samba 2.2.2, session userids, and hp-ux 11.00

Andrew Bartlett abartlet at pcug.org.au
Thu Jan 10 04:07:03 GMT 2002


"Gerald (Jerry) Carter" wrote:
> 
> On Wed, 9 Jan 2002, Frank Smith wrote:
> 
> > with samba 2.2.2 and hp-ux 11.00, i noticed that the smbd
> > sessions retained the root userid, even though they created test files with the
> > appropriate ownership:
> >     root   641     1  0  Jan  7  ?         0:02 /usr/sbin/inetd
> >     root  7749   641  0 02:08:35 ?         0:00 smbd
> >     root  7747   641  1 02:08:18 ?         0:00 smbd
> >     root  7751   641  0 02:08:49 ?         0:00 smbd
> > btw- the smbd daemon is launched via inetd.
> >
> > user daemons running as root processes concern me because if/when someone
> > cracks their samba daemon, they gain root access to my system.
> 
> smbd runs as root except when performing some operation on behalf
> of the user.  This is by design.

It's also a fairly recent change that both confuses admins and makes a
quick 'who is that chewing my cpu' a little harder.

That said, one smbd can serve any number of users, and often has to do
things as root.  As such we now move back to root in our idle loop - I
think we only did that as required in the past (meaning we ran as the
user most of the time instead).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
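
The switching described in this thread, as an added example that is not part of the original messages and is not Samba's code: a process changes only its effective uid/gid for one file operation, then returns to the IDs it had before. The helper name `create_as_user` and the /tmp path are assumptions for illustration, and supplementary groups are not handled.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: create `path` with the effective IDs (uid, gid), then
 * return to the IDs the process had before, as a daemon's idle loop would.
 * Returns 0 on success, -1 if the switch or the create failed, and -2 if the
 * original IDs could not be restored (the caller should exit in that case).
 * Supplementary groups are left unchanged to keep the sketch short. */
int create_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t old_uid = geteuid();
    gid_t old_gid = getegid();
    int rc = -1;

    /* Group first: once the euid is unprivileged, setegid() may be refused. */
    if (setegid(gid) != 0)
        return -1;
    /* Check the result; never carry on with the old (root) euid by accident. */
    if (seteuid(uid) != 0 || geteuid() != uid)
        return setegid(old_gid) != 0 ? -2 : -1;

    /* O_EXCL: refuse to reuse a file someone else put there. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        close(fd);
        rc = 0;
    }

    /* Restore the uid first so that restoring the gid is permitted again. */
    if (seteuid(old_uid) != 0 || setegid(old_gid) != 0)
        return -2;
    return rc;
}

int main(void)
{
    const char *path = "/tmp/euid_demo_file";   /* constructed sample path */
    struct stat st;

    unlink(path);
    int rc = create_as_user(path, getuid(), getgid());
    if (rc == 0 && stat(path, &st) == 0)
        printf("file uid=%ld  process ruid=%ld euid=%ld\n",
               (long)st.st_uid, (long)getuid(), (long)geteuid());
    unlink(path);
    return rc == 0 ? 0 : 1;
}
```

When run as root with another user's uid, the created file belongs to that user while the real uid stays 0, so the process can always return to root afterwards.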



