se-samba - a possible way to get round no seteuid
Russell Coker
russell at coker.com.au
Thu Jun 10 07:31:39 GMT 2004
On Wed, 9 Jun 2004 20:03, Luke Kenneth Casson Leighton <lkcl at lkcl.net> wrote:
> then, a set of capabilities can be associated with each executable,
> which will of course do a straight execve to /usr/sbin/exim4 -
> taking the new context with it.
>
> it occurred to me that a similar approach could be taken with samba.
>
> instead of doing a seteuid back to root, you do an execve to
> an executable named samba-root.

That doesn't work. There are more possible UIDs than the root file system may
have Inodes...

We just need to have Samba know about SE Linux and tell the kernel what
context it wants the child process to use.

> or, in the main loop, you do an execve() to an executable named
> smbd-child, and then do a setuid, and when you're done, you do
> an execve back to smbd.

execve back to smbd is a bad idea. I believe that samba already has code to
setuid() and then exit when finished with that UID, we should plan for the
same design. Letting smbd go back to the main context provides no real
benefit but a lot of work in serialisation.

> it's a hell of a lot simpler approach than messing about with
> proxying and a darn sight simpler than doing a rewrite of samba
> to do user-space checking.

This still doesn't cover the case of a single TCP connection having more than
one identity...
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
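
The "setuid() and then exit when finished with that UID" design discussed in the message above, as an added example that is not part of the original post and not Samba's code. The names drop_identity, run_as and sample_request are hypothetical, the request is a constructed stand-in, and SELinux context selection for the child is not shown.

```c
#define _GNU_SOURCE   /* exposes setgroups() under strict -std= modes */
#include <errno.h>
#include <grp.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child side: give up the old identity irrevocably, then verify the result. */
static int drop_identity(uid_t uid, gid_t gid)
{
    /* A root process dropping to a user must shed root's supplementary groups. */
    if (geteuid() == 0 && uid != 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)   /* group first, then user */
        return -1;
    if (uid != 0 && setuid(0) == 0)             /* root regained: drop was reversible */
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Parent side: one child per identity; the parent's credentials never change. */
static int run_as(uid_t uid, gid_t gid, int (*fn)(void *), void *arg)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_identity(uid, gid) != 0)
            _exit(126);          /* fail closed: never serve with wrong credentials */
        _exit(fn(arg) & 0x7f);   /* done with this UID: exit, do not switch back */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed sample request: succeeds only when run under the expected UID. */
static int sample_request(void *arg)
{
    return getuid() == *(uid_t *)arg ? 0 : 1;
}

int main(void)
{
    uid_t uid = getuid();   /* stand-in for the authenticated client's UID */
    return run_as(uid, getgid(), sample_request, &uid);
}
```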