[Samba] Security question for newbie

Guille Williams guillemw at sbcglobal.net
Fri Jul 2 03:23:22 GMT 2004


Tried this: guest account = pcguest  and I still get the same result
Thanks though,
Guille
----- Original Message ----- 
From: "tms3" <tms3 at fskklaw.com>
To: "Guille Williams" <guillemw at sbcglobal.net>
Sent: Thursday, July 01, 2004 8:09 PM
Subject: Re: [Samba] Security question for newbie


> I found it.  I think.  Try this.  Add a line
>
> guest account = pcguest .
>
> The smb.conf.sample file says this:
>
> # Uncomment this if you want a guest account, you must add this to /etc/passwd
> # otherwise the user "nobody" is used
>   guest account = pcguest
>
> Since no account pcguest exists...and now it ignores "nobody".... I'm
> guessing here.
>
> Guille Williams wrote:
>
> >O.k.
> >I decided to start from scratch with a separate box running the same linux distro (Fedora 2).
> >This time the linux box is a standalone server, Security=User, and I created a user *nix/smb Student, and all the other settings are defaults.
> >From the WinXP box I type \\fedora\ so that I can login with Student and verify access to the home directory.
> >I also browse the Network Neighborhood and only see the Home directory. So that works fine too.  But then I type \\fedora\nobody and I can see the file-system once again.
> >What can I be doing wrong in such a simple setup?
> >
> >Guille
> ># Samba config file created using SWAT
> ># from 0.0.0.0 (0.0.0.0)
> ># Date: 2004/07/01 19:39:32
> >
> ># Global parameters
> >[global]
> > workgroup = WORKGROUP
> > realm =
> > netbios name = FEDORA
> > netbios aliases =
> > netbios scope =
> > server string = Samba Server
> > log file = /var/log/samba/log.smbd
> > max log size = 50
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > dns proxy = No
> > ldap ssl = no
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> >
> >[homes]
> > comment = Home Directories
> > read only = No
> > browseable = No
> >
> >[printers]
> > comment = All Printers
> > path = /var/spool/samba
> > printable = Yes
> > browseable = No
> >----- Original Message ----- 
> >  From: tms3
> >  To: Guille Williams
> >  Sent: Thursday, July 01, 2004 7:17 PM
> >  Subject: Re: [Samba] Security question for newbie
> >
> >
> >  Don't know much about the intricacies of System V/Linux, but there's got to be something odd in your smb.conf file to cause this.  After reading your initial email I thought:
> >
> >  Shit, I better look into this!
> >
> >  I did, and I can't replicate it.  On my Samba ads joined machine, no ADS account, no mapping.  I don't use SWAT for security reasons.  Is SWAT adding things to smb.conf you don't want (again,  I've never used it)?  Maybe some misconfiguration in ldap?  I wish I could be of more help.
> >
> >  TMS III
> >
> >  Guille Williams wrote:
> >
> >Good idea.
> >The only problem is I am going to have to do this for all the UID -500
> >(except root).
> >The solution is tedious but works.
> >Thanks for your help,
> >Guille
> >
> >----- Original Message ----- 
> >From: "tms3" <tms3 at fskklaw.com>
> >To: "Guille Williams" <guillemw at sbcglobal.net>
> >Sent: Thursday, July 01, 2004 5:04 PM
> >Subject: Re: [Samba] Security question for newbie
> >
> >
> >  Wow, you can't on mine--Samba 3.0.4, FreeBSD5.2.1, W2k server.
> >
> >Anyway since the authentication is through AD, then create a user called
> >nobody in AD, give it a password (big long ugly thing), and really
> >deprive its privileges in AD.  Should put a kibosh on it until you find
> >out why this is happening.
> >
> >TMS III
> >Guille Williams wrote:
> >
> >    Hi,
> >
> >I am using Samba version 3.051 in an Active Directory setting with Windows 2000 server.
> >Everything is working rather well with regards to file-sharing and authentication.
> >However, the one thing that I noticed that I haven't been able to fix quickly with SWAT is the prevention of browsing the Linux file-system with users such as 'nobody' or 'bin'.
> >For example...
> >I have a user in Active Directory named John. John is part of the group 'students', and has restricted access through Group Policy and Samba Shares.
> >Now John should only have three browseable Shares in this example, Home, Public, and Software.
> >Samba and Windows drive mapping take care of this correctly. But say John is a Linux fan, notices that we are using Linux, and decides to play around a bit.
> >John now enters \\(linux machine)\nobody ( more appropriate \\%N\nobody\), and TADA.... he now can see the root file-system for the Linux machine.
> >Now John can browse through /etc/samba, find my samba.conf file, and see all the shares I may have hidden. I know I can chmod that file but that's not what's scaring me.
> >John shouldn't be able to see /. I know that user 'nobody' home directory is /. John shouldn't have access to nobody's home directory.
> >HOW DO I STOP THIS?
> >Changing the properties of 'Other' on the folders in the root filesystem won't help because it just starts to break things.
> >So I need a quick fix before I start buying books and reading months of old threads to resolve this issue.
> >  Thanks Ladies and Gents,
> >Guille
> >
> >p.s. Sorry if this question is answered already in a thread I haven't
> >      found. I just joined the Mailing list and I am currently searching.
> >
> >
> >
> >
> >
> >
> >
>
>
>
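Added example, not part of the thread and not Samba project code: a small audit that lists the system accounts (UID below 500, the boundary mentioned above) whose home directory a `[homes]` section would publish as `\\server\<account>`, unless the section carries `valid users = %S`, the restriction described in the smb.conf documentation. The passwd entries and smb.conf text are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample data (not taken from the thread's machines).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
student:x:500:500::/home/student:/bin/bash
"""

SMB_CONF = """\
[global]
 workgroup = WORKGROUP
[homes]
 comment = Home Directories
 read only = No
 browseable = No
"""

def parse_smb_conf(text):
    """Return {section: {param: value}} with section and param names lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = conf.setdefault(m.group(1).strip().lower(), {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def exposed_homes(passwd_text, smb_text, min_uid=500):
    """List (account, home) pairs that [homes] would serve to any logged-in user."""
    homes = parse_smb_conf(smb_text).get("homes")
    if homes is None:
        return []                               # no [homes], no on-the-fly shares
    # Assumption: only the exact value "%S" (share name == user name) counts as safe.
    if homes.get("valid users", "").split() == ["%S"]:
        return []
    findings = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if entry.startswith("#") or len(fields) != 7:
            continue
        name, uid, home = fields[0], int(fields[2]), fields[5]
        if uid < min_uid:                       # system account, not a real user
            findings.append((name, home))
    return findings
```

Whether a listed directory is actually readable still depends on its Unix permissions; `/` is world-readable, which is why the `nobody` entry matters most.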


