From owner-freebsd-current Wed Nov 27 12:57:31 2002
Message-ID: <3DE5315A.FC6D59B@mindspring.com>
Date: Wed, 27 Nov 2002 12:55:54 -0800
From: Terry Lambert
To: "David W. Chapman Jr."
Cc: current@freebsd.org
Subject: Re: pw_user.c change for samba
References: <20021127192126.GA31706@leviathan.inethouston.net> <3DE52B70.44402B98@mindspring.com> <20021127203401.GA35573@leviathan.inethouston.net>

"David W. Chapman Jr." wrote:
> > Why is this actually necessary for SAMBA?
> >
> > Is it necessary for all three of these to permit this, or is
> > it sufficient to (for example) allow it in the group name?
> >
>
> Samba needs a user account for the domain "machine account"
> the machine account always ends with a $
>
> So it would only have to be for the account name

I gathered that from the SAMBA site, too.

The '$' is a pain. None of the examples in the original post would
have worked, because the '$' was not '\$', and the shell would have
blown chunks over the "variable expansion".
It seems to me that this could cause a great deal of problems for
scripts that process the password files, as they currently exist, if
they use constructs like "eval", or back-ticks, etc.

If it's allowed, it would probably only be allowed in the user name
(i.e. the patch is wrong; it should probably add another parameter to
the allowable values of 'int gecos', and change it to 'int checktype'
or similar).

It seems to me that another alternative is that all these names end
in '$'; therefore, when you are expecting one of these names, you
could imply a '$', without needing to actually have it in the
password file -- in other words, it's an attribute, not really part
of the account name.

Will this open up a security hole for a normal user account being
used to compromise the domain system security?

Is it absolutely necessary to use an in-band method to distinguish
these records from ordinary user accounts?

If the answer to either of these is "no", then it seems that implying
the '$', rather than permitting it directly, would be best, to keep
scripts working.

-- Terry
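The script-breakage concern in the mail, as an added example that is not part of the original thread and not code from pw(8) or Samba: a constructed passwd fragment carries a machine-style login "ws01$", and the script shows two places where the trailing '$' bites (a login interpolated into an extended regex, and a login spliced into shell code for eval) next to the data-only alternatives. The `valid_login`/`valid_gecos` functions sketch the "allow it in the user name only" policy; their allowed character set is an assumption for this example, not the real pw(8) rule.

```shell
#!/bin/sh
# Added example, not code from the original mail or from pw(8). It uses a
# constructed passwd fragment containing a Samba-style machine account
# ("ws01$") to show where a trailing '$' bites scripts that treat the login
# as a pattern or as shell code, and how to keep the name as plain data.

SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/sh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
ws01$:*:1002:1002:Samba machine account:/nonexistent:/sbin/nologin'

# Fragile lookup: the login is interpolated into an extended regex, where a
# trailing '$' is an end-of-line anchor. "^ws01$:" can never match, so the
# machine account is silently invisible to this script.
lookup_grep() {
    printf '%s\n' "$SAMPLE_PASSWD" | grep -E "^$1:" >/dev/null
}

# Robust lookup: compare the first field as a string, never as a pattern.
lookup_awk() {
    printf '%s\n' "$SAMPLE_PASSWD" |
        awk -F: -v name="$1" '$1 == name { found = 1 } END { exit !found }'
}

# Fragile bookkeeping: synthesizes a variable name from the login and hands
# it to eval. "uid_ws01$" is not a valid name, so the shell treats the whole
# word as a command to run (exit 127) instead of an assignment.
record_uid_eval() {
    eval "uid_$1=$2" 2>/dev/null
}

# Robust bookkeeping: keep the login as data in a table; nothing is re-parsed.
UID_TABLE=''
record_uid_table() {
    UID_TABLE="${UID_TABLE}$1:$2
"
}
get_uid_table() {
    printf '%s' "$UID_TABLE" | awk -F: -v name="$1" '$1 == name { print $2; exit }'
}

# Policy sketch of the suggestion in the mail: permit one trailing '$' in the
# login field only, and no '$' at all in the GECOS field. The allowed
# character set is an assumption for this example, not pw(8)'s actual rule.
valid_login() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_.-]*\$?$'
}
valid_gecos() {
    case "$1" in
        *'$'*) return 1 ;;
        *)     return 0 ;;
    esac
}

# Demonstration when run directly: the grep-based lookup misses "ws01$".
for name in alice 'ws01$'; do
    if lookup_grep "$name"; then g=found; else g=missed; fi
    if lookup_awk "$name";  then a=found; else a=missed; fi
    printf '%-6s grep:%-6s awk:%s\n' "$name" "$g" "$a"
done
```

The two robust variants share one idea: the login never reaches a parser (regex or shell) as code, only as a string compared or stored by awk. That is the property a passwd-processing script needs regardless of whether '$' ends up permitted in the file or implied as an attribute.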