Patch: Allow unprivileged processes to read registry

Stef Walter stefw at gnome.org
Thu Apr 5 23:32:47 MDT 2012


On 2012-04-06 00:47, simo wrote:
> On Thu, 2012-04-05 at 13:59 -0700, Jeremy Allison wrote: 
>> On Thu, Apr 05, 2012 at 06:58:27PM +0200, Stef Walter wrote:
>>> The samba configuration is shared between daemons and clients. If
>>> 'config backend = registry' is configured, then currently clients
>>> running without root privileges (like smbclient) fail with:
>>>
>>> Failed to initialize the registry: WERR_ACCESS_DENIED
>>>
>>> The attached patch fixes this issue. The database is created with 0644
>>> permissions. If write access to the database fails, then the database is
>>> opened in read-only mode.
>>>
>>> I've tested this with various commands and it seems to do the trick.
>>>
>>> Does this look like a good approach? If so, I'll file a bug for the patch.
>>
>> Hmmmm. My only fear is that there is security-sensitive data
>> stored in the registry this would expose.
> 
> No it is not ok IMO.
> Not only could you end up exposing data like passwords embedded in the
> file.
> But because this is TDB based you can also create a DoS situation
> easily, as unprivileged clients can then grab a fcntl read lock and leave
> the samba server unable to ever update the contents.
> 
> Don't do that.

I see. That really is completely broken for client usage. I was hoping
that if the patch was incorrect someone would be able to suggest a
viable solution.

But I guess if it is really completely irreparably broken, then I'll
submit the attached patch which adds a warning to the smb.conf manual
page steering people away from the registry if they want to use Samba
client programs.

Cheers,

Stef
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Document-brokenness-of-samba-registry-when-using-cli.patch
Type: text/x-patch
Size: 1119 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120406/5019eb37/attachment.bin>
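
The locking concern raised in the quoted reply, as an added example that is not part of the original message or of Samba's code: a process holding only a read-only descriptor can take a POSIX fcntl read lock that makes a writer's lock request fail, which is why read access to such a file is kept away from unprivileged users. The temporary file is a constructed stand-in for a TDB file, both processes run as the same user, and the function names are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Non-blocking whole-file fcntl lock: returns 0 on success, errno on failure. */
static int try_lock(int fd, short type)
{
    struct flock fl = { .l_type = type, .l_whence = SEEK_SET, .l_start = 0, .l_len = 0 };
    return fcntl(fd, F_SETLK, &fl) == 0 ? 0 : errno;
}

/* Returns 1 if a reader's F_RDLCK blocks the writer's F_WRLCK and the writer
 * succeeds once the reader has exited; 0 if not; -1 on setup failure. */
int reader_lock_blocks_writer(void)
{
    char path[] = "/tmp/registry-demo-XXXXXX";  /* constructed stand-in file */
    int sync_pipe[2], wfd = mkstemp(path);
    if (wfd < 0 || fchmod(wfd, 0644) != 0 || pipe(sync_pipe) != 0)
        return -1;
    pid_t reader = fork();
    if (reader < 0) return -1;
    if (reader == 0) {                          /* "client": O_RDONLY is enough */
        int rfd = open(path, O_RDONLY);
        char got = (rfd >= 0 && try_lock(rfd, F_RDLCK) == 0);
        if (write(sync_pipe[1], &got, 1) != 1) _exit(1);
        pause();                                /* hold the read lock until killed */
        _exit(0);
    }
    close(sync_pipe[1]);
    char ok = 0;
    int blocked = -1, after = -1;
    if (read(sync_pipe[0], &ok, 1) == 1 && ok)
        blocked = try_lock(wfd, F_WRLCK);       /* "server": wants to update */
    kill(reader, SIGKILL);
    waitpid(reader, NULL, 0);                   /* fcntl locks die with their owner */
    if (ok) after = try_lock(wfd, F_WRLCK);
    close(wfd); close(sync_pipe[0]); unlink(path);
    if (!ok) return -1;
    return (blocked == EAGAIN || blocked == EACCES) && after == 0;
}

int main(void)
{
    printf("read lock blocks writer: %d\n", reader_lock_blocks_writer());
    return 0;
}
```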
