dynamic context transitions
Stephen Smalley
sds at epoch.ncsc.mil
Mon Nov 1 20:25:21 GMT 2004
On Mon, 2004-11-01 at 15:35, Luke Kenneth Casson Leighton wrote:
> no there is no reason why [a helper application should] not [be used].
>
> i am not sure if the simple solution [that andrew and russell
> came up with] was fully enumerated: it involves exec'ing a
> per-user helper application which does a setuid.
>
> the helper application opens files as-and-when they are needed,
> [and also does mkdirs? and rmdirs?] and then passes the file
> descriptor over a unix-domain-socket to the smbd process,
> which NEVER itself does file opens under a user context.
>
> i believe it then no longer becomes necessary for smbd to
> call become_user().
Except that SELinux mediates access to file descriptors upon transfer
via local socket IPC as well as attempted use for read/write, so SELinux
is still going to apply a permission check to the parent smbd process in
that situation. Not to mention that this no doubt has a significant
cost.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency