Permissions on private directory.

MCCALL,DON (HP-USA,ex1) don_mccall at
Wed Apr 11 15:08:15 GMT 2001

Hi folks,
Just my humble opinion, but working as a support engineer in a corporate 
environment, I constantly hear frustrated administrators who WANT to run
samba on their HP-UX/*nix boxes, but are being blocked because the powers
be are concerned about -security-.  Now, you and I know that samba is as
as you CONFIGURE it, and a damn site MORE secure than nfs, for example.  But

I guess what I'm saying is, any option that strengthens samba's security 
potential, is probably worth having just for that reason...

-----Original Message-----
From: Steve Langasek [mailto:vorlon at]
Sent: Wednesday, April 11, 2001 10:18 AM
To: Jeremy Allison
Cc: Tim Potter; Andrew Bartlett; Multiple recipients of list
Subject: Re: Permissions on private directory.

On Wed, 11 Apr 2001, Jeremy Allison wrote:

> On Wed, Apr 11, 2001 at 04:19:51PM +1000, Tim Potter wrote:
> > Steve Langasek writes:

> > > > So if UNIX users can read these files then you could be in a bit
> > > > of security trouble.

> > > I don't dispute that the smbpasswd file and secrets.tdb need to
> > > be protected from non-root users; but many systems have shadow
> > > password files with hashes so weak that they're nearly
> > > plaintext equivalent, yet I've never heard anyone object that
> > > it's insecure to keep this file in the public /etc directory --

> > Good point.  I can't think of a reason why this isn't the case.
> > Perhaps someone else knows some of the history of the privatedir
> > stuff.

> Complete paranoia by me :-). Having a samba private directory
> isn't such a bad idea in the long run you know.

Then I'll ask for your opinion on this: does the paranoia outweigh concerns
backwards-compatibility with OSes who've already chosen to use /etc as the
privatedir?  That's the question here, since we're talking about
of RPM packages.

Note for comparison that Debian already puts all Samba configfiles
and privatedir) in /etc/samba/.  What are the long-term advantages of having
samba private directory, beyond keeping the filesystem clean?

Steve Langasek
postmodern programmer

More information about the samba-technical mailing list