Patch: Allow unprivileged processes to read registry

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Apr 5 23:39:28 MDT 2012


On Thu, Apr 05, 2012 at 06:58:27PM +0200, Stef Walter wrote:
> The samba configuration is shared between daemons and clients. If
> 'config backend = registry' is configured, then currently clients
> running without root privileges (like smbclient) fail with:
> 
> Failed to initialize the registry: WERR_ACCESS_DENIED
> 
> The attached patch fixes this issue. The database is created with 0644
> permissions. If write access to the database fails, then the database is
> opened in read-only mode.
> 
> I've tested this with various commands and it seems to do the trick.
> 
> Does this look like a good approach? If so, I'll file a bug for the patch.

Others have commented that this is not ok. The "real"
solution would be to read the registry via RPC, potentially
over a local unix-domain socket. This would be served by a
light-weight small daemon. I know that this is a lot of work
and might be frustrating for you, but that way we can ensure
that no DoS happens and no unprivileged access can happen.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de


More information about the samba-technical mailing list