Executing smbstatus as non-root user

I found that after upgrading to samba 3 (Debian 2.6.15 unstable), I was unable to execute smbstatus as a non-root user. This was very inconvenient, since I was using a PHP script to track which users are connected to my server (see my previous post). The error that occurs looks as follows:

ERROR: Failed to initialise messages database: Permission denied
messaging_tdb_init failed: NT_STATUS_ACCESS_DENIED
messaging_init failed

Making smbstatus suid root unfortunately didn’t do the trick. Taking a closer look at the error suggested that it had to do with the *.tdb files that samba is using. So, I went to the folder containing these files (for me /var/run/samba/*.tdb). All these database files were chmodded to 644, so rw permissions were enabled only for root.

By changing the permissions of messages.tdb to 666 (rw permissions for world; if you find this too devil-ish, 646 would also do the trick ;)), a normal user can also open the database file, and thus everything worked again. Of course, you should keep in mind that this may pose a security risk.

~ by moiristo on February 16, 2009.

7 Responses to “Executing smbstatus as non-root user”

  1. This was helpful – but you only need to change the permissions of messages.tdb (so smbstatus can read and write to it).

  2. Thanks for the info, I’ve updated the post

  3. Thanks a lot for info!
    It’s very useful to see smbstatus from conky.

  4. I’m having problems running smbstatus from an .sh script being prompted through cron.. It pukes this into syslog..

    grandchild #28122 failed with exit status 126

    The script simply pipes output from smbstatus into a file and then I have another script that parses through to find certain things and then send off an email..

    This post may have no bearing but.. It came up in my searches.. 126 is some permissions problem and I’m not sending output from cron so I don’t really know where it’s hung up. I can run the command from command line su —

    ? — maybe

  5. Please disregard the previous question.. Thanks..

  6. A better way would be to add the following to /etc/sudoers

    www-data ALL=NOPASSWD: /usr/bin/smbstatus

    (Assuming that you want www-data to run smbstatus, and that’s the full path to your smbstatus command)

    This way there are no additional security risks modifying your samba .tdb permissions.

  7. …ahem.. and then you can simply call ‘sudo smbstatus’ from your scripts.
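
An added example, not part of the original post or its comments: a shell audit that lists *.tdb files left world-writable by the chmod 666/646 workaround and resets them to 644, for hosts that have moved to the sudoers approach from comment 6. The function names and the sample directory are constructed for illustration; on a real host the directory would be /var/run/samba, the path given in the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit Samba's *.tdb files for
# world-writable modes such as the 666/646 workaround described above.

# Print every *.tdb directly inside DIR that "other" may write to.
find_world_writable_tdb() {
    find "$1" -maxdepth 1 -type f -name '*.tdb' -perm -0002 -print | sort
}

# Reset flagged files to 644, the mode the post reports as the original,
# printing each path that was changed.
reset_tdb_perms() {
    find_world_writable_tdb "$1" | while IFS= read -r f; do
        chmod 644 "$f" && printf 'reset %s\n' "$f"
    done
}

# Build a constructed sample directory (file names and modes are test data)
# and print its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    touch "$d/messages.tdb" "$d/sessionid.tdb" "$d/locking.tdb" "$d/smbd.pid"
    chmod 666 "$d/messages.tdb"   # the post's workaround
    chmod 646 "$d/sessionid.tdb"  # the "646" variant: still world-writable
    chmod 644 "$d/locking.tdb"    # original mode, must not be flagged
    chmod 666 "$d/smbd.pid"       # not a .tdb file, out of scope here
    printf '%s\n' "$d"
}

# Demo on the sample directory; on a real host pass /var/run/samba (the path
# from the post) to find_world_writable_tdb instead.
sample=$(make_sample_dir)
echo "world-writable before:"; find_world_writable_tdb "$sample"
reset_tdb_perms "$sample"
echo "world-writable after: $(find_world_writable_tdb "$sample" | wc -l)"
rm -rf "$sample"
```

Note that 646 is flagged as well as 666: the last digit is what grants write access to every local user, so it does not reduce the exposure.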
