[Samba] valid users = %S in rc4

Petty, Robert rpetty at DenverNewspaperAgency.com
Fri Sep 26 16:28:00 GMT 2003


No, I haven't filed a bug report... 

The key part of my message "was": 
"Since nobody's home directory was "/" it would open the root directory"

I have changed it since I immediately recognized it as a security issue.

The initial response to "Why is 'nobody' home set at '/' - why not '/tmp'
or" is that when you install a brand new version of Solaris 9, that's how
Sun sets it.  Ironically, applying jass didn't change it!  Seems to me that
jass missed a key issue.  Anyhow, I'm heading off topic.

This will be interesting to see how the %S plays out since we essentially
require it to enforce security for home directories....

Robert


> -----Original Message-----
> From: John H Terpstra [mailto:jht at samba.org]
> Sent: Friday, September 26, 2003 10:18 AM
> To: Petty, Robert
> Cc: Chris Smith; samba at lists.samba.org
> Subject: RE: [Samba] valid users = %S in rc4
> 
> 
> On Fri, 26 Sep 2003, Petty, Robert wrote:
> 
> > The problem I have with this, using 2.2.8a on Solaris, is that any user can
> > open any other's home if they simply know the name of the other user.
> > Logging in as rpetty, I can open NOBODY, ROOT, UUCP etc.  I have to be
> > able to limit the ability.  What perplexes me is that even when I am not
> > sharing [homes], I can still open the "NOBODY" share.  Since nobody's home
> > directory was "/" it would open the root directory!  In case it matters, I
> > am using Winbind for my security model (security = domain) but am having
> > considerable issues with querying trusted domains.  Winbind is being very
> > painful with 7-9 second connection times for each share or files within
> > shares.  This only happens when the Winbind timeout time lapses so I've
> > bumped it up to 300 seconds.  Not _as_ painful but still too painful for
> > production.
> 
> Directory access is limited by file system access controls.  Samba honors
> these.
> 
> Why is 'nobody' home set at '/' - why not '/tmp' or some other innocuous
> path?
> 
> Have you filed a bug report? https://bugzilla.samba.org
> 
> - John T.
> >
> > > -----Original Message-----
> > > From: John H Terpstra [mailto:jht at samba.org]
> > > Sent: Friday, September 26, 2003 10:05 AM
> > > To: Chris Smith
> > > Cc: samba at lists.samba.org
> > > Subject: Re: [Samba] valid users = %S in rc4
> > >
> > >
> > > Guys,
> > >
> > > The homes share should be set to be "browsable = No".
> > > Do NOT set the "valid users = %S" on the homes share.
> > >
> > > - John T.
> > >
> > >
> > > On Fri, 26 Sep 2003, Chris Smith wrote:
> > >
> > > > On Friday 26 September 2003 10:26, Derek T. Yarnell wrote:
> > > > > I see this problem too. I thought that I was going crazy.
> > > > >
> > > > > On Fri, Sep 26, 2003 at 10:14:36AM -0400, Chris Smith wrote:
> > > > > > On Friday 26 September 2003 00:15, Hannu Tikka wrote:
> > > > > > > After upgrading rc2 -> rc4 (suse binary packages)
> > > > > > >
> > > > > > > line 'valid users = %S' in [homes] section prevents the user from
> > > > > > > getting to his home directory
> > > > > >
> > > > > > Same change occurred here when upgrading from 2.2.7a to the 3.0.0
> > > > > > release.
> > > >
> > > > Not only that, but here I also see the homes share exposed twice in
> > > > browse lists, both as "homes" and also as the username, with both
> > > > shares being the home directory for that user. This is also different
> > > > from previous versions.
> > > >
> > > > Chris
> > > >
> > >
> > > --
> > > John H Terpstra
> > > Email: jht at samba.org
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > >
> >
> 
> -- 
> John H Terpstra
> Email: jht at samba.org
> 
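The thread turns on two configuration facts: a [homes] share is served under each account's name with the account's home directory as its path, so it needs `valid users = %S` (and `browseable = No` to keep the extra "homes" entry out of browse lists), and an account such as Solaris' `nobody` with a home directory of "/" turns that share into the filesystem root. The script below is an added example, not code from the thread or from the Samba project: it audits a constructed smb.conf and a constructed passwd file for exactly those two conditions, showing the weak [homes] stanza beside the hardened one. The parser is a deliberately reduced reading of smb.conf syntax (no includes or continuation lines), and the sample data is made up to match what the posters describe. It checks the documented configuration only; whether a given build substitutes %S correctly is a separate question, as the rc4 reports above show.

```python
import re

# Constructed sample input (not taken from the thread): a [homes] share with
# the default settings the poster describes, plus Solaris-style passwd
# entries for root and nobody whose home directory is "/".
WEAK_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = domain

[homes]
   comment = Home Directories
   read only = No
"""

HARDENED_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = domain

[homes]
   comment = Home Directories
   browseable = No
   read only = No
   valid users = %S
"""

SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
nobody:x:60001:60001:NFS Anonymous Access User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
rpetty:x:1001:10:Robert Petty:/export/home/rpetty:/bin/ksh
"""


def parse_smb_conf(text):
    """Reduced smb.conf parser (not Samba's own loader): returns
    {section: {param: value}}. Samba ignores case and whitespace in
    parameter names, so 'Valid Users' and 'validusers' both become
    'validusers'. Continuation lines and includes are not handled."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_homes(sections):
    """Return the [homes] problems discussed in the thread, as strings."""
    findings = []
    homes = sections.get("homes")
    if homes is None:
        return findings  # no [homes] share, nothing to audit
    # Samba's default for browseable is yes; 'browsable' is a synonym.
    browseable = homes.get("browseable", homes.get("browsable", "yes"))
    if _is_yes(browseable):
        findings.append("[homes] is browseable: a 'homes' entry will appear in "
                        "browse lists next to the per-user share; set browseable = No")
    if "%S" not in homes.get("validusers", ""):
        findings.append("[homes] has no 'valid users = %S': any authenticated user "
                        "can open another user's home share by naming it")
    return findings


def audit_passwd(text):
    """Flag accounts whose home directory is '/', since [homes] serves each
    account's home directory as a share named after the account."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 6:
            continue
        user, home = fields[0], fields[5]
        if home == "/":
            findings.append(f"account '{user}' has home directory '/': "
                            f"a [homes] share for it would expose the filesystem root")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"{label} [homes]:", audit_homes(parse_smb_conf(conf)) or ["ok"])
    print("passwd:", audit_passwd(SAMPLE_PASSWD) or ["ok"])
```

Run against a real host by reading /etc/samba/smb.conf and /etc/passwd into the two functions; `testparm -s` output can be fed to `parse_smb_conf` as well, which has the advantage of showing the values Samba actually loaded rather than the file text. The passwd check is only meaningful for accounts Samba will let connect, but since the thread shows NOBODY and ROOT opening as shares, the home directory of every account is worth a look.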