[rsbac] rsbac + ldap/samba

Amon Ott ao at rsbac.org
Thu Jan 12 15:14:57 CET 2006


On Thursday 12 January 2006 14:59, Alexander Bokovoy wrote:
> Amon Ott wrote:
> > RSBAC always uses real user ids. You can auth in whatever way you 
> > like, but only RSBAC User Management can guarantee that a user has 
> > provided a password before the setuid succeeds.
> > 
> > Most samba versions do not setuid, but rather seteuid. In this case,
> > RSBAC can only control the complete samba as a black box. You can
> > probably hack your samba sources to make it use setuid again and then
> > control by user.
> Samba needs to jump back and forth between superuser and a regular user
> account, that's why we use seteuid(). Changing that to setuid will not help.

With RSBAC CAP module we could easily allow setuid no matter what uid 
samba has. Would this be an acceptable solution?
 
> > A samba extension for RSBAC ACLs has been planned for years now, but
> > never been done. With such an extension, you could administrate your
> > RSBAC ACLs e.g. from a Windows system over network. We are always
> > looking for volunteers...
> I remember that mouse at altlinux.org did some work on RSBAC-based ACLs for
> Samba a few years ago though that work was still unfinished.
> 
> We still have no real solution for both RSBAC and SELinux w.r.t. Samba.

Would you be willing to help, if someone tried to create such a 
solution? We already have ang-st creating RSBAC modules for apache, 
he might be interested.

AFAIU, the RSBAC ACL module provides a superset of Windows Network 
ACLs (if not, we can extend it), so it should be possible to have 
full Windows managed ACLs on Samba with it.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
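
The difference between the two calls discussed in this message, as an added example (not code from the thread, Samba or RSBAC): on Linux, seteuid() as root leaves the real uid untouched and can be undone, while setuid() as root changes the real uid and cannot be undone. It assumes it is run as root and uses 65534 as a constructed target uid; without root, or where the switch is refused, it reports SKIPPED.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { UNEXPECTED = 0, REVERSIBLE = 1, PERMANENT = 2, SKIPPED = 3 };

/* Switch to `target` in a forked child (the caller's credentials are never
 * touched) and report what a check based on the real uid would observe.
 * use_setuid == 0: seteuid(), the call Samba uses according to the thread.
 * use_setuid == 1: setuid(), which as root sets real, effective and saved uid. */
static int probe(int use_setuid, uid_t target)
{
    if (geteuid() != 0)
        return SKIPPED;                 /* identity switching needs root */
    fflush(NULL);                       /* avoid duplicated stdio buffers */
    pid_t pid = fork();
    if (pid < 0)
        return SKIPPED;
    if (pid == 0) {
        uid_t real_before = getuid();
        if ((use_setuid ? setuid(target) : seteuid(target)) != 0)
            _exit(SKIPPED);             /* e.g. no CAP_SETUID or unmapped uid */
        uid_t r = getuid(), e = geteuid();
        printf("%s: real=%u effective=%u\n", use_setuid ? "setuid " : "seteuid",
               (unsigned)r, (unsigned)e);
        fflush(stdout);
        /* Try to regain root the same way the identity was dropped. */
        int back = (use_setuid ? setuid(0) : seteuid(0)) == 0;
        if (use_setuid)
            _exit(r == target && e == target && !back ? PERMANENT : UNEXPECTED);
        _exit(r == real_before && e == target && back ? REVERSIBLE : UNEXPECTED);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return SKIPPED;
    return WEXITSTATUS(status);
}

int main(void)
{
    uid_t nobody = 65534;               /* constructed sample target uid */
    printf("seteuid result: %d\n", probe(0, nobody));
    printf("setuid  result: %d\n", probe(1, nobody));
    return 0;
}
```

In the seteuid() case the real uid printed is still that of the superuser, so a control keyed on real user ids sees one identity for every client the daemon serves.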