[PATCH] s4/provision: don't mix local uid numbers with domain mappings

Andrew Bartlett abartlet at samba.org
Wed Dec 13 22:01:11 UTC 2017


On Wed, 2017-12-13 at 14:42 +0100, Björn Jacke via samba-technical
wrote:
> From 514e4d8c57b9189a0a3dddcee1748db832f7b851 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Bj=C3=B6rn=20Jacke?= <bjacke at samba.org>
> Date: Wed, 13 Dec 2017 14:38:03 +0100
> Subject: [PATCH] s4/provision: don't mix local uid numbers with domain
>  mappings
> 
> Mixing local IDs with domain-mapped IDs is a bad idea. Especially, don't mess
> with root's uid 0.
> 
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=9837
> 
> Signed-off-by: Bjoern Jacke <bjacke at samba.org>
> ---
>  python/samba/provision/__init__.py | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
> index d95f46a..b63ef2e 100644
> --- a/python/samba/provision/__init__.py
> +++ b/python/samba/provision/__init__.py
> @@ -786,8 +786,10 @@ def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
>      """
>      idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid)
>  
> -    idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid)
> -    idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID, users_gid)
> +    # we should not mess with local uid/gid numbers (especially not root's
> +    # and the domain mappings, see bug 9837.
> +    #idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid)
> +    #idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID, users_gid)
>  
>  
>  def setup_samdb_partitions(samdb_path, logger, lp, session_info,
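
Review bot: the `sid + "-500"` and `sid + "-513"` mapping calls are commented out rather than deleted; code left behind a `#` tends to get resurrected, so drop the two lines and let the commit message and bug 9837 carry the history. The new comment is also missing its closing parenthesis after `root's ... and the domain mappings`. Since `root_uid` remains in the `setup_name_mappings` signature but is no longer used in the visible body, either remove the parameter or state in the function's docstring that the RID-500 account intentionally no longer maps to the local root uid, so the behaviour change (which uid Administrator now receives, and therefore whether it can still override permissions on files owned by others) is documented rather than implied.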

My primary concern with this is: will, after this, administrator have
the rights of root in terms of being able to override permissions on
the files owned by others?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba