[PATCHES] smbcontrol disconnect-client

David Collier-Brown davec-b at rogers.com
Sat Dec 7 13:59:02 MST 2013 

On 12/07/2013 07:05 AM, Stefan (metze) Metzmacher wrote:
> Am 07.12.2013 00:15, schrieb Christof Schmitt:
>> Here are a few patches that Christian had developed some time ago. They
>> implement a 'smbcontrol disconnect-client <ip address>'  call that
>> disconnects all clients from a certain IP address. That is useful when a
>> config file for a specific client has been changed and that change has
>> to be enforced.
>>
>> Comments?
> I think this is too dangerous, if the client still has files with
> batch/exclusive oplocks
> open and changes in the local buffer, we may trigger data corruption. At
> least without
> durable opens.
>
>
> I think the command (maybe a 2nd one) should first trigger a break to
> level2 to all opens
> and don't grant more for the rest of the connection lifetime. And the
> disconnect
> should only work if the connection is in good shape.
>
> metze
>
If you're strictly thinking of security, you may want to separate this
out into one or more specific operations.

One might be a "quiesce client", so that the client will stop using a
samba service and disconnect safely.  It can then reconnect to the same
or a different service, under different ground-rules. That will work for
misconfigurations, brain-dead clients and the like.

A second one might be "kick quiesced client entirely off", for
recovering from wedged clients, bugs and the like. It would only apply
after one did what one could to quiesce the user.

In the scurity space, a possible third is "apply new restriction", which
would succeed if the client was not currently using the thing
restricted, and fail if not.  On failure, you might then need to quiesce
them so that they disconnected and thereafter could only connect with
the restriction in place. That's less dangerous that an unconditional
disconnect.

Or, you could simply say "restrictions come into play on open/connect",
and not have to do anything with the client. 
The latter won't pass orange-book requirements, but it's not
unreasonable so long as one does have a "kill" in one's back pocket to
deal with really evil cases.

--dave
[Multics AIM under the Orange Book had a "apply MAC change right now"
functionality that could utterly mess up a process that was losing
privilege.  It was one of the few cases I know of where a sysadmin could
really do something harmful]

-- 
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb at spamcop.net           |                      -- Mark Twain
(416) 223-8968

More information about the samba-technical mailing list