mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
added comments about trapdoor uids
parent
875b2dfad0
commit
2f793c48a9
@ -402,6 +402,38 @@ valid.
|
|||||||
|
|
||||||
See also 'guest account' in smb.conf man page.
|
See also 'guest account' in smb.conf man page.
|
||||||
|
|
||||||
|
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
* 11: You get the message "you appear to have a trapdoor uid system"
|
||||||
|
in your logs
|
||||||
|
|
||||||
|
This can have several causes. It might be because you are using a uid
|
||||||
|
or gid of 65535 or -1. This is a VERY bad idea, and is a big security
|
||||||
|
hole. Check carefully in your /etc/passwd file and make sure that no
|
||||||
|
user has uid 65535 or -1. Especially check the "nobody" user, as many
|
||||||
|
broken systems are shipped with nobody setup with a uid of 65535.
|
||||||
|
|
||||||
|
It might also mean that your OS has a trapdoor uid/gid system :-)
|
||||||
|
|
||||||
|
This means that once a process changes effective uid from root to
|
||||||
|
another user it can't go back to root. Unfortunately Samba relies on
|
||||||
|
being able to change effective uid from root to non-root and back
|
||||||
|
again to implement its security policy. If your OS has a trapdoor uid
|
||||||
|
system this won't work, and several things in Samba may break. Less
|
||||||
|
things will break if you use user or server level security instead of
|
||||||
|
the default share level security, but you may still strike
|
||||||
|
problems.
|
||||||
|
|
||||||
|
The problems don't give rise to any security holes, so don't panic,
|
||||||
|
but it does mean some of Samba's capabilities will be unavailable.
|
||||||
|
In particular you will not be able to connect to the Samba server as
|
||||||
|
two different uids at once. This may happen if you try to print as a
|
||||||
|
"guest" while accessing a share as a normal user. It may also affect
|
||||||
|
your ability to list the available shares as this is normally done as
|
||||||
|
the guest user.
|
||||||
|
|
||||||
|
Complain to your OS vendor and ask them to fix their system.
|
||||||
|
|
||||||
===============================================================================
|
===============================================================================
|
||||||
SECTION FOUR: Specific client problems
|
SECTION FOUR: Specific client problems
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
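Review bot: The paragraph in new entry 11 that begins "The problems don't give rise to any security holes, so don't panic" reads as contradicting the entry's first paragraph, which calls a uid or gid of 65535 or -1 "a big security hole". Scope the reassurance to the second cause only, for example by opening it with "On a genuine trapdoor uid system the problems don't give rise to any security holes", so an admin who sees the log message still checks for the first cause. The first paragraph would also benefit from one sentence on why 65535 or -1 is dangerous. It tells the reader to check /etc/passwd for uids but gives no matching check for gids, even though it names both. Wording nits: "Less things will break" should be "Fewer things will break", and "nobody setup with a uid" should be "nobody set up with a uid".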
@ -155,6 +155,9 @@ within the one process. On some unixes (such as SCO) this is not
|
|||||||
possible. This means that on those unixes the client is restricted to
|
possible. This means that on those unixes the client is restricted to
|
||||||
a single uid.
|
a single uid.
|
||||||
|
|
||||||
|
Note that you can also get the "trapdoor uid" message for other
|
||||||
|
reasons. Please see the FAQ for details.
|
||||||
|
|
||||||
Port numbers
|
Port numbers
|
||||||
============
|
============
|
||||||
|
|
||||||
|
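Review bot: The added note "you can also get the "trapdoor uid" message for other reasons. Please see the FAQ for details" is too vague for a cross-reference that has security weight. The FAQ text added in this same commit says one of those reasons is a uid or gid of 65535 or -1, which it calls a big security hole. A reader on one of the unixes this section describes (such as SCO) could otherwise dismiss the message as an OS limitation. Suggest naming that cause inline and pointing to the specific FAQ entry (the one titled "you appear to have a trapdoor uid system") rather than to the FAQ as a whole.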