[Samba] Warning messages when provisioning an ADDC
Ralph Boehme
slow at samba.org
Tue Feb 9 08:57:38 UTC 2021
On 2/9/21 at 9:15 AM, Andrew Bartlett wrote:
> Regarding unprivileged containers, jails etc, I would warn that anyone
> who stores Samba ACLs in an unprivileged namespace owns the security
> result themselves. Samba assumes that these values are protected by
> the kernel, if they are not then our security assumptions are revoked.
Hm, hm, with the acl_xattr VFS module with "acl_xattr:ignore system
acls" set to yes we're already relying on userspace for security,
bypassing the kernel, so I wonder whether the namespace issue is really
the one I would worry about. As long as users don't have direct access
to the server, storing the xattr in the user namespace might be an option.
Thoughts?
-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46