[Samba] Security question for newbie
Guille Williams
guillemw at sbcglobal.net
Fri Jul 2 03:23:22 GMT 2004
Tried this: guest account = pcguest and I still get the same result
Thanks though,
Guille
----- Original Message -----
From: "tms3" <tms3 at fskklaw.com>
To: "Guille Williams" <guillemw at sbcglobal.net>
Sent: Thursday, July 01, 2004 8:09 PM
Subject: Re: [Samba] Security question for newbie
> I found it. I think. Try this. Add a line
>
> guest account = pcguest .
>
> The smb.conf.sample file says this:
>
> # Uncomment this if you want a guest account, you must add this to /etc/passwd
> # otherwise the user "nobody" is used
> guest account = pcguest
>
> Since no account pcguest exists...and now it ignores "nobody".... I'm
> guessing here.
>
> Guille Williams wrote:
>
> >O.k.
> >I decided to start from scratch with a separate box running the same
> >linux distro (Fedora 2).
> >This time the linux box is a standalone server, Security=User, and I
> >created a user *nix/smb Student, and all the other settings are defaults.
> >From the WinXP box I type \\fedora\ so that I can login with Student and
> >verify access to the home directory.
> >I also browse the Network Neighborhood and only see the Home directory.
> >So that works fine too. But then I type \\fedora\nobody and I can see the
> >file-system once again.
> >What can I be doing wrong in such a simple setup?
> >
> >Guille
> ># Samba config file created using SWAT
> ># from 0.0.0.0 (0.0.0.0)
> ># Date: 2004/07/01 19:39:32
> >
> ># Global parameters
> >[global]
> > workgroup = WORKGROUP
> > realm =
> > netbios name = FEDORA
> > netbios aliases =
> > netbios scope =
> > server string = Samba Server
> > log file = /var/log/samba/log.smbd
> > max log size = 50
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > dns proxy = No
> > ldap ssl = no
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> >
> >[homes]
> > comment = Home Directories
> > read only = No
> > browseable = No
> >
> >[printers]
> > comment = All Printers
> > path = /var/spool/samba
> > printable = Yes
> > browseable = No
> >----- Original Message -----
> > From: tms3
> > To: Guille Williams
> > Sent: Thursday, July 01, 2004 7:17 PM
> > Subject: Re: [Samba] Security question for newbie
> >
> >
> > Don't know much about the intricacies of System V/Linux, but there's
> > got to be something odd in your smb.conf file to cause this. After reading
> > your initial email I thought:
> >
> > Shit, I better look into this!
> >
> > I did, and I can't replicate it. On my Samba ads joined machine, no
> > ADS account, no mapping. I don't use SWAT for security reasons. Is SWAT
> > adding things to smb.conf you don't want (again, I've never used it)?
> > Maybe some misconfiguration in ldap? I wish I could be of more help.
> >
> > TMS III
> >
> > Guille Williams wrote:
> >
> >Good idea.
> >The only problem is I am going to have to do this for all the UID -500
> >(except root).
> >The solution is tedious but works.
> >Thanks for your help,
> >Guille
> >
> >----- Original Message -----
> >From: "tms3" <tms3 at fskklaw.com>
> >To: "Guille Williams" <guillemw at sbcglobal.net>
> >Sent: Thursday, July 01, 2004 5:04 PM
> >Subject: Re: [Samba] Security question for newbie
> >
> >
> > Wow, you can't on mine--Samba 3.0.4, FreeBSD5.2.1, W2k server.
> >
> >Anyway since the authentication is through AD, then create a user called
> >nobody in AD, give it a password (big long ugly thing), and really
> >deprive its privileges in AD. Should put a kibosh on it until you find
> >out why this is happening.
> >
> >TMS III
> >Guille Williams wrote:
> >
> > Hi,
> >
> >I am using Samba version 3.051 in an Active Directory setting with
> > Windows 2000 server.
> > Everything is working rather well with regards to file-sharing and
> > authentication.
> > However, the one thing that I noticed that I haven't been able to fix
> > quickly with SWAT is the prevention of browsing the Linux file-system with
> >users such as 'nobody' or 'bin'.
> > For example...
> >I have a user in Active Directory named John. John is part of the group
> > 'students', and has restricted access through Group Policy and Samba Shares.
> >Now John should only have three browseable Shares in this example, Home,
> >Public, and Software.
> > Samba and Windows drive mapping take care of this correctly. But say John
> > is a Linux fan, notices that we are using Linux, and decides to play
> >around a bit.
> > John now enters \\(linux machine)\nobody ( more appropriate
> > \\%N\nobody\), and TADA.... he now can see the root file-system for the
> >Linux machine.
> > Now John can browse through /etc/samba, find my samba.conf file, and see
> > all the shares I may have hidden. I know I can chmod that file but that's
> >not what's scaring me.
> > John shouldn't be able to see /. I know that user 'nobody' home directory
> > is /. John shouldn't have access to nobody's home directory.
> > HOW DO I STOP THIS?
> >Changing the properties of 'Other' on the folders in the root filesystem
> > won't help because it just starts to break things.
> > So I need a quick fix before I start buying books and reading months of
> > old threads to resolve this issue.
> > Thanks Ladies and Gents,
> >Guille
> >
> >p.s. Sorry if this question is answered already in a thread I haven't
> > found. I just joined the Mailing list and I am currently searching.
> >
> >
> >
> >
> >
> >
> >
>
>
>
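
Added example (not part of the original thread): an audit of which local accounts a default [homes] share would map to a directory outside the user home tree, as happens above with \\fedora\nobody and nobody's home of /. The function names, the /home base directory and the sample passwd data are assumptions made for illustration; the UID boundary of 500 is the one mentioned in the thread, and "invalid users" is a standard smb.conf parameter.

```python
import posixpath

# Constructed sample of /etc/passwd (not taken from the thread's server).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
student:x:500:500:Student:/home/student:/bin/bash
svc:x:501:501:Service:/home/../srv:/sbin/nologin
"""

def parse_passwd(text):
    """Yield (name, uid, normalized home) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip blanks, comments and malformed entries
        yield fields[0], int(fields[2]), posixpath.normpath(fields[5] or "/")

def exposed_by_homes(text, uid_min=500, home_base="/home"):
    """Return {account: home} for accounts [homes] should not serve.

    An account is flagged if it is a system account (uid < uid_min) or if
    its home directory, after resolving "..", is not strictly below
    home_base. Both thresholds are assumptions to adjust per site.
    """
    prefix = home_base.rstrip("/") + "/"
    flagged = {}
    for name, uid, home in parse_passwd(text):
        if uid < uid_min or not home.startswith(prefix):
            flagged[name] = home
    return flagged

def invalid_users_line(flagged):
    """Render the flagged accounts as an smb.conf 'invalid users' setting."""
    return "invalid users = " + " ".join(flagged)

if __name__ == "__main__":
    flagged = exposed_by_homes(SAMPLE_PASSWD)
    for name, home in flagged.items():
        print(f"\\\\server\\{name} -> {home}")
    print(invalid_users_line(flagged))
```

On a real server, pass the contents of /etc/passwd instead of the sample and review the generated line before adding it to smb.conf.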