Security/authentication flaw(s) found (PR#7625)
Bob Atkins
bob at cherokee.digilink.net
Wed Jun 10 18:04:36 GMT 1998
Hi Jeremy,
Thank you for your timely reply.
>
> I am CC:ing this reply to the general Samba list
> as I think it may be of interest. This is a report that
> crops up from time to time as a security hole report, and
> I'd like to explain in general why this is a misunderstanding.
>
See below...
> Bob Atkins wrote:
>
> > We are unable to keep individual users from mapping to any other user's
> > home directory once they have supplied a valid password! They only need
> > to enter their own password. I have not found *any* method that I can
> > use to configure samba to enforce that only a user may map their own
> > home directory.
> > ......
> > Problem #1 (with above config):
> >
> > User xyzzy can map his home directory. Once mapped user xyzzy can also map
> > *anyone* elses home directory!
> > ....
> > Any help would be greatfully apprectiated. I have tried everything I
> > can and the above described problems do seem like pretty serious
> > security flaws.
>
I understand and I do appreciate this feature.
> This is not a security flaw, it is by design. Samba allows
> users to have *exactly* the same access to the UNIX filesystem
> as they would if they were logged onto the UNIX box, except
> that it only allows such views onto the file system as are
> allowed by the defined shares.
>
> This means that if your UNIX home directories are set up
> such that one user can happily cd into another users
> directory and do an ls, the UNIX security solution is to
> change the UNIX file permissions on the users home directories
> such that the cd and ls would be denied.
>
> Samba tries very had not to second guess the UNIX administrators
> security policies, and trusts the UNIX admin to set
> the policies and permissions he or she desires.
>
> Samba does allow the setup you require, and your
> Problem #2:, when you have set the "only user = yes"
> option on the share, is that you have not set the
> valid users list for the share.
>
> >From the smb.conf man page on 'only user' :
>
> only user (S)
> This is a boolean option that controls whether connections
> with usernames not in the user= list will be allowed. By
> default this option is disabled so a client can supply a
> username to be used by the server.
>
> Note that this also means Samba won't try to deduce user-
> names from the service name. This can be annoying for the
> [homes] section. To get around this you could use "user =
> %S" which means your "user" list will be just the service
> name, which for home directories is the name of the user.
>
> Default: only user = False
>
> Example: only user = True
>
> Note that only user works in conjunction with the users= list,
> so to get the behavior you require, add the line :
>
> user = %S
>
> to the definition of the [homes] share, as recommended in
> the above text.
>
Ahhhh!
Thank you for your patience. Deep down I knew that Samba could handle
this. I read and re-read the above so many times and it just didn't
register :( Too early in the am the last few days.
I only wish that this capability was 'exposed' a bit better in the
docs. I'm fairly sure that restricting users to their own home
directory would be a popular feature from an administrator's
standpoint. Currently such a feature is fairly well concealed in the
copious and well written docs. I also searched the mail archives and
the FAQs and all of the docs in the distribution and found nothing that
addressed restricting users to their home directories.
Perhaps it would be a good idea to identify the above combination as
one of the basic configuration examples in the online docs and in the
distribution docs so as to bring this capability out into the open a
bit more.
Step 3 in the UNIX_INSTALL.txt file and a heading/paragraph in the
UNIX-SMB.txt file might be a good places to mention this alternative
capability.
> Hope this helps,
>
Very much so! Thank you!
---
Bob Atkins
More information about the samba
mailing list