[PATCH] s3: introduce new share parameter "open special files"

Scott Lovenberg scott.lovenberg at gmail.com
Fri May 3 15:35:32 MDT 2013


On Fri, May 3, 2013 at 4:55 PM, Simo <simo at samba.org> wrote:

> On 05/03/2013 07:15 AM, Ralph Wuerthner wrote:
>
>> Hi list,
>>
>> attached patch introduces a new share parameter "open special files" to
>> control whether special files such as sockets, devices and FIFOs will be
>> opened by the server or not. If set to "no" open requests to special files
>> will fail with "access denied". Default value for "open special files" is
>> "no".
>>
>> Access to special files imposes a security risk because it may for example
>> allow remote clients raw access to local hard drives or kernel memory.
>>
>> Regards
>>
>>         Ralph
>>
>
> Access to device files is already regulated via file system permissions,
> why do we need an additional special option?
> In what case is it OK to give a user access on a file locally but
> artificially prevent that access via Samba?
>
> Simo.
>
>
To be completely fair, Samba already allows this via a couple of overrides.
However, I concur with Andrew; if Samba is your last line of defense,
you've messed something up along the way (this is, of course, paraphrased).
I know that I strive to handle permissions at the lowest level possible to
cover for all possibilities at the higher end of the stack.


-- 
Peace and Blessings,
-Scott.
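
The behaviour Ralph describes (open requests to sockets, devices and FIFOs failing with "access denied" unless the option is enabled) can be sketched as a file-type check around open(). This is an added example, not code from the attached patch or from Samba; `open_checked`, `allow_special` and `demo` are hypothetical names, and the files it touches are constructed in a temporary directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not Samba code: open path, but unless allow_special
 * is nonzero refuse FIFOs, sockets and device nodes with EACCES. */
int open_checked(const char *path, int flags, int allow_special)
{
    struct stat st;
    /* Pre-check by path: merely opening some device nodes has side effects. */
    if (!allow_special && stat(path, &st) == 0 &&
        !S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode)) {
        errno = EACCES;
        return -1;
    }
    /* O_NONBLOCK keeps a FIFO without a peer from hanging the caller. */
    int fd = open(path, flags | O_NONBLOCK | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* Re-check the descriptor: the path may have been swapped after stat().
     * Fail closed (EACCES) if the type cannot be confirmed. */
    if (fstat(fd, &st) != 0 ||
        (!allow_special && !S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode))) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Constructed input: a regular file and a FIFO in a temp directory. Returns
 * bit 0 = regular file opened, bit 1 = FIFO refused, bit 2 = FIFO allowed. */
int demo(void)
{
    char dir[] = "/tmp/osf-XXXXXX", reg[64], fifo[64];
    int fd, r = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(reg, sizeof reg, "%s/regular", dir);
    snprintf(fifo, sizeof fifo, "%s/fifo", dir);
    if ((fd = open(reg, O_CREAT | O_WRONLY, 0600)) < 0 || close(fd) != 0 ||
        mkfifo(fifo, 0600) != 0) return -1;
    if ((fd = open_checked(reg, O_RDONLY, 0)) >= 0) { r |= 1; close(fd); }
    if (open_checked(fifo, O_RDONLY, 0) < 0 && errno == EACCES) r |= 2;
    if ((fd = open_checked(fifo, O_RDONLY, 1)) >= 0) { r |= 4; close(fd); }
    unlink(reg); unlink(fifo); rmdir(dir);
    return r;
}

int main(void) { printf("result mask: %d\n", demo()); return 0; }
```

The check is independent of file system permissions: the FIFO here is readable by the calling user and is still refused when `allow_special` is 0.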


More information about the samba-technical mailing list