URGENT: REDHAT 6.1 STORES SAMBA PRIVATE FILES IN /etc
Luke Kenneth Casson Leighton
lkcl at samba.org
Mon Dec 20 21:56:15 GMT 1999
On Mon, 20 Dec 1999 vorlon at netexpress.net wrote:
> On Tue, 21 Dec 1999, Luke Kenneth Casson Leighton wrote:
> > this is REALLY bad.
> > 1) you CANNOT put smbpasswd in /etc.
> > 2) you CANNOT put private files DOMAIN.TRUST_ACCOUNT.mac in /etc.
> > i know that these require root access, however if your users start to
> > assume that just because these files are in /etc, they are equivalent to
> > /etc/passwd, they may decide to make these world-readable, and as a result
> > they will compromise the security of the box, and potentially the security
> > of remote nt-compatible boxes too (including other samba servers) because
> > these files contain CLEAR_TEXT EQUIVALENT PASSWORDS.
> > for example, private .mac files can contain information sufficient to
> > compromise a remote server by obtaining all remote clear-text equivalent
> > passwords: the .mac file is used to store the "Backup Domain Controller"
> > trust account password.
> I find this conclusion to be rather odd. There are plenty of files in the
> /etc directory on all my RedHat systems which are only readable by root,
> the most notable being /etc/shadow. Have you encountered real-world cases
> of users/admins changing the permissions on /etc/smbpasswd after it has
> been properly installed root-only, or are you extrapolating based on what
> you know of the intelligence of the average RedHat user? ;)
i know what damage can be done with those .mac files. you can anonymously
use them to obtain remote SAM databases.
it scares me that people might not realise this, and think it's ok to
change the permissions on them, or edit them.
> I don't see why anyone with legitimate root-access to a system would
> willfully go about changing permissions on files if they don't understand
> what those files are. I also don't see how moving the file to a
> subdirectory will make a difference: the admin can just as easily chmod
> the private directory as he can the smbpasswd file, so moving the file to
> a subdirectory doesn't get you all that much security.
true, however it's another level to make it _really_ clear not to mess
> As long as the RPM properly installs the files root-only, and as long as
> *Samba* properly secures all of the .mac files upon creation instead of
> making unsafe assumptions about directory permissions, then /etc should be
> just as safe as anywhere else.
it just scares me, that's all. and yes, we put the right create
permissions on .mac files.
> Also, please note that RedHat themselves are not the only ones creating
> RPMs with these settings. If you take a look at samba.org's ftp site,
> you'll find that the RPMs provided there use the same directory structure.
> Here's a look at one such package:
> $ rpm -qi samba
> Name : samba Relocations: (not relocateable)
> Version : 2.0.6 Vendor: (none)
> Release : 19991110 Build Date: Wed 10 Nov 1999 11:05:24 PM CST
> Install date: Sun 05 Dec 1999 04:26:11 PM CST Build Host: arvidsjaur
> Group : Networking Source RPM: samba-2.0.6-19991110.src.rpm
> Size : 7536253 License: GNU GPL version 2
> Packager : John H Terpstra [Samba-Team] <jht at samba.org>
> ...so perhaps this should be discussed more thoroughly among the members
> of the Samba Team before you start scaring the distribution maintainers?
:) yeah i wondered who created it. thx 4 pointing this out.
More information about the samba-technical