[Samba] How to tell Samba not to use the passwd file
Gerald (Jerry) Carter
jerry at samba.org
Tue Jan 3 15:32:58 GMT 2006
Dwight Tovey wrote:
> The problem is that one of our testers has discovered that if he
> is logged in as somebody who is a member of the Domain Admin
> group, he can access all users' home directories by using
> Windows' "Network Neighborhood" explorer and typing the direct
> path in the location bar (\\netbiosname\user). Unfortunately,
> this extends beyond the users that are defined in LDAP. Because
> nsswitch.conf has 'passwd: files ldap', Domain Admins can also
> access the "home" directories of users in the
> passwd file. This includes users like 'bin' (home of /bin), 'daemon'
> (/sbin), 'admin' (/var/log), and the big one: 'mail' (home of /).
> I feel that this is a bit of a security hole.

Set an invalid users line in [global]:

    invalid users = daemon bin lpd mail .....

Note that this is not a security hole but a misconfiguration and is
the intended design.
cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"There's an anonymous coward in all of us." --anonymous
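
Added example, not part of the original e-mail or of Samba: one way to build a candidate list for the `invalid users` line suggested above from passwd-format data, so that local system accounts are not served as home shares. The sample entries, their UIDs, and the `uid_min` and `home_root` defaults are constructed assumptions.

```python
import posixpath

# Constructed sample in /etc/passwd format; the home directories of bin, daemon,
# admin and mail follow the e-mail, everything else is made up.
SAMPLE_PASSWD = """\
# local accounts
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
admin:x:3:4:admin:/var/log:/sbin/nologin
mail:x:8:12:mail:/:/sbin/nologin
svcbackup:x:1500:1500:backup job:/:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
+::::::
broken-line-without-fields
"""


def parse_passwd(text):
    """Yield (name, uid, home) for each well-formed passwd entry."""
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and NIS compat markers such as "+::::::".
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # malformed entry: ignore rather than guess
        yield fields[0], int(fields[2]), fields[5]


def invalid_users(text, uid_min=1000, home_root="/home"):
    """Accounts that should not get a home share: system UIDs (assumed to be
    below uid_min) or any account whose home lies outside home_root."""
    prefix = home_root.rstrip("/") + "/"
    names = []
    for name, uid, home in parse_passwd(text):
        # normpath collapses "..", so /home/../etc counts as outside home_root
        outside = not posixpath.normpath(home).startswith(prefix)
        if uid < uid_min or outside:
            names.append(name)
    return names


def smb_conf_line(names):
    """Format the names as the [global] parameter from the reply."""
    return "invalid users = " + " ".join(names)


if __name__ == "__main__":
    print(smb_conf_line(invalid_users(SAMPLE_PASSWD)))
```

The output is a candidate list to review before it goes into [global]; `svcbackup` shows why the home-directory check matters in addition to the UID threshold.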