Re: [Qemu-devel] [patch] make '-smb $HOME' work
From: Troy Benjegerdes
Subject: Re: [Qemu-devel] [patch] make '-smb $HOME' work
Date: Sat, 8 Oct 2005 14:44:49 -0500
User-agent: Mutt/1.5.9i

Which smbd are you using? The one on Debian sarge wants to have write access
to some /var/run and /var/lib directories to coordinate locking. Because
it gets run as a regular user (and is not suid root), it winds up
spitting out an error to the logfile and dying. It took me a while to
figure this out, since there's no error message displayed by qemu.

On Sat, Oct 08, 2005 at 03:30:36PM -0400, John Coiner wrote:
>
> The most common use case for the '-smb' option may be '-smb $HOME'.
>
> There is a problem with this case:
>
> Windows attempts to connect as user "nobody". Smbd allows the connection
> -- unfortunately, it also maps the "nobody" accesses to the host's
> "nobody" account, so all write accesses fail.
>
> How are people using '-smb'? Am I the only person that runs into this?
> One lame workaround is to point '-smb' at an area on /tmp that
> everybody, including "nobody", has access to.
>
> The problem happens with a Windows 2000 guest, and maybe other NT
> derivatives.
>
> This patch sets up smbd to only allow "guest" access from Windows, and
> no other access. (I suspect and hope that smbd can coax any version of
> Windows into doing a "guest" access, by rejecting everything else. This
> is only tested with Win2K.) When smbd receives a guest access, it maps
> that onto the account of the same user who is running qemu.
>
> This fixes the common, personal use, '-smb $HOME' case. For more
> complicated cases, for example if you don't trust the guest, you may
> want to craft your own 'smb.conf' rather than relying on '-smb'. From a
> security standpoint, the patched '-smb' has no authentication to break,
> and it constrains smb access to a single user on the host. So while the
> gates are wide open to whatever directory you share, you at least know
> what you're getting.
>
> -- John
>
>
>
> --- qemu-0.7.2-dmapatch/vl.c 2005-09-04 13:11:31.000000000 -0400
> +++ qemu-0.7.2-broken/vl.c 2005-10-08 14:41:55.000000000 -0400
> @@ -29,6 +29,8 @@
> #include <time.h>
> #include <errno.h>
> #include <sys/time.h>
> +#include <sys/types.h>
> +#include <pwd.h>
>
> #ifndef _WIN32
> #include <sys/times.h>
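Review bot: `<sys/types.h>` and `<pwd.h>` are added above the `#ifndef _WIN32` guard, so they are included unconditionally. `<pwd.h>` is a POSIX header and is not available on a Windows host build; move both includes below the `#ifndef _WIN32` line, next to `<sys/times.h>`.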
> @@ -1605,15 +1607,17 @@
> "log file=%s/log.smbd\n"
> "smb passwd file=%s/smbpasswd\n"
> "security = share\n"
> + "guest account=%s\n"
> "[qemu]\n"
> "path=%s\n"
> "read only=no\n"
> - "guest ok=yes\n",
> + "guest only=yes\n",
> smb_dir,
> smb_dir,
> smb_dir,
> smb_dir,
> smb_dir,
> + getpwuid( geteuid( ) )->pw_name,
> exported_dir
> );
> fclose(f);
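Review bot: `getpwuid( geteuid( ) )->pw_name` in the fprintf argument list dereferences the return value without a check. `getpwuid()` returns NULL when the effective UID has no passwd entry, so qemu would crash here while writing smb.conf; do the lookup before the `fprintf`, and report an error and skip the smb setup when it fails. Since "guest only=yes" plus "guest account=%s" means every guest access to the share now runs as the user who started qemu, that behaviour should also be stated in the '-smb' documentation.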
>
>
>
--
--------------------------------------------------------------------------
Troy Benjegerdes 'da hozer' address@hidden
Someone asked me why I work on this free (http://www.fsf.org/philosophy/)
software stuff and not get a real job. Charles Shultz had the best answer:
"Why do musicians compose symphonies and poets write poems? They do it
because life wouldn't have any meaning for them if they didn't. That's why
I draw cartoons. It's my life." -- Charles Shultz