[Samba] How to tell Samba not to use the passwd file
Dwight Tovey
dtovey at emergecore.com
Tue Jan 3 17:49:54 GMT 2006
Jerry said:
> Dwight Tovey wrote:
>
>>>set an invalid users line in [global]
>>>
>>> invalid users = daemon bin lpd mail .....
>>>
>> Well, not quite. As I understand the smb.conf man page,
>
> Did you actually test it? Or just read the man page? This used to be
> enough to prevent system account home directories.
>
I tested it. I tried several permutations, using "invalid users" and
"valid users" in both the [global] and [homes] sections. With the
"invalid users" line that you had (in either section), once I login as a
Domain Admin I can then get at all these system account directories.
>> I don't disagree that I had it misconfigured. But I wonder
>> how many other people with PDCs running have this same
>> misconfiguration. Given that this could potentially leave
>> the Unix system completely open, I wonder if section 17.5.2
>> of the Samba 3 Howto should stress more about the dangers
>> of allowing access to other users home directories,
>> especially these "system" users.
>
> It doesn't leave the Unix system wide open. You only get the access
> that you would have at a shell prompt. Now something like
> 'admin users = +users' would be a serious misconfiguration but that type
> of thing is mentioned in the smb.conf(5) man page.
>
Well, "wide open" may have been a bit strong. Definitely more open than I
would like. They may not be able to read my /etc/shadow file, but they
can browse around areas where I don't want them, especially since I don't
allow shell access to the system.
/dwight
--
Dwight N. Tovey
email: dtovey at emergecore.com
---------
Work to Live : Live to Ride : Ride to Work