Proposal for changes in become root
Xavi Hernandez
xhernandez at gmail.com
Mon Apr 22 10:46:30 UTC 2024
Hi Ralph,
On Mon, Apr 22, 2024 at 12:30 PM Ralph Boehme <slow at samba.org> wrote:
> Hi Xavi
>
> On 4/22/24 11:11, Xavi Hernandez via samba-technical wrote:
> > What do you think ?
> the future plan is to move the impersonation to the VFS by passing an
> abstract impersonation object to all VFS functions and then let the VFS
> modules do the impersonation.
>
> metze and I have designed and implemented 75% of what would be needed here:
>
> <
> https://git.samba.org/?p=slow/samba.git;a=shortlog;h=refs/heads/impersonation
> >
>
> The top commit has a few notes and TODO.
>
> <
> https://git.samba.org/?p=slow/samba.git;a=blob;f=Impersonation_Plan.org;h=ea6fe04825ec57ba4c0a7e6476255129e3f3133a;hb=f4ca9ebfc1269bbe7c3319eb991e1d0ea44a08a9
> >
>
> This is probably not what you were asking for, but I'm afraid tunneling
> become_root() through the VFS would further complicate the current logic
> and also doesn't allow avoiding all impersonation changes, eg the logic
> around change_to_user_and_service_by_fsp() and
> become_user_without_service_by_fsp().
>
That's very interesting. I wasn't aware of this work.
I've just started to take a look, but if I understand it correctly, the
user credentials will be set just before doing the system call. I've not
seen any reference to become_root() (I may have missed something, though),
but I guess it needs to integrate with that and, in this case, it won't
issue any syscalls to change the current process owner, right ?
That approach could be very useful for what I really wanted to do. If I see
it correctly, the credentials switch happens in vfs_default, so modules are
free to implement the credentials as they want.
See also the recent problems caused by trying to use capabilities
> instead of become_root(). Adding more logic to this is going to
> massively hurt us in the long run.
>
> Just throwing this out quickly here, we can provide more details and
> help with the design, rebase or answer any questions you may have.
>
I'll take a deeper look into this to understand it better, and come back
with more questions if needed.
Thank you very much !!!
Xavi
More information about the samba-technical
mailing list