winbindd privileged dir permissions
Andrew Bartlett
abartlet at samba.org
Mon Nov 1 05:41:20 GMT 2004
On Mon, 2004-11-01 at 15:59, rpv_muma wrote:
> I have built a samba+openldap PDC and wanted to set up NTLM auth on my
> squid proxy. My system is FreeBSD 5.1 and the samba version is 3.0.7.
>
> In this setup ntlm_auth works as the squid user and needs
> to open $LOCKDIR/winbindd_privileged/pipe.
> As documented in the winbindd man page, "only users in the 'root' group will get this
> access", but group permissions are r-x by default. When started,
> winbindd checks ownership and permissions and it is impossible to
> change it to my needs. It looks like a problem %)
I really don't see the problem. You should only change the groupid,
usually to 'squid'.
> I propose to change default permissions from 0750 to 0770 in
>
> winbindd_util.c/open_winbindd_priv_socket(void)
> {
> if (_winbindd_priv_socket == -1) {
> _winbindd_priv_socket = create_pipe_sock(
> -- get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
> ++ get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0770);
> DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
> _winbindd_priv_socket));
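Review bot: the mode constant is the wrong place to fix this; changing 0750 to 0770 gives every member of the privileged group write access to the directory, which is exactly what lets them unlink or replace the pipe, while 0750 already grants the group the search (x) permission it needs to open the socket. The intended configuration is to leave the mode at 0750 and change the group ownership of the winbindd_privileged directory to the proxy's group (squid here), which is the adjustment the reply recommends.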
This change looks very dangerous to me. Why is write permission
required? Hundreds of sites have deployed Squid/ntlm_auth without this
change, and giving the 'privileged' group the right to delete the socket
would allow them more privileges than I certainly would prefer.
Andrew Bartlett
--
Andrew Bartlett abartlet at samba.org
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
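An added example, not code from this thread or from Samba: a small POSIX shell audit that checks the winbindd privileged pipe directory the way the reply recommends (owner root, mode 0750, only the group changed). The directory path and the group name 'squid' are assumptions for illustration.

```shell
# classify_mode MODE -> prints ok | group-writable | world-accessible | unexpected
# MODE is an octal permission string such as 750 (a leading setgid digit is dropped).
classify_mode() {
    mode=$1
    mode=${mode#"${mode%???}"}            # keep the last three octal digits
    o=${mode#??}; g=${mode%?}; g=${g#?}   # other digit, group digit
    case "$o/$g/$mode" in
        0/5/750)    echo ok ;;                # group gets r-x, enough to open the socket
        [1-7]/*)    echo world-accessible ;;  # anyone could reach or alter the pipe
        0/[2367]/*) echo group-writable ;;    # group could remove or replace the pipe
        *)          echo unexpected ;;        # e.g. 700: the proxy user cannot reach it
    esac
}

# check_priv_dir DIR OWNER GROUP -> returns 0 if DIR is OWNER:GROUP with mode 750
check_priv_dir() {
    dir=$1; want_owner=$2; want_group=$3
    [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
    # GNU stat (Linux) and BSD stat (FreeBSD) take different format flags.
    if stat -c '%a %U %G' "$dir" >/dev/null 2>&1; then
        set -- $(stat -c '%a %U %G' "$dir")
    else
        set -- $(stat -f '%OLp %Su %Sg' "$dir")
    fi
    mode=$1; owner=$2; group=$3
    rc=0
    [ "$owner" = "$want_owner" ] ||
        { echo "$dir: owner $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] ||
        { echo "$dir: group $group, expected $want_group (fix: chgrp $want_group $dir)"; rc=1; }
    verdict=$(classify_mode "$mode")
    [ "$verdict" = ok ] ||
        { echo "$dir: mode $mode is $verdict, expected 750 (do not widen it)"; rc=1; }
    return $rc
}

# Assumed layout: $LOCKDIR/winbindd_privileged with the proxy running as group 'squid'.
# Set WINBIND_PRIV_DIR to run the audit, e.g. WINBIND_PRIV_DIR=/var/run/samba/winbindd_privileged
if [ -n "${WINBIND_PRIV_DIR:-}" ]; then
    check_priv_dir "$WINBIND_PRIV_DIR" root "${PRIV_GROUP:-squid}"
fi
```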