[Samba] Confusing behavior of hosts allow/hosts deny in Samba
3.0.28/3.2.4
Jeremy Allison
jra at samba.org
Thu Nov 6 06:58:43 GMT 2008
On Tue, Nov 04, 2008 at 10:43:35AM -0500, Eric Boehm wrote:
> I saw some unexpected behavior in the interaction of hosts allow and
> hosts deny on Samba 3.0.28. I built Samba 3.2.4 just to be sure it
> wasn't something that had been fixed. I saw the same behavior.
>
> I'm not sure if it is a bug or a failure on my part to
> understand the documentation or misleading documentation.
>
> If I have a share defined as
>
> [export]
> comment = exported storage
> path = /export
> # admin users = boehm
> hosts allow = boehm-1
> hosts deny = boehm-3
> oplocks = no
> level2 oplocks = no
> guest ok = no
> create mask = 0775
> directory mask = 0775
> map archive = no
> writeable = yes
>
> Then host boehm-1 has access and boehm-3 is denied access. The odd
> part is that every other host now has access as well (e.g., boehm-2)
>
> Now, if I had only hosts allow and no hosts deny, only host boehm-1
> would have access.
>
> hosts allow = boehm-1
> # hosts deny = boehm-3
>
> The confusing part, to me, was that adding hosts deny for a single
> host suddenly opened up the share to every host that wasn't in
> hosts deny, regardless as to whether they were in hosts allow.
>
> The man page for smb.conf has an example for both hosts allows and
> hosts deny
>
> Example 4: allow only hosts in NIS netgroup "foonet",
> but deny access from one particular host
>
> hosts allow = @foonet
>
> hosts deny = pirate
>
> Note Note that access still requires suitable user-level
> passwords.
>
> See testparm(1) for a way of testing your host access to
> see if it does what you expect.
>
> This doesn't mention that every host but pirate will have access, not
> just those in @foonet.
>
> I see this as a bug but I wonder if I am missing something.
I agree it's counter intuitive, but it does match the man
pages for hosts.allow and hosts.deny, which the original
code was based on.
>From those man pages :
-----------------------------------------------------------
ACCESS CONTROL FILES
The access control software consults two files. The search stops at the first match:
· Access will be granted when a (daemon,client) pair matches an entry in the
/etc/hosts.allow file.
· Otherwise, access will be denied when a (daemon,client) pair matches an entry in the
/etc/hosts.deny file.
· Otherwise, access will be granted.
A non-existing access control file is treated as if it were an empty file. Thus, access con‐
trol can be turned off by providing no access control files.
-----------------------------------------------------------
So having a "hosts allow" but no "hosts deny" means the "hosts deny"
is treated as an empty file (default deny I think). Once you define
a "hosts deny" then the default changes to "allow", if you only want
to restrict access to a specific hosts list then don't define a
"hosts deny", just a "hosts allow". I guess the issue is you
really don't need to have both defined (maybe we should log
a warning in this case that the results may not be what you
would expect).
Jeremy.
More information about the samba
mailing list