[Samba] How to tell Samba not to use the passwd file

Dwight Tovey dtovey at emergecore.com
Fri Dec 30 15:09:36 GMT 2005


Hello all -

I'm having a bit of a problem that I'm sure is being caused by my missing
some trivial detail.  But I haven't been able to find it, and I'm not even
sure how I would construct the search to find relevant info in the
archives.

Here is the setup.  I have Samba 3.0.20a running as a PDC against an LDAP
back end.  For the most part everything works fine.  Users that are
members of the "Domain Administrators" group can add machines to the
domain, normal users can access their home directories and are blocked
from accessing other users' homes, while members of the Domain Admin group
can access everybody's home directories.

The problem is that one of our testers has discovered that if he is logged
in as somebody who is a member of the Domain Admin group, he can access
all users' home directories by using the Windows "Network Neighborhood"
explorer and typing the direct path in the location bar
(\\netbiosname\user).  Unfortunately, this extends beyond the users that
are defined in LDAP.  Because nsswitch.conf has 'passwd: files ldap',
Domain Admins can also access the "home" directories of users in the
passwd file.  This includes users like 'bin' (home of /bin), 'daemon'
(/sbin), 'admin' (/var/log), and the big one: 'mail' (home of /).  I feel
that this is a bit of a security hole.

Since there is no shell access for users on the Samba host, we could go
through the passwd file and make sure that all home directories are set to
something harmless.  However, since the box is also used for other
services, I'm concerned that this could cause problems with those other
services.

The other solution that seems to work is to configure Samba with the "root
directory" option to put it into a chroot jail with a minimal passwd file.
It's a bit of a pain to set up the chroot, but unless I have missed some
other option (highly likely), this seems like the best way to tighten up
the system again.

So, what obvious configuration option did I completely miss?

    /dwight

-- 
Dwight N. Tovey
email: dtovey at emergecore.com
---------
Work to Live : Live to Ride : Ride to Work
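An added defender-side audit, not part of the post or of Samba: before changing
smb.conf or building a chroot, it helps to know exactly which passwd entries a
[homes] share would turn into browsable paths. The script below parses
passwd-format text (a constructed sample that mirrors the accounts the post
names; not a real system's file) and flags every account that is a system
account or whose home directory lies outside the expected user-home tree. The
UID threshold and the /home prefix are assumptions to adjust per host; the
script only finds the exposed entries and does not decide which Samba option
closes the hole, which is the question the post asks.

```python
import os

# Constructed sample of /etc/passwd lines in the usual seven-field format
# (name:passwd:uid:gid:gecos:home:shell). The system accounts and their home
# directories follow the ones named in the post; this is not a real host's file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mail:x:8:12:mail:/:/sbin/nologin
admin:x:500:500:admin:/var/log:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
"""

SAFE_HOME_PREFIXES = ("/home/",)  # assumption: real users' homes live under /home
SYSTEM_UID_MAX = 999              # assumption: UIDs at or below this are system accounts


def parse_passwd(text):
    """Parse passwd-format text into (name, uid, home) tuples.

    Blank lines, comments and malformed lines are skipped rather than raising,
    so the audit can be pointed at a merged 'files' + 'ldap' dump as well.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        name, uid, home = fields[0], int(fields[2]), fields[5]
        entries.append((name, uid, os.path.normpath(home) if home else ""))
    return entries


def find_exposed_accounts(entries):
    """Return (name, home) for accounts a [homes] share would expose that are
    not ordinary user homes: system UIDs, or homes outside the safe prefixes."""
    exposed = []
    for name, uid, home in entries:
        under_safe_tree = any(home.startswith(prefix) for prefix in SAFE_HOME_PREFIXES)
        if uid <= SYSTEM_UID_MAX or not under_safe_tree:
            exposed.append((name, home))
    return exposed


def audit_report(text):
    """One line per exposed account, in passwd order, ready to hand to whoever
    maintains nsswitch.conf and smb.conf."""
    exposed = find_exposed_accounts(parse_passwd(text))
    return [f"{name}: home {home} would be reachable as \\\\netbiosname\\{name}"
            for name, home in exposed]


if __name__ == "__main__":
    for line in audit_report(SAMPLE_PASSWD):
        print(line)
```

On a live host the same functions can be fed the output of `getent passwd`,
which returns the merged view that Samba itself sees through nsswitch, so the
report covers LDAP users as well as the local file.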
