Samba3 RPC Server
asn at samba.org
Mon Jun 6 09:27:04 MDT 2011
On Friday 27 May 2011 19:51:56 Volker Lendecke wrote:
> On Fri, May 27, 2011 at 06:20:18PM +0200, Andreas Schneider wrote:
> > I think you know that Simo and I are working on preforking
> > support for Samba3.
> > I'm currently working on an LSA Service Daemon and trying
> > to clean up and fix some Samba3 RPC server flaws.
> > Let's take a look at
> > source3/rpc_server/srv_pipe.c +1551
> > api_pipe_request() checks if the user connecting is an
> > authenticated user and then becomes the user connecting
> > before each RPC call.
> > Before SambaXP I discussed that with Simo in spoolssd that
> > it doesn't make sense to do it. If the user has to deal
> > with files we should switch to the user and not in any
> > other case. So we implemented it this way in spoolss.
> > I think the same should apply to all other rpc calls. I
> > would like to remove the become_authenticated_pipe_user()
> > call in the api_pipe_request() function and switch to the
> > "guest" or "nobody" user when we fork a daemon. This
> > implies that we correctly switch to root (or the user) and
> > back in all rpc services.
> > If this is fine for you I would start to implement and
> > test this.
> Well, that's a pretty deep assumption in Samba (3!) that we
> do the become_user centrally and not for every operation
> that requires it. I know this leads to many become_root
> calls, and that it has caused trouble with for example
> pdb_ldap called via the samr server, but I'm a bit worried
> about a change like that. Probably eventually we will have
> to do it, but we need a very clear security model here. And
> we need to think hard about a good safety net if we drop
> that assumption.
Instead of always switching to the user connecting we would switch to the user
'nobody' on startup (after forking). The become_root() calls will not be
touched. Switching to the right user at the right point should already be done
correctly because of the 'force user' stuff. This is RPC and not the file
serving part. The only RPC service dealing with files is spoolss at the moment
and there it is handled correctly.
So if we create a become_guest() or become_nobody() function and check
that it works as it did before, would this be fine with you? As I see it, it is
a minor change but we should gain more security and get rid of some
dependencies in the rpc_server to smbd.
Andreas Schneider GPG-ID: F33E3FC6
Samba Team asn at samba.org
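
The scheme discussed in this thread (a 'nobody' baseline after fork, paired become_root() calls, and a safety net around each RPC call), as an added example that is not part of the original mails and is not Samba code. It is a pure model: uids are integers on a stack and no setuid()/seteuid() call is made; the `model_*` functions, the handlers, `dispatch()`, the uid 65534 for 'nobody' and the choice of a post-call check as the safety net are all assumptions made for illustration.

```c
/* Model only: uids are plain integers, no setuid()/seteuid() calls are made. */
#include <stdio.h>
#define UID_ROOT   0
#define UID_NOBODY 65534            /* assumed uid of 'nobody' */
#define MAX_DEPTH  8

static int ctx_stack[MAX_DEPTH] = { UID_NOBODY };  /* slot 0: baseline after fork */
static int ctx_depth = 0;
static int current_uid(void) { return ctx_stack[ctx_depth]; }

/* Hypothetical stand-ins for a become_root()/unbecome_root() pair. */
static int model_become_root(void) {
    if (ctx_depth + 1 >= MAX_DEPTH) return -1;
    ctx_stack[++ctx_depth] = UID_ROOT;
    return 0;
}
static int model_unbecome_root(void) {
    if (ctx_depth == 0) return -1;   /* unbalanced call: nothing to pop */
    ctx_depth--;
    return 0;
}

/* Well-behaved handler: elevates only around the privileged step. */
static int handler_balanced(void) {
    if (model_become_root() != 0) return -1;
    int uid_during = current_uid();  /* privileged work would happen here */
    model_unbecome_root();
    return uid_during == UID_ROOT ? 0 : -1;
}

/* Buggy handler: a return path that forgets to drop root again. */
static int handler_leaky(void) {
    if (model_become_root() != 0) return -1;
    return 0;                        /* missing model_unbecome_root() */
}

/* Safety net: returns 0 if the call ended at the baseline, 1 if it leaked. */
static int dispatch(int (*handler)(void)) {
    handler();
    if (ctx_depth == 0 && current_uid() == UID_NOBODY) return 0;
    fprintf(stderr, "leaked context: depth=%d uid=%d\n", ctx_depth, current_uid());
    ctx_depth = 0;                   /* reset here; a server could abort instead */
    return 1;
}

int main(void) {
    int ok = dispatch(handler_balanced), leak = dispatch(handler_leaky);
    printf("balanced=%d leaky=%d uid_now=%d\n", ok, leak, current_uid());
    return 0;
}
```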