Patch: Allow unprivileged processes to read registry
Volker.Lendecke at SerNet.DE
Thu Apr 5 23:39:28 MDT 2012
On Thu, Apr 05, 2012 at 06:58:27PM +0200, Stef Walter wrote:
> The samba configuration is shared between daemons and clients. If
> 'config backend = registry' is configured, then currently clients
> running without root privileges (like smbclient) fail with:
> Failed to initialize the registry: WERR_ACCESS_DENIED
> The attached patch fixes this issue. The database is created with 0644
> permissions. If write access to the database fails, then the database is
> opened in read-only mode.
> I've tested this with various commands and it seems to do the trick.
> Does this look like a good approach? If so, I'll file a bug for the patch.
Others have commented that this is not ok. The "real"
solution would be to read the registry via RPC, potentially
over a local unix-domain socket. This would be served by a
light-weight small daemon. I know that this is a lot of work
and might be frustrating for you, but that way we can ensure
that no DoS happens and no unprivileged access can happen.
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de