REPEAT: hasn't anyone used smbclient linux->linux?

Paul L. Lussier plussier at ne.arris-i.com
Thu Oct 21 13:03:37 GMT 1999 

In a message dated: Thu, 21 Oct 1999 07:02:55 +1000
Andreas Hasenack said:

>Em qua, 20 out 1999, Paul L. Lussier escreveu:
>
>I think I agree with you. I just don't like the concept that, with the root
>password of a *client* machine, one can su to any local user and thus
>invalidate the user authentication part. OK, one shouldn't give the root
>password away, but I don't like this concept: a client machine being able to
>look at any file (but root owned ones) on a *server* machine.

True, which is why netgroups comes in so handy.

As you pointed out, you shouldn't give root access out to anyone, and even if 
you don't, that doesn't prevent someone from walking in with a laptop, or 
installing linux (or other version of Unix) on their system, and gaining root 
access that way.  Netgroups can allow you to export filesystems to only those 
groups of machines you want to give access.  Of course, this also doesn't 
prevent someone from crashing an allowed host on the network, and then 
configuring their system as that host in order to mount the filesystems, then 
su'ing to some user to access some files.  No matter what you do, though, 
there's always a way around it.

NFS isn't the most secure of protocols, but neither is SMB.  In fact, I'd say 
that NFS is more secure than SMB, and it is a whole lot more stable.  And as 
much network traffic as NFS creates, SMD is a whole lot worse.  If you really 
that concerned about protecting your data from unauthorized access, you should 
probably consider using one of the ACL packages and combine that with an 
encrypted filesystem.  Nothing short of that will really keep prying eyes from 
your data.

Another question you should ask is, who around here really knows how to get 
around NFS security?  I've got some brilliant network protocol developers that 
work here on my network, but ask them to check the permissions on their own 
files, and they're completely baffled :)  Also, if you find that you being 
forced into giving out root access for some reason or other, look into using 
sudo.  It allows you to create and ACL for various commands that need to be 
run as root and you can allow exactly only what the user really needs to run 
and when and where they can run it. I use this extensively here, and no one 
but the sysadmin team knows the root password for anything on our network.

-- 

Seeya,
Paul
----
	    Depression is merely anger without enthusiasm.
     There cannot be a crisis today; my schedule is already full.
  A conclusion is simply the place where you got tired of thinking.
	 If you're not having fun, you're not doing it right!

More information about the samba mailing list