doing a test build of samba

Andrew Bartlett abartlet at
Mon Apr 4 22:31:24 UTC 2022

On Tue, 2022-04-05 at 00:58 +0300, Michael Tokarev wrote:
> 05.04.2022 00:51, Andrew Bartlett wrote:
> > > build enables -D WITH_NTVFS_FILESERVER=1.
> > > This one, in turn does this:
> > 
> > This MUST NOT be enabled in production, as Samba upstream provides no
> > security support for this code, which remains because it is hard work
> > to remove due to the support it provides to some of our tests.
> How about just removing $libdir/samba/service/ for production package?
> It is not enabled by default in "server services" anyway, so in order
> to trigger any issues in that code (security or not), one has to enable
> it in the config first (server services = +smb).
> But it is still not a big deal to just remove it on install, is it?
> I especially looked at what's being enabled. I found this very module,
> plus a few unrelated goodies.
> > If you want to do a selftest build, do a selftest build but don't put
> > it into the production binaries.
> What else, besides, is wrong?
> > If Debian can't handle that, talk to Debian :-)
> Debian can, but why?

Samba really doesn't want to make security support promises for code
compiled with --enable-developer or --enable-selftest.  There are other
#ifdef things, like fault injection (root-only I think) and in the past
we would honour more environment variables for unsafe things.

We try not to make it horribly unsafe, but I would be disturbed if a
major packager distributed binaries compiled that way.

Andrew Bartlett

Andrew Bartlett (he/him)
Samba Team Member (since 2001)
Samba Team Lead, Catalyst IT

Samba Development and Support, Catalyst IT - Expert Open Source
