Russell Coker rcoker at
Mon May 31 12:49:11 GMT 2004

On Sat, 29 May 2004 19:51, Luke Kenneth Casson Leighton <lkcl at> wrote:
> 1) doing user-space avc library calls is fine IF you can guarantee
> that the file system to which you are providing access is NOT
> accessible by any means other than through se-samba [or that
> any such access guarantees no race conditions].
> i.e. you must, in effect, write your own userspace file system.

Or we could use SE Linux policy to deny every domain other than smbd_t and 
sysadm_t access to the files.  Not that I think it's a good idea, but we 
should list all possibilities.

> and you must guarantee that there are no race conditions etc.

Yes.  User-space AVC is bad for file access because you can't check the entire 
path.  This may be good enough for some applications.  In previous 
discussions it has been suggested to have SE Linux controls for only file 
access and rely totally on Unix permissions for directory access.

I think that writing a file system entirely is even less viable than using SE 
Linux to deny everything other than smbd_t access.

> 2) all file operations go through the SMB layer: you have to
> provide a means to separate user-contexts on the same SMB TCP
> connection, and the best - i.e. quickest way with a minimal
> coding impact - way to do that is to run two smbd servers,
> one proxying to the other and to write an SMB client VFS plugin
> that multiplexes out the user-contexts received over the same
> TCP connection.

I spent some time discussing these issues with Tridge at 2004.  
It seems that there is an interface in Samba to allow plug-ins which can be 
used for such things, they aren't quite suitable for spawning an external 
process but I think it can be shoe-horned into it.

> ... although to be absolutely honest, when you already _have_
> a dedicated IPC mechanism - it's called the SMB protocol - then
> why go to all the trouble of writing another one?

Doing SMB when talking to clients is nasty enough, do we really want to do it 

I'll probably be meeting Tridge in ~40 hours.  If you have any suggestions of 
things that I should discuss with him then please send them to be by private 
email ASAP.

See above URL for disclaimer.

More information about the samba-technical mailing list