dynamic context transitions
Andrew Bartlett
abartlet at samba.org
Sun Nov 14 11:22:31 GMT 2004
On Sun, 2004-11-14 at 22:15, Luke Kenneth Casson Leighton wrote:
> On Sun, Nov 14, 2004 at 12:18:24PM +1100, Andrew Bartlett wrote:
> > On the other hand, adding an extra #ifdef to become_user() and friends
> > is a small, maintainable solution. It just may not fit with the SELinux
> > world view.
>
> andrew,
>
> your comments are appreciated - esp. the ones about ensuring
> maintainability.
Thanks. I was a bit worried that this thread had been 'left alone'...
> i should point out [because you may not be on the selinux ml]
Indeed I am not.
> that about 10 days ago stephen smalley said that, all things
> being considered, he was happy for a "seteuid"-like extension
> to selinux to be added, and urged the discussion to move from
> "if" to "how".
Good. I saw one mail on that point, then this distraction. I wanted to
make sure it wasn't lost :-).
> a seteuid-like function, which allows a single process to
> transition to a new domain - yes, it would be called in become_user,
> become_root and the corresponding "un"s.
The right spot will need to be carefully chosen, but yes.
> i've said it before (and won't mention it again, i promise!) but
> personally i believe it far more sensible [and this is a
> practical solution that i believe could be done _now_ without
> any samba or selinux code modifications, just some time writing
> up the config files and policies] to run a samba-4 server with
> an smb client vfs redirector going to a samba-3 back-end smbd
> server on the same machine.
I'm actually not sure this helps - the samba-3 backend still needs to
move to and from root. In any case, that setup currently doesn't proxy
the authentication (fixing that is on the todo list). When it does, I
don't think the problem changes.
What you want is a way to demultiplex the protocol stream based on VUID,
but even if we get that (and perhaps the 'terminal server' case will
cause such a proxy to be written), we still have the problem of needing
to become root for some operations.
Andrew Bartlett
--
Andrew Bartlett abartlet at samba.org
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20041114/21210dc8/attachment.bin
More information about the samba-technical
mailing list