security in samba
David Collier-Brown
davecb at canada.sun.com
Tue Feb 8 13:51:19 GMT 2000
You asked:
| In our group, we used to use 'samba' in UNIX machine (OS: AIX 4.3).
One
| day the UNIX machines were broken by a hacker, and we could not
figure
| out how the hacker could break the system. So now we are concerned
to
| keep using 'samba' for this security matter.
Alas, there's lots of ways to break security on a system
which doesn't have **mandatory** access controls. And
very very few systems do...
| Is there any function that samba can help for security?
| I had 'hosts allow' commands in configuration file.
| I am also wondering if 'hosts allow' function is reliable enough for
| security.
It protects against connections which come from the
specified IP addresses: if the addresses are taken over
by Mr. Hacker, it doesn't help much (;-))
Basically, you need the following prerequisites:
1) a protected network (e.g., a firewall and a way
to keep PCs and sniffers off the net)
2) good authentication of users (via passwords) and
hosts (by a non-spoofed DNS)
3) no hackers on the samba server!
4) samba's security options.
The latter are discussed briefly in
http://www.oreilly.com/catalog/samba/chapter/book/ch06_02.html
Because MS wants SMB to be friendly and backwards-compatable,
they have to stop short of really serious security. At the
moment, only the military has decent security, using OSs
with so-called "Trusted Computing Bases".
--dave (who has Trusted Solaris 7 on a test machine at home) c-b
--
David Collier-Brown, | Always do right. This will gratify some people
185 Ellerslie Ave., | and astonish the rest. -- Mark Twain
Willowdale, Ontario | //www.oreilly.com/catalog/samba/author.html
Work: (905) 415-2849 Home: (416) 223-8968 Email: davecb at canada.sun.com
More information about the samba
mailing list