SYSTEM vs RELAX in lsa
Matthias Dieter Wallnöfer
mdw at samba.org
Thu Nov 25 01:40:25 MST 2010
The best explanation you will find in my dochelp request which was also
logged on "cifs-protocol". Basically we have to deny modifications of
trusted domain and secret objects over LDAP.
Now I've seen about the possibility of untrusted connections. I'm
working on a patch which uses this one - should be much safer, or?
tridge at samba.org wrote:
> Hi Matthias,
> Can you explain 1352a9406f3e3067a8e751ac157eab67796bc0c6 a bit more?
> > commit 1352a9406f3e3067a8e751ac157eab67796bc0c6
> > Author: Matthias Dieter Wallnöfer <mdw at samba.org>
> > Date: Tue Nov 23 15:15:09 2010 +0100
> > s4:objectclass LDB module - LSA objects - allow them if the SYSTEM control is specified
> > This fits better than the RELAX one.
> It looks to me like you've introduced a security hole. As far as I can
> tell, this means all LSA CreateTrustedDomain() calls now happen as
> SYSTEM, which would bypass all ACL checking.
> Also, why change from RELAX to SYSTEM at all? We should only ever do
> something as SYSTEM if we really need ACL bypass, and only when we
> have already done careful access checking in the call to ensure the
> user is allowed to perform this operation.
> Cheers, Tridge