question about make_connection_snum function
simo
idra at samba.org
Fri Feb 23 18:13:05 GMT 2007
On Fri, 2007-02-23 at 12:00 -0600, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jeremy,
>
> > Yes I can see a reason it isn't correct. It's valid to add
> > a security descriptor to the IPC$ share. Why exempt IPC$
> > from security checks ?
>
> True. But I think the check was probably there to prevent
> a server from suffering from a sec_desc that got corrupted
> and therefore locked everyone out. I agree with you that
> this should be possible but I don't think I would be
> comfortable unless I did more testing to know what impact
> that could have.
>
> I'm not particulary opposed to the idea (of setting an ACL
> on IPC$) but I'm not convinced it would entirely work like
> we think it should without more testing.
>
> Make sense?
Absolutely.
Actually we had a report of a user (I think a month ago or so), that had
corrupted (or was playing) with IPC$ ACLs, and made his system unusable.
Solution was to delete the shares TDB, so that the ACL was removed and
the standard access control reset.
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
More information about the samba-technical
mailing list