Samba3 RPC Server

simo idra at samba.org
Fri May 27 12:23:50 MDT 2011


On Fri, 2011-05-27 at 19:51 +0200, Volker Lendecke wrote:
> On Fri, May 27, 2011 at 06:20:18PM +0200, Andreas Schneider wrote:
> > I think you know that Simo and I are working on preforking
> > support for Samba3. 
> > I'm currently working on an LSA Service Daemon and trying
> > to clean up and fix some Samba3 RPC server flaws.
> > 
> > Let's take a look at
> > 
> > source3/rpc_server/srv_pipe.c +1551
> > 
> > api_pipe_request() checks if the user connecting is an
> > authenticated user and then becomes the user connecting
> > before each RPC call.
> > 
> > Before SambaXP I discussed that with Simo in spoolssd that
> > it doesn't make sense to do it. If the user has to deal
> > with files we should switch to the user and not in any
> > other case. So we implemented it this way in spoolss.
> > 
> > I think the same should apply to all other rpc calls. I
> > would like to remove the become_authenticated_pipe_user()
> > call in the api_pipe_request() function and switch to the
> > "guest" or "nobody" user when we fork a daemon. This
> > implies that we correctly switch to root (or the user) and
> > back in all rpc services.
> > 
> > If this is fine for you I would start to implement and
> > test this.
> 
> Well, that's a pretty deep assumption in Samba (3!) that we
> do the become_user centrally and not for every operation
> that requires it. I know this leads to many become_root
> calls, and that it has caused trouble with for example
> pdb_ldap called via the samr server, but I'm a bit worried
> about a change like that. Probably eventually we will have
> to do it, but we need a very clear security model here. And
> we need to think hard about a good safety net if we drop
> that assumption.

Yes, we are proposing to become_nobody() (making up the name) by
default, to make sure we are not caught pants down if we forget a
become_user() somewhere.

> BTW, the other one that probably needs removing at some
> point is the chdir() before every SMB call I think.

I guess this could fail if we are not always root, but we are not
touching smbd yet.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
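
A minimal model of the default discussed in this thread, as an added example that is not Samba code and was not written by anyone in the thread: each RPC call starts as an unprivileged identity, handlers elevate only around the operation that needs it, and the dispatcher acts as a safety net. Identities are simulated with a variable instead of seteuid(); `become`, `unbecome`, `dispatch` and the handler names are hypothetical.

```c
#include <stdio.h>

/* Simulated identity; a real server would change euid/egid here. */
enum ident { ID_NOBODY, ID_USER, ID_ROOT };
static enum ident cur = ID_NOBODY;  /* assumed default after the daemon forks */
static int leaks = 0;               /* handlers that returned while elevated */

void become(enum ident id) { cur = id; }
void unbecome(void) { cur = ID_NOBODY; }
int leak_count(void) { return leaks; }
enum ident current_ident(void) { return cur; }

/* Constructed resources: user files need the user, the account db needs root. */
int open_user_file(void) { return cur == ID_USER ? 0 : -1; }
int read_passdb(void) { return cur == ID_ROOT ? 0 : -1; }

/* Handler that elevates only around the privileged operation. */
int h_print_job(void) {
    become(ID_USER);
    int rc = open_user_file();
    unbecome();
    return rc;
}
/* Handler whose author forgot to elevate: fails closed as nobody. */
int h_forgot_become(void) { return read_passdb(); }
/* Handler that forgets to drop root: caught by the dispatcher below. */
int h_forgot_unbecome(void) { become(ID_ROOT); return read_passdb(); }

/* Every call starts as nobody; afterwards the identity is checked and forced
 * back, so one handler's mistake cannot carry over into the next call. */
int dispatch(int (*handler)(void)) {
    unbecome();
    int rc = handler();
    if (cur != ID_NOBODY) {
        leaks++;        /* count it so the bug is visible in logs or tests */
        unbecome();
        rc = -2;        /* treat the whole call as failed */
    }
    return rc;
}

int main(void) {
    printf("print job:       %d\n", dispatch(h_print_job));
    printf("forgot become:   %d\n", dispatch(h_forgot_become));
    printf("forgot unbecome: %d\n", dispatch(h_forgot_unbecome));
    printf("leaks caught:    %d\n", leak_count());
    return 0;
}
```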


