winbindd privileged dir permissions

Andrew Bartlett abartlet at
Mon Nov 1 05:41:20 GMT 2004

On Mon, 2004-11-01 at 15:59, rpv_muma wrote:
> I have build samba+openldap PDC and wanted to setup NTLM auth on my
> squid proxy. My system is FreeBSD 5.1 and samba version is 3.0.7.
> In this setup ntlm_auth works as squid user and need
> to open $LOCKDIR/winbindd_privileged/pipe.
> As documented in winbindd  man page "only users in the 'root' group will   get this
> access", but group permissions is r-x by default. When started,
> winbindd checks ownership and permissions and it is impossible to
> change it to my needs. It looks like a problem %)

I really don't see the problem.  You should only change the groupid,
usually to 'squid'.

> I propose to change default permissions from 0750 to 0770 in
> winbindd_util.c/open_winbindd_priv_socket(void)
> {
>         if (_winbindd_priv_socket == -1) {
>                 _winbindd_priv_socket = create_pipe_sock(
> --                        get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
> ++                        get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0770);
>                 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
>                            _winbindd_priv_socket));

This change looks very dangerous to me.  Why is write permission
required?  Hundreds of sites have deployed Squid/ntlm_auth without this
change, and giving the 'privileged' group the right to delete the socket
would allow them more privileges than I certainly would prefer.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Authentication Developer, Samba Team  
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list