[Samba] Debugging Privilege and Samba 3.0.11
Thierry
Thierry at echotech.ch
Fri Feb 25 19:03:06 GMT 2005
JLB wrote:
>On Fri, 25 Feb 2005, Thierry wrote:
>
>
>
>>Date: Fri, 25 Feb 2005 19:25:14 +0100
>>From: Thierry <Thierry at echotech.ch>
>>To: samba at lists.samba.org
>>Subject: [Samba] Debugging Privilege and Samba 3.0.11
>>
>>Hello,
>>
>>I am striving to give out globally to our developers a way to debug
>>their C++ applications, but I do not want to give them Admin rights on
>>the individual workstations.
>>
>>
>
>You're foolish if you think anyone with local access to a workstation
>can't get into the Admin account on their local machine.
>
>
I don't think so. I know a good security policy does not end at the
bounds of the software.
Nevertheless, this has never been an excuse for not implementing a
little bit of security IMHO...

>Here is a boot disk suitable for changing or blanking the Administrator
>password on any NT box:
>
>http://home.eunet.no/~pnordahl/ntpasswd/
>
>
Oh, you still have floppy disk readers in your computers?
Or CDROM readers that happen to be not on your server as a share, with
server's room access only to the admin?
Ah, maybe your PCs boot from a non-fixed hard drive, or your bootloader
is not protected by an MD5 password?

>Here is a boot disk suitable for mounting Linux partitions and editing
>/etc/passwd and/or /etc/shadow:
>
>http://www.toms.net/rb/
>
>Here is a tool that lets you remove or alter BIOS passwords:
>http://www.cgsecurity.org/index.html?cmospwd.html
>
>
How are you going to run that on my Windows 2000 system without
Administrative rights?

>Here is a provider of screwdrivers. Screwdrivers let you physically reset
>BIOSes, remove or replace drives, install logging devices, etc.:
>
>http://www.homedepot.com/
>
>
>
The nicest thing about screwdrivers is that they even allow you to kill
the officer sitting in the room or the guard at the entrance ;-)

I _know_ that giving out these silly "debug" rights is pretty much
giving out the ability to hack the box.
Still, hacking requires a will, while breaking the installation out of
ignorance because an ignorant sysadmin gave the user too many rights
does not.

Now, if you have an answer to my specific request I'd be glad to hear it,
no kidding :-)

Cheers
Thierry