[PATCH] Log client process name in winbindd

Andreas Schneider asn at samba.org
Mon Nov 5 11:14:38 UTC 2018


On Monday, 5 November 2018 10:56:18 CET Andrew Bartlett via samba-technical 
wrote:
> On Mon, 2018-11-05 at 10:47 +0100, Andreas Schneider wrote:
> > On Monday, 5 November 2018 09:00:05 CET Andrew Bartlett wrote:
> > > On Mon, 2018-11-05 at 08:53 +0100, Andreas Schneider via samba-technical wrote:
> > > > Hello,
> > > > 
> > > > attached is a patchset which will log the name of the client process
> > > > connecting to winbindd to request information. It will look like this:
> > > > 
> > > > 	winbindd_getpwnam_send: [nss_winbind (18130)] getpwnam SAMBA-TEST/nobody
> > > > 
> > > > or
> > > > 
> > > > 	winbindd_getuserdomgroups_send: [smbtorture (18506)] getuserdomgroups S-1-5-21-757409344-3469499077-298407722-1000
> > > > 
> > > > By default it will get the process name. I think for pam_winbind or
> > > > nss_winbind we are not interested in the process name as the process
> > > > doesn't implement samba code so I changed the name e.g. to
> > > > nss_winbind.
> > > > 
> > > > 
> > > > Please review and comment. Push if OK.
> > > 
> > > Shouldn't pam_winbind be using the pam service name if you don't want
> > > to be looking for the actual process name?
> > 
> > I'm now logging the pam_winbind request type. I think that's what you
> > want.
> 
> I meant:
> 
>       pam_get_item(pamh, PAM_SERVICE, (const void **) &service);
> 
> > > Also, please sanitize the input here to avoid logfile injection attacks
> > > (a broader issue) and other strange things regardless.
> > 
> > I'm not sure what you exactly want, but I've added something. Please
> > check.
> 
> I meant on the server side of the pipe (ie, in the trusted not
> untrusted code).  Gary may have suggestions on sanitization, otherwise
> look at the existing auth logging stuff.

I think you open a new can of worms, then you also have to sanitize user names 
and all other strings sent over that protocol. Those are also directly passed 
to DEBUG ...

> Finally, I take it that ntlm_auth is handled by this automatically?

The process name is used so it will be ntlm_auth.


	Andreas

-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
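
The server-side sanitization asked for in this thread, sketched as an added example (not part of the original message and not Samba code): a hypothetical `log_escape_field()` escapes control characters, backslashes and non-ASCII bytes in a client-supplied name before it reaches a log call. It assumes the name arrives in a fixed-size field that may lack a terminating NUL; the input in `main()` is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Hypothetical helper (not a Samba function): copy a client-supplied,
 * possibly unterminated field of at most in_len bytes into out, escaping
 * every byte that could forge or corrupt a log line. Returns the number
 * of bytes written, excluding the terminating NUL.
 */
size_t log_escape_field(const char *in, size_t in_len,
			char *out, size_t out_size)
{
	static const char hex[] = "0123456789ABCDEF";
	size_t i, o = 0;

	if (out_size == 0) {
		return 0;
	}
	for (i = 0; i < in_len && in[i] != '\0'; i++) {
		unsigned char c = (unsigned char)in[i];
		/* Printable ASCII except backslash passes through. */
		int plain = (c >= 0x20 && c < 0x7f && c != '\\');
		size_t need = plain ? 1 : 4;
		if (o + need >= out_size) {
			break;	/* truncate on a whole-escape boundary */
		}
		if (plain) {
			out[o++] = (char)c;
		} else {
			out[o++] = '\\';
			out[o++] = 'x';
			out[o++] = hex[c >> 4];
			out[o++] = hex[c & 0x0f];
		}
	}
	out[o] = '\0';
	return o;
}

int main(void)
{
	/* Constructed input: a client name carrying a forged log line. */
	const char name[] = "evil\nwinbindd_getpwnam_send: [sshd (1)] ok";
	char safe[128];

	log_escape_field(name, sizeof(name), safe, sizeof(safe));
	printf("[%s (%d)] getpwnam\n", safe, 18130);
	return 0;
}
```

Escaping the backslash itself keeps the output unambiguous, so a reader of the log can tell an escaped newline from a client that sent the literal characters `\x0A`.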




