Can I kill 'restrict anonymous'?

Andrew Bartlett abartlet at pcug.org.au
Sat Nov 10 16:01:06 GMT 2001


Jeremy Allison wrote:
> 
> On Sun, Nov 11, 2001 at 10:24:20AM +1100, Andrew Bartlett wrote:
> > Jeremy,
> >
> > I would like to kill the *very ugly* hack known as 'restrict
> > anonymous'.  The cvs logs indicate that it's an outside patch that you
> > applied.
> >
> > Firstly, remember it is not a security parameter, but is instead used
> > for some crazy %U/%G macros expansion reason.
> 
> I checked in 2.2, and the way it is used there is to deny a sessionsetup
> with user="", password="", domain="".

But only on the second and subsequent session setup.  Not on the *first*
session setup.

> > In any case, it isn't honored for the new SPNEGO code, and is badly
> > documented.  I'm sure that some people think it provides some security
> > advantage.
> 
> It probably doesn't. Especially in HEAD.
> 
> > So, can I kill it?
> 
> Actually, what we should do is to honor the intent of it and write
> it correctly. What it's trying to do is the same as the registry
> key of the same name on WinNT, which is to deny completely anonymous
> sessionsetups from being able to download user and group lists for
> a server. This does have a security purpose and I'm pretty sure
> this was the intent of the original code.

That is a purpose I can agree with.  The man-page seems to indicate a
different purpose.

> What we should do is use it to try and achieve the same aim as
> on NT. In the new auth struct in HEAD, do we have anything that
> tells us this was a completely anonymous connect ? If not, we
> should add it, and then add a flag to operations that should
> be denied for anonymous if "restrict anonymous" is set. We
> should probably enable it by default.

It depends on what you call 'completely anonymous'.  If by that you just
mean a guest logon, then yes we have that and it passed all the way down
to the vuser.  

This would need sorting with the authenticated pipe code as well, (hence
my proposals to unify the way we deal with both entry points).  

Apart from that it's a trivial modification, and a worthwhile addition.

As you know this code better, could you look into it?  It could be done
either by an NT ACL or a simple guest flag check.  I'll kill off the
session setup stuff.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Samba Team member, Build Farm maintainer        abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
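
The per-operation check proposed in this thread, as an added example that is not part of the original message and is not Samba code. All type, function and operation names are hypothetical, and "completely anonymous" is assumed to mean a session setup with empty user, password and domain.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical types for illustration; none of these names are Samba's. */
struct session { bool guest; };          /* recorded once, at session setup */

enum { OP_DENY_ANON = 1 };               /* flag on operations to restrict */
struct op { const char *name; unsigned flags; };

static const struct op ops[] = {
    { "enum_users",  OP_DENY_ANON },     /* user list download */
    { "enum_groups", OP_DENY_ANON },     /* group list download */
    { "server_info", 0 },                /* left open to anonymous sessions */
};

/* Record whether the setup was completely anonymous. This runs for every
   session setup, the first one included, and never rejects the setup. */
struct session session_setup(const char *user, const char *pass,
                             const char *domain)
{
    struct session s;
    s.guest = (user[0] == '\0' && pass[0] == '\0' && domain[0] == '\0');
    return s;
}

/* Decide at the operation, not at session setup. Unknown operations are
   refused so that a missing table entry fails closed. */
bool op_allowed(const struct session *s, const char *name,
                bool restrict_anonymous)
{
    for (size_t i = 0; i < sizeof ops / sizeof ops[0]; i++) {
        if (strcmp(ops[i].name, name) != 0)
            continue;
        if (restrict_anonymous && s->guest && (ops[i].flags & OP_DENY_ANON))
            return false;
        return true;
    }
    return false;
}

int main(void)
{
    struct session anon = session_setup("", "", "");
    /* Exit status 0 when the anonymous user-list request is denied. */
    return op_allowed(&anon, "enum_users", true) ? 1 : 0;
}
```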
