se-samba

Russell Coker rcoker at redhat.com
Mon May 31 12:49:11 GMT 2004


On Sat, 29 May 2004 19:51, Luke Kenneth Casson Leighton <lkcl at lkcl.net> wrote:
> 1) doing user-space avc library calls is fine IF you can guarantee
> that the file system to which you are providing access is NOT
> accessible by any means other than through se-samba [or that
> any such access guarantees no race conditions].
>
> i.e. you must, in effect, write your own userspace file system.

Or we could use SE Linux policy to deny every domain other than smbd_t and 
sysadm_t access to the files.  Not that I think it's a good idea, but we 
should list all possibilities.

> and you must guarantee that there are no race conditions etc.

Yes.  User-space AVC is bad for file access because you can't check the entire 
path.  This may be good enough for some applications.  In previous 
discussions it has been suggested to have SE Linux controls for only file 
access and rely totally on Unix permissions for directory access.

I think that writing a file system entirely is even less viable than using SE 
Linux to deny everything other than smbd_t access.

> 2) all file operations go through the SMB layer: you have to
> provide a means to separate user-contexts on the same SMB TCP
> connection, and the best - i.e. quickest way with a minimal
> coding impact - way to do that is to run two smbd servers,
> one proxying to the other and to write an SMB client VFS plugin
> that multiplexes out the user-contexts received over the same
> TCP connection.

I spent some time discussing these issues with Tridge at Linux.conf.au 2004.  
It seems that there is an interface in Samba to allow plug-ins which can be 
used for such things; they aren't quite suitable for spawning an external 
process, but I think it can be shoe-horned into it.

> ... although to be absolutely honest, when you already _have_
> a dedicated IPC mechanism - it's called the SMB protocol - then
> why go to all the trouble of writing another one?

Doing SMB when talking to clients is nasty enough, do we really want to do it 
internally?

I'll probably be meeting Tridge in ~40 hours.  If you have any suggestions of 
things that I should discuss with him then please send them to me by private 
email ASAP.

-- 
http://apac.redhat.com/disclaimer
See above URL for disclaimer.
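The first option discussed in the message above, using SE Linux policy rather than a user-space AVC so that only smbd_t and sysadm_t can reach the exported files, can be written as a type-enforcement fragment. The following is an added example, not policy from the thread or from the Samba or SE Linux projects. It assumes a file type named samba_data_t for the share and a path of /srv/samba; smbd_t and sysadm_t are the domains named in the message. Because SE Linux is default-deny, "denying every other domain" means granting access to exactly these two domains and then asserting with neverallow that the rest of the policy grants nothing more.

```selinux
# Added example (assumed type name samba_data_t; smbd_t and sysadm_t from the message).
# Written in the classic example-policy syntax of the time: a .te fragment.

type samba_data_t, file_type;

# smbd gets ordinary file-serving rights on the share.
allow smbd_t samba_data_t:dir  { read getattr search write add_name remove_name create rmdir };
allow smbd_t samba_data_t:file { read write getattr setattr create unlink rename append };

# The admin domain keeps full management rights, including relabelling.
allow sysadm_t samba_data_t:dir  { read getattr search write add_name remove_name create rmdir relabelfrom relabelto };
allow sysadm_t samba_data_t:file { read write getattr setattr create unlink rename append relabelfrom relabelto };

# Compile-time check that no other domain has been granted access anywhere in
# the policy: checkpolicy fails if any allow rule elsewhere contradicts this.
# Caveat: generic rules of the form "allow some_t file_type:file ..." in the base
# policy would trip this assertion, which is exactly what you want to find out.
neverallow ~{ smbd_t sysadm_t } samba_data_t:{ dir file } *;

# Labelling of the share goes in file_contexts (assumed path):
# /srv/samba(/.*)?    system_u:object_r:samba_data_t
```

The neverallow line is the part that encodes the intent of the message: rather than trusting that nobody added a rule for another domain, the policy compiler refuses to build if one exists. Kernel-side enforcement also removes the path-checking problem raised for the user-space AVC, since every open, lookup and directory traversal is mediated by the kernel with the real inode labels, not by smbd reconstructing the path.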
