[Samba] Security question for newbie

Guille Williams guillemw at sbcglobal.net
Fri Jul 2 02:56:42 GMT 2004


O.k.
I decided to start from scratch with a separate box running the same linux distro (Fedora 2).
This time the linux box is a standalone server, Security=User, and I created a user *nix/smb Student, and all the other settings are defaults.
From the WinXP box I type \\fedora\ so that I can login with Student and verify access to the home directory.
I also browse the Network Neighborhood and only see the Home directory. So that works fine too.  But then I type \\fedora\nobody and I can see the file-system once again.
What can I be doing wrong in such a simple setup?

Guille
# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2004/07/01 19:39:32

# Global parameters
[global]
	workgroup = WORKGROUP
	realm = 
	netbios name = FEDORA
	netbios aliases = 
	netbios scope = 
	server string = Samba Server
	log file = /var/log/samba/log.smbd
	max log size = 50
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	dns proxy = No
	ldap ssl = no
	idmap uid = 10000-20000
	idmap gid = 10000-20000

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No
----- Original Message ----- 
  From: tms3 
  To: Guille Williams 
  Sent: Thursday, July 01, 2004 7:17 PM
  Subject: Re: [Samba] Security question for newbie


  Don't know much about the intricacies of System V/Linux, but there's got to be something odd in your smb.conf file to cause this.  After reading your initial email I thought:

  Shit, I better look into this!

  I did, and I can't replicate it.  On my Samba ads joined machine, no ADS account, no mapping.  I don't use SWAT for security reasons.  Is SWAT adding things to smb.conf you don't want (again, I've never used it)?  Maybe some misconfiguration in ldap?  I wish I could be of more help.

  TMS III

  Guille Williams wrote:

Good idea.
The only problem is I am going to have to do this for all the UID -500
(except root).
The solution is tedious but works.
Thanks for your help,
Guille

----- Original Message ----- 
From: "tms3" <tms3 at fskklaw.com>
To: "Guille Williams" <guillemw at sbcglobal.net>
Sent: Thursday, July 01, 2004 5:04 PM
Subject: Re: [Samba] Security question for newbie


  Wow, you can't on mine--Samba 3.0.4, FreeBSD 5.2.1, W2k server.

Anyway since the authentication is through AD, then create a user called
nobody in AD, give it a password (big long ugly thing), and really
deprive its privileges in AD.  Should put a kibosh on it until you find
out why this is happening.

TMS III
Guille Williams wrote:

Hi,

I am using Samba version 3.051 in an Active Directory setting with Windows 2000 server.
Everything is working rather well with regards to file-sharing and authentication.
However, the one thing that I noticed that I haven't been able to fix quickly with SWAT is the prevention of browsing the Linux file-system with users such as 'nobody' or 'bin'.
For example...
I have a user in Active Directory named John. John is part of the group 'students', and has restricted access through Group Policy and Samba Shares.
Now John should only have three browseable Shares in this example: Home, Public, and Software.
Samba and Windows drive mapping take care of this correctly. But say John is a Linux fan, notices that we are using Linux, and decides to play around a bit.
John now enters \\(linux machine)\nobody (more appropriately \\%N\nobody\), and TADA.... he now can see the root file-system for the Linux machine.
Now John can browse through /etc/samba, find my samba.conf file, and see all the shares I may have hidden. I know I can chmod that file but that's not what's scaring me.
John shouldn't be able to see /. I know that the 'nobody' user's home directory is /. John shouldn't have access to nobody's home directory.
HOW DO I STOP THIS?
Changing the properties of 'Other' on the folders in the root filesystem won't help because it just starts to break things.
So I need a quick fix before I start buying books and reading months of old threads to resolve this issue.
Thanks Ladies and Gents,
Guille

p.s. Sorry if this question is answered already in a thread I haven't found. I just joined the Mailing list and I am currently searching.
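Added example, not code from the thread or from the Samba project: a small Python audit of the [homes] behaviour described above, run offline against a constructed passwd file, with the posted [homes] section beside a hardened one that uses Samba's documented `valid users = %S` and `invalid users` parameters. The minimal parser, the uid-500 system-account threshold and the account names are assumptions of this example.

```python
# Added example (not from the thread): audit which accounts a Samba [homes] share
# would expose to any authenticated user, and compare a hardened [homes] section.

# Constructed /etc/passwd-style lines: Fedora-like system accounts plus one real user.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
student:x:500:500:Student:/home/student:/bin/bash
"""

# [homes] as posted in the thread (no valid/invalid users), and a hardened version.
WEAK_HOMES = "[homes]\n\tcomment = Home Directories\n\tread only = No\n\tbrowseable = No\n"
HARDENED_HOMES = WEAK_HOMES + (
    "\t# %S expands to the share name, i.e. the account whose home is served,\n"
    "\t# so only that account can connect to its own [homes] instance.\n"
    "\tvalid users = %S\n"
    "\t# Belt and braces: never serve system accounts' home directories at all.\n"
    "\tinvalid users = root bin daemon nobody\n"
)

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {parameter: value}}, lower-cased names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif section is not None and "=" in line:
            key, _, val = line.partition("=")
            conf[section][" ".join(key.split()).lower()] = val.strip()
    return conf

def exposed_home_shares(passwd, conf, system_uid_max=500):
    r"""Return [(account, home)] for system accounts (uid < system_uid_max, or home '/')
    whose home directory another authenticated user could reach as \\server\<account>."""
    homes = conf.get("homes")
    if homes is None or "%S" in homes.get("valid users", ""):
        return []  # no [homes] share, or each instance restricted to its owner
    # Plain account names only; Samba's @group / +group syntax is ignored here.
    blocked = set(homes.get("invalid users", "").split())
    exposed = []
    for line in passwd.splitlines():
        name, _, uid, _, _, home, _ = line.split(":")
        if name not in blocked and (int(uid) < system_uid_max or home == "/"):
            exposed.append((name, home))
    return exposed
```

With the posted [homes] the audit lists root, bin and nobody (home /, exactly the \\fedora\nobody case); with `valid users = %S` it lists nothing.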