[PATCH] Fix bug #9746 - guest ok + force user + force group doesn't work
jra at samba.org
Wed Apr 3 18:10:24 MDT 2013
On Thu, Apr 04, 2013 at 11:07:02AM +1100, Andrew Bartlett wrote:
> On Wed, 2013-04-03 at 15:57 -0700, Jeremy Allison wrote:
> > On Thu, Apr 04, 2013 at 09:06:46AM +1100, Andrew Bartlett wrote:
> > >
> > > If authentication/authorization code isn't obviously correct to me, then
> > > I stand by it not being obviously correct. If it is un-obviously
> > > correct, then we need clarifications and comments so it becomes so.
> > >
> > > The ordering in make_connection_snum() is subtle, and while we check the
> > > 'guest ok' smb.conf parameter first-up, the check against the share ACL
> > > is currently after the force user/group stuff, and this change.
> > >
> > > From here, I would like to understand where we use the is_guest flag for
> > > the (reasonable to assume, and clearly the basis for which you claim
> > > this is obviously correct) task of substituting in the guest token, and
> > > therefore not the named user. I can't see that code in my master tree.
> > >
> > > To be clear, I'm not worried about fixing the uid/gid the account
> > > becomes, I'm worried about the other implications of dropping the guest
> > > bit (and so adding the authenticated users SID to an un-authenticated
> > > user).
> > >
> > > I hope this explains my fears better, so we can work out a way to fix
> > > this and alleviate them.
> > Been working with Andrew on IRC, and he's suggested a better
> > way to fix this and uploaded to the bug report, so I'm withdrawing
> > this patch :-).
> In particular, testing and code inspection shows that the problem code
> path doesn't actually exist in 4.0/master. So this is a 3.6 issue only.
Yes, Andrew is completely correct on that. The code *looks* the same,
but the underlying semantics are actually different :-). That's why
the forward port wasn't needed.
> We both expressed our incredible gratitude that security=share no longer
> plagues the 4.0/master codebase :-)
For which I'm still *very* thankful :-).