The Samba-Bugzilla – Attachment 2967 Details for Bug 3727: smbpasswd fails with assertion failure when -L is used by a non root user
[patch] avoid get_global_sam_sid panic in client tools
get_global_sam_sid-non-root.patch (text/plain), 2.74 KB, created by Steve Langasek on 2007-11-13 18:40:12 UTC
>Goal: client programs should short-circuit before calling >get_global_sam_sid() as not-root, because the SAM SID can't be read without >root privileges and get_global_sam_sid() panics when it can't be accessed -- >reasonable for the server, not reasonable for the client. > >Author: Steve Langasek <vorlon@debian.org> > >Upstream status: not yet submitted > >Index: samba-3.0.26a/source/utils/smbpasswd.c >=================================================================== >--- samba-3.0.26a.orig/source/utils/smbpasswd.c >+++ samba-3.0.26a/source/utils/smbpasswd.c >@@ -96,6 +96,10 @@ > while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) { > switch(ch) { > case 'L': >+ if (getuid() != 0) { >+ fprintf(stderr, "smbpasswd -L can only be used by root.\n"); >+ exit(1); >+ } > local_flags |= LOCAL_AM_ROOT; > break; > case 'c': >Index: samba-3.0.26a/source/pam_smbpass/pam_smb_auth.c >=================================================================== >--- samba-3.0.26a.orig/source/pam_smbpass/pam_smb_auth.c >+++ samba-3.0.26a/source/pam_smbpass/pam_smb_auth.c >@@ -100,6 +100,12 @@ > _log_err(pamh, LOG_DEBUG, "username [%s] obtained", name); > } > >+ if (geteuid() != 0) { >+ _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root."); >+ retval = PAM_AUTHINFO_UNAVAIL; >+ AUTH_RETURN; >+ } >+ > if (!initialize_password_db(True)) { > _log_err(pamh, LOG_ALERT, "Cannot access samba password database"); > retval = PAM_AUTHINFO_UNAVAIL; >Index: samba-3.0.26a/source/pam_smbpass/pam_smb_acct.c >=================================================================== >--- samba-3.0.26a.orig/source/pam_smbpass/pam_smb_acct.c >+++ samba-3.0.26a/source/pam_smbpass/pam_smb_acct.c 
>@@ -69,6 +69,11 @@ > _log_err(pamh, LOG_DEBUG, "acct: username [%s] obtained", name); > } > >+ if (geteuid() != 0) { >+ _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root."); >+ return PAM_AUTHINFO_UNAVAIL; >+ } >+ > /* Getting into places that might use LDAP -- protect the app > from a SIGPIPE it's not expecting */ > oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN); >Index: samba-3.0.26a/source/pam_smbpass/pam_smb_passwd.c >=================================================================== >--- samba-3.0.26a.orig/source/pam_smbpass/pam_smb_passwd.c >+++ samba-3.0.26a/source/pam_smbpass/pam_smb_passwd.c >@@ -124,6 +124,11 @@ > _log_err(pamh, LOG_DEBUG, "username [%s] obtained", user); > } > >+ if (geteuid() != 0) { >+ _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root."); >+ return PAM_AUTHINFO_UNAVAIL; >+ } >+ > /* Getting into places that might use LDAP -- protect the app > from a SIGPIPE it's not expecting */ > oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
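Review bot: In the smbpasswd.c hunk, the new check under case 'L' tests getuid(), while the three pam_smbpass hunks test geteuid(). The stated goal is to stop before get_global_sam_sid() when the SAM SID cannot be read, and file access is decided by the effective uid, so the two tests can disagree whenever real and effective ids differ. Use geteuid() here as well, or add a comment explaining why the real uid is the intended test for -L.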
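Review bot: In the pam_smb_auth.c hunk, the new non-root failure is logged at LOG_DEBUG, while the initialize_password_db() failure directly below it returns the same PAM_AUTHINFO_UNAVAIL at LOG_ALERT. An administrator whose application calls this module unprivileged would see authentication fail with nothing recorded unless debug logging is enabled. Consider a level that is normally kept, such as LOG_NOTICE or LOG_WARNING, and include the effective uid in the message so the cause is obvious from the log line.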
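Review bot: In the pam_smb_acct.c hunk, the early return uses PAM_AUTHINFO_UNAVAIL, which PAM documents as a result of the authentication call; going by the file name, this code sits in the account-management path. Please confirm that callers of that hook handle this value, or return one from that hook's documented set such as PAM_PERM_DENIED. If the rest of the file already returns PAM_AUTHINFO_UNAVAIL for database failures, a short comment saying the new check follows that convention would settle it.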
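Review bot: The geteuid() guard in the pam_smb_passwd.c hunk is the third copy of the same condition and log string (it also appears in pam_smb_auth.c and pam_smb_acct.c), and the message does not say which module stage refused. Move the test into one helper shared by the three files so the condition and wording cannot drift apart, and add a comment at the call site naming get_global_sam_sid() as the reason, since the check looks arbitrary once it is separated from the patch header.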