doing a test build of samba
abartlet at samba.org
Mon Apr 4 22:31:24 UTC 2022
On Tue, 2022-04-05 at 00:58 +0300, Michael Tokarev wrote:
> 05.04.2022 00:51, Andrew Bartlett wrote:
> > > build enables -D WITH_NTVFS_FILESERVER=1.
> > > This one, in turn does this:
> > This MUST NOT be enabled in production, as Samba upstream provides
> > no
> > security support for this code, which remains because it is hard
> > work
> > to remove due to the support it provides to some of our tests.
> How about just removing $libdir/samba/service/smb.so for production
> It is not enabled by default in "server services" anyway, so in order
> to trigger any issues in that code (security or not), one have to
> it in the config first (server services = +smb).
> But it is still not a big deal to just remove it on install, is it?
> I especially looked at what's being enabled. I found this very
> plus a few unrelated goodies.
> > If you want to do a selftest build, do a selftest build but don't
> > put
> > it into the production binaries.
> What else, besides smb.so, is wrong?
> > If Debian can't handle that, talk to Debian :-)
> Debian can, but why?
Samba really doesn't want to make security support promises for code
compiled with --enable-developer or --enable-selftest. There are other
#ifdef things, like fault injection (root-only I think) and in the past
we would honour more environment variables for unsafe things.
We try not do make it horribly unsafe, but I would be disturbed if a
major packager distributed binaries compiled that way.
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
More information about the samba-technical