[PATCHESv2] Add vfs_admin vfs module

Jeremy Allison jra at samba.org
Tue Oct 6 15:36:34 UTC 2015


On Tue, Oct 06, 2015 at 09:43:57AM +0300, Uri Simchoni wrote:
> 
> 
> On 10/06/2015 03:10 AM, Jeremy Allison wrote:
> >On Sun, Oct 04, 2015 at 09:39:50PM +0300, Uri Simchoni wrote:
> >>This time with correct patch set. Sorry for the mess..
> >>Uri.
> >>
> >>On 10/04/2015 09:28 PM, Uri Simchoni wrote:
> >>>Oops... something got messed up with this patch, resending shortly.
> >>>
> >>>On 10/04/2015 09:22 PM, Uri Simchoni wrote:
> >>>>Hi,
> >>>>
> >>>>This patch set adds vfs_admin, a simple vfs module that fixes
> >>>>file ownership for admin users.
> >>>>When a user is defined as an admin user, smbd runs as root, and
> >>>>files created by this user are
> >>>>owned by root. This patch fixes that by adding a vfs module to
> >>>>change the ownership of created objects.
> >Are there any security implications here? I'm still
> >thinking about this... Do you need to use the race-free
> >techniques we use in change_file_owner_to_parent() ?
> >
> >Jeremy.
> >
> For regular file creation, I use fchown() (SMB_VFS_FCHOWN to behave
> nicely), so I believe no races and no security implications.

Yep.

> For directories, symbolic links, and "mknods", it seems to me
> there's no POSIX way to do it atomically, so from the OS perspective
> there's room for a race. Perhaps SMB's share mode gives some
> protection here - not sure.

For directories, the only "safe" POSIX way to do this as
root is:

a). mkdir(name)
b). fd = open(name, O_RDONLY);
c). fstat(fd);
d). Ensure owner/primary group match current POSIX
creds.
e). fchown(fd, newcreds);

That's not race-free, but at least it can detect
any races.

> When there's a race, it appears to me the implications are not
> security implications but usability implications - the object ends
> up being owned by someone "more powerful" so that could give less
> privileges to someone "less powerful" who believes he created the
> object, and suddenly cannot use it.
> 
> A totally different approach would be to use linux capabilities for
> "admin users" and not run as root - but that's linux specific.

Yeah, I've had disasters with Linux caps, so I don't
want to depend on them :-).
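The mkdir/open/fstat/check/fchown sequence from the reply above, written out as an added example. This is not code from the vfs_admin patch or from Samba; function names, the `MKDIR_CHOWN_*` result codes and the choice of `O_DIRECTORY|O_NOFOLLOW` on the open are this example's own. The demo hands the directory to the caller's own uid/gid so it runs without root; in smbd the target would be the admin user's real credentials.

```c
/* Added example, not Samba code: create a directory, then detect whether
 * something was swapped in under the same name before changing its owner. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum mkdir_chown_result {
    MKDIR_CHOWN_OK = 0,
    MKDIR_CHOWN_ERR = -1,  /* a syscall failed; errno is set */
    MKDIR_CHOWN_RACE = -2  /* the object we opened is not the one we created */
};

/* Step d): the just-created directory must carry the creating process's
 * effective uid/gid. Anything else means the name was replaced between
 * mkdir() and open(). Kept as a pure function so it can be tested with
 * constructed values. */
int owner_matches_creds(uid_t st_uid, gid_t st_gid, uid_t uid, gid_t gid)
{
    return st_uid == uid && st_gid == gid;
}

int mkdir_and_chown_safely(const char *name, mode_t mode,
                           uid_t new_uid, gid_t new_gid)
{
    struct stat st;
    int fd, saved;

    /* a) create with the caller's current credentials */
    if (mkdir(name, mode) == -1)
        return MKDIR_CHOWN_ERR;

    /* b) open it; O_DIRECTORY|O_NOFOLLOW refuses a symlink or plain file
     *    that an attacker may have put in place of our directory */
    fd = open(name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd == -1)
        return MKDIR_CHOWN_ERR;

    /* c) stat the descriptor, not the path, so the check and the fchown()
     *    below apply to the same inode */
    if (fstat(fd, &st) == -1) {
        saved = errno; close(fd); errno = saved;
        return MKDIR_CHOWN_ERR;
    }

    /* d) race detection: ownership must match the creating process */
    if (!owner_matches_creds(st.st_uid, st.st_gid, geteuid(), getegid())) {
        close(fd);
        return MKDIR_CHOWN_RACE;
    }

    /* e) hand the directory to the intended owner via the descriptor */
    if (fchown(fd, new_uid, new_gid) == -1) {
        saved = errno; close(fd); errno = saved;
        return MKDIR_CHOWN_ERR;
    }
    close(fd);
    return MKDIR_CHOWN_OK;
}

/* Unprivileged demo: create a scratch directory, run the sequence on a
 * subdirectory with our own uid/gid, confirm a directory exists, and show
 * that a second attempt on the existing name fails at mkdir() (EEXIST).
 * Returns 0 when everything behaved as expected. */
int demo_in_tmpdir(void)
{
    char base[] = "/tmp/vfsadmin-exampleXXXXXX";  /* constructed path */
    char sub[64];
    struct stat st;
    int rc = 1;

    if (mkdtemp(base) == NULL)
        return 1;
    snprintf(sub, sizeof(sub), "%s/sub", base);

    if (mkdir_and_chown_safely(sub, 0700, geteuid(), getegid()) == MKDIR_CHOWN_OK
        && stat(sub, &st) == 0 && S_ISDIR(st.st_mode)
        && mkdir_and_chown_safely(sub, 0700, geteuid(), getegid()) == MKDIR_CHOWN_ERR
        && errno == EEXIST)
        rc = 0;

    rmdir(sub);
    rmdir(base);
    return rc;
}

int main(void)
{
    printf("demo %s\n", demo_in_tmpdir() == 0 ? "ok" : "failed");
    return 0;
}
```

The fstat() check can only detect a swap that happened before the open; a hard link or rename of the directory after step b) still points the descriptor at the right inode, which is why every later operation uses `fd` rather than `name`.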
