On (20/12/15 15:29), Stefan Metzmacher wrote:
> >> 6. Why is SMB_SERVER_CHECK_CAP_NET_ADMIN a compile-time option and why is it off by default?
> >> I think the behavior should be enforced without a switch.
> >
> > I can make it default yes. Can you explain more why it should be enforced?
>
> Why should an unprivileged user ever be able to start the server?
> Wouldn't that be a massive security problem as that user would provide
> the share definitions and users and control what ksmbd_override_fsids() will use?

The idea was that user-space needs to have its own user:group (e.g. CIFSD:CIFSD).
And smb.conf and the password file should not be readable by anyone who's not
CIFSD:CIFSD - similar to how .ssh/config is 0700 on any reasonably configured system.

The massive security problem here is that the server runs in the kernel. So I don't
always see why people want to also run user-space (which serves RPC calls, and
technically can be tricked to do something that it was not intended to do) under
root - wouldn't this just increase the attack surface?

	-ss
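The ownership and permission rule argued for above (config and password file private to a dedicated service account, like a 0700 .ssh/config), written as an added audit check that is not part of this thread or of the ksmbd/cifsd project. The service account name and the file paths are whatever the caller passes in; it assumes GNU stat and getent (Linux).

```shell
#!/bin/sh
# Constructed example: verify that a file is private to a given service
# account, i.e. owned by OWNER:GROUP with no group/other permission bits.
# Usage: check_private_file FILE OWNER GROUP
#   OWNER and GROUP may be names (e.g. CIFSD) or numeric ids.
# Returns 0 when the file passes, 1 (with a reason on stderr) otherwise.
check_private_file() {
    file=$1

    # Resolve names to numeric ids so the comparison works in containers
    # and chroots where name lookups may be incomplete.
    case $2 in
        *[!0-9]*) want_uid=$(id -u "$2") || return 1 ;;
        *)        want_uid=$2 ;;
    esac
    case $3 in
        *[!0-9]*) want_gid=$(getent group "$3" | cut -d: -f3)
                  [ -n "$want_gid" ] || { echo "$3: unknown group" >&2; return 1; } ;;
        *)        want_gid=$3 ;;
    esac

    if [ ! -f "$file" ]; then
        echo "$file: missing or not a regular file" >&2
        return 1
    fi

    # %u/%g: numeric owner and group, %a: permission bits in octal
    info=$(stat -c '%u %g %a' "$file") || return 1
    set -- $info
    uid=$1; gid=$2; mode=$3

    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "$file: owned by uid $uid gid $gid, expected $want_uid:$want_gid" >&2
        return 1
    fi

    # The last two octal digits are the group and other bits; anything
    # non-zero there lets someone outside OWNER read or write the file.
    case $mode in
        *00) return 0 ;;
        *)   echo "$file: mode $mode grants access beyond uid $want_uid" >&2
             return 1 ;;
    esac
}

# Check several files at once: check_private_files OWNER GROUP FILE...
check_private_files() {
    owner=$1; group=$2; shift 2; rc=0
    for f in "$@"; do check_private_file "$f" "$owner" "$group" || rc=1; done
    return $rc
}
```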