Removing geteuid() != 0 check in smbldap_open()

Andrew Bartlett abartlet at
Fri Oct 17 20:50:17 GMT 2008

On Fri, 2008-10-17 at 13:05 -0700, Jeremy Allison wrote:
> I'm planning to remove this code in lib/smbldap.c from
> smbldap_open().
>         if (geteuid() != 0) {
>                 DEBUG(0, ("smbldap_open: cannot access LDAP when not root\n"));
>                 return  LDAP_INSUFFICIENT_ACCESS;
>         }
> #endif
> We already check access via the SAMR and LSA handles,
> and *every single time* this error message has come
> up the hunt has been to find and add
> become_root()
> unbecome_root()
> pairs around a pdb_XXX call. It's not gaining us anything,
> and it's causing more trouble than it's worth.
> I'm going to audit all the handle opens and read/write
> accesses in lanan.c, samr.c and lsa.c to make sure we
> do access checks, then remove this code.
> If anyone wants to defend this, please explain with
> SPECIFIC EXAMPLES of where it protects the backends
> from unauthorized access.

I added this code originally to avoid security bugs where smbpasswd
operations would fail (unable to open the file), but LDAP operations
would succeed.

But the reverse must also be true, so how do you intend to handle this
for tdb and smbpasswd backed systems?

The other reason to keep this is that as non-root, will we always have
access to the ldapi socket, if so configured?  Normally it is
world-accessible (but a sysadmin might restrict it), but if we ever add
support for SASL EXTERNAL binds to our directory server, it will need to
be root during that bind (so OpenLDAP can verify we are privileged via
the getpeerid call). 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.