Permissions on private directory.

Steve Langasek vorlon at netexpress.net
Wed Apr 11 05:20:24 GMT 2001 

On Tue, 10 Apr 2001, Tim Potter wrote:

> Steve Langasek writes:

> > > I was doing some work attempting to fixup the RPM spec files, and I was
> > > wondering what the correct permissions for privatedir are?  (ie
> > > /etc/samba/private for an rpm install).

> > > The below patch sets them to 700 in the main Makefile, and this is what
> > > they are set to in the spec file.  Is this correct?  The reason I ask is
> > > that 'MACHINE.SID' is created in this directory with world readable
> > > permissions.  Do I break things making the dir mode 700?

> > I'm personally a bit fuzzy on why we need a 'privatedir' in any
> > case.  None of the systems I run Samba on have filesystem
> > semantics that would require a separate directory; smbpasswd is
> > only a little more sensitive than my shadow password file, and
> > I've never been bitten by having that in /etc.

> The lanman hashes (which are effectively password equivalents if
> you are using encrypted passwords) are stored in the smbpasswd
> file and so must be read/write only by root.

> Similarly, the trust account password is also stored in the
> private directory (secrets.tdb in 2.2 and HEAD, can't remember
> what the file is called in 2.0).  Having access to this would
> allow an intruder to masquerade as the machine on the network.

> So if UNIX users can read these files then you could be in a bit
> of security trouble.

I don't dispute that the smbpasswd file and secrets.tdb need to be protected
from non-root users; but many systems have shadow password files with hashes
so weak that they're nearly plaintext equivalent, yet I've never heard anyone
object that it's insecure to keep this file in the public /etc directory -- so
long as the permissions on the file itself are secure.  Samba properly
enforces permissions on the relevant files; anything beyond that is excess.
The real danger to those files comes from admins shooting themselves in the
foot, and a subdirectory isn't likely to protect against /that/ in any case.

I'm not saying that the privatedir option should be abolished, only that it
doesn't make sense to have a separate privatedir in binary packages for
systems like RedHat.

Regards,
Steve Langasek
postmodern programmer

More information about the samba-technical mailing list