disable smbstatus?

[Bob Walters]

Dear Samba Users and Developers,

Is it possible to disable the smbstatus command for non-root users? It is
extremely important on my network that users cannot see other users'
lockfiles, it is a security risk for other users to know the names of the
respective files.

I'm running Samba 3.0.22 (I've also tried most of these procedures on 2.x,
which I have run for several years) and FreeBSD (6.0), and thus far, I have
tried the following:

-in samba.conf:
status = no
in the global options.  Does nothing.

-Changing permissions of /var/db/samba/connections.tdb and
/var/lock/connections.tdb to 600.  Does nothing except shows an error, but
annoyingly it still shows the lockfile of the file that's supposed to be
secret, and all of the active sessions. (I don't care about the sesssions
being public for other users that much, but the lock files being public
really bothers me)

-tried running samba with both the samba.sh script (and without, by directly
launching smbd and nmbd)

-in samba.conf:
locking = no
On each of the respective shares.  Does nothing.

Made smbstatus chmod 700, which technically works, but not really because a
user could just copy the binary from another unix system, or build it
locally.

Either way, in which database is this information stored, and how can I be
assured that as little information is made avaiable to non-root users as
possible?

I have been searching through some of the archives to find an answer, but I
have not yet found anything conclusive.  I sincerely hope that all user
smbstatus isn't a feature.

Thank you for your time, and I sincerly hope that some kind of a secure
solution is possible.


-Bob