[PATCH] Log client process name in winbindd
Andreas Schneider
asn at samba.org
Mon Nov 5 11:14:38 UTC 2018
On Monday, 5 November 2018 10:56:18 CET Andrew Bartlett via samba-technical wrote:
> On Mon, 2018-11-05 at 10:47 +0100, Andreas Schneider wrote:
> > On Monday, 5 November 2018 09:00:05 CET Andrew Bartlett wrote:
> > > On Mon, 2018-11-05 at 08:53 +0100, Andreas Schneider via samba-technical wrote:
> > > > Hello,
> > > >
> > > > attached is a patchset which will log the name of the client process
> > > > connecting to winbindd to request information. It will look like this:
> > > >
> > > > winbindd_getpwnam_send: [nss_winbind (18130)] getpwnam SAMBA-TEST/nobody
> > > >
> > > > or
> > > >
> > > > winbindd_getuserdomgroups_send: [smbtorture (18506)] getuserdomgroups S-1-5-21-757409344-3469499077-298407722-1000
> > > >
> > > > By default it will get the process name. I think for pam_winbind or
> > > > nss_winbind we are not interested in the process name as the process
> > > > doesn't implement samba code so I changed the name e.g. to
> > > > nss_winbind.
> > > >
> > > >
> > > > Please review and comment. Push if OK.
> > >
> > > Shouldn't pam_winbind be using the pam service name if you don't want
> > > to be looking for the actual process name?
> >
> > I'm now logging the pam_winbind request type. I think that's what you
> > want.
>
> I meant:
>
> pam_get_item(pamh, PAM_SERVICE, (const void **) &service);
>
> > > Also, please sanitize the input here to avoid logfile injection attacks
> > > (a broader issue) and other strange things regardless.
> >
> > I'm not sure what you exactly want, but I've added something. Please
> > check.
>
> I meant on the server side of the pipe (ie, in the trusted not
> untrusted code). Gary may have suggestions on sanitization, otherwise
> look at the existing auth logging stuff.

I think you open a new can of worms, then you also have to sanitize user names
and all other strings sent over that protocol. Those are also directly passed
to DEBUG ...

> Finally, I take it that ntlm_auth is handled by this automatically?

The process name is used so it will be ntlm_auth.

Andreas
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
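
The server-side sanitization requested in the thread, as an added example that is not part of the original message or of the Samba patch: the receiving side filters the client-supplied name through an allow-list before it reaches the log. The function names `sanitize_client_name` and `format_client_log`, the 32-byte name buffer and the allowed character set are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Samba code). Copies an untrusted, possibly
 * unterminated client name into dst, keeping [A-Za-z0-9_.-] and turning
 * every other byte (CR, LF, ESC, ']', space, non-ASCII) into '_'. */
size_t sanitize_client_name(char *dst, size_t dst_len,
                            const char *src, size_t src_len)
{
    size_t i, n = 0;

    if (dst == NULL || dst_len == 0)
        return 0;
    for (i = 0; src != NULL && i < src_len && src[i] != '\0'; i++) {
        unsigned char c = (unsigned char)src[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (n + 1 >= dst_len)
            break;                  /* truncate, keep room for the NUL */
        dst[n++] = ok ? (char)c : '_';
    }
    if (n == 0 && dst_len > 1)
        dst[n++] = '?';             /* never log an empty name */
    dst[n] = '\0';
    return n;
}

/* Builds "<func>: [<client> (<pid>)] <request>", the shape quoted in the
 * thread. request is assumed to be sanitized by the caller in this sketch. */
int format_client_log(char *out, size_t out_len, const char *func,
                      const char *raw, size_t raw_len, int pid,
                      const char *request)
{
    char name[32];
    sanitize_client_name(name, sizeof(name), raw, raw_len);
    return snprintf(out, out_len, "%s: [%s (%d)] %s", func, name, pid, request);
}

int main(void)
{
    /* Constructed input: a client name that tries to forge a second record. */
    const char raw[] = "x\nwinbindd_getpwnam_send: [sshd (1)] getpwnam root";
    char line[256];
    format_client_log(line, sizeof(line), "winbindd_getpwnam_send",
                      raw, sizeof(raw) - 1, 18130, "getpwnam SAMBA-TEST/nobody");
    puts(line);
    return 0;
}
```

The same filtering would have to be applied to user names and the other strings received over the pipe, each with an allow-list suited to that field.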