[Samba] IPC$ share accessible with arbitrary usernames/passwords

Andrew Bartlett abartlet at samba.org
Fri Nov 22 02:54:23 GMT 2002


On Wed, 2002-11-20 at 07:51, Andrew Bartlett wrote:
> On Wed, 2002-11-20 at 01:45, kirk johnson wrote:
> > 
> > AB = andrew bartlett
> > 
> >  AB > Both options are only in Samba 3.0. Run 'testparm', before you
> >     > wonder why an option doesn't work.
> > 
> > ah, now i understand what you meant by "samba HEAD".
> > 
> >  AB > It's an information leak - an unauthenticated user can find out
> >     > a list of all users.  Interestingly, much of this information
> >     > can be inferred from other calls that are not controlled by
> >     > 'restrict anonymous = 1'.
> > 
> > okay.
> > 
> >  AB > Samba 3.0 implements 'restrict anonymous = 1'.  I'm about to add
> >     > 'restrict anonymous = 2' support.  (Which locks down all guest
> >     > access to IPC$, but breaks lots of things, like PDC and browse
> >     > master support).
> > 
> > so is it fair to say that this "hole" is not completely closed by any
> > currently-released versions of samba?
> 
> To close this 'hole' will cause significant loss of functionality, on
> both NT and Samba, but yes - you cannot fully disable this in a
> currently released version of Samba.

Update:  I've just committed 'restrict anonymous = 2' support to Samba
3.0 and HEAD.  This still allows a session setup as guest, but if you
don't have any shares with 'guest ok', then you get the security
advantage.

The features you lose are:  browse sync (so don't allow your machine to
be elected master browser etc.) and a lot of DC stuff.  A very boring
file server should function however.

(and in security, boring is good :-)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
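As an added example (not code from the post or from Samba itself): a small Python audit that reads an smb.conf and reports the 'restrict anonymous' level together with the shares that still allow guest access, since the post notes that level 2 only buys the security advantage when no share is 'guest ok'. It assumes ini-style smb.conf syntax, a lower-case [global] section, and the documented 'public' synonym for 'guest ok'; the sample configuration is constructed.

```python
import configparser

# Constructed sample smb.conf (not from the post): the global lockdown is set,
# but one share is still 'guest ok', the case the post warns about.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    security = user
    restrict anonymous = 2
[scratch]
    path = /srv/scratch
    guest ok = yes
"""

def _truthy(value):
    """Samba accepts yes/true/1 (case-insensitive) as boolean true."""
    return value is not None and value.strip().lower() in {"yes", "true", "1"}

def parse_smb_conf(text):
    """Parse smb.conf (ini syntax, ';' or '#' comments); parameter names are
    lower-cased with internal whitespace collapsed, as Samba treats them."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";", "#"))
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(text)
    return cp

def audit_anonymous_access(text):
    """Return (restrict_anonymous_level, [shares that allow guest access]).
    'public' is Samba's synonym for 'guest ok'; a 'guest ok' in [global]
    is the default for every share that does not set it itself."""
    cp = parse_smb_conf(text)
    glob = cp["global"] if cp.has_section("global") else {}
    level = int(glob.get("restrict anonymous", "0"))
    default_guest = _truthy(glob.get("guest ok", glob.get("public")))
    guest_shares = []
    for name in cp.sections():
        if name.lower() == "global":
            continue
        value = cp[name].get("guest ok", cp[name].get("public"))
        allowed = default_guest if value is None else _truthy(value)
        if allowed:
            guest_shares.append(name)
    return level, guest_shares

def lockdown_effective(text):
    """True only when level 2 is set AND no share is guest-accessible."""
    level, guest_shares = audit_anonymous_access(text)
    return level >= 2 and not guest_shares
```

Run `audit_anonymous_access(SAMPLE_SMB_CONF)` to get `(2, ['scratch'])`, which is why `lockdown_effective` reports False for the sample until the share's `guest ok` is removed.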