[Samba] How to tell Samba not to use the passwd file

Dwight Tovey dtovey at emergecore.com
Tue Jan 3 17:19:50 GMT 2006


Jerry said:
> Dwight Tovey wrote:
>
>> The problem is that one of our testers has discovered that if he is
>> logged in as somebody who is a member of the Domain Admin
>> group, he can access all users' home directories by using
>> Windows' "Network Neighborhood" explorer and typing the direct
>> path in the location bar (\\netbiosname\user).  Unfortunately,
>> this extends beyond the users that are defined in LDAP.  Because
>> nsswitch.conf has 'passwd: files ldap', Domain Admins can also
>> access the "home" directories of users in the
>> passwd file.  This includes users like 'bin' (home of /bin), 'daemon'
>> (/sbin), 'admin' (/var/log), and the big one: 'mail' (home of /).  I
>> feel that this is a bit of a security hole.
>
> set an invalid users line in [global]
>
> 	invalid users = daemon bin lpd mail .....
>

Well, not quite.  As I understand the smb.conf man page, using this line
means that these users can't log in to the system.  That's not really the
issue.  The problem is that once a user who is in the Domain Admins group
has logged in, he can then access the "home" directories of these users
without having to log in again.

I did find that by adding:
  valid users = %S
to the [homes] definition I can keep Domain Admins out of those "home"
directories, but it also keeps them out of the home directories of users
that they should be able to access (those defined in the LDAP database). 
This is better than being wide open and I can live with it (easier to
implement and document than a chroot jail), but it doesn't seem quite
correct to me.

> Note that this is not a security hole but a misconfiguration and is the
> intended design.
>

That's not a bug, it's a feature.  :-)

I don't disagree that I had it misconfigured.  But I wonder how many other
people with PDCs running have this same misconfiguration.  Given that this
could potentially leave the Unix system completely open, I wonder if
section 17.5.2 of the Samba 3 Howto should stress more about the dangers
of allowing access to other users' home directories, especially these
"system" users.

    /dwight

-- 
Dwight N. Tovey
email: dtovey at emergecore.com
---------
Work to Live : Live to Ride : Ride to Work
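
An audit sketch for the situation discussed in this message, added here as an example and not part of the original post or of Samba itself. It lists local passwd-file accounts whose home directory a [homes] section would offer as a share, and treats `valid users = %S` in [homes] as closing that off, as the post reports. The sample data, the function names and the UID cutoff of 999 for "system" accounts are assumptions, and the parsing is a simplified reading of smb.conf.

```python
import configparser

# Constructed sample data: the accounts and home directories named in the post,
# plus a hypothetical ordinary user "alice". UIDs are made up for illustration.
SAMPLE_PASSWD = """\
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
admin:x:4:4:admin:/var/log:/sbin/nologin
mail:x:8:12:mail:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

OPEN_CONF = """\
[global]
    workgroup = EXAMPLE
[homes]
    browseable = no
    writable = yes
"""
RESTRICTED_CONF = OPEN_CONF + "    valid users = %S\n"  # workaround from the post


def load_sections(smb_conf_text):
    """Parse smb.conf text into {lowercased section name: options}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # Strip indentation so configparser does not treat lines as continuations.
    cp.read_string("\n".join(l.strip() for l in smb_conf_text.splitlines()))
    return {name.lower(): cp[name] for name in cp.sections()}


def exposed_system_homes(passwd_text, smb_conf_text, max_system_uid=999):
    """Return {account: home} for local system accounts whose home directory
    [homes] would offer to connecting users other than the account itself."""
    homes = load_sections(smb_conf_text).get("homes")
    if homes is None:
        return {}  # no [homes] section, so no per-user shares are created
    valid = homes.get("valid users", "").replace(",", " ").split()
    if valid == ["%S"]:
        return {}  # only the user the share is named after may connect
    exposed = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # skip comments, blanks and NIS compat entries
        name, uid, home = fields[0], int(fields[2]), fields[5]
        if uid <= max_system_uid and home:  # assumed system-account cutoff
            exposed[name] = home
    return exposed
```

To check a real host, pass the contents of /etc/passwd and of the server's smb.conf in place of the constructed samples.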
