On (20/12/16 12:24), Sergey Senozhatsky wrote:
> On (20/12/15 15:29), Stefan Metzmacher wrote:
> > >> 6. Why is SMB_SERVER_CHECK_CAP_NET_ADMIN a compile-time option and why is it off by default?
> > >> I think the behavior should be enforced without a switch.
> > > I can make it default yes. Can you explain more why it should be enforced?
> >
> > Why should an unprivileged user ever be able to start the server?
> > Wouldn't that be a massive security problem as that user would provide
> > the share definitions and users and controls what ksmbd_override_fsids() will use?
>
> The idea was that user-space needs to have its own user:group
> (e.g. CIFSD:CIFSD). And smb.conf and password file should not
> be readable by anyone who's not from CIFSD:CIFSD - similar to
> how .ssh/config is 0700 on any reasonably configured system.
>
> The massive security problem here is that the server runs in
> the kernel. So I don't always see why people want to also run
> user-space (which serves RPC calls, and technically can be
> tricked to do something that it was not intended to do) under
> root - wouldn't this just increase the attack surface?

So SMB_SERVER_CHECK_CAP_NET_ADMIN enforces the "user-space must be a
privileged process" policy. Even CAP_NET_ADMIN is too huge, not to
mention that _probably_ this CAP requirement means that people will
just "sudo cifsd". One way or another a malformed RPC request can do
quite a bit of damage to the system, because user-space runs with the
CAPs it doesn't really need.

It would be better to enforce a different policy, IMHO. Something like:

	groupadd ... CIFSD_GROUP
	useradd -g CIFSD_GID -p CIFSD_PASSWORD CIFSD_LOGIN
	chmod 0700 smb.conf and password db
	chown CIFSD_LOGIN:CIFSD_GROUP smb.conf and password db

And perhaps we need to add some checks to the user-space cifsd: make
sure that smb.conf and password db are 0700 + some more.

	-ss
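The file checks proposed at the end of the message, written out as an added example in C; this is not ksmbd/cifsd code, and the function and enum names are assumed. It refuses a config or password file unless it is a regular file owned by the expected service user and group with no group/other permission bits, and it validates the already-open descriptor so the inode checked is the one that gets read.

```c
/* Added example, not ksmbd/cifsd code: open smb.conf or the password db only
 * if it is a regular file owned by the expected service user and group with
 * no group/other permission bits, as proposed in the thread. Names are assumed. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum priv_file_err { PRIV_OK = 0, PRIV_EOPEN, PRIV_ENOTREG, PRIV_EOWNER, PRIV_EMODE };

/* Opens `path` without following symlinks and validates the *open* descriptor
 * with fstat(), so the inode that is checked is the one that will be read
 * (no stat()-then-open() race). Returns a read-only fd and *err = PRIV_OK,
 * or -1 with *err describing why the file was rejected. */
int open_private_file(const char *path, uid_t want_uid, gid_t want_gid, int *err)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    *err = PRIV_EOPEN;
    if (fd < 0 || fstat(fd, &st) < 0) goto fail;
    *err = PRIV_ENOTREG;
    if (!S_ISREG(st.st_mode)) goto fail;
    *err = PRIV_EOWNER;
    if (st.st_uid != want_uid || st.st_gid != want_gid) goto fail;
    *err = PRIV_EMODE;                         /* anything beyond 0700 is rejected */
    if (st.st_mode & (S_IRWXG | S_IRWXO)) goto fail;
    *err = PRIV_OK;
    return fd;
fail:
    if (fd >= 0) close(fd);
    return -1;
}

/* Demonstration on a constructed temp file: mkstemp() creates it 0600, which
 * passes; after chmod 0644 the same file must be rejected with PRIV_EMODE. */
int demo(void)
{
    char tmpl[] = "/tmp/smbconf-demo-XXXXXX";
    int err = PRIV_EOPEN, fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    close(fd);
    fd = open_private_file(tmpl, geteuid(), getegid(), &err);
    if (fd < 0) { unlink(tmpl); return -1; }   /* 0600 must be accepted */
    close(fd);
    chmod(tmpl, 0644);
    fd = open_private_file(tmpl, geteuid(), getegid(), &err);
    if (fd >= 0) close(fd);
    unlink(tmpl);
    return err;                                /* PRIV_EMODE expected */
}
```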