Patch: Allow unprivileged processes to read registry
idra at samba.org
Thu Apr 5 16:47:00 MDT 2012
On Thu, 2012-04-05 at 13:59 -0700, Jeremy Allison wrote:
> On Thu, Apr 05, 2012 at 06:58:27PM +0200, Stef Walter wrote:
> > The samba configuration is shared between daemons and clients. If
> > 'config backend = registry' is configured, then currently clients
> > running without root privileges (like smbclient) fail with:
> > Failed to initialize the registry: WERR_ACCESS_DENIED
> > The attached patch fixes this issue. The database is created with 0644
> > permissions. If write access to the database fails, then the database is
> > opened in read-only mode.
> > I've tested this with various commands and it seems to do the trick.
> > Does this look like a good approach? If so, I'll file a bug for the patch.
> Hmmmm. My only fear is that there is security-sensitive data
> stored in the registry this would expose.
No it is not ok IMO.
Not only you could end exposing data like passwords embdedded in the
But because this is TDB based you can also create a DoS situation
easily, as unprivileged clients can then grab a fcntl read lock and let
the samba server unable to ever update the contents.
Don't do that.
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
More information about the samba-technical