URGENT: REDHAT 6.1 STORES SAMBA PRIVATE FILES IN /etc

Mon Dec 20 21:49:28 GMT 1999

On Tue, 21 Dec 1999, Luke Kenneth Casson Leighton wrote:

> this is REALLY bad.

> 1) you CANNOT put smbpasswd in /etc.

> 2) you CANNOT put private files DOMAIN.TRUST_ACCOUNT.mac in /etc.

> i know that these require root access, however if your users start to
> assume that just because these files are in /etc, they are equivalent to
> /etc/passwd, they may decide to make these world-readable, and as a result
> they will compromise the security of the box, and potentially the security
> of remote nt-compatible boxes too (including other samba servers) because
> these files contain CLEAR_TEXT EQUIVALENT PASSWORDS.

> for example, private .mac files can contain information sufficient to
> compromise a remote server by obtaining all remote clear-text equivalent
> passwords: the .mac file is used to store the "Backup Domain Controller"
> trust account password.

Luke,

I find this conclusion to be rather odd.  There are plenty of files in the
/etc directory on all my RedHat systems which are only readable by root,
the most notable being /etc/shadow.  Have you encountered real-world cases
of users/admins changing the permissions on /etc/smbpasswd after it has
been properly installed root-only, or are you extrapolating based on what
you know of the intelligence of the average RedHat user? ;)

I don't see why anyone with legitimate root-access to a system would
willfully go about changing permissions on files if they don't understand
what those files are.  I also don't see how moving the file to a
subdirectory will make a difference: the admin can just as easily chmod
the private directory as he can the smbpasswd file, so moving the file to
a subdirectory doesn't get you all that much security.

As long as the RPM properly installs the files root-only, and as long as
*Samba* properly secures all of the .mac files upon creation instead of
making unsafe assumptions about directory permissions, then /etc should be
just as safe as anywhere else.

Also, please note that RedHat themselves are not the only ones creating
RPMs with these settings.  If you take a look at samba.org's ftp site,
you'll find that the RPMs provided there use the same directory structure.
Here's a look at one such package:

$ rpm -qi samba
Name        : samba                        Relocations: (not relocateable)
Version     : 2.0.6                             Vendor: (none)
Release     : 19991110                      Build Date: Wed 10 Nov 1999 11:05:24 PM CST
Install date: Sun 05 Dec 1999 04:26:11 PM CST      Build Host: arvidsjaur
Group       : Networking                    Source RPM: samba-2.0.6-19991110.src.rpm
Size        : 7536253                          License: GNU GPL version 2
Packager    : John H Terpstra [Samba-Team] <jht at samba.org>

...so perhaps this should be discussed more thoroughly among the members
of the Samba Team before you start scaring the distribution maintainers?
:)

-Steve Langasek
postmodern programmer