Security/authentication flaw(s) found (PR#7625)

Jeremy Allison jallison at whistle.com
Wed Jun 10 17:12:14 GMT 1998 

Hi Bob,

	I am CC:ing this reply to the general Samba list
as I think it may be of interest. This is a report that
crops up from time to time as a security hole report, and
I'd like to explain in general why this is a misunderstanding.

Bob Atkins wrote:

> We are unable to keep individual users from mapping to any other user's
> home directory once they have supplied a valid password! They only need
> to enter their own password. I have not found *any* method that I can
> use to configure samba to enforce that only a user may map their own
> home directory.
> ......
> Problem #1 (with above config):
> 
> User xyzzy can map his home directory. Once mapped user xyzzy can also map
> *anyone* elses home directory!
> ....
> Any help would be greatfully apprectiated. I have tried everything I
> can and the above described problems do seem like pretty serious
> security flaws.

This is not a security flaw, it is by design. Samba allows
users to have *exactly* the same access to the UNIX filesystem
as they would if they were logged onto the UNIX box, except
that it only allows such views onto the file system as are
allowed by the defined shares.

This means that if your UNIX home directories are set up
such that one user can happily cd into another users
directory and do an ls, the UNIX security solution is to 
change the UNIX file permissions on the users home directories
such that the cd and ls would be denied.

Samba tries very had not to second guess the UNIX administrators
security policies, and trusts the UNIX admin to set
the policies and permissions he or she desires.

Samba does allow the setup you require, and your
Problem #2:, when you have set the "only user = yes"
option on the share, is that you have not set the
valid users list for the share.

>From the smb.conf man page on 'only user' :

   only user (S)
       This is a boolean option that controls whether connections
       with usernames not in the user= list will be  allowed.  By
       default  this  option is disabled so a client can supply a
       username to be used by the server.

       Note that this also means Samba won't try to deduce  user-
       names  from the service name. This can be annoying for the
       [homes] section. To get around this you could use "user  =
       %S"  which means your "user" list will be just the service
       name, which for home directories is the name of the  user.

       Default:      only user = False

       Example:      only user = True

Note that only user works in conjunction with the users= list,
so to get the behavior you require, add the line :

user = %S

to the definition of the [homes] share, as recommended in
the above text.

Hope this helps,

	Jeremy Allison.
	Samba Team.



-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

More information about the samba mailing list