[PATCH] Log client process name in winbindd

Andrew Bartlett abartlet at samba.org
Mon Nov 5 09:56:18 UTC 2018 

On Mon, 2018-11-05 at 10:47 +0100, Andreas Schneider wrote:
> On Monday, 5 November 2018 09:00:05 CET Andrew Bartlett wrote:
> > On Mon, 2018-11-05 at 08:53 +0100, Andreas Schneider via samba-
> > 
> > technical wrote:
> > > Hello,
> > > 
> > > attached is patchset which will log the name of the client process
> > > connecting> 
> > > to winbindd to request information. It will look like this:
> > > 	winbindd_getpwnam_send: [nss_winbind (18130)] getpwnam SAMBA-TEST/
> 
> nobody
> > > 
> > > or
> > > 
> > > 	winbindd_getuserdomgroups_send: [smbtorture (18506)] getuserdomgroups
> > > 	
> > > 		S-1-5-21-757409344-3469499077-298407722-1000
> > > 
> > > By default it will get the process name. I think for pam_winbind or
> > > nss_winbind we are not interested in the process name as the process
> > > doesn't implement samba code so I changed the name e.g. to nss_winbind.
> > > 
> > > 
> > > Please review and comment. Push if OK.
> > 
> > Shouldn't pam_winbind be using the pam service name if you don't want
> > to be looking for the actual process name?
> 
> I'm now logging the pam_winbind request type. I think that's what you want.

I meant:

      pam_get_item(pamh, PAM_SERVICE, (const void **) &service);
 
> > Also, please sanitize the input here to avoid logfile injection attacks
> > (a broader issue) and other strange things regardless.
> 
> I'm not sure what you exactly want, but I've added something. Please check.

I meant on the server side of the pipe (ie, in the trusted not
untrusted code).  Gary may have suggestions on sanitization, otherwise
look at the existing auth logging stuff.

Which brings me to my next point: once we get this sorted out, we
can/should also log this into the auth logs.  This kind of thing is
exactly why we have some free-form fields in that system.

Finally, I take it that ntlm_auth is handled by this automatically?

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list