Samba3 RPC Server

Andrew Bartlett abartlet at samba.org
Thu Jun 9 01:26:34 MDT 2011


On Mon, 2011-06-06 at 17:27 +0200, Andreas Schneider wrote: 
> On Friday 27 May 2011 19:51:56 Volker Lendecke wrote:
> > On Fri, May 27, 2011 at 06:20:18PM +0200, Andreas Schneider wrote:
> > > I think you know that Simo and I are working on preforking
> > > support for Samba3.
> > > I'm currently working on a LSA Service Daemon and trying
> > > to cleanup and fix some Samba3 RPC server flaws.
> > > 
> > > Let's take a look at
> > > 
> > > source3/rpc_server/srv_pipe.c +1551
> > > 
> > > api_pipe_request() checks if the user connecting is
> > > authenticated user and then becomes the user connecting
> > > before each RPC call.
> > > 
> > > Before SambaXP I discussed that with Simo in spoolssd that
> > > it doesn't make sense to do it. If the user has to deal
> > > with files we should switch to the user and not in any
> > > other case. So we implemented it this way in spoolss.
> > > 
> > > I think the same should apply to all other rpc calls. I
> > > would like to remove the become_authenticated_pipe_user()
> > > call in the api_pipe_request() function and switch to the
> > > "guest" or "nobody" user when we fork a daemon. This
> > > implies that we correctly switch to root (or the user) and
> > > back in all rpc services.
> > > 
> > > If this is fine for you I would start to implement and
> > > test this.
> > 
> > Well, that's a pretty deep assumption in Samba (3!) that we
> > do the become_user centrally and not for every operation
> > that requires it. I know this leads to many become_root
> > calls, and that it has caused trouble with for example
> > pdb_ldap called via the samr server, but I'm a bit worried
> > about a change like that. Probably eventually we will have
> > to do it, but we need a very clear security model here. And
> > we need to think hard about a good safety net if we drop
> > that assumption.
> 
> Instead of switching always to the user connecting we would switch to the user 
> 'nobody' on startup (after forking). The become_root() calls will not be 
> touched. Switching to the right user at the right point should already be done 
> correctly because of the 'force user' stuff. This is RPC and not the file 
> serving part. The only rpc service dealing with files is spoolss at the moment 
> and there it is handled correctly.
> 
> So if we create a become_guest() or become_nobody() function and check 
> that it works as it did before, would this be fine with you? As I see it, it is 
> a minor change, but we should gain more security and get rid of some 
> dependencies in the rpc_server on smbd.

The biggest issue I see here is the function dependencies, and setting
up the security context stack.  Currently we have quite a delicate
situation surrounding become_root() et al. in the waf build, because of
the dummysmbd.c functions mixing with the real functions.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
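The become_root()/unbecome_root() discipline and the "safety net" discussed in this thread, as an added example in C that is not Samba's code: a minimal security-context stack where the daemon drops to a base "nobody" identity after forking and every privileged section is a balanced push/pop. All function names, the depth limit and the dry-run behaviour when not running as root are assumptions of this example.

```c
#define _DEFAULT_SOURCE 1
#include <unistd.h>
#include <sys/types.h>

#define SEC_CTX_MAX 8   /* assumed depth limit: the "safety net" against runaway nesting */
struct sec_ctx { uid_t uid; gid_t gid; };

static struct sec_ctx base_ctx;               /* identity the daemon runs as ("nobody") */
static struct sec_ctx ctx_stack[SEC_CTX_MAX]; /* contexts pushed above base_ctx */
static int ctx_depth;

/* Switch effective ids only; real/saved ids stay root, which is what allows
 * seteuid(0) later. Unprivileged, this is a dry run so the stack logic still runs. */
static int apply_sec_ctx(const struct sec_ctx *c)
{
    if (getuid() != 0) return 0;
    return (setegid(c->gid) == 0 && seteuid(c->uid) == 0) ? 0 : -1;
}

/* Called once after fork(): drop to the base identity with an empty stack. */
int init_sec_ctx(uid_t base_uid, gid_t base_gid)
{
    base_ctx.uid = base_uid; base_ctx.gid = base_gid;
    ctx_depth = 0;
    return apply_sec_ctx(&base_ctx);
}

/* Push a new identity; refuse (-1) rather than overflow the stack. */
int push_sec_ctx(uid_t uid, gid_t gid)
{
    if (ctx_depth >= SEC_CTX_MAX) return -1;
    ctx_stack[ctx_depth].uid = uid; ctx_stack[ctx_depth].gid = gid;
    if (apply_sec_ctx(&ctx_stack[ctx_depth]) != 0) return -1;
    ctx_depth++;
    return 0;
}

/* Pop to the previous identity. An unbalanced pop is an error, not a no-op,
 * so an extra or missing unbecome_root() is caught rather than silently ignored. */
int pop_sec_ctx(void)
{
    if (ctx_depth == 0) return -1;
    ctx_depth--;
    return apply_sec_ctx(ctx_depth ? &ctx_stack[ctx_depth - 1] : &base_ctx);
}

int become_root(void)   { return push_sec_ctx(0, 0); }
int unbecome_root(void) { return pop_sec_ctx(); }
int sec_ctx_depth(void) { return ctx_depth; }
/* uid the process should currently have, for checks and audit logging */
uid_t sec_ctx_current_uid(void) { return ctx_depth ? ctx_stack[ctx_depth - 1].uid : base_ctx.uid; }
```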
