[rsbac] rsbac + ldap/samba
Amon Ott
ao at rsbac.org
Thu Jan 12 15:14:57 CET 2006
On Thursday 12 January 2006 14:59, Alexander Bokovoy wrote:
> Amon Ott wrote:
> > RSBAC always uses real user ids. You can auth in whatever way you
> > like, but only RSBAC User Management can guarantee that a user has
> > provided a password before the setuid succeeds.
> >
> > Most samba versions do not setuid, but rather seteuid. In this case,
> > RSBAC can only control the complete samba as a black box. You can
> > probably hack your samba sources to make it use setuid again and then
> > control by user.
> Samba needs to jump back and forth between superuser and a regular user
> account, that's why we use seteuid(). Changing that to setuid will not help.
With RSBAC CAP module we could easily allow setuid no matter what uid
samba has. Would this be an acceptable solution?
> > A samba extension for RSBAC ACLs has been planned for years now, but
> > never been done. With such an extension, you could administrate your
> > RSBAC ACLs e.g. from a Windows system over network. We are always
> > looking for volunteers...
> I remember that mouse at altlinux.org did some work on RSBAC-based ACLs for
> Samba a few years ago though that work was still unfinished.
>
> We still have no real solution for both RSBAC and SELinux w.r.t. Samba.
Would you be willing to help, if someone tried to create such a
solution? We already have ang-st creating RSBAC modules for apache,
he might be interested.
AFAIU, the RSBAC ACL module provides a superset of Windows Network
ACLs (if not, we can extend it), so it should be possible to have
full Windows managed ACLs on Samba with it.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
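
The setuid/seteuid difference discussed in this thread, as an added example that is not part of the original message and is not RSBAC or Samba code. It is a user-space model of the standard Linux uid rules only (no capabilities, and the RSBAC CAP module is not modelled); struct creds, model_setuid, model_seteuid and serve_and_return are hypothetical names, and uid 1000 is a constructed sample value.

```c
/* Added illustration: model of Linux uid transitions for a daemon that
   starts as root. All names here are hypothetical, not kernel or RSBAC API. */
#include <stdio.h>

struct creds { unsigned ruid, euid, suid; };   /* real, effective, saved uid */

/* setuid(2): with euid 0 all three ids change, so there is no way back. */
static int model_setuid(struct creds *c, unsigned uid) {
    if (c->euid == 0) { c->ruid = c->euid = c->suid = uid; return 0; }
    if (uid == c->ruid || uid == c->suid) { c->euid = uid; return 0; }
    return -1;                                  /* would be EPERM */
}

/* seteuid(2): only the effective uid changes; real and saved uid are kept. */
static int model_seteuid(struct creds *c, unsigned uid) {
    if (c->euid == 0 || uid == c->ruid || uid == c->euid || uid == c->suid) {
        c->euid = uid;
        return 0;
    }
    return -1;                                  /* would be EPERM */
}

/* Serve one request as `user`, then try to return to uid 0.
   use_setuid selects which call performs the switch. Returns 1 if the
   process regained uid 0, 0 if it is stuck as `user`. *real_uid_seen is
   the real uid during the request, the id a real-uid-based check sees. */
static int serve_and_return(int use_setuid, unsigned user, unsigned *real_uid_seen) {
    struct creds c = { 0, 0, 0 };               /* daemon starts as root */
    if (use_setuid)
        model_setuid(&c, user);
    else
        model_seteuid(&c, user);
    *real_uid_seen = c.ruid;
    return model_seteuid(&c, 0) == 0 && c.euid == 0;
}

int main(void) {
    unsigned seen;
    int back = serve_and_return(0, 1000, &seen);
    printf("seteuid: real uid during request=%u, back to root=%d\n", seen, back);
    back = serve_and_return(1, 1000, &seen);
    printf("setuid:  real uid during request=%u, back to root=%d\n", seen, back);
    return 0;
}
```

With seteuid the real uid stays 0 for the whole request, which is why a check on real user ids sees the daemon as one black box; with plain setuid the real uid follows the user, but under the standard rules the process cannot switch back.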