>The integrated CIFS server project made running a server
>on port 445 (which CIFS uses) a privileged operation - the
>process needs to have PRIV_SYS_SMB (see privileges(5)).
>Samba knows how to operate with this privilege, but the
>privilege is not in the default set that is considered
>safe in a zone.  You can adjust the zone config to get
>this to work - here's an example:

Unfortunately, that change was made incompatibly.

Whenever you change the privilege needed for a particular operation, you 
generally should check for the old privilege also.

PRIV_SYS_SMB is also used to allow starting the in-kernel CIFS server
but the kernel should allow processes with PRIV_NET_PRIVADDR to bind
to the CIFS ports.

The code says:

                 * NBT and SMB ports, these are extra privileged ports,
                 * allow bind only if the SYS_SMB privilege is present.

but clearly the NBT and SMB ports are NOT extra privileged ports as they're
all < 1024.
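
An added example, not part of the original message or of the OpenSolaris source: a simplified C model of the bind check the reply argues for, where the new privilege is accepted and the old one is still honoured. The bit-flag privilege set, the function names and the sample zone process are assumptions made for illustration; 137-139 and 445 are the standard NBT and SMB ports.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model: privileges as bit flags (Solaris itself uses priv_set_t). */
enum { NET_PRIVADDR = 1 << 0, SYS_SMB = 1 << 1 };

/* NBT (137-139) and SMB (445) ports, all below 1024. */
static bool is_smb_port(unsigned port)
{
    return port == 137 || port == 138 || port == 139 || port == 445;
}

/* Check as described in the message: only SYS_SMB opens the NBT/SMB ports. */
bool bind_allowed_strict(unsigned privs, unsigned port)
{
    if (port >= 1024)
        return true;            /* model ignores extra privileged ports */
    if (is_smb_port(port))
        return (privs & SYS_SMB) != 0;
    return (privs & NET_PRIVADDR) != 0;
}

/* Compatible check: accept the new privilege, still honour the old one. */
bool bind_allowed_compat(unsigned privs, unsigned port)
{
    if (port >= 1024)
        return true;
    if (is_smb_port(port) && (privs & SYS_SMB))
        return true;
    return (privs & NET_PRIVADDR) != 0;
}

/* Starting the in-kernel CIFS server stays gated on SYS_SMB alone. */
bool cifs_server_start_allowed(unsigned privs)
{
    return (privs & SYS_SMB) != 0;
}

int main(void)
{
    unsigned zone_samba = NET_PRIVADDR;   /* constructed: no SYS_SMB held */
    printf("strict bind 445: %d\n", bind_allowed_strict(zone_samba, 445));
    printf("compat bind 445: %d\n", bind_allowed_compat(zone_samba, 445));
    printf("start kernel CIFS: %d\n", cifs_server_start_allowed(zone_samba));
    return 0;
}
```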


zones-discuss mailing list
