On Thu, 2014-08-07 at 11:09 -0400, John P Janosik wrote:
> > On Wed, 2014-08-06 at 23:29 -0500, Andrew Deason wrote:
> > > However, even if that is working, I would think that setup would only
> > > work if samba uses separate processes for connections for different
> > > users; I don't know if that's true. You could ask samba for more info
> >
> > It does; otherwise it'd need to swap uids around between connections,
> > which is kinda scary from a security standpoint. In fact I think it may
> > be process per connection (client+share) because some shares may force a
> > specific Unix uid (`force user`).
>
> With the versions of Samba I have used a new smbd process is forked
> for each TCP connection. It has been a long time but I know on some
> old Windows Terminal Servers we supported there was only one TCP
> connection for all users. Back when we served IBM DFS data via Samba
> I had to patch the code in Samba that switched uids to also switch DFS
> PAGs via a custom kernel module. I just checked a fairly recent
> version of the Samba source (4.1.5) and the code that switches
> security contexts is still there, see source3/smbd/sec_ctx.c.
Yep. I used to maintain AFS patches for Samba, so am familiar with the
older model (and was it ever scary, security-wise; I was always worried
about permissions leaks). I like the new one a lot better.

-- 
brandon s allbery kf8nh                               sine nomine associates
[email protected]                                 [email protected]
unix openafs kerberos infrastructure xmonad        http://sinenomine.net
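A practical way to see which model a running Samba is in, added here as an example that is not part of the thread above and not Samba's own code: the process table that `smbstatus -p` prints lists one row per session with its smbd PID and username. If the thread's one-smbd-per-TCP-connection claim holds for a given client, every PID maps to exactly one user; a PID that appears with several usernames is one smbd switching Unix security context between requests (the single-connection terminal-server case), so any per-user kernel state such as an AFS or DFS PAG has to be switched with the uid. The sample output below is constructed, its column layout only approximates real `smbstatus` output (which varies across versions), and the parser keys on the leading PID/Username/Group fields for that reason.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample of `smbstatus -p` output, not captured from a real host.
# The column layout approximates what recent Samba versions print; the parser
# relies only on the first three whitespace-separated fields of each row.
SAMPLE_SMBSTATUS = """\
Samba version 4.1.5
PID     Username      Group         Machine
-------------------------------------------------------------------
2411    alice         users         wks01 (ipv4:10.0.0.11:49321)
2412    bob           users         wks02 (ipv4:10.0.0.12:49330)
2507    carol         staff         ts01 (ipv4:10.0.0.50:51002)
2507    dave          staff         ts01 (ipv4:10.0.0.50:51002)
"""

# One process row: numeric PID, username, group, then whatever remains.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(.*\S)\s*$")


def parse_process_rows(text):
    """Yield (pid, username, group, rest) for each process row.

    Banner, header and separator lines do not begin with a PID and are
    skipped, which also makes version-specific trailing columns harmless.
    """
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            pid, user, group, rest = m.groups()
            yield int(pid), user, group, rest


def users_per_pid(text):
    """Map each smbd PID to the set of usernames connected through it."""
    users = defaultdict(set)
    for pid, user, _group, _rest in parse_process_rows(text):
        users[pid].add(user)
    return dict(users)


def shared_smbds(text):
    """PIDs serving more than one user, i.e. smbds that switch uid in-process."""
    return {pid: sorted(u) for pid, u in users_per_pid(text).items()
            if len(u) > 1}


def current_uids(pid):
    """(real, effective, saved, fs) uids of a live process from /proc (Linux).

    Returns None when /proc is unavailable or the process has exited. Handy
    for spot-checking which identity a shared smbd is carrying right now.
    """
    try:
        with open("/proc/%d/status" % pid) as f:
            for line in f:
                if line.startswith("Uid:"):
                    return tuple(int(x) for x in line.split()[1:])
    except OSError:
        return None
    return None


def live_report():
    """Run smbstatus on this host and report PIDs that serve several users."""
    try:
        out = subprocess.run(["smbstatus", "-p"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError) as e:
        print("could not run smbstatus: %s" % e)
        return
    shared = shared_smbds(out)
    if not shared:
        print("every smbd serves a single user")
    for pid, users in shared.items():
        print("smbd %d serves %s (uids now: %s)"
              % (pid, ", ".join(users), current_uids(pid)))


if __name__ == "__main__":
    print("sample:", shared_smbds(SAMPLE_SMBSTATUS))
    live_report()
```

A shared PID is not a fault by itself: SMB2/3 clients can legitimately carry several user sessions over one TCP connection, so the check tells you where the in-process context switching discussed in the thread is actually happening, and therefore which smbds need any per-user kernel state (PAGs, tokens) switched correctly; it does not tell you whether that switching is done right.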
