Some patches to reload tokens when signals sent to Samba and etc
Richard Sharpe
realrichardsharpe at gmail.com
Thu May 15 05:09:03 MDT 2014
On Thu, May 15, 2014 at 2:56 AM, Jeremy Allison <jra at samba.org> wrote:
> On Thu, May 15, 2014 at 02:42:58AM -0700, Richard Sharpe wrote:
>> Hi Folks,
>>
>> These are some patches that were supplied to Tandberg to provide the
>> following functionality:
>>
>> 1. If share-level permissions are changed, put them into effect for
>> currently connected clients.
>>
>> 2. On receipt of a signal (SIGUSR2 etc), reload the user's token in
>> case there has been a change of group memberships etc.
>>
>> These both take the view that already opened files will not be
>> changed. They will retain the access that was granted when the file was
>> opened. However, new opens will see whatever restrictions now apply.
>>
>> The mechanism used to reload the token is not very robust I suspect.
>>
>> Indeed, if Reauthentication is available in the version of SMB being
>> used, it would probably be better to use that.
>
> OK, I'm gonna take this as a conversation starter,
> to work out how to add this functionality into
> smbd.
>
> Using SIGUSR2 for this is a bit of a non-starter
> I'm afraid - smbcontrol messaging is the only
> reasonable way to do this - we *really* don't
> want more signal handlers being added unless we
> just can't avoid it :-).

Yes, smbcontrol would have been a better way to do this. Certainly
for handling mods to the share-level permissions it uses messaging.

> Also, having fixed a bunch of bugs in the token
> processing recently I'm going to look through
> those token changes *really* carefully :-).
>
> Thanks for posting this though Richard, it
> shows a bunch of new features we really should
> think about adding for OEMs (as they obviously
> really need them) !
>
> Cheers,
>
> Jeremy.
--
Regards,
Richard Sharpe
(What can relieve sorrow? Only Du Kang. --Cao Cao)