summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>1996-05-29 07:45:45 +0000
committerAndrew Tridgell <tridge@samba.org>1996-05-29 07:45:45 +0000
commit0cb74d3bb87452dc47ca8d4763d31837b9741a10 (patch)
tree4ff602a8f6780576309af1facef369657d19ce19 /docs
parent4513edd077acf1ef3b6ae73381990ff0a2cc2860 (diff)
downloadsamba-0cb74d3bb87452dc47ca8d4763d31837b9741a10.tar.gz
samba-0cb74d3bb87452dc47ca8d4763d31837b9741a10.tar.bz2
samba-0cb74d3bb87452dc47ca8d4763d31837b9741a10.zip
added comments about trapdoor uids
(This used to be commit 2f793c48a9447955195620c891d30d93b518ee0d)
Diffstat (limited to 'docs')
-rw-r--r--docs/samba.faq32
-rw-r--r--docs/textdocs/UNIX-SMB.txt3
2 files changed, 35 insertions, 0 deletions
diff --git a/docs/samba.faq b/docs/samba.faq
index 1df0e7d9c0..e58c88bc18 100644
--- a/docs/samba.faq
+++ b/docs/samba.faq
@@ -402,6 +402,38 @@ valid.
See also 'guest account' in smb.conf man page.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+* 11: You get the message "you appear to have a trapdoor uid system"
+ in your logs
+
+This can have several causes. It might be because you are using a uid
+or gid of 65535 or -1. This is a VERY bad idea, and is a big security
+hole. Check carefully in your /etc/passwd file and make sure that no
+user has uid 65535 or -1. Especially check the "nobody" user, as many
+broken systems are shipped with nobody setup with a uid of 65535.
+
+It might also mean that your OS has a trapdoor uid/gid system :-)
+
+This means that once a process changes effective uid from root to
+another user it can't go back to root. Unfortunately Samba relies on
+being able to change effective uid from root to non-root and back
+again to implement its security policy. If your OS has a trapdoor uid
+system this won't work, and several things in Samba may break. Less
+things will break if you use user or server level security instead of
+the default share level security, but you may still strike
+problems.
+
+The problems don't give rise to any security holes, so don't panic,
+but it does mean some of Samba's capabilities will be unavailable.
+In particular you will not be able to connect to the Samba server as
+two different uids at once. This may happen if you try to print as a
+"guest" while accessing a share as a normal user. It may also affect
+your ability to list the available shares as this is normally done as
+the guest user.
+
+Complain to your OS vendor and ask them to fix their system.
+
===============================================================================
SECTION FOUR: Specific client problems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/docs/textdocs/UNIX-SMB.txt b/docs/textdocs/UNIX-SMB.txt
index b2c064215c..92167a9e84 100644
--- a/docs/textdocs/UNIX-SMB.txt
+++ b/docs/textdocs/UNIX-SMB.txt
@@ -155,6 +155,9 @@ within the one process. On some unixes (such as SCO) this is not
possible. This means that on those unixes the client is restricted to
a single uid.
+Note that you can also get the "trapdoor uid" message for other
+reasons. Please see the FAQ for details.
+
Port numbers
============