I have a security-sensitive customer...

Andrew Bartlett abartlet at samba.org
Thu May 19 12:42:24 GMT 2005

On Thu, 2005-05-19 at 08:24 -0400, David Collier-Brown wrote:
>   In a discussion of Samba behavior, a customer asked why smbd processes,
> which had in 2.x spent the majority of their time running under
> the uid of the user, switched to running under the root uid in 3.x.
>   They understand the performance costs, but normally 
> try to guarantee "least privilege", and are concerned that
> Samba had moved away from that.

Samba has, due to the operation of the protocol, never operated under
just the uid of the user; it always has operated with the 'right to
regain root'.  What changed was where it spends the idle cycles, but it
is no more/less secure.

Yes, we are screwed on a buffer overflow either way.

>   The material they store is corporate confidential, and 
> they are happy with the access control provided by the Unix 
> kernel (:-)). They wish to avoid privilege escalation 
> leading to access control done **solely** by Samba.
>   Have we an answer to their concerns? In particular, are 
> there cases where the way we do it is more secure?

For the times when we are actually accessing files, we 'become' the
connecting user.  This causes the kernel to enforce file access control
on that basis, while still allowing us to switch back to root (and
subsequently other users) for other operations.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net