disable smbstatus?

Jeremy Allison jra at samba.org
Tue May 2 13:46:04 GMT 2006


On Tue, May 02, 2006 at 03:11:00PM +0200, Mark Proehl wrote:
> On Tue, May 02, 2006 at 05:22:31AM -0700, Jeremy Allison wrote:
> > On Tue, May 02, 2006 at 12:47:04AM -0700, Bob Walters wrote:
> > > Thanks Volker and Mark, both of your solutions worked, thus far setting just
> > > /var/db/samba to 700 is sufficient, it then also sets most of the
> > > permissions of the tdb files in /var/lock accordingly as 700.
> > > 
> > > Does it matter in my scenario if regular users can access (as 644)
> > > brlock.tdb, sessionid.tdb, or unexpected.tdb? I'm not certain if that would
> > > give away any valuable information, but was considering making /var/run
> > > restricted as well? (probably a crazy idea, but I'm thinking about it) If it
> > > doesn't mess up samba, I'll probably go for it.
> > 
> > Regular users don't need to access these files - if you want to
> > disable smbstatus that's the only user-readable utility that
> > needs access to that directory.
> > 
> > Jeremy.
> 
> chmod 0700 /var/lib/samba was a bad idea. testparm complains:
> 
>   WARNING: lock directory /var/lib/samba/ should have permissions 0755 for browsing to work

Hmmm. Ah yes, anonymous smbd access is needed for the browse.dat
file I think.

Jeremy.


More information about the samba-technical mailing list