Temp files created on read-only share

Ries van Twisk riest at franksintl.nl
Thu Nov 15 08:12:10 GMT 2001


Hi All,

I didn't follow the complete thread but I also run a lot of Word documents for a 
read-only share and I have never seen this happening. This in 2 years of 
running samba.
The security to the dirs is maintained by the underlying OS (Linux 2.4.9) 
and it's also set in SAMBA.

Ries

On 15 Nov 2001, at 9:07, Bill Grzanich wrote:

> Hi, Joel.
> 
> (Comments at end)
> 
> >On Wed, Nov 14, 2001 at 10:06:57AM -0600, Bill Grzanich wrote:
> >> Hello, All.
> >> 
> >> We have Samba 2.0.7 running on Red Hat 6.2 (up for 351 days!) and have discovered the following 
> >> anomaly:
> >> 
> >> There is a share called "appsg" that contains a number of folders, including one called 
> >> OfficeTemplates.  The share definition in smb.conf is:
> >> 
> >> [appsg]
> >>         comment = Apps in Applications
> >>         path=/home/applications/apps
> >>         public = No
> >>         read only = Yes
> >>         write list = @staff
> >>         printable = No
> >> 
> >> The other day we noticed that for one user, Jared, Word was opening temporary files in the
> >> OfficeTemplates folder on that share.  These files were like ~normal.dot, and were being created
> >> read-write!  From his PC, we attempted to create or save a file to the above share, but the process
> >> was denied because the share is read-only to everyone but the I.T. staff. (As expected.)
> >> 
> >> It turns out that his Word was configured to point at the share for his user templates.  When we
> >> changed that so user templates were on his local C:\ drive, and the workgroup templates location
> >> was the appsg\OfficeTemplates folder, these temporary files did not appear.
> >> 
> >> The question is: why did Samba allow Word to create the temporary files on the read-only share?  No
> >> warning was received, nor was anything logged in the Samba logs.  Now that we have his Office
> >> configured properly, it's not an issue, but I'm at a loss for an explanation, and the NT guys here
> >> are laughing up their sleeves at this perceived security hole in Linux/Samba.
> >> 
> >> Thanks very much for any clues.
> 
> Original message from: Joel Hammer
> >Just a few ignorant questions/comments here.
> >Isn't this really a security issue for Word?
> 
> Probably.  I was just curious if anyone else had observed similar behavior and perhaps had an 
> explanation for why this was happening.
> 
> >Would an NT server allow this to happen to it?
> 
> Good question.  We may have to try that.
> 
> >To track down this problem, I would set log level =3, misconfigure his Word
> >again, and watch the interaction.
> 
> Yes, also a good idea.  
> 
> >Would changing permissions on the /home/applications/apps directory get
> >around this? Making the linux directory writable only by staff might prevent
> >this. 
> 
> That's what we have, isn't it?  Oh, you mean the Linux permissions!  That would likely work, but
> shouldn't Samba have accomplished the same thing?  And that's the real point of my original
> message.  Why did Samba allow this?  Frankly, it's moot at this point, but still odd.
> 
> >Is security by share or by user? What user name does samba run under if
> >security = share ?
> 
> Security = domain.  We have NT servers for PDC and BDC, and users authenticate against them.
> 
> Thanks for the suggestions.  That gives me something to try.  Of course, since this is a production
> machine, my options for playing are a bit limited, but I'll see what I can do.
> 
> Best regards,
> 
> -- 
> Bill Grzanich
> IT Manager
> ORGANICS/LaGrange, Inc.
> 
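
The thread mentions two layers that control writes to the share: the Samba share settings and the Linux directory permissions. The following is an added example, not code from the thread or from Samba: it evaluates the quoted `[appsg]` definition using Samba's rule that `write list` members may write even when `read only = Yes`, then applies the directory's Unix write bits. The group memberships, directory owner and mode, and all function names are constructed assumptions; `force user` and ACLs are not modelled.

```python
# Share definition as quoted in the thread.
SMB_CONF = """
[appsg]
        comment = Apps in Applications
        path=/home/applications/apps
        public = No
        read only = Yes
        write list = @staff
        printable = No
"""
# Constructed sample values (assumptions, not from the thread).
GROUPS = {"staff": {"bill"}, "users": {"jared"}}
DIR_OWNER, DIR_GROUP, DIR_MODE = "root", "staff", 0o775

def parse_shares(text):
    """Parse smb.conf sections into {share: {normalised key: value}}."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def in_user_list(user, spec, groups):
    """Match a user against a list of 'name' and '@group' entries."""
    for entry in spec.replace(",", " ").split():
        if entry == user or (entry[0] == "@" and user in groups.get(entry[1:], ())):
            return True
    return False

def samba_allows_write(share, user, groups=GROUPS):
    """Share level: 'write list' members may write even if read only = Yes."""
    if in_user_list(user, share.get("write list", ""), groups):
        return True
    return share.get("read only", "yes").lower() in ("no", "false", "0")

def unix_allows_write(user, groups=GROUPS, mode=DIR_MODE):
    """Filesystem level: write bit on the directory for owner/group/other."""
    if user == DIR_OWNER:
        return bool(mode & 0o200)
    return bool(mode & (0o020 if user in groups.get(DIR_GROUP, ()) else 0o002))

def can_create_files(conf, share_name, user, groups=GROUPS, mode=DIR_MODE):
    """A file can be created only if both layers allow the write."""
    share = parse_shares(conf)[share_name]
    return samba_allows_write(share, user, groups) and unix_allows_write(user, groups, mode)
```

With these sample values, a user outside `@staff` is refused at the share level whatever the directory mode is, and a user who is added to `@staff` passes both checks.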