I have a security-sensitive customer...

David Collier-Brown David.Collier-Brown at Sun.COM
Thu May 19 13:39:35 GMT 2005

Andrew Bartlett wrote:
>  What changed was where it spends the idle cycles, but it
> is no more/less secure.

	See below...
> Yes, we are screwed on a buffer overflow either way.

	Actually I'd argue that a buffer overflow (or other
	oops) induced by the user is way more serious
	if it occurs while one is running as root.

	This is basically what the customer is stressed
	about: privilege escalation attacks.

	Now this is no more or less secure than before,
	as you noted above, it's just more visible to 
	the user, which caused him to whack me over 
	the head with the privilege escalation question (:-)) 

> For the times when we are actually accessing files, we 'become' the
> connecting user.  This causes the kernel to enforce file access control
> on that basis, while still allowing us to switch back to root (and
> subsequently other users) for other operations.

	Yes, they understand that, they know it's normal.
>> Have we an answer to their concerns? In particular, are 
>> there cases where the way we do it is more secure?

	Is there an argument we can legitimately make
	that smbd is consciously considered a
	security-critical program, and that we **downgrade**
	privilege whenever accessing anything which is
	under access control? 

	The latter clause is trivially true, we really 
	do do that (:-)), and I'd suggest that it is
	easier to audit that code than it is to audit
	all the intentional escalations in 2.x.

David Collier-Brown,      | Always do right. This will gratify
Sun Microsystems, Toronto | some people and astonish the rest
davecb at canada.sun.com     |                      -- Mark Twain
(416) 263-5733 (x65733)   |
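The "become the connecting user" mechanism Andrew describes above, and the auditability argument David wants to make to the customer, as an added example (my code, not smbd's): the downgrade and the return to root live in two short functions that can be audited in isolation, and the kernel, not the daemon, decides whether the open is allowed. Only effective ids are switched here; a real file server also has to set supplementary groups with setgroups(), and the abort-on-failure policy is my choice.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

static uid_t saved_euid;   /* identity to return to (root, in smbd's case) */
static gid_t saved_egid;

/* Take on the connecting user's identity: gid first, while we still hold
 * privilege, then uid.  Only the effective ids change, so the saved
 * set-user-ID stays root and unbecome_user() can switch back later. */
static int become_user(uid_t uid, gid_t gid)
{
    saved_euid = geteuid();
    saved_egid = getegid();
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0) {
        int e = errno;
        (void)setegid(saved_egid);      /* never stay half-switched */
        errno = e;
        return -1;
    }
    /* trust the kernel's answer, not our own bookkeeping */
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Switch back: uid first, because regaining the gid needs privilege. */
static int unbecome_user(void)
{
    return (seteuid(saved_euid) == 0 && setegid(saved_egid) == 0) ? 0 : -1;
}

/* Open a path with the kernel enforcing the connecting user's access
 * rights.  Returns an fd or -1 with errno set; the privileged identity
 * is restored on every return path. */
int open_as_user(const char *path, int flags, uid_t uid, gid_t gid)
{
    int fd, e;
    if (become_user(uid, gid) != 0)
        return -1;
    fd = open(path, flags);
    e = errno;
    if (unbecome_user() != 0) {         /* stuck as the wrong identity */
        if (fd >= 0)
            close(fd);
        abort();                        /* safer than carrying on */
    }
    errno = e;
    return fd;
}
```

Run unprivileged with your own uid/gid the switches are no-ops the kernel still permits, so the control flow can be exercised without root.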
