Permissions on private directory.

Tim Potter tpot at linuxcare.com.au
Mon Apr 9 22:37:01 GMT 2001


Steve Langasek writes:

> > I was doing some work attempting to fixup the RPM spec files, and I was
> > wondering what the correct permissions for privatedir are?  (ie
> > /etc/samba/private for an rpm install).
> 
> > The below patch sets them to 700 in the main Makefile, and this is what
> > they are set to in the spec file.  Is this correct?  The reason I ask is
> > that 'MACHINE.SID' is created in this directory with world readable
> > permissions.  Do I break things making the dir mode 700?
> 
> I'm personally a bit fuzzy on why we need a 'privatedir' in any
> case.  None of the systems I run Samba on have filesystem
> semantics that would require a separate directory; smbpasswd is
> only a little more sensitive than my shadow password file, and
> I've never been bitten by having that in /etc.

The lanman hashes (which are effectively password equivalents if
you are using encrypted passwords) are stored in the smbpasswd
file and so must be read/write only by root.

Similarly, the trust account password is also stored in the
private directory (secrets.tdb in 2.2 and HEAD, can't remember
what the file is called in 2.0).  Having access to this would
allow an intruder to masquerade as the machine on the network.

So if UNIX users can read these files then you could be in a bit
of security trouble.


Tim.




More information about the samba-technical mailing list