[Samba] security bug or misconfiguration ?
Hans B. Randgaard
HBR at maerskoil.dk
Mon Oct 28 19:43:32 GMT 2002
Dear list,
We are experiencing users unexpectedly accessing each other's files.
It happens when they try to access files that have the same name and are
located in an identical file structure under their login drive. Two other
conditions need to be fulfilled: one of the users needs to have the file locked,
and both users need to be logged into the same Citrix server (Windows 2000).
For instance, if userA uses Outlook to open a PST file located at L:\user.pst and
userB tries to open L:\user.pst, it fails for userB, even though the two files
L:\user.pst are different files, since L: is the login drive for each user.
The login drive is defined in smb.conf as:
[user$]
comment = Users home directory (L:)
path = /pcstorage/%G/users/%U
read only = No
inherit permissions = Yes
create mask = 0600
directory mask = 0700
"user$" is referred to in the user profile on the NT PDC(\\pcserver\user$).
%G resolves to the primary UNIX group that the user belongs to and
%U resolves to the UNIX user ID.
The file structure on the UNIX server is laid out like this:
/storage1/department1/users/user1
/storage1/department1/users/user2
/storage1/department1/users/user3
.
.
/storage1/department2/users/user1
/storage1/department2/users/user2
/storage1/department2/users/user3
etc.
This setup has been working fine for some time now, but suddenly we
found out that some files in the users' personal areas had been overwritten by
other users.
The Outlook example above will not overwrite anything, but it is an easy test to
prove the described behaviour.
The question is:
Is this a bug, or is our Samba setup misconfigured?
We run Samba-2.2.5 with ACL support and winbind on Solaris-8.
Below is our smb.conf file:
[global]
workgroup = DOMAIN1
netbios name = storage1
netbios aliases = pcstorage
interfaces = ge0 79.0.0.0/255.0.0.0 193.167.89.0/255.255.255.0
security = DOMAIN
encrypt passwords = Yes
password server = dc01, dc02, mailsrv
wins server = 79.17.7.1
#
# User that have all rights on all shares regardless of the permissions:
#
admin users = DOMAIN1+hbr,DOMAIN1+rbh
log file = /usr/local/samba/var/log.%m
max log size = 100
local master = No
deadtime = 180
username map = /usr/local/samba/lib/users.map
# separate domain and username with '+', like DOMAIN+username
winbind separator = +
winbind cache time = 3600
# use uids from 10000 to 20000 for domain users
winbind uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
winbind gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
client code page = 850
character set = ISO8859-1
valid chars = ø:Ø
[user$]
comment = Users home directory (L:)
path = /pcstorage/%G/users/%U
read only = No
inherit permissions = Yes
create mask = 0600
directory mask = 0700
.
.
.
Rest of the drives...
I hope some of you have been in the same situation or can tell me what
is wrong.
Thanks very much in advance.
Kind regards, Hans.
**********************************************************************
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to which they
are addressed. If you have received this e-mail in error please notify
the system manager at hotline at maerskoil.dk.
This e-mail and its contents do not constitute and shall not be
considered as a financial commitment of Maersk Olie og Gas AS
and its affiliates.
Maersk Olie og Gas AS expressly disclaims any responsibility
as to the accuracy and use of this e-mail and its contents.
**********************************************************************
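The following is an added example, not Samba code and not part of Hans's post. It models one hypothesis that fits the reported symptoms (both users logged in on the same Citrix host, one of them holding a lock): if the client host reuses a single tree connection to [user$] for several logged-in users, the path template "/pcstorage/%G/users/%U" is substituted once, with the first user's %U, and every later user on that connection lands in the first user's home directory. The model compares that behaviour with one tree connect per user. The user names, the group name and the client name are constructed for the demonstration; whether the real Citrix/Windows 2000 redirector behaves this way is not established by the post.

```python
"""Model of how a share path with %G/%U is resolved at tree-connect time.

Added example, not Samba code. It tests the hypothesis that a tree
connection to [user$] is shared by several users on one client, so the
path template is substituted only once. User, group and client names are
constructed.
"""

from typing import Dict, Optional, Tuple

# Path template copied from the posted [user$] share definition.
SHARE_PATH = "/pcstorage/%G/users/%U"

# Constructed sample users: login name -> primary UNIX group (what %G expands to).
PRIMARY_GROUP: Dict[str, str] = {
    "userA": "department1",
    "userB": "department1",
}


def substitute(template: str, user: str) -> str:
    """Expand %G and %U the way the posted smb.conf relies on."""
    return template.replace("%G", PRIMARY_GROUP[user]).replace("%U", user)


class ShareModel:
    """Minimal model of tree connects plus exclusive file locks on the server.

    per_user_connections=True  : one tree connect per (client, share, user)
    per_user_connections=False : one tree connect per (client, share), reused
                                 by every user logged in on that client
    """

    def __init__(self, per_user_connections: bool) -> None:
        self.per_user_connections = per_user_connections
        self.connections: Dict[tuple, str] = {}  # connection key -> resolved share root
        self.locks: Dict[str, str] = {}          # absolute path -> user holding the lock

    def tree_connect(self, client: str, user: str) -> str:
        if self.per_user_connections:
            key = (client, SHARE_PATH, user)
        else:
            key = (client, SHARE_PATH)
        # Substitution happens only when the connection is first set up.
        if key not in self.connections:
            self.connections[key] = substitute(SHARE_PATH, user)
        return self.connections[key]

    def open_exclusive(self, client: str, user: str, relpath: str) -> Tuple[str, str, Optional[str]]:
        """Open relpath on the user's L: drive with an exclusive lock.

        Returns (status, resolved_path, lock_holder).
        """
        root = self.tree_connect(client, user)
        path = f"{root}/{relpath}"
        holder = self.locks.get(path)
        if holder is not None and holder != user:
            return ("sharing_violation", path, holder)
        self.locks[path] = user
        return ("ok", path, user)


def in_own_home(path: str, user: str) -> bool:
    """Authorization check: does the resolved path lie under the user's own home?"""
    home = substitute(SHARE_PATH, user) + "/"
    return path.startswith(home)


def outlook_scenario(per_user_connections: bool):
    """userA opens L:\\user.pst first, then userB opens its own L:\\user.pst
    from the same (constructed) Citrix server. Returns both results plus
    whether userB's open was actually resolved inside userB's home."""
    model = ShareModel(per_user_connections)
    result_a = model.open_exclusive("citrix01", "userA", "user.pst")
    result_b = model.open_exclusive("citrix01", "userB", "user.pst")
    return result_a, result_b, in_own_home(result_b[1], "userB")


if __name__ == "__main__":
    for per_user in (False, True):
        a, b, own = outlook_scenario(per_user)
        label = "per-user connections" if per_user else "shared connection"
        print(f"{label}: userA -> {a[0]} {a[1]}")
        print(f"{label}: userB -> {b[0]} {b[1]} (inside own home: {own})")
```

With a shared connection the model reproduces the post exactly: userB's open fails with a sharing violation on userA's file, and the authorization check shows userB's path resolving outside userB's home, which is also the only way one user's write could overwrite another user's file through this share. On the real server, `smbstatus` lists each connection's service and user together with the locked files and their owning process, so running it while both users have their PST open would show whether userB's lock request really arrives on a connection resolved for userA.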