[PATCH] Fix bug #9746 - guest ok + force user + force group doesn't work

Andrew Bartlett abartlet at samba.org
Wed Apr 3 18:07:02 MDT 2013

On Wed, 2013-04-03 at 15:57 -0700, Jeremy Allison wrote:
> On Thu, Apr 04, 2013 at 09:06:46AM +1100, Andrew Bartlett wrote:
> > 
> > If authentication/authorization code isn't obviously correct to me, then
> > I stand by it not being obviously correct.  If it is un-obviously
> > correct, then we need clarifications and comments so it becomes so.  
> > 
> > The ordering in make_connection_snum() is subtle, and while we check the
> > 'guest ok' smb.conf parameter first-up, the check against the share ACL
> > is currently after the force user/group stuff, and this change. 
> > 
> > From here, I would like to understand where we use the is_guest flag for
> > the (reasonable to assume, and clearly the basis for which you claim
> > this is obviously correct) task of substituting in the guest token, and
> > therefore not the named user.  I can't see that code in my master tree.
> > 
> > To be clear, I'm not worried about fixing the uid/gid the account
> > becomes, I'm worried about the other implications of dropping the guest
> > bit (and so adding the authenticated users SID to an un-authenticated
> > user). 
> > 
> > I hope this explains my fears better, so we can work out a way to fix
> > this and alleviate them.
> 
> Been working with Andrew on IRC, and he's suggested a better
> way to fix this and uploaded to the bug report, so I'm withdrawing
> this patch :-).

In particular, testing and code inspection show that the problem code
path doesn't actually exist in 4.0/master.  So this is a 3.6 issue only.

We both expressed our incredible gratitude that security=share no longer
plagues the 4.0/master codebase :-)

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
