[PATCH] Fix bug #9746 - guest ok + force user + force group doesn't work
Andrew Bartlett
abartlet at samba.org
Wed Apr 3 18:07:02 MDT 2013
On Wed, 2013-04-03 at 15:57 -0700, Jeremy Allison wrote:
> On Thu, Apr 04, 2013 at 09:06:46AM +1100, Andrew Bartlett wrote:
> >
> > If authentication/authorization code isn't obviously correct to me, then
> > I stand by it not being obviously correct. If it is un-obviously
> > correct, then we need clarifications and comments so it becomes so.
> >
> > The ordering in make_connection_snum() is subtle, and while we check the
> > 'guest ok' smb.conf parameter first-up, the check against the share ACL
> > is currently after the force user/group stuff, and this change.
> >
> > From here, I would like to understand where we use the is_guest flag for
> > the (reasonable to assume, and clearly the basis for which you claim
> > this is obviously correct) task of substituting in the guest token, and
> > therefore not the named user. I can't see that code in my master tree.
> >
> > To be clear, I'm not worried about fixing the uid/gid the account
> > becomes, I'm worried about the other implications of dropping the guest
> > bit (and so adding the authenticated users SID to an un-authenticated
> > user).
> >
> > I hope this explains my fears better, so we can work out a way to fix
> > this and alleviate them.
>
> Been working with Andrew on IRC, and he's suggested a better
> way to fix this and uploaded to the bug report, so I'm withdrawing
> this patch :-).

In particular, testing and code inspection show that the problem code
path doesn't actually exist in 4.0/master. So this is a 3.6 issue only.

We both expressed our incredible gratitude that security=share no longer
plagues the 4.0/master codebase :-)

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org