samba 2.2.2, session userids, and hp-ux 11.00

Andrew Bartlett abartlet at pcug.org.au
Mon Jan 14 05:51:07 GMT 2002


Frank Smith wrote:
> 
> andrew, gerald,
> 
> i said:
> > > > with samba 2.2.2 and hp-ux 11.00, i noticed that the smbd
> > > > sessions retained the root userid, even though they created test files
> > > > with the
> > > > appropriate ownership:
> > > >     root   641     1  0  Jan  7  ?         0:02 /usr/sbin/inetd
> > > >     root  7749   641  0 02:08:35 ?         0:00 smbd
> > > >     root  7747   641  1 02:08:18 ?         0:00 smbd
> > > >     root  7751   641  0 02:08:49 ?         0:00 smbd
> > > > btw- the smbd daemon is launched via inetd.
> > > >
> > > > user daemons running as root processes concern me because if/when someone
> > > > cracks their samba daemon, they gain root access to my system.
> 
> gerald said:
> > > smbd runs as root except when performing some operation on behalf
> > > of the user.   This is by design.
> 
> problem is, these daemons WERE launched on behalf of the user.  they were NOT
> launched as a smbd -D process.  each smbd process started after the user
> performed a net use command on a nt box.  thus, i expected to see joe user's
> userid rather than root.

Samba never 'becomes' a particular user on any permanent basis - it just
dips in and out of specific user contexts as needed.
 
> andrew said:
> > It's also a fairly recent change that both confuses admins and makes a
> > quick 'who is that chewing my cpu' a little harder.
> >
> > That said, one smbd can serve any number of users, and often has to do
> > things as root.  As such we now move back to root in our idle loop - I
> > think we only did that as required in the past (meaning we ran as the
> > user most of the time instead).
> 
> ummmm.  i was not aware that the samba daemons switched userids back and forth.
>  this makes smbd daemons sound a lot more like nfsd daemons in terms of
> behavior.  however, i thought nfs used udp while samba used tcp.  doesn't that
> make it hard to switch from one smbd process to another?  i'm also still
> concerned about what happens if someone cracks the smbd process (a'la buffer
> overflow or something like it).

If there is a buffer overflow in samba then yes - we are screwed...

In a way Samba operates quite like an nfs daemon because while each
client gets its own TCP/IP connection, many people can use that same
connection (think windows terminal server).

> thank you, andrew.  your answer makes sense to me and matches my observations
> of samba-2.2.2 behavior, even if it does raise other questions and issues.

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
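
The "dips in and out of specific user contexts" pattern described above, as an added C example that is not part of the original post and is not Samba's code: it switches only the effective uid/gid for one request and then returns to the idle identity, leaving the real uid untouched. The names `become_user`, `unbecome_user` and `handle_request`, and the id 65534, are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for seteuid()/setegid() */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

struct ids { uid_t real, effective; };

/* Enter a user's context. Only the effective ids change; the real and saved
 * ids stay as they were, which is what makes the switch reversible. A full
 * server also switches supplementary groups (setgroups); omitted here. */
static int become_user(uid_t uid, gid_t gid) {
    gid_t idle_gid = getegid();
    if (setegid(gid) != 0) return -1;          /* group first, while privileged */
    if (seteuid(uid) != 0) {
        if (setegid(idle_gid) != 0) return -2; /* could not undo the group */
        return -1;
    }
    return 0;
}

/* Go back to the idle-loop identity: uid first, to regain the right to setegid. */
static int unbecome_user(uid_t idle_uid, gid_t idle_gid) {
    if (seteuid(idle_uid) != 0) return -1;
    return setegid(idle_gid) != 0 ? -1 : 0;
}

/* One request: act as the user, record the ids in force, return to idle. */
static int handle_request(uid_t uid, gid_t gid, struct ids *during) {
    uid_t idle_uid = geteuid();
    gid_t idle_gid = getegid();
    if (become_user(uid, gid) != 0) return -1;
    during->real = getuid();        /* unchanged by the switch */
    during->effective = geteuid();  /* files created now are owned by uid */
    return unbecome_user(idle_uid, idle_gid);
}

int main(void) {
    /* Constructed input: id 65534 when started as root, else our own ids. */
    int root = geteuid() == 0;
    uid_t uid = root ? (uid_t)65534 : getuid();
    gid_t gid = root ? (gid_t)65534 : getgid();
    struct ids during;
    if (handle_request(uid, gid, &during) != 0) { perror("handle_request"); return 1; }
    printf("in request: real=%ld effective=%ld\n", (long)during.real, (long)during.effective);
    printf("idle again: real=%ld effective=%ld\n", (long)getuid(), (long)geteuid());
    return 0;
}
```

Because the real and saved ids are never given up, the process can always return to its idle identity, which is why a memory-corruption bug in such a daemon exposes root regardless of which user was being served at the time.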



