[Samba] Security question for newbie

Guille Williams guillemw at sbcglobal.net
Fri Jul 2 04:12:33 GMT 2004


Yeah!!!!

Well I decided to break down and read the help file, which I should have
done all along, and figured out what eliminates the problem.

Thanks to tm3 and Tim Tait for all the support.

I hate when the answer is this easy, but all I had to do was specify
path = /home/%U
and all the users I enter (apache, bin, nobody etc.) now have the
home directory of the current user.



Thanks again,



Guille



----- Original Message ----- 
From: "Tim Tait" <t.tait at comcast.net>
To: <samba at lists.samba.org>
Sent: Thursday, July 01, 2004 8:51 PM
Subject: Re: [Samba] Security question for newbie


>
> Guille Williams wrote:
>
> >Hi,
> >
> >I am using Samba version 3.051 in an Active Directory setting with Windows 2000 server.
> >Everything is working rather well with regards to file-sharing and authentication.
> >However, the one thing that I noticed that I haven't been able to fix quickly with SWAT is the prevention of browsing the Linux file-system with users such as 'nobody' or 'bin'.
> >For example...
> >I have a user in Active Directory named John. John is part of the group 'students', and has restricted access through Group Policy and Samba Shares. Now John should only have three browseable Shares in this example, Home, Public, and Software.
> >Samba and Windows drive mapping take care of this correctly. But say John is a Linux fan, notices that we are using Linux, and decides to play around a bit.
> >John now enters \\(linux machine)\nobody ( more appropriate \\%N\nobody\), and TADA.... he now can see the root file-system for the Linux machine.
> >Now John can browse through /etc/samba, find my samba.conf file, and see all the shares I may have hidden. I know I can chmod that file but that's not what's scaring me.
> >John shouldn't be able to see /. I know that user 'nobody' home directory is /. John shouldn't have access to nobody's home directory.
> >
> >HOW DO I STOP THIS?
> >Changing the properties of 'Other' on the folders in the root filesystem won't help because it just starts to break things.
> >So I need a quick fix before I start buying books and reading months of old threads to resolve this issue.
> >Thanks Ladies and Gents,
> >Guille
> >
> >p.s. Sorry if this question is answered already in a thread I haven't found. I just joined the Mailing list and I am currently searching.
> >
> >
> OK, it's not you!
>
> I just checked my Knoppix-HD install as well as my Devil-Linux box, and
> both exhibit similar behaviour. On the Knoppix box "nobody" has their
> home dir mapped to a dir that does not exist, so that fails. But
> "\\machine\root" brings up the root home dir!
>
> Once you open that share, it then appears in the shares list in Windows
> Explorer. The comment next to them all is "Home Directories", which I
> think means they are being automounted by the [homes] share somehow. You
> would think by default it would only allow mounting of a [homes] share
> by the user that owns it. The directories that are listed do have
> permissions set to allow the user in question to list them. I.e. it is the
> same as that user could do if they logged in directly. Not sure it is
> proper though.
>
> Tim
>
>
>
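
An added example, not part of the original thread and not Samba code: a small Python model of the [homes] behaviour discussed above, listing which account names resolve to directories outside /home with no path line and with path = /home/%U. The passwd sample, the function names and the session user "john" are constructed assumptions, and only the %U substitution is modelled.

```python
import posixpath

# Constructed sample in passwd format (not taken from the server in the thread).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
john:x:1001:1001:John:/home/john:/bin/bash
"""

def parse_passwd(text):
    """Return {account name: home directory} from passwd-format text."""
    homes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not line.startswith("#"):
            homes[fields[0]] = fields[5]
    return homes

def resolve_homes_share(requested, session_user, homes, path_template=None):
    """Model the directory a [homes] share named `requested` maps to.

    path_template=None models a [homes] section with no path line: the share
    points at the home directory of the account named in the request.
    Assumption: only %U (the session user) is substituted in the template.
    """
    if requested not in homes:
        return None  # not a local account, so [homes] creates no share
    if path_template is None:
        return homes[requested]
    return path_template.replace("%U", session_user)

def audit(homes, session_user, home_root="/home", path_template=None):
    """List (share name, directory) pairs that land outside home_root."""
    root = home_root.rstrip("/") + "/"
    exposed = []
    for name in sorted(homes):
        target = posixpath.normpath(
            resolve_homes_share(name, session_user, homes, path_template))
        if not (target + "/").startswith(root):
            exposed.append((name, target))
    return exposed

if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    print("no path line:   ", audit(accounts, "john"))
    print("path = /home/%U:", audit(accounts, "john", path_template="/home/%U"))
```

Feeding the output of `getent passwd` to `parse_passwd` instead of the sample gives the same report for a real host's accounts.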


