doing a test build of samba

Michael Tokarev mjt at
Mon Apr 4 22:52:14 UTC 2022

05.04.2022 01:31, Andrew Bartlett wrote:
> Samba really doesn't want to make security support promises for code
> compiled with --enable-developer or --enable-selftest.  There are other
> #ifdef things, like fault injection (root-only I think) and in the past
> we would honour more environment variables for unsafe things.

Yeah, fault injection and sleep in smbcontrol, I mentioned that.

Now when I think about this, maybe it is not just "root only" it _might_
be more than that - say, different apparmor profiles or selinux contexts
or containers or whatnot, but you gain control over the socket and you can
do evil things. Probably still a moot point though, since other stuff is
possible already. But it is still something to think about.

Overall things definitely does not look as bad as you describe.
To *me*, - sure, I know right to nothing about it.  After all, maybe
one day there's some new code guarded by WITH_NTVFS_FILESERVER or
WITH_SELFTESTS by someone who didn't think some weird distribution
enables this on production...

> We try not do make it horribly unsafe, but I would be disturbed if a
> major packager distributed binaries compiled that way.

So I'm back to my other question, - is it possible to build it in a
different directory, not in ./bin[/default]/, so there's no need to
mess up with directory renaming?

There is --with-selftest-prefix= but not --with-build-prefix.

And there is, apparently, this:

wscript:out = 'bin'
ctdb/wscript:out = 'bin'
lib/ldb/wscript:out = 'bin'

So it looks like the answer is "no" :)

I just dislike the hacking around renames or duplicating the
source tree for different builds.. :)



More information about the samba-technical mailing list