security bug in 2.4.1

Alexandre Oliva oliva at
Tue Sep 8 20:23:56 GMT 1998

A bit of context for the SAMBA mailing list:

Amanda <URL:> is a distributed back up software
that can be used to back up M$Win shares, using smbclient.  Some
Amanda users have complained that the password to access shares can be
obtained by running `ps', and we're trying to figure out a way to fix
this problem.  The PASSWD environment variable won't do, because it is
possible to ask `ps' to print environment variables too.

David Wolfskill <dhw at> writes:

>> Date: Fri, 4 Sep 1998 08:41:20 -0700
>> From: Steve Shah <sshah at cert.UCR.EDU>

>> The only way to do password hiding in that regard is to pass that
>> information into smbclient through another input stream.

> by default, it prompts at the command-line.

Unfortunately, it is *really* from the command-line, i.e., getpass()
will read from /dev/tty, not stdin or such.  Unless we do some pty
magic, we won't be able to feed smbclient a password this way.  Maybe
the best bet is to support environment variables PASSWD_FILE (read
password from this file) and/or PASSWD_FD (read it from the given file
descriptor).  I'd prefer the latter, because creating temporary files
containing passwords is always dangerous.  What do SAMBA people think?

There's another SAMBA issue that has bothered me for a while: `Total
bytes listed' will only be printed if `dir' is run with a logging
level 3 or higher.  This means that, for Amanda to obtain an estimate
of the backup (by running smbclient -c `archive [01];recurse;dir'),
Amanda must skip through all the directory listing, and there's no way 
to separate the directory listing and all the logging from the wanted
information (the `Total bytes listed' line).  The problem is worsened
by the fact that Amanda will store all the output of estimate commands 
in a debugging file in /tmp/amanda.

Are SAMBA people willing to cooperate with us?  I can see a few ways
to work around this problem:

1) create a new command, say, du, that will traverse the directory
tree without printing anything but the total bytes. (preferred option)

2) create a new command-line switch or interactive command that allows
the total bytes to be printed even with lower logging levels.  It
would not solve the problem of storing all the dir listing in
/tmp/amanda, but it would at least reduce the amount of noise due to
SAMBA debugging output.

What would you prefer?  If I submitted a patch implementing `du',
would you consider it for installation in SAMBA 2.0.0?  How about
support for PASSWD_FILE and/or PASSWD_FD?

Alexandre Oliva
mailto:oliva at mailto:aoliva at
Universidade Estadual de Campinas, SP, Brasil

More information about the samba mailing list