[Samba] Questions about 3.0.12rc1

2005-03-14 Thread Sergey Loskutov
Hello!
Before this post, I sent 3 problems in 3.0.11.
I compiled 3.0.12rc1 and found the following:
1) Setting the primary group: problem solved, but a question for the developer.
   You appended to mapping.c in smb_set_primary_group:
   ret = smbrun(add_script,NULL);
   flush_pwnam_cache();
   
 But the return code is not checked. If my script exits with code != 0, I still
change the primary group ... ( is the script that sets the primary group still needed? )

2) The next code is for winbind, but the debug message string says
DEBUG(3,("smb_delete_group:

You used copy/paste ;)
This affects the functions smb_add_user_group and smb_delete_user_group.
smb_add_user_group has a bug:
  if ( winbind_add_user_to_group( unix_user, unix_group ) ) {
     DEBUG(3,("smb_delete_group: winbindd added user (%s) to the group (%s)\n",
        unix_user, unix_group));
     return -1;
     ^^
     needed: return 0;

  }
3) I analyzed problem 1
( a user who does not have privileges adds a machine account )
In the function _samr_create_user ( srv_samr_nt.c ) you have the code:
if ( can_add_account )
  become_root();
And if the user does not have privileges (user|machine) you MAY CREATE A USER (
posix account or machine account ) through the SCRIPT :(

I changed the code to:
if ( can_add_account == False ) {
  return NT_STATUS_ACCESS_DENIED;
}
It fixed the problem.
I did a simple test and it works correctly, ... but I did not do a full test.
And I want to apologize for my English, well .. you understand ;)
Sergey Loskutov
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Questions about 3.0.12rc1

2005-03-14 Thread Gerald (Jerry) Carter
Sergey Loskutov wrote:
| Hello!
|
| Before this post, I sent 3 problems in 3.0.11.
| I compiled 3.0.12rc1 and found the following:
|
| 1) Setting the primary group: problem solved, but a question for the developer.
|    You appended to mapping.c in smb_set_primary_group:
|    ret = smbrun(add_script,NULL);
|    flush_pwnam_cache();
|
|  But the return code is not checked. If my script exits with code != 0, I still
| change the primary group ... ( is the script that sets the primary group still needed? )
It's just flushing the internal pwnam cache.  Semantically this is ok.
Probably not optimal.  I'll look at it later.
| 2) The next code is for winbind, but the debug message string says
| DEBUG(3,("smb_delete_group:
|
| You used copy/paste ;)
|
| This affects the functions smb_add_user_group and smb_delete_user_group.
|
| smb_add_user_group has a bug:
|
|   if ( winbind_add_user_to_group( unix_user, unix_group ) ) {
|      DEBUG(3,("smb_delete_group: winbindd added user (%s) to the group (%s)\n",
|         unix_user, unix_group));
|      return -1;
|      ^^
|      needed: return 0;
|
|   }
The 'winbind local accounts' code is deprecated at this point.  So this
code will eventually be removed anyways.  However, I'll clean up the
debug messages and check return codes before the final 3.0.12.
| 3) I analyzed problem 1
| ( a user who does not have privileges adds a machine account )
|
| In the function _samr_create_user ( srv_samr_nt.c ) you have the code:
|
| if ( can_add_account )
|   become_root();
|
| And if the user does not have privileges (user|machine) you MAY CREATE A USER (
| posix account or machine account ) through the SCRIPT :(
|
| I changed the code to:
|
| if ( can_add_account == False ) {
|   return NT_STATUS_ACCESS_DENIED;
| }
| It fixed the problem.
| I did a simple test and it works correctly, ... but I did
| not do a full test.
I've thought about this before.  The problem is actually that
your 'add user script' can be run successfully as a non-root user.
A simple 'chmod 700 script; chown root script' will solve this.
I'll look at it some more but this is not a pressing issue I don't
think.  smbd is not doing anything that the normal user couldn't do
anyways.  And your fix doesn't cover all the possible scenarios
(e.g. root user with no assigned privileges should still be able to join
clients to the domain).
Thanks for the feedback.

cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
I never saved anything for the swim back. Ethan Hawk in Gattaca
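The 'chmod 700 script; chown root script' advice above makes the script unreadable and unexecutable for the unprivileged uid smbd runs under when become_root() is skipped. As an added example (not Samba's code and not from either poster), here is a defensive 'add user script' wrapper that adds a second layer: it refuses to act unless its effective uid is 0, validates the account name that smbd substitutes for %u before handing it to useradd, and exits non-zero on every refusal so that a checked return code (the point raised in item 1 of the first mail) actually carries information. The smb.conf setting, the install path and the use of useradd are assumptions.

```shell
#!/bin/sh
# Added example, not Samba's own script: a defensive 'add user script' /
# 'add machine script' wrapper. Assumed smb.conf setting (an assumption):
#   add user script = /usr/local/sbin/add_user.sh %u
# Install as root only (the advice from the thread):
#   chmod 700 /usr/local/sbin/add_user.sh; chown root /usr/local/sbin/add_user.sh

# smbd only calls become_root() when the caller holds the privilege, so the
# script must do nothing useful when invoked with an unprivileged euid.
# Takes an optional uid argument so the check can be exercised without root.
require_root() {
    euid=${1:-$(id -u)}
    [ "$euid" -eq 0 ]
}

# Reject anything that is not a plain account name before it reaches useradd:
# empty names, names starting with '-' (would be parsed as an option), shell
# metacharacters, and overlong names. A trailing '$' is allowed because
# machine accounts are named that way.
validate_username() {
    name=$1
    case "$name" in
        "")                      return 1 ;;
        -*)                      return 1 ;;
        *[!A-Za-z0-9._\$-]*)     return 1 ;;
    esac
    [ "${#name}" -le 32 ]
}

# Create the account; every refusal returns non-zero so smbd's 'ret' is
# meaningful and the failure shows up in the smbd log.
add_user() {
    if ! require_root; then
        echo "add_user.sh: refusing to run as uid $(id -u)" >&2
        return 2
    fi
    if ! validate_username "$1"; then
        echo "add_user.sh: refusing invalid account name" >&2
        return 3
    fi
    # -M: no home directory; nologin shell. useradd is assumed to exist.
    useradd -M -s /sbin/nologin "$1"
}

# Only act when smbd actually passes a name; with no argument the functions
# are merely defined (useful for sourcing in a test).
if [ -n "${1-}" ]; then
    add_user "$1"
    exit $?
fi
```

Together with the file mode and owner above, the wrapper cannot be made to create an account by a caller that smbd did not escalate for, and a script failure is visible instead of silently ignored.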


Re: [Samba] Questions about 3.0.12rc1

2005-03-14 Thread Sergey Loskutov
Gerald (Jerry) Carter wrote:
Sergey Loskutov wrote:
| Hello!
|
| Before this post, I sent 3 problems in 3.0.11.
| I compiled 3.0.12rc1 and found the following:
|
| 1) Setting the primary group: problem solved, but a question for the developer.
|    You appended to mapping.c in smb_set_primary_group:
|    ret = smbrun(add_script,NULL);
|    flush_pwnam_cache();
|
|  But the return code is not checked. If my script exits with code != 0, I still
| change the primary group ... ( is the script that sets the primary group still needed? )
It's just flushing the internal pwnam cache.  Semantically this is ok.
Probably not optimal.  I'll look at it later.
I know that you are flushing the cache... but thank you.
| 3) I analyzed problem 1
| ( a user who does not have privileges adds a machine account )
|
| In the function _samr_create_user ( srv_samr_nt.c ) you have the code:
|
| if ( can_add_account )
|   become_root();
|
| And if the user does not have privileges (user|machine) you MAY CREATE A USER (
| posix account or machine account ) through the SCRIPT :(
|
| I changed the code to:
|
| if ( can_add_account == False ) {
|   return NT_STATUS_ACCESS_DENIED;
| }
| It fixed the problem.
| I did a simple test and it works correctly, ... but I did
| not do a full test.
I've thought about this before.  The problem is actually that
your 'add user script' can be run successfully as a non-root user.
A simple 'chmod 700 script; chown root script' will solve this.
I'll look at it some more but this is not a pressing issue I don't
think.  smbd is not doing anything that the normal user couldn't do
anyways.  And your fix doesn't cover all the possible scenarios
(e.g. root user with no assigned privileges should still be able to join
clients to the domain).
NO NO NO to setting chmod or chown.
Why do we need privileges? :) I want to set the add-machine privilege for a
user who is not a member of root.
Sample :)
chmod 770 script; chown root.smart man script;
Looks good :)
User: John ( member of smart man )
User: Leon ( member of smart man )
I want to give the privilege to John, but not to Leon ... :)
Why must I use setfacl|getfacl? I have privileges.
Your decision ... bad.
And anyway, a user who has uidNumber == 0 and does not have privileges is not
able to join machines and users ;) I checked this before sending the code.
And why do I permit executing the script if the code semantics do not allow
using ldap for a non-member of root? Check your ldap code ;)
Thank you for the help!
Sergey Loskutov