URGENT: REDHAT 6.1 STORES SAMBA PRIVATE FILES IN /etc

geoffrey lee snail_talk at yahoo.com
Tue Dec 21 09:40:17 GMT 1999


hi all,


i'm using mandrake and i'd just like to say that mandrake also exhibits this
problem. maybe it's a problem inherited from redhat, i don't know ..

well, at least i set my /etc/smbpasswd to 600 ...

> -----Original Message-----
> From: samba-ntdom at samba.org [mailto:samba-ntdom at samba.org]On Behalf Of
> Luke Kenneth Casson Leighton
> Sent: Tuesday, December 21, 1999 5:27 AM
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: URGENT: REDHAT 6.1 STORES SAMBA PRIVATE FILES IN /etc
>
>
> dear redhat,
>
> i examined a friend's system today, to help him configure it.  assuming
> that he just "installed" from scratch the samba package, it appears that
> you have provided a default smb.conf file for redhat 6.1 that puts samba
> private configuration files in /etc.  the suggested options, for example
> show "smbpasswd file = /etc/smbpasswd".
>
> this is REALLY bad.
>
> 1) you CANNOT put smbpasswd in /etc.
>
> 2) you CANNOT put private files DOMAIN.TRUST_ACCOUNT.mac in /etc.
>
> i know that these require root access, however if your users start to
> assume that just because these files are in /etc, they are equivalent to
> /etc/passwd, they may decide to make these world-readable, and as a result
> they will compromise the security of the box, and potentially the security
> of remote nt-compatible boxes too (including other samba servers) because
> these files contain CLEAR_TEXT EQUIVALENT PASSWORDS.
>
> for example, private .mac files can contain information sufficient to
> compromise a remote server by obtaining all remote clear-text equivalent
> passwords: the .mac file is used to store the "Backup Domain Controller"
> trust account password.
>
> i know that there are people out there who are using samba configured in
> the way your installation suggests, because i have received debug log
> files from people on the samba lists showing that trust accounts are being
> read from /etc/DOMAIN.SERVER_NAME.mac.
>
> please respond urgently to confirm that you have received this message and
> that you are taking steps to correct this.
>
> thank you.
>
> luke (samba team, iss x-force research).
>
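As an added example, not part of the original thread or of Samba's own code: a small POSIX shell audit that reads an smb.conf, locates the `smbpasswd file` and the `private dir` (where the DOMAIN.SERVER_NAME.mac trust-account files live), and reports any private file kept under /etc or readable by group or others, the two conditions the message warns about. `private dir` is a real smb.conf parameter; all paths used here are constructed for illustration.

```shell
#!/bin/sh
# Added audit example (not code from the thread or from Samba): read an
# smb.conf, find the smbpasswd file and the private dir (home of the
# DOMAIN.SERVER.mac trust-account files) and flag the two risks the
# thread raises: a private file under /etc, and one readable by group or
# others. "private dir" is a real smb.conf parameter; paths are examples.

# Print a parameter's value (case-insensitive key, spaces around '='
# ignored), or the default in $3 when the key is absent.
smb_param() {
    awk -F= -v key="$2" -v dflt="$3" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        tolower(k) == tolower(key) {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; found = 1; exit
        }
        END { if (!found) print dflt }' "$1"
}

# True when the path lives under /etc, the location the thread objects to.
in_etc() { case "$1" in /etc/*) return 0 ;; *) return 1 ;; esac; }

# True when group or others may read the file. Parses the ls -l mode
# string (char 5 = group read, char 8 = other read) for portability.
loose_perms() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ????r*|???????r*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Audit one smb.conf: print one WARN line per finding, return their count.
audit_smb_conf() {
    pw=$(smb_param "$1" 'smbpasswd file' '')
    priv=$(smb_param "$1" 'private dir' '')
    n=0; set -- $pw                           # no positional args if unset
    if [ -d "$priv" ]; then
        for f in "$priv"/*.mac; do [ -e "$f" ] && set -- "$@" "$f"; done
    fi
    for f in "$@"; do
        if in_etc "$f"; then echo "WARN $f: private file under /etc"; n=$((n+1)); fi
        if [ -e "$f" ] && loose_perms "$f"; then
            echo "WARN $f: readable by group/others"; n=$((n+1))
        fi
    done
    return $n
}

if [ "$#" -gt 0 ]; then audit_smb_conf "$1"; fi
```

Run it as `sh audit.sh /etc/smb.conf`; a non-zero exit status is the number of findings, so it drops straight into a cron job or a configuration check.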
