From 2f793c48a9447955195620c891d30d93b518ee0d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 29 May 1996 07:45:45 +0000 Subject: added comments about trapdoor uids --- docs/samba.faq | 32 ++++++++++++++++++++++++++++++++ docs/textdocs/UNIX-SMB.txt | 3 +++ 2 files changed, 35 insertions(+) diff --git a/docs/samba.faq b/docs/samba.faq index 1df0e7d9c07..e58c88bc18f 100644 --- a/docs/samba.faq +++ b/docs/samba.faq 
@@ -402,6 +402,38 @@ valid. See also 'guest account' in smb.conf man page. + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +* 11: You get the message "you appear to have a trapdoor uid system" + in your logs + +This can have several causes. It might be because you are using a uid +or gid of 65535 or -1. This is a VERY bad idea, and is a big security +hole. Check carefully in your /etc/passwd file and make sure that no +user has uid 65535 or -1. Especially check the "nobody" user, as many +broken systems are shipped with nobody setup with a uid of 65535. + +It might also mean that your OS has a trapdoor uid/gid system :-) + +This means that once a process changes effective uid from root to +another user it can't go back to root. Unfortunately Samba relies on +being able to change effective uid from root to non-root and back +again to implement its security policy. If your OS has a trapdoor uid +system this won't work, and several things in Samba may break. Less +things will break if you use user or server level security instead of +the default share level security, but you may still strike +problems. + +The problems don't give rise to any security holes, so don't panic, +but it does mean some of Samba's capabilities will be unavailable. +In particular you will not be able to connect to the Samba server as +two different uids at once. This may happen if you try to print as a +"guest" while accessing a share as a normal user. It may also affect +your ability to list the available shares as this is normally done as +the guest user. + +Complain to your OS vendor and ask them to fix their system. + =============================================================================== SECTION FOUR: Specific client problems ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/textdocs/UNIX-SMB.txt b/docs/textdocs/UNIX-SMB.txt index b2c064215cf..92167a9e843 100644 --- a/docs/textdocs/UNIX-SMB.txt 
+++ b/docs/textdocs/UNIX-SMB.txt @@ -155,6 +155,9 @@ within the one process. On some unixes (such as SCO) this is not possible. This means that on those unixes the client is restricted to a single uid. +Note that you can also get the "trapdoor uid" message for other +reasons. Please see the FAQ for details. + Port numbers ============ -- cgit
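Review bot: In the new samba.faq entry (question 11), the "uid or gid of 65535 or -1" paragraph calls the situation "a big security hole" but never says why, and the later sentence "The problems don't give rise to any security holes, so don't panic" then reads as if it covers that case too. The reason is worth one sentence: the setuid-family calls (setreuid/setregid and friends) treat an argument of -1 as "leave this id unchanged", and on systems with 16-bit uids 65535 is the same value as (uid_t)-1, so an attempt to drop privilege to a "nobody" with that uid silently leaves the process as root. Suggest adding that explanation after "make sure that no user has uid 65535 or -1", and prefixing the "don't panic" paragraph with something like "If the message is caused by a genuine trapdoor uid system rather than a uid of 65535/-1, ..." so the two causes are not conflated. Minor wording: "Less things will break" should be "Fewer things will break".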
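Review bot: The added note in UNIX-SMB.txt says "Please see the FAQ for details" without naming the document or the entry; since this commit adds that entry as question 11 in docs/samba.faq, suggest pointing at it directly, e.g. "see question 11 in docs/samba.faq", so a reader of UNIX-SMB.txt can find the uid 65535/-1 explanation rather than having to guess which FAQ is meant.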