URGENT: REDHAT 6.1 STORES SAMBA PRIVATE FILES IN /etc

Steve Langasek vorlon at netexpress.net
Tue Dec 21 20:04:30 GMT 1999


On Tue, 21 Dec 1999, Luke Kenneth Casson Leighton wrote:

> i know what damage can be done with those .mac files.  you can anonymously
> use them to obtain remote SAM databases.

I do, too, which is why I would never think of making these files readable.
However, I don't think moving the files to a subdirectory is going to gain you
much more than a false sense of security.

> it scares me that people might not realise this, and think it's ok to
> change the permissions on them, or edit them.

I have a suggestion.  If you want to make sure that administrators understand
that the files *must* be kept private, you could add an autogenerated comment
to the top of each file explaining this.  In the case of the .mac files, this
may require a minor change to the way they're parsed, but smb.conf at least
supports /bin/sh-style (#) comments already.  Any administrator I know who can
figure out how to compromise the permissions on a file also knows enough to
look at the file first to get at least *some* idea what it is.

This way, everyone has a little bit more information to work with (and
educating administrators whether they like it or not is always a good thing),
and you don't have to spend your time chasing down and arguing with all the
Samba packagers who disagree with your directory hierarchy.

-Steve Langasek
postmodern programmer
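As an added illustration of the suggestion above (example code written for this page, not Samba's code and not part of the original thread): a small audit that flags a private file whose group/other permission bits are set, prepends a `#` warning header exactly once without loosening the file's mode, and reads data lines in a way that skips such a header. The file name, the header wording and the 0600 requirement are assumptions.

```python
import os, stat, tempfile

# Comment the audit expects at the top of every private file (wording is assumed).
WARNING_HEADER = ("# WARNING: Samba private file with authentication secrets.\n"
                  "# Keep it root-only (mode 0600); do not edit by hand.\n")

def permission_findings(path, expected_uid=0):
    """Report group/other access bits and unexpected ownership on a private file."""
    st, findings = os.stat(path), []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other bits set: %04o" % stat.S_IMODE(st.st_mode))
    if st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    return findings

def has_header(path):
    with open(path) as f:
        return f.read(len(WARNING_HEADER)) == WARNING_HEADER

def ensure_header(path):
    """Prepend WARNING_HEADER once, keeping the file's existing mode."""
    if has_header(path):
        return False
    with open(path) as f:
        body = f.read()
    mode, tmp = stat.S_IMODE(os.stat(path).st_mode), path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # never readable by others
    with os.fdopen(fd, "w") as f:
        f.write(WARNING_HEADER + body)
    os.chmod(tmp, mode)
    os.replace(tmp, path)
    return True

def data_lines(path):
    """Non-blank, non-'#' lines, so a header comment is invisible to a parser using this."""
    with open(path) as f:
        return [ln.rstrip("\n") for ln in f if ln.strip() and not ln.startswith("#")]

def self_check():
    """Audit a constructed sample file in a temp dir and return what was observed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "host.EXAMPLE.mac")  # hypothetical file name
        with open(path, "w") as f:
            f.write("constructed-secret-line\n")
        os.chmod(path, 0o644)
        loose = permission_findings(path, os.getuid())
        os.chmod(path, 0o600)
        added, again = ensure_header(path), ensure_header(path)
        return (loose, permission_findings(path, os.getuid()), added, again,
                stat.S_IMODE(os.stat(path).st_mode), data_lines(path))
```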

