[Samba] Security question for newbie

Tim Tait t.tait at comcast.net
Fri Jul 2 03:51:26 GMT 2004


Guille Williams wrote:

>Hi,
> 
>I am using Samba version 3.051 in an Active Directory setting with Windows 2000 server.
>Everything is working rather well with regards to file-sharing and authentication.
>However, the one thing that I noticed that I haven't been able to fix quickly with SWAT is the prevention of browsing the Linux file-system with users such as 'nobody' or 'bin'.
>For example...
>I have a user in Active Directory named John. John is part of the group 'students', and has restricted access through Group Policy and Samba Shares. Now John should only have three browseable Shares in this example, Home, Public, and Software. 
>Samba and Windows drive mapping take care of this correctly. But say John is a Linux fan, notices that we are using Linux, and decides to play around a bit. 
>John now enters \\(linux machine)\nobody (more appropriate \\%N\nobody\), and TADA.... he now can see the root file-system for the Linux machine. 
>Now John can browse through /etc/samba, find my samba.conf file, and see all the shares I may have hidden. I know I can chmod that file but that's not what's scaring me.
>John shouldn't be able to see /. I know that user 'nobody' home directory is /. John shouldn't have access to nobody's home directory. 
> 
>HOW DO I STOP THIS?
>Changing the properties of 'Other' on the folders in the root filesystem won't help because it just starts to break things.
>So I need a quick fix before I start buying books and reading months of old threads to resolve this issue.
>Thanks Ladies and Gents,
>Guille
> 
>p.s. Sorry if this question is answered already in a thread I haven't found. I just joined the Mailing list and I am currently searching.
>  
>
OK, it's not you!

I just checked my Knoppix-HD install as well as my Devil-Linux box, and 
both exhibit similar behaviour. On the Knoppix box "nobody" has their 
home dir mapped to a dir that does not exist, so that fails. But 
"\\machine\root" brings up the root home dir!

Once you open that share, it then appears in the shares list in Windows 
Explorer. The comment next to them all is "Home Directories", which I 
think means they are being automounted by the [homes] share somehow. You 
would think by default it would only allow mounting of a [homes] share 
by the user that owns it. The directories that are listed do have 
permissions set to allow the user in question to list them. I.e., it is the 
same as what that user could do if they logged in directly. Not sure it is 
proper though.

Tim
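
An added example, not part of the original thread and not Samba's own code: a small audit that models which other accounts' home directories a given user can reach as \\server\<name> through [homes], with and without the documented smb.conf setting `valid users = %S`. The passwd lines, both config variants and all function names are constructed for illustration; the model assumes [homes] has no `path` override and handles only plain user names and `%S` in `valid users`.

```python
# Constructed sample data (not from the thread): passwd-format accounts and two
# variants of a [homes] section. "valid users = %S" is a documented smb.conf setting.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
john:x:1001:1001:John:/home/john:/bin/bash
"""
OPEN_CONF = "[homes]\n  comment = Home Directories\n  browseable = no\n"
LOCKED_CONF = OPEN_CONF + "  valid users = %S\n"


def parse_homes(conf_text):
    """Return the [homes] parameters as a dict, or None if the section is absent."""
    section, homes = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "homes" and homes is None:
                homes = {}
        elif section == "homes" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            homes["".join(key.lower().split())] = value.strip()
    return homes


def can_open(homes, share, requester):
    """Model the valid users check for a share cloned from [homes]."""
    names = homes.get("validusers", "").replace(",", " ").split()
    valid = [share if n == "%S" else n for n in names]  # %S = share name
    return not valid or requester in valid  # empty list: any user may connect


def foreign_homes(conf_text, passwd_text, requester):
    """List (share, path) for other accounts' homes the requester can connect to."""
    homes = parse_homes(conf_text)
    if homes is None:
        return []
    accounts = [e.split(":") for e in passwd_text.splitlines() if e.strip()]
    return [(f[0], f[5]) for f in accounts
            if f[0] != requester and can_open(homes, f[0], requester)]


if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("locked", LOCKED_CONF)):
        print(label, foreign_homes(conf, PASSWD, "john"))
```

Unix permissions on the target directory still apply after this share-level check, as noted above.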




