As reported in ports/60361 and ports/52859, japanese/samba also has a problem that "users cannot change password from their windows".

This is because of the failure of setresgid() called from lib/util_sec.c:restore_re_gid().

The setresgid(2) says, "Unprivileged processes are restricted in that each of the new IDs must match one of the current IDs." It seems that this "Unprivileged process" is such a process whose "effective uid or gid" is not zero.

I checked every return value of setresgid() in lib/util_sec.c:restore_re_gid(), and found that before smbd gets PANIC, setresgid() fails with EPERM because it is called with both effective uid and gid non-zero before restore_re_gid() is called.

When getresgid() fails and results in an smbd panic, the effective uid and gid are not 0 but the uid and gid of a user who wants to change his or her password (or nobody).

The patch posted in ports/60361 is not good because it does not solve the problem and just does not see the 'security check failed' problem. It may cause some other security problems.

The Samba Users Group Japan (SUGJ) helped me very much. Thanks.

Note: Discussion on this topic in Japanese is available; see
http://www.samba.gr.jp/ml/article/samba-jp/msg15772.html
and
http://www.samba.gr.jp/ml/article/sugj-tech/msg06065.html

Fix:

A diff from ports-current. New patch file is added.

How-To-Repeat:

Set up your samba as PDC or password server, and then try to change your password from your Windows client.

Class Changed
From-To: sw-bug->maintainer-update

Accurate class

I misunderstood the word "Unprivileged".

I wrote,

  The setresgid(2) says, "Unprivileged processes are restricted in that
  each of the new IDs must match one of the current IDs." It seems that
  this "Unprivileged process" is such a process whose
  "effective uid or gid" is not zero.
                 ^^^^^^

but it is better to write

  The setresgid(2) says, "Unprivileged processes are restricted in that
  each of the new IDs must match one of the current IDs." It seems that
  this "Unprivileged process" is such a process whose
  "effective uid" is not zero.

Anyway, the reason for the problem that you cannot change your password from Windows must be a bug in Samba itself, and I think the fix is OK.

Thanks for fixing the wrong class, sergei. I was hurrying too much.

--
NAKAJI Hiroyuki

State Changed
From-To: open->closed

Committed, thanks.
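
The setresgid(2) rule quoted in this report, as an added example that is not part of the PR or of Samba's code: a small C model of the check, showing why restoring a group ID fails with EPERM while the effective uid is still non-zero. The struct, the function names, the uid/gid 1001 and the argument values are constructed assumptions; the actual arguments used in lib/util_sec.c are not shown in the report.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Simplified process credential, constructed for this illustration. */
struct cred { uid_t euid; gid_t rgid, egid, sgid; };

#define KEEP ((gid_t)-1)  /* setresgid(2): -1 leaves that ID unchanged */

static int gid_is_current(const struct cred *c, gid_t g)
{
    return g == KEEP || g == c->rgid || g == c->egid || g == c->sgid;
}

/* Model of the quoted rule: with a non-zero effective uid, each new ID
 * must match one of the current IDs. Returns 0, or EPERM with no change. */
int model_setresgid(struct cred *c, gid_t r, gid_t e, gid_t s)
{
    if (c->euid != 0 &&
        !(gid_is_current(c, r) && gid_is_current(c, e) && gid_is_current(c, s)))
        return EPERM;
    if (r != KEEP) c->rgid = r;
    if (e != KEEP) c->egid = e;
    if (s != KEEP) c->sgid = s;
    return 0;
}

/* Constructed state: euid and every gid already switched to user 1001. */
int restore_gid_while_unprivileged(void)
{
    struct cred c = { 1001, 1001, 1001, 1001 };
    return model_setresgid(&c, 0, 0, KEEP);
}

/* Same state, but the effective uid is put back to 0 first
 * (assumes the saved uid is 0, so that step is permitted). */
int restore_gid_after_regaining_root(void)
{
    struct cred c = { 1001, 1001, 1001, 1001 };
    c.euid = 0;
    return model_setresgid(&c, 0, 0, KEEP);
}

int main(void)
{
    printf("euid 1001, restore gid 0: %d (EPERM is %d)\n",
           restore_gid_while_unprivileged(), EPERM);
    printf("euid 0,    restore gid 0: %d\n", restore_gid_after_regaining_root());
    return 0;
}
```

The model ignores jails, MAC policies and supplementary groups; it only captures the ordering constraint that the effective uid must be restored before group IDs outside the current set can be set.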