[Samba] Warning messages when provisioning an ADDC

Ralph Boehme slow at samba.org
Tue Feb 9 08:57:38 UTC 2021

Am 2/9/21 um 9:15 AM schrieb Andrew Bartlett:
> Regarding unprivileged containers, jails etc, I would warn that anyone
> who stores Samba ACLs in an unprivileged namespace owns the security
> result themselves.  Samba assumes that these values are protected by
> the kernel, if they are not then our security assumptions are revoked.

hm, hm, with the acl_xattr VFS module with "acl_xattr:ignore system 
acls" set to yes we're already relying on userspace for security 
bypassing the kernel, so I wonder whether the namespace issue is really 
the one I would worry about. As long as users don't have direct access 
to the server storing the xattr in the user namespace might be an option.



Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20210209/dbf7c638/OpenPGP_signature.sig>

More information about the samba mailing list