From: Troy Benjegerdes <hozer@hozed.org>
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [patch] make '-smb $HOME' work
Date: Sat, 8 Oct 2005 14:44:49 -0500
Message-ID: <20051008194449.GC4612@kalmia.hozed.org>
In-Reply-To: <43481E5C.5050308@stanfordalumni.org>

Which smbd are you using? The one on debian sarge wants to have write access
to some /var/run and /var/lib directories to coordinate locking. Because
it gets run as a regular user (and is not suid root), it winds up
spitting out an error to the logfile and dying. It took me a while to
figure this out, since there's no error message displayed by qemu.

On Sat, Oct 08, 2005 at 03:30:36PM -0400, John Coiner wrote:
>
> The most common use case for the '-smb' option may be '-smb $HOME'.
>
> There is a problem with this case:
>
> Windows attempts to connect as user "nobody". Smbd allows the connection
> -- unfortunately, it also maps the "nobody" accesses to the host's
> "nobody" account, so all write accesses fail.
>
> How are people using '-smb'? Am I the only person that runs into this?
> One lame workaround is to point '-smb' at an area on /tmp that
> everybody, including "nobody", has access to.
>
> The problem happens with a Windows 2000 guest, and maybe other NT
> derivatives.
>
> This patch sets up smbd to only allow "guest" access from Windows, and
> no other access. (I suspect and hope that smbd can coax any version of
> Windows into doing a "guest" access, by rejecting everything else. This
> is only tested with Win2K.) When smbd receives a guest access, it maps
> that onto the account of the same user who is running qemu.
>
> This fixes the common, personal use, '-smb $HOME' case. For more
> complicated cases, for example if you don't trust the guest, you may
> want to craft your own 'smb.conf' rather than relying on '-smb'. From a
> security standpoint, the patched '-smb' has no authentication to break,
> and it constrains smb access to a single user on the host. So while the
> gates are wide open to whatever directory you share, you at least know
> what you're getting.
>
> -- John
>
>
>
> --- qemu-0.7.2-dmapatch/vl.c 2005-09-04 13:11:31.000000000 -0400
> +++ qemu-0.7.2-broken/vl.c 2005-10-08 14:41:55.000000000 -0400
> @@ -29,6 +29,8 @@
> #include <time.h>
> #include <errno.h>
> #include <sys/time.h>
> +#include <sys/types.h>
> +#include <pwd.h>
>
> #ifndef _WIN32
> #include <sys/times.h>
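Review bot: The new <sys/types.h> and <pwd.h> includes sit above the `#ifndef _WIN32` line, so they are compiled on every host. <pwd.h> is a POSIX header that Windows toolchains do not generally provide, so a _WIN32 build would fail here. Move both includes inside the `#ifndef _WIN32` block, next to <sys/times.h>.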
> @@ -1605,15 +1607,17 @@
> "log file=%s/log.smbd\n"
> "smb passwd file=%s/smbpasswd\n"
> "security = share\n"
> + "guest account=%s\n"
> "[qemu]\n"
> "path=%s\n"
> "read only=no\n"
> - "guest ok=yes\n",
> + "guest only=yes\n",
> smb_dir,
> smb_dir,
> smb_dir,
> smb_dir,
> smb_dir,
> + getpwuid( geteuid( ) )->pw_name,
> exported_dir
> );
> fclose(f);
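Review bot: `getpwuid( geteuid( ) )->pw_name` in the argument list dereferences the lookup result without checking it. getpwuid() returns NULL when the effective uid has no passwd entry, and that would crash qemu while it writes smb.conf. Do the lookup before the call that writes the file, check for NULL, and report an error and skip the SMB setup on failure. Separately, with "guest only=yes" and "read only=no" every guest connection now gets write access to the exported directory as the user running qemu, so the '-smb' documentation should say this explicitly.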
>
>
>
> _______________________________________________
> Qemu-devel mailing list
> Qemu-devel@nongnu.org
> http://lists.nongnu.org/mailman/listinfo/qemu-devel
--
--------------------------------------------------------------------------
Troy Benjegerdes 'da hozer' hozer@hozed.org
Someone asked me why I work on this free (http://www.fsf.org/philosophy/)
software stuff and not get a real job. Charles Shultz had the best answer:
"Why do musicians compose symphonies and poets write poems? They do it
because life wouldn't have any meaning for them if they didn't. That's why
I draw cartoons. It's my life." -- Charles Shultz