URGENT: REDHAT 6.1 STORES SAMBA PRIVATE FILES IN /etc

Jeremy Allison jeremy at valinux.com
Mon Dec 20 22:37:53 GMT 1999


Luke Kenneth Casson Leighton wrote:
> 
> dear redhat,
> 
> i examined a friend's system today, to help him configure it.  assuming
> that he just "installed" from scratch the samba package, it appears that
> you have provided a default smb.conf file for redhat 6.1 that puts samba
> private configuration files in /etc.  the suggested options, for example
> show "smbpasswd file = /etc/smbpasswd".
> 
> this is REALLY bad.
> 
> 1) you CANNOT put smbpasswd in /etc.
> 
> 2) you CANNOT put private files DOMAIN.TRUST_ACCOUNT.mac in /etc.
> 
> i know that these require root access, however if your users start to
> assume that just because these files are in /etc, they are equivalent to
> /etc/passwd, they may decide to make these world-readable, and as a result
> they will compromise the security of the box, and potentially the security
> of remote nt-compatible boxes too (including other samba servers) because
> these files contain CLEAR_TEXT EQUIVALENT PASSWORDS.

Hang on a sec. Luke. They can do this so long as these
files are read only by root. Only stupid people will
change these files to world readable. Stupid people
shouldn't be admining systems :-).

I agree it would be safer to have a /etc/samba-private
directory set root only, but they do not ship the system
as insecure by default (ie. they *can* put root read
only files in /etc, and it *is* safe to do so).

Jeremy.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
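As an added example, not part of this thread or of Samba's own code: a small POSIX shell check for the condition Jeremy states, that the private files are readable only by root. The file list and the optional expected-owner argument are assumptions.

```shell
# Added example (not from the thread): verify that a Samba private file
# (smbpasswd, DOMAIN.TRUST_ACCOUNT.mac) is owned by the expected account and
# carries no group/other permission bits. Uses only POSIX ls/cut, so it runs
# on an old Red Hat box as well as a current one. Paths with spaces are not
# handled (ls output is word-split).

# usage: check_private_file <path> [expected-owner]
# returns 0 when <path> exists, is owned by expected-owner (default root)
# and has no group/other bits; 1 otherwise, printing the reason.
check_private_file() {
    f=$1
    owner=${2:-root}
    if [ ! -f "$f" ]; then
        echo "$f: missing"
        return 1
    fi
    # ls -ld prints e.g. "-rw------- 1 root root 1234 Dec 20 1999 /etc/smbpasswd"
    set -- $(ls -ld "$f")
    mode=$1
    fowner=$3
    if [ "$fowner" != "$owner" ]; then
        echo "$f: owned by $fowner, expected $owner"
        return 1
    fi
    # characters 5-10 of the mode string are the group and other bits
    rest=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$rest" != "------" ]; then
        echo "$f: group/other permissions present ($mode)"
        return 1
    fi
    echo "$f: ok ($mode, owner $fowner)"
    return 0
}

# audit every file given; returns 1 if any of them fails the check.
# On the Red Hat 6.1 layout discussed above that would be, for example,
# audit_samba_private /etc/smbpasswd /etc/DOMAIN.TRUST_ACCOUNT.mac
audit_samba_private() {
    rc=0
    for f in "$@"; do
        check_private_file "$f" || rc=1
    done
    return $rc
}
```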

