[PATCHESv2] Add vfs_admin vfs module

Uri Simchoni uri at samba.org
Tue Oct 6 06:43:57 UTC 2015



On 10/06/2015 03:10 AM, Jeremy Allison wrote:
> On Sun, Oct 04, 2015 at 09:39:50PM +0300, Uri Simchoni wrote:
>> This time with correct patch set. Sorry for the mess..
>> Uri.
>>
>> On 10/04/2015 09:28 PM, Uri Simchoni wrote:
>>> Oops... something got messed up with this patch, resending shortly.
>>>
>>> On 10/04/2015 09:22 PM, Uri Simchoni wrote:
>>>> Hi,
>>>>
>>>> This patch set adds vfs_admin, a simple vfs module that fixes
>>>> file ownership for admin users.
>>>> When a user is defined as an admin user, smbd runs as root, and
>>>> files created by this user are
>>>> owned by root. This patch fixes that by adding a vfs module to
>>>> change the ownership of created objects.
> Are there any security implications here ? I'm still
> thinking about this.. Do you need to use the race-free
> techniques we use in change_file_owner_to_parent() ?
>
> Jeremy.
>
For regular file creation, I use fchown() (SMB_VFS_FCHOWN to behave 
nicely), so I believe no races and no security implications.

For directories, symbolic links, and "mknods", it seems to me there's no 
POSIX way to do it atomically, so from the OS perspective there's room 
for a race. Perhaps SMB's share mode gives some protection here - not sure.

When there's a race, it appears to me the implications are not security 
implications but usability implications - the object ends up being owned 
by someone "more powerful" so that could give less privileges to someone 
"less powerful" who believes he created the object, and suddenly cannot 
use it.

A totally different approach would be to use Linux capabilities for 
"admin users" and not run as root - but that's Linux specific.

Uri.
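
The two cases discussed in the message above, as an added example (not part of the original thread and not Samba code): a regular file is chowned through the descriptor returned by the creating open(), while a directory has to be looked up again after mkdirat(), so it is opened with O_NOFOLLOW, checked, and chowned through that descriptor. The function names and the "still owned by the creator" check are assumptions of this example; the check narrows the window between the two calls but does not make the pair atomic.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Regular file: the fd returned by the creating open() is the object
 * that gets chowned, so the path is never resolved a second time. */
int create_file_owned(int parent_fd, const char *name, uid_t uid, gid_t gid)
{
    int fd = openat(parent_fd, name,
                    O_CREAT | O_EXCL | O_WRONLY | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    int rc = fchown(fd, uid, gid);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Directory: mkdirat() returns no fd, so the name is looked up again.
 * Refuse symlinks and non-directories, require that the object is still
 * owned by the creating uid, then chown through the fd, not the path. */
int chown_new_dir(int parent_fd, const char *name, uid_t creator,
                  uid_t uid, gid_t gid)
{
    struct stat st;
    int fd = openat(parent_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    int rc = -1, saved = EPERM;
    if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) && st.st_uid == creator) {
        rc = fchown(fd, uid, gid);
        saved = errno;
    }
    close(fd);
    errno = saved;
    return rc;
}

/* mkdirat() fails with EEXIST if the name already exists, symlink included. */
int create_dir_owned(int parent_fd, const char *name, uid_t uid, gid_t gid)
{
    if (mkdirat(parent_fd, name, 0700) != 0)
        return -1;
    return chown_new_dir(parent_fd, name, geteuid(), uid, gid);
}
```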


