Patch: Allow unprivileged processes to read registry

simo idra at samba.org
Fri Apr 6 06:39:21 MDT 2012


On Fri, 2012-04-06 at 07:32 +0200, Stef Walter wrote: 
> On 2012-04-06 00:47, simo wrote:
> > On Thu, 2012-04-05 at 13:59 -0700, Jeremy Allison wrote: 
> >> On Thu, Apr 05, 2012 at 06:58:27PM +0200, Stef Walter wrote:
> >>> The samba configuration is shared between daemons and clients. If
> >>> 'config backend = registry' is configured, then currently clients
> >>> running without root privileges (like smbclient) fail with:
> >>>
> >>> Failed to initialize the registry: WERR_ACCESS_DENIED
> >>>
> >>> The attached patch fixes this issue. The database is created with 0644
> >>> permissions. If write access to the database fails, then the database is
> >>> opened in read-only mode.
> >>>
> >>> I've tested this with various commands and it seems to do the trick.
> >>>
> >>> Does this look like a good approach? If so, I'll file a bug for the patch.
> >>
> >> Hmmmm. My only fear is that there is security-sensitive data
> >> stored in the registry this would expose.
> > 
> > No it is not ok IMO.
> > Not only you could end exposing data like passwords embdedded in the
> > file.
> > But because this is TDB based you can also create a DoS situation
> > easily, as unprivileged clients can then grab a fcntl read lock and let
> > the samba server unable to ever update the contents.
> > 
> > Don't do that.
> 
> I see. That really is completely broken for client usage. I was hoping
> that if the patch was incorrect someone would be able to suggest a
> viable solution.
> 
> But I guess if it is really completely irreparably broken, then I'll
> submit the attached patch which adds a warning to the smb.conf manual
> page steering people away from the registry if they want to use Samba
> client programs.

I think a better patch would be to provide a fallback smb-client.conf
file, which can be used by clients. Also IIRc clients attempt to use a
~/.smb.conf file or similar.

I never liked the fact clients try to use smb.conf although very
convenient for root on a server, it has the side effects of issues with
the registry tdb.

But there is another solution. If the daemon is running the client could
read the registry over named pipes using RPCs. We'd need to carefully
check permissions and it is a bit of work, but it would work fine as
long as samba is running (which I guess always is if you choose to use
the registry configuration).

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>



More information about the samba-technical mailing list