URGENT: REDHAT 6.1 STORES SAMBA PRIVATE FILES IN /etc

Michael H. Warfield mhw at wittsend.com
Mon Dec 20 23:14:39 GMT 1999 

	Ok...  I just started parsing through this tempest in a teapot.

	Luke...  Please consult with others before yelling "fire in the
hole".  Even I do that...  I haven't been in the office the last couple of
days, but I'm a phone call or an E-Mail away.

On Tue, Dec 21, 1999 at 09:16:47AM +1100, Luke Kenneth Casson Leighton wrote:

> i know what damage can be done with those .mac files.  you can anonymously
> use them to obtain remote SAM databases.

> it scares me that people might not realise this, and think it's ok to
> change the permissions on them, or edit them.

	Why would they do that and why would you assume that any more than
any other directory?  After all /etc/shadow is there along with numerous
other critical files that people are not suppose to edit or view (like
sudoers, ipsec.secrets, ssh_host_key, at.deny, ftpaccess, securetty, etc,
etc, etc).

	It has never been an assumption by anyone I have ever known that
all the files in /etc should be readable by everyone or even be editable!
Just the opposite, in fact.  The assumption has always been that permissions
set on files in /etc are that way for a reason and should NOT be tampered
with.  Files in some other directory, which may or may not conform to the
file system standard, may not hold to that convention.

	Furthermore, the assumption is that anything in /etc/ is system
configuration and you tamper with it at your own risk!  Lots of ascii
text files in that directory have clear "do not edit" warnings embedded.
Readability or editability has never been an assumption for files in /etc/
for any version of Unix I have ever worked on.

	Subdirectories under /etc/ are generally a good thing for reducing
the flat namespace in that directory.  They are not generally done that
way to improve security.

> > I don't see why anyone with legitimate root-access to a system would
> > willfully go about changing permissions on files if they don't understand
> > what those files are.  I also don't see how moving the file to a
> > subdirectory will make a difference: the admin can just as easily chmod
> > the private directory as he can the smbpasswd file, so moving the file to
> > a subdirectory doesn't get you all that much security.

> true, however  it's another level to make it _really_ clear not to mess
> with them.

	That's more than a bit of a stretch...

> > As long as the RPM properly installs the files root-only, and as long as
> > *Samba* properly secures all of the .mac files upon creation instead of
> > making unsafe assumptions about directory permissions, then /etc should be
> > just as safe as anywhere else.

> it just scares me, that's all.  and yes, we put the right create
> permissions on .mac files.

	Then any alteration of those permissions is a self inflicted injury.
Sort of on the order of "if we add the suid bit to this game it helps us
keep score, but, duh, now people can get root through that shell escape".

> > Also, please note that RedHat themselves are not the only ones creating
> > RPMs with these settings.  If you take a look at samba.org's ftp site,
> > you'll find that the RPMs provided there use the same directory structure.
> > Here's a look at one such package:


> > $ rpm -qi samba
> > Name        : samba                        Relocations: (not relocateable)
> > Version     : 2.0.6                             Vendor: (none)
> > Release     : 19991110                      Build Date: Wed 10 Nov 1999 11:05:24 PM CST
> > Install date: Sun 05 Dec 1999 04:26:11 PM CST      Build Host: arvidsjaur
> > Group       : Networking                    Source RPM: samba-2.0.6-19991110.src.rpm
> > Size        : 7536253                          License: GNU GPL version 2
> > Packager    : John H Terpstra [Samba-Team] <jht at samba.org>

> > ...so perhaps this should be discussed more thoroughly among the members
> > of the Samba Team before you start scaring the distribution maintainers?
> > :)

> :) yeah i wondered who created it.  thx 4 pointing this out.

> john!!!! :)

	I don't see a problem with the configuration.  If the consensus is
to change it, then change it.  But it is not a security problem any more than
a lot more serious files in /etc, so let's stand down this firedrill.

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

More information about the samba-technical mailing list