[PATCH] Mark smbstatus as root only util
Jeremy Allison
jra at samba.org
Tue Dec 16 16:29:31 MST 2014
On Tue, Dec 16, 2014 at 06:57:02PM +0100, Volker Lendecke wrote:
> On Tue, Dec 16, 2014 at 09:06:47AM -0800, Jeremy Allison wrote:
> > On Tue, Dec 16, 2014 at 04:02:06PM +0100, Andreas Schneider wrote:
> > > On Tuesday 16 December 2014 15:56:56 Andreas Schneider wrote:
> > > > Hi,
> > > >
> > > > in the meantime smbstatus tries to collection information from tdb's
> > > > which are only accessible by root as they contain sensitive information
> > > > like session keys and other secrets. This means smbstatus can no longer
> > > > be executed as a user.
> > > >
> > > > The attached patch displays a warning and exits.
> > >
> > > Here with the correct patch :)
> >
> > NAK. It needs to be geteuid(), not getuid().
>
> Sorry, I did not see that. It's in now.
Actually, it's ok...
The reason is just before the getuid() check it does:
if (getuid() != geteuid()) {
d_printf("smbstatus should not be run setuid\n");
ret = 1;
goto done;
}
which means uid must == euid anyway. So this patch
works as-is. Sorry for the confusion, it's just that
if (getuid() != 0)
is almost *always* wrong :-).
More information about the samba-technical
mailing list