[Samba] Debugging Privilege and Samba 3.0.11

Thierry Thierry at echotech.ch
Fri Feb 25 19:03:06 GMT 2005

JLB wrote:

>On Fri, 25 Feb 2005, Thierry wrote:
>>Date: Fri, 25 Feb 2005 19:25:14 +0100
>>From: Thierry <Thierry at echotech.ch>
>>To: samba at lists.samba.org
>>Subject: [Samba] Debugging Privilege and Samba 3.0.11
>>I am striving to give out globally to our developers a way to debug
>>their C++ applications, but I do not want to give them Admin rights on
>>the individual workstations.
>You're foolish if you think anyone with local access to a workstation
>can't get into the Admin account on their local machine.
I don't think so. I know a good security policy does not end at the 
bounds of the software.
Nevertheless, this has never been an excuse for not implementing a 
little bit of security IMHO...

>Here is a boot disk suitable for changing or blanking the Administrator
>password on any NT box:
Oh, you still have floppy disk readers in your computers?
Or CDROM readers that happen to be not on your server as a share, with 
server's room access only to the admin?
Ah, maybe your PCs boot from a non-fixed hard drive, or your bootloader 
is not protected by an MD5 password?

>Here is a boot disk suitable for mounting Linux partitions and editing
>/etc/passwd and/or /etc/shadow:
>Here is a tool that lets you remove or alter BIOS passwords:
How are you going to run that on my Windows 2000 system without 
Administrative rights?

>Here is a provider of screwdrivers. Screwdrivers let you physically reset
>BIOSes, remove or replace drives, install logging devices, etc.:
The nicest thing about screwdrivers is that they even allow you to kill 
the officer sitting in the room or the guard at the entrance ;-)

I _know_ that giving out these silly "debug" rights is pretty much 
giving out the ability to hack the box.
Still, hacking requires a will, while breaking the installation out of 
ignorance because an ignorant sysadmin gave the user too many rights 
does not.

Now, if you have an answer to my specific request I'd be glad to hear it,
no kidding :-)
