Temp files created on read-only share
Ries van Twisk
riest at franksintl.nl
Thu Nov 15 08:12:10 GMT 2001
Hi All,
I didn't follow the complete thread but I also run a lot of Word documents for a
read-only share and I have never seen this happening. This in 2 years of
running Samba.
The security to the dirs is maintained by the underlying OS (Linux 2.4.9)
and it's also set in SAMBA.
Ries
On 15 Nov 2001, at 9:07, Bill Grzanich wrote:
> Hi, Joel.
>
> (Comments at end)
>
> >On Wed, Nov 14, 2001 at 10:06:57AM -0600, Bill Grzanich wrote:
> >> Hello, All.
> >>
> >> We have Samba 2.0.7 running on Red Hat 6.2 (up for 351 days!) and have discovered the following
> >> anomaly:
> >>
> >> There is a share called "appsg" that contains a number of folders, including one called
> >> OfficeTemplates. The share definition in smb.conf is:
> >>
> >> [appsg]
> >> comment = Apps in Applications
> >> path=/home/applications/apps
> >> public = No
> >> read only = Yes
> >> write list = @staff
> >> printable = No
> >>
> >> The other day we noticed that for one user, Jared, Word was opening temporary files in the
> >> OfficeTemplates folder on that share. These files were like ~normal.dot, and were being created
> >> read-write! From his PC, we attempted to create or save a file to the above share, but the process
> >> was denied because the share is read-only to everyone but the I.T. staff. (As expected.)
> >>
> >> It turns out that his Word was configured to point at the share for his user templates. When we
> >> changed that so user templates were on his local C:\ drive, and the workgroup templates location
> >> was the appsg\OfficeTemplates folder, these temporary files did not appear.
> >>
> >> The question is: why did Samba allow Word to create the temporary files on the read-only share? No
> >> warning was received, nor was anything logged in the Samba logs. Now that we have his Office
> >> configured properly, it's not an issue, but I'm at a loss for an explanation, and the NT guys here
> >> are laughing up their sleeves at this perceived security hole in Linux/Samba.
> >>
> >> Thanks very much for any clues.
>
> Original message from: Joel Hammer
> >Just a few ignorant questions/comments here.
> >Isn't this really a security issue for Word?
>
> Probably. I was just curious if anyone else had observed similar behavior and perhaps had an
> explanation for why this was happening.
>
> >Would an NT server allow this to happen to it?
>
> Good question. We may have to try that.
>
> >To track down this problem, I would set log level =3, misconfigure his Word
> >again, and watch the interaction.
>
> Yes, also a good idea.
>
> >Would changing permissions on the /home/applications/apps directory get
> >around this? Making the linux directory writable only by staff might prevent
> >this.
>
> That's what we have, isn't it? Oh, you mean the Linux permissions! That would likely work, but
> shouldn't Samba have accomplished the same thing? And that's the real point of my original
> message. Why did Samba allow this? Frankly, it's moot at this point, but still odd.
>
> >Is security by share or by user? What user name does samba run under if
> >security = share ?
>
> Security = domain. We have NT servers for PDC and BDC, and users authenticate against them.
>
> Thanks for the suggestions. That gives me something to try. Of course, since this is a production
> machine, my options for playing are a bit limited, but I'll see what I can do.
>
> Best regards,
>
> --
> Bill Grzanich
> IT Manager
> ORGANICS/LaGrange, Inc.
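
An added example, not part of the thread and not Samba's own code: a sketch of how the two layers discussed in these messages (the share's `read only` / `write list` settings and the Linux permissions on the directory) combine into one user's effective write access. The share definition is the one posted; the group memberships and the directory owner, group and mode are constructed assumptions, and `@name` is treated simply as a Unix group lookup.

```python
import configparser

# Share definition as posted in the thread.
SMB_CONF = """
[appsg]
comment = Apps in Applications
path=/home/applications/apps
public = No
read only = Yes
write list = @staff
printable = No
"""

# Constructed sample data (assumptions, not taken from the thread).
GROUPS = {"staff": {"bill"}, "users": {"bill", "jared"}}
DIR = {"owner": "root", "group": "staff", "mode": 0o775}


def share_allows_write(conf_text, share, user, groups):
    """Samba layer: 'write list' members get write access even if read only = yes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[share]
    read_only = sec.get("read only", "yes").strip().lower() in ("yes", "true", "1")
    for entry in sec.get("write list", "").replace(",", " ").split():
        if entry.startswith("@"):  # @name: group entry
            if user in groups.get(entry[1:], set()):
                return True
        elif entry == user:
            return True
    return not read_only


def unix_allows_write(user, groups, d):
    """OS layer: owner/group/other write bit on the shared directory."""
    if user == d["owner"]:
        return bool(d["mode"] & 0o200)
    if user in groups.get(d["group"], set()):
        return bool(d["mode"] & 0o020)
    return bool(d["mode"] & 0o002)


def effective_write(user, conf_text=SMB_CONF, share="appsg", groups=GROUPS, d=DIR):
    """A file can only be created when both layers permit it."""
    return (share_allows_write(conf_text, share, user, groups)
            and unix_allows_write(user, groups, d))
```

With the constructed data, a member of `staff` can write and any other user cannot; tightening the directory mode blocks writes even for a `write list` member, which is the effect of the Linux-permissions suggestion in the thread.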