URGENT: REDHAT 6.1 STORES SAMBA PRIVATE FILES IN /etc

Luke Kenneth Casson Leighton lkcl at samba.org
Tue Dec 21 23:51:46 GMT 1999


samba does modify the file permissions on *.mac and private/smbpasswd to
root only.  but by that time, the damage is already done. 

my main concern is to stop the idiots, particularly as idiotic things by
idiotic local administrators can have devastating consequences for remote
PDCs.  i _know_ people keep telling me on the various threads with this
subject that it's ok to assume that idiotic administrators should bear the
consequences for stuffing up the configuration of their own box.  i've not
seen anything that says it's ok to stuff the security of a _remote_ box by
stuffing a local one.

see that rpcclient demonstration script i sent to the other samba lists
for details.

it obtains an entire remote SAM using a .mac file, as a Sam Sync is
supposed, legitimately, to do, but it means that you MUST, absolutely
MUST, keep that .mac file safe otherwise you compromise the security of a
remote box.

_now_ do you really want idiotic administrators to be allowed to set
read-to-group-and-world on these files, by mistake? [serious question].

luke

> This would still have the potential of having the data available for a
> while, but if Samba refused to run it would make even the most
> incompetent administrator take time to stop and figure out why.  It could
> be put very clearly and visibly in the logs with the recommended
> permissions.
> 
> Best,
> Sean
> 
> ------------------------------------------
>  Sean E. Millichamp, Consultant
>  Ingematics - A Division of Compu-Aid, Inc.
> 
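The kind of startup check Sean proposes, written as an added example (not Samba's own code and not from either poster): audit the private files, refuse to start if any is group/other-readable or not owned by the expected user, and log the exact chown/chmod needed. The file locations in DEFAULT_PRIVATE_PATTERNS are constructed placeholders based on the post's description of smbpasswd and *.mac files under /etc; adjust them to the real installation.

```python
import glob
import os
import stat
import sys
import tempfile

# Constructed placeholders for where a Samba install might keep its private
# files (the post describes Red Hat 6.1 putting them under /etc). The real
# paths depend on the build and distribution.
DEFAULT_PRIVATE_PATTERNS = ["/etc/smbpasswd", "/etc/private/smbpasswd", "/etc/*.mac"]

RECOMMENDED_MODE = 0o600  # owner read/write only, nothing for group or world


def audit_private_file(path, expected_uid=0):
    """Return a list of problem strings for one private file (empty if clean)."""
    problems = []
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink someone planted here
    except FileNotFoundError:
        return problems  # nothing on disk, nothing to protect
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink; a private file must be a regular file")
        return problems
    if not stat.S_ISREG(st.st_mode):
        problems.append("is not a regular file")
    perm = stat.S_IMODE(st.st_mode)
    if perm & 0o077:  # any group or other bit set
        problems.append("mode %04o grants group/other access (recommended %04o)"
                        % (perm, RECOMMENDED_MODE))
    if st.st_uid != expected_uid:
        problems.append("owned by uid %d, expected uid %d" % (st.st_uid, expected_uid))
    return problems


def audit_private_files(patterns, expected_uid=0):
    """Expand each pattern and audit every match; returns {path: [problems]} for offenders only."""
    findings = {}
    for pattern in patterns:
        for path in sorted(glob.glob(pattern)):
            problems = audit_private_file(path, expected_uid)
            if problems:
                findings[path] = problems
    return findings


def startup_check(patterns=DEFAULT_PRIVATE_PATTERNS, expected_uid=0, log=sys.stderr):
    """Refuse to continue if any private file is exposed; log exactly what to fix.

    Returns True when it is safe to start, False otherwise.
    """
    findings = audit_private_files(patterns, expected_uid)
    for path, problems in findings.items():
        for problem in problems:
            print("FATAL: private file %s %s" % (path, problem), file=log)
        print("       fix with: chown %d %s && chmod %04o %s"
              % (expected_uid, path, RECOMMENDED_MODE, path), file=log)
    return not findings


def demo():
    """Constructed demonstration: one exposed and one protected file in a temp dir."""
    d = tempfile.mkdtemp()
    exposed = os.path.join(d, "smbpasswd")
    protected = os.path.join(d, "server.mac")
    for path, mode in ((exposed, 0o644), (protected, 0o600)):
        with open(path, "w") as f:
            f.write("constructed placeholder, not real credentials\n")
        os.chmod(path, mode)
    uid = os.getuid()  # the demo files belong to us, not root
    patterns = [exposed, os.path.join(d, "*.mac")]
    return {
        "ok": startup_check(patterns, expected_uid=uid),
        "findings": audit_private_files(patterns, expected_uid=uid),
        "exposed": exposed,
        "protected": protected,
        "uid": uid,
    }


if __name__ == "__main__":
    sys.exit(0 if demo()["ok"] else 1)
```

Run as a pre-start hook (or fold the same logic into the daemon's own startup): the process exits non-zero before touching the network, and the log line names the offending path and the exact command that fixes it, which is what makes the refusal useful to an administrator who does not know why the service stopped.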


