[rsbac] rsbac + ldap/samba
Alexander Bokovoy
ab at altlinux.org
Thu Jan 12 14:59:10 CET 2006
Amon Ott wrote:
> RSBAC always uses real user ids. You can auth in whatever way you
> like, but only RSBAC User Management can guarantee that a user has
> provided a password before the setuid succeeds.
>
> Most samba versions do not setuid, but rather seteuid. In this case,
> RSBAC can only control the complete samba as a black box. You can
> probably hack your samba sources to make it use setuid again and then
> control by user.
Samba needs to jump back and forth between superuser and a regular user
account, that's why we use seteuid(). Changing that to setuid will not help.
> A samba extension for RSBAC ACLs has been planned for years now, but
> never been done. With such an extension, you could administrate your
> RSBAC ACLs e.g. from a Windows system over network. We are always
> looking for volunteers...
I remember that mouse at altlinux.org did some work on RSBAC-based ACLs for
Samba few years ago though that work was still unfinished.
We still have no real solution for both RSBAC and SELinux w.r.t. Samba.
--
/ Alexander Bokovoy
Samba Team http://www.samba.org/
ALT Linux Team http://www.altlinux.org/
Midgard Project Ry http://www.midgard-project.org/
More information about the rsbac
mailing list