Samba3 RPC Server

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri May 27 11:51:56 MDT 2011


On Fri, May 27, 2011 at 06:20:18PM +0200, Andreas Schneider wrote:
> I think you know that Simo and I are working on preforking
> support for Samba3. 
> I'm currently working on a LSA Service Daemon and trying
> to cleanup and fix some Samba3 RPC server flaws.
> 
> Lets take a look at
> 
> source3/rpc_server/srv_pipe.c +1551
> 
> api_pipe_request() checks if the user connecting is
> authenticated user and then becomes the user connecting
> before each RPC call.
> 
> Before SambaXP I discussed that with Simo in spoolssd that
> it doesn't make sense to do it. If the user has to deal
> with files we should switch to the user and not in any
> other case. So we implemented it this way in spoolss.
> 
> I think the same should apply to all other rpc calls. I
> would like to remove the become_authenticated_pipe_user()
> call in the api_pipe_request() function and switch to the
> "guest" or "nobody" user when we fork a daemon. This
> implies that we correctly switch to root (or the user) and
> back in all rpc services.
> 
> If this is fine for you I would start to implement and
> test this.

Well, that's a pretty deep assumption in Samba (3!) that we
do the become_user centrally and not for every operation
that requires it. I know this leads to many become_root
calls, and that it has caused trouble with for example
pdb_ldap called via the samr server, but I'm a bit worried
about a change like that. Probably eventually we will have
to do it, but we need a very clear security model here. And
we need to think hard about a good safety net if we drop
that assumption.

BTW, the other one that probably needs removing at some
point is the chdir() before every SMB call I think.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen


More information about the samba-technical mailing list