[Samba] Warning messages when provisioning an ADDC

Andrew Bartlett abartlet at samba.org
Tue Feb 9 22:03:13 UTC 2021

On Tue, 2021-02-09 at 09:57 +0100, Ralph Boehme via samba wrote:
> Am 2/9/21 um 9:15 AM schrieb Andrew Bartlett:
> > Regarding unprivileged containers, jails etc, I would warn that
> > anyone
> > who stores Samba ACLs in an unprivileged namespace owns the
> > security
> > result themselves.  Samba assumes that these values are protected
> > by
> > the kernel, if they are not then our security assumptions are
> > revoked.
> hm, hm, with the acl_xattr VFS module with "acl_xattr:ignore system 
> acls" set to yes we're already relying on userspace for security 
> bypassing the kernel, so I wonder whether the namespace issue is
> really 
> the one I would worry about. As long as users don't have direct
> access 
> to the server storing the xattr in the user namespace might be an
> option.

Well, I guess I'm just nervous that the security assumptions of
"acl_xattr:ignore system acls" and some of the other cases where our
stored NT ACL trumps the kernel ACL interpretation are based on the
xattr being read-only to normal users.

Are we really sure there is no remote method to access these?

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT - Expert Open Source

More information about the samba mailing list