Summary: | User should be prompted to enter a Samba password if necessary when that user first creates a share | ||
---|---|---|---|
Product: | [Frameworks and Libraries] kdenetwork-filesharing | Reporter: | Ian Proudler <i.proudler> |
Component: | general | Assignee: | Nate Graham <nate> |
Status: | RESOLVED FIXED | ||
Severity: | grave | CC: | ae, alexkde, bugseforuns, dklais, frank78ac, hoperidesalone, jey.and.key, kdelibs-bugs, nate, postix, sitter, uzunov |
Priority: | VHI | Keywords: | usability |
Version: | unspecified | ||
Target Milestone: | --- | ||
Platform: | unspecified | ||
OS: | Linux | ||
Latest Commit: | https://invent.kde.org/network/kdenetwork-filesharing/commit/d9692b4cd8109bbf459e4a532df93b0b90fabff2 | Version Fixed In: | 20.12 |
Sentry Crash Report: |
Description
Ian Proudler
2014-05-16 11:45:43 UTC
Thanks for the bug report. The Properties dialog is not provided by Dolphin itself, but by a library in kdelibs. I'll reassign your report there (even though I'm not sure if the problem is somewhere else in the stack, like some library that is used for the handling of smb shares).

*** Bug 381688 has been marked as a duplicate of this bug. ***

*** Bug 381301 has been marked as a duplicate of this bug. ***

*** Bug 339787 has been marked as a duplicate of this bug. ***

*** Bug 403385 has been marked as a duplicate of this bug. ***

For comparison: the way macOS handles this is by hiding the fact that the Samba server's user account is completely independent of your own user account on the computer. It automatically creates a Samba server user with the same name as the currently logged-in user, then prompts the user to enter their own password, as though authenticating to something. In reality, the user is entering their current password as the password for the new Samba server user's account. This is clever, but non-ideal for the following reasons:

- Sharing a password between your user account and Samba account is a security risk
- If you change your user account's password, the Samba sharing user's password doesn't get updated automatically (or maybe it does now?)

Either way we should probably prompt the user to enter a username/password combination when creating a share.

*** Bug 413679 has been marked as a duplicate of this bug. ***

Sorry to say, but I'm surprised that this issue has apparently been known for five years and despite being marked as "grave", being totally unsolvable for the average user, and the solution even being mentioned here and relatively trivial... should fixing this not have priority over any newly added features?

Indeed it is, and you might notice that the kdenetwork-filesharing module hasn't gotten any new features either. :) KDE is just short-staffed for developers capable of fixing this issue, unfortunately. I've done some work on this module but my prior attempts to resolve this particular bug have not been successful yet. Patches are welcome if anyone passing by wants to take a crack at it.

Understood... would help if I had any solid footing in the whole Qt/KDE ecosystem, but I almost exclusively do iOS / Hybrid App development nowadays. Oh well! :) Sorry for the complaints.

*** Bug 178187 has been marked as a duplicate of this bug. ***

Turns out this is rocket science. The only way to get a list of users known to samba and can be assumed to have a password set is to use pdbedit it seems. That tool has no separate access control so it needs running as a user with suitable access or won't work (i.e. needs an elevated kauth helper to query as root).

Possible design: testparm backend==tdbsam && elevate to check if pdbedit knows about the user. If a different auth backend from tdbsam is used we can't really do much. I am also not sure what exactly happens when the computer is a domain member, but I guess it's best to guard against with testparm security==AUTO|USER

That only gets us as far as knowing if a given user is in the password database. If it is not then further complications await! smbpasswd needs either running as the currently authenticated user but then it can only add that user, or as root in which case it can add arbitrary users. So, another kauth helper is needed there since we'll want to also allow other users access. Trouble is we'd then send passwords over dbus, which I think we'd like to avoid very much :| I suppose we could also ignore the problem of other users, working under the assumption that they'll have been set up properly already.

proof of concept https://invent.kde.org/sitter/kdenetwork-filesharing/-/commits/work/smbpasswd

UX needs figuring out

A possibly relevant merge request was started @ https://invent.kde.org/network/kdenetwork-filesharing/-/merge_requests/4

Git commit d9692b4cd8109bbf459e4a532df93b0b90fabff2 by Harald Sitter.
Committed on 21/08/2020 at 11:43.
Pushed by sitter into branch 'master'.

add smb user management support

this rejiggers the model a bit and splits out user mapping logic into a usermanager.

the usermanager loads all users and models their samba state. to do this it uses samba's pdbedit tool. since this is a database editor tool actually it needs a kauth helper to carry out the lookups. this allows modelling of whether a user is enabled in samba or not (an actual GUI for this is not part of this commit)

in addition to looking up the state this adds a new page for the page stack for when the current user is not enabled in samba. this is to prevent users from setting up shares but then not being able to access them (assuming guest access is not possible - as is the case by default without a smb.conf enabling support for it)

this new page sports a simple password setting UI that then again turns to the auth helper for help. the auth helper runs smbpasswd, also a samba CLI tool, to set a password for the user

all of this is conditional on samba actually having been configured to use a local pdb instance as authentication database. other options would be ldap or some such and will likely never be supported because they'd only be used in corporate/managed environments where the user at hand wouldn't be able to manage users anyway

FIXED-IN: 20.12

M +15 -1 samba/filepropertiesplugin/CMakeLists.txt
A +72 -0 samba/filepropertiesplugin/authhelper.cpp [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A +21 -0 samba/filepropertiesplugin/authhelper.h [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
M +8 -47 samba/filepropertiesplugin/model.cpp
M +4 -3 samba/filepropertiesplugin/model.h
A +20 -0 samba/filepropertiesplugin/org.kde.filesharing.samba.actions
A +131 -0 samba/filepropertiesplugin/qml/ChangePassword.qml [License: LGPL(3+eV) LGPL(v3.0) LGPL(v2.1)]
A +84 -0 samba/filepropertiesplugin/qml/UserPage.qml [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
M +4 -4 samba/filepropertiesplugin/qml/main.qml
M +2 -0 samba/filepropertiesplugin/qml/qml.qrc
M +31 -2 samba/filepropertiesplugin/sambausershareplugin.cpp
M +13 -3 samba/filepropertiesplugin/sambausershareplugin.h
A +184 -0 samba/filepropertiesplugin/usermanager.cpp [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A +58 -0 samba/filepropertiesplugin/usermanager.h [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]

https://invent.kde.org/network/kdenetwork-filesharing/commit/d9692b4cd8109bbf459e4a532df93b0b90fabff2

<3 <3
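
The check sketched in the thread (testparm for the passdb backend and security mode, then pdbedit for the user), written out as an added shell example that is not the project's code. The function names and the three state strings are hypothetical, and the listing fed in at the end is constructed sample input in the `user:uid:full name` form that `pdbedit -L` prints.

```shell
#!/bin/sh
# Added illustration, not code from kdenetwork-filesharing.
# On a real system the inputs would come from:
#   testparm -s --parameter-name='passdb backend'   (unprivileged)
#   testparm -s --parameter-name='security'         (unprivileged)
#   pdbedit -L                                      (needs root for tdbsam)
# Only the pdbedit call needs elevation, so a privileged helper can stay small.

# can_manage_locally BACKEND SECURITY
# True only for a local tdbsam database on a non-domain-member setup.
can_manage_locally() {
    backend=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    security=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$backend" in
        tdbsam|tdbsam:*) ;;      # value may carry a path: tdbsam:/some/passdb.tdb
        *) return 1 ;;           # ldapsam, smbpasswd, ...: nothing we can manage
    esac
    case "$security" in
        auto|user) return 0 ;;
        *) return 1 ;;           # e.g. ADS/domain: accounts live elsewhere
    esac
}

# user_in_pdb USER   (pdbedit -L listing on stdin)
# Exact match on the first colon-separated field, so "ali" never matches "alice".
user_in_pdb() {
    U="$1" awk -F: '$1 == ENVIRON["U"] { found = 1 } END { exit !found }'
}

# samba_user_state USER BACKEND SECURITY   (pdbedit -L listing on stdin)
# Prints one of: unsupported | in-passdb | not-in-passdb
samba_user_state() {
    if ! can_manage_locally "$2" "$3"; then
        echo unsupported
        return 0
    fi
    if user_in_pdb "$1"; then
        echo in-passdb           # assumed to have a Samba password set
    else
        echo not-in-passdb       # this is the case that should prompt for a password
    fi
}

# Constructed sample listing: carol owns the share but has no Samba account.
printf 'alice:1000:Alice Example\nbob:1001:\n' | samba_user_state carol tdbsam AUTO
```

For the follow-up step, `smbpasswd -s -a USER` reads the new password from standard input, which keeps it off the helper's command line.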