dynamic context transitions

Andrew Bartlett abartlet at samba.org
Sun Nov 14 11:22:31 GMT 2004


On Sun, 2004-11-14 at 22:15, Luke Kenneth Casson Leighton wrote:
> On Sun, Nov 14, 2004 at 12:18:24PM +1100, Andrew Bartlett wrote:
> > On the other hand, adding an extra #ifdef to become_user() and friends
> > is a small, maintainable solution.  It just may not fit with the SELinux
> > world view.
> 
> andrew,
> 
> your comments are appreciated - esp. the ones about ensuring
> maintainability.

Thanks.  I was a bit worried that this thread had been 'left alone'...

> i should point out [because you may not be on the selinux ml]

Indeed I am not.

> that about 10 days ago stephen smalley said that, all things
> being considered, he was happy for a "seteuid"-like extension
> to selinux to be added, and urged the discussion to move from
> "if" to "how".

Good.  I saw one mail on that point, then this distraction.  I wanted to
make sure it wasn't lost :-).

> a seteuid-like function, which allows a single process to
> transition to a new domain - yes, it would be called in become_user,
> become_root and the corresponding "un"s.

The right spot will need to be carefully chosen, but yes.

> i've said it before (and won't mention it again, i promise!) but
> personally i believe it far more sensible [and this is a
> practical solution that i believe could be done _now_ without
> any samba or selinux code modifications, just some time writing
> up the config files and policies] to run a samba-4 server with
> an smb client vfs redirector going to a samba-3 back-end smbd
> server on the same machine.

I'm actually not sure this helps - the samba-3 backend still needs to
move to and from root.  In any case, that setup currently doesn't proxy
the authentication (fixing that is on the todo list).  When it does, I
don't think the problem changes.

What you want is a way to demultiplex the protocol stream based on VUID,
but even if we get that (and perhaps the 'terminal server' case will
cause such a proxy to be written), we still have the problem of needing
to become root for some operations.  

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net