>The integrated CIFS server project made running a server
>on port 445 (which CIFS uses) a privileged operation - the
>process needs to have PRIV_SYS_SMB (see privileges(5)).
>Samba knows how to operate with this privilege, but the
>privilege is not in the default set that is considered
>safe in a zone. You can adjust the zone config to get
>this to work - here's an example:
Unfortunately, that change was made incompatibly.
Whenever you change the privilege needed for a particular operation, you
generally should check for the old privilege also.
PRIV_SYS_SMB is also used to allow starting the in-kernel CIFS server
but the kernel should allow processes with PRIV_NET_PRIVADDR to bind
to the CIFS ports.
The code says:
* NBT and SMB ports, these are extra privileged ports,
* allow bind only if the SYS_SMB privilege is present.
but clearly the NBT and SMB ports are NOT extra privileged ports as they're
all < 1024.
zones-discuss mailing list