/Linux is never going to have the equivalent of seteuid added.
an SMB proxy which de-multiplexes all SMBsessionsetupXs and
SMBtconXs is the "quickest" way to code up something that
"works" that fits the requirements.
it doesn't have to be fast.
it doesn't have to be nice.
it just has to work, and provide the required security semantics.
"next" version can be an improvement on that.
and, if i gather this correctly, the required semantics are already
satisfied by using samba(4)'s SMB proxy and a samba(3) back-end.
which is _great_.
now, as i described a couple of times before, the alternatives
are to write a special samba(4) NT-VFS plugin that communicates
via a custom-written Inter-Process-Communication system to a
de-multiplexing filesystem back-end.
or, to design a back-end that forks() on SMBsessionsetupX
and then forks() again on SMBtconX, and has some internal logic
that manages to deal with locking, consistency, and successfully
manages to communicate SMB requests through the double-layer of
forks()
that's a _lot_ more complex a solution than using SMB proxying.
> I would suggest that the se-linux people think about a potential
> user-space NFSv4 server, which faces exactly the same problem. Do the
> constraints imposed by se-linux mean that we will forever have to run
> NFSv4 servers in the kernel? Is that a good idea, given the security
> isolation aims of the project?
i believe you may be misunderstanding the issues, which are relatively
straightforward.
1) root has no special "automatic" privileges, or more specifically,
the uid "0" has no special "automatic" privileges, in SE/Linux.
all uids are treated the same, and they only have the privileges
which they are given, by the sysadmin.
2) processes, which run under user-contexts (uids) have to be given
permissions to do certain operations, such as execv(), open(),
read once opened, stat, in fact pretty much everything is
controlled.
3) processes can, on creation of a child process make that
child process "transition" to what they refer to as a new
"domain". e.g. auto_trans(samba_parent_t, samba_backend_t)
and the new domain will of course have its _own_ set of
capabilities (permissions).
[this is where it gets relevant to se-samba:]
4) IT IS NOT POSSIBLE FOR A CHILD PROCESS TO RETURN TO THE
PARENT'S DOMAIN.
therefore, with the present design of samba(3) which uses
seteuid() to jump to pretending to be a user context,
such that file writes are done as that user, and then back to
root to deal with a different TconX context, that completely
breaks down.
and yes, famd uses seteuid as well, and needs a total redesign
along the same lines (multiple forked processes).
andrew, i'm not entirely sure where you got the impression
that it is necessary to run a kernel-space service (e.g. a
kernel-space NFS server) in an SE/Linux environment.
a user-space file server is perfectly sufficient, and much more
preferable.
if it wasn't for the fact that multiple SMB sessions can be made
over the same TCP connection...
hey.
*thinks*.
could someone please remind me: a Citrix Server does multiple
SMB sessions over the same TCP connection, doesn't it?
if that's the case, then... could someone confirm this statement
for me:
"the samba(4) NT-VFS SMB proxy will do multiple TCP client
connections per SMB session"
is that statement correct?
because if so, then if the NT-VFS SMB proxy does multiple TCP
connections per TConX, then yes, that _is_ a little excessive, but
it's possible to live with that excess, and it can be solved
by the libsmbclient supporting multiple TconX connections over the
same TCP connection.
the _most_ important thing is to have separate TCP connections
for every SMBsessionsetupX.
in case anyone's interested, i believe i may have modified
samba-tng's libsmbclient code (or maybe the cliffs libsmbclient
code) to be able to do multiple TconX's per TCP connection.
it's quite straightforward.
l.
More information about the samba-technical
mailing list