URGENT: REDHAT 6.1 STORES SAMBA PRIVATE FILES IN /etc

Michael H. Warfield mhw at wittsend.com
Tue Dec 21 14:09:19 GMT 1999


On Tue, Dec 21, 1999 at 07:51:13PM +1100, Volker Lendecke wrote:
> -----BEGIN PGP SIGNED MESSAGE-----

> > 1) you CANNOT put smbpasswd in /etc.

> SuSE does this as well. It was partly my decision. For a standard
> installation I did not want to clobber the directories. I really do
> not see any further security benefit if smbpasswd is put somewhere
> else. People who play with permissions in /etc/ have to know what they
> do. The standard installation does it just fine, and if you chmod
> anything there, you are on your own.

	Something else we could do is...

	1) Bitch to high heaven at startup if permissions are any looser
than 600 owned by root.  Precedent is ssh and fetchmail amongst others.

	2) Refuse to use the smbpasswd file if permissions are any looser
than 600 owned by root.  Same as #1.

	3) Set the permissions to 600 or tighter any time the file is
updated for any reason.

	That way we can keep the permissions acceptable no matter where
we stuff the file and the admin can only get away with changing them
to a stupid value for a very short period of time.

	Several security related pieces of software are known for doing that
and the practice is entirely acceptable provided enough clear screaming
(verbose error messages) is done to indicate why something is no longer
working.

> Volker


	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
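
The three measures proposed in the message above, sketched in C as an added example (not Samba's code and not part of the original post). The function names, the `expected_uid` parameter (so the owner check can be tried without root) and the default path in `main` are assumptions made here.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW and fchmod() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Points 1 and 2: complain loudly and refuse the file unless it is a regular
 * file owned by expected_uid with mode 0600 or tighter.
 * Returns an open read-only descriptor, or -1 after saying why it refused. */
int open_private_file(const char *path, uid_t expected_uid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);   /* never follow a symlink */

    if (fd < 0) {
        fprintf(stderr, "ERROR: cannot open %s: %s\n", path, strerror(errno));
        return -1;
    }
    /* fstat() the descriptor, so the file checked is the file later read. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        fprintf(stderr, "ERROR: %s is not a regular file, refusing to use it\n", path);
    } else if (st.st_uid != expected_uid) {
        fprintf(stderr, "ERROR: %s is owned by uid %lu, expected %lu, refusing to use it\n",
                path, (unsigned long)st.st_uid, (unsigned long)expected_uid);
    } else if (st.st_mode & 07177) {   /* any bit beyond owner read/write */
        fprintf(stderr, "ERROR: %s has mode %04o, must be 0600 or tighter, refusing to use it\n",
                path, (unsigned)(st.st_mode & 07777));
    } else {
        return fd;
    }
    close(fd);
    return -1;
}

/* Point 3: force the mode back to 0600 whenever the file has been updated. */
int tighten_after_update(int fd)
{
    return fchmod(fd, S_IRUSR | S_IWUSR);
}

int main(int argc, char **argv)
{
    /* "smbpasswd" is a placeholder path; uid 0 is the "owned by root" rule. */
    int fd = open_private_file(argc > 1 ? argv[1] : "smbpasswd", 0);
    if (fd >= 0) close(fd);
    return fd >= 0 ? 0 : 1;
}
```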



More information about the samba-ntdom mailing list