[Samba] Confusing behavior of hosts allow/hosts deny in Samba 3.0.28/3.2.4

Jeremy Allison jra at samba.org
Thu Nov 6 06:58:43 GMT 2008

On Tue, Nov 04, 2008 at 10:43:35AM -0500, Eric Boehm wrote:
> I saw some unexpected behavior in the interaction of hosts allow and
> hosts deny on Samba 3.0.28. I built Samba 3.2.4 just to be sure it
> wasn't something that had been fixed. I saw the same behavior.
> I'm not sure if it is a bug or a failure on my part to
> understand the documentation or misleading documentation.
> If I have a share defined as
> [export]
>         comment         = exported storage
>         path            = /export
>         # admin users   = boehm
>         hosts allow     = boehm-1
>         hosts deny      = boehm-3
>         oplocks         = no
>         level2 oplocks  = no
>         guest ok        = no
>         create mask     = 0775
>         directory mask  = 0775
>         map archive     = no
>         writeable       = yes
> Then host boehm-1 has access and boehm-3 is denied access. The odd
> part is that every other host now has access as well (e.g., boehm-2)
> Now, if I had only hosts allow and no hosts deny, only host boehm-1
> would have access.
>          hosts allow    = boehm-1
>          # hosts deny   = boehm-3
> The confusing part, to me, was that adding hosts deny for a single
> host suddenly opened up the share to every host that wasn't in
> hosts deny, regardless as to whether they were in hosts allow.
> The man page for smb.conf has an example for both hosts allows and
> hosts deny
>          Example 4: allow only hosts in NIS netgroup "foonet",
>          but deny access from one particular host
>          hosts allow = @foonet
>          hosts deny = pirate
>          Note Note that access still requires suitable user-level
>          passwords.
>          See testparm(1) for a way of testing your host access to
>          see if it does what you expect.
> This doesn't mention that every host but pirate will have access, not
> just those in @foonet.
> I see this as a bug but I wonder if I am missing something.

I agree it's counter intuitive, but it does match the man
pages for hosts.allow and hosts.deny, which the original
code was based on.

>From those man pages :

       The access control software consults two files. The search stops at the first match:

       ·      Access  will  be  granted  when  a  (daemon,client)  pair  matches  an  entry  in  the
              /etc/hosts.allow file.

       ·      Otherwise, access will be denied when a (daemon,client) pair matches an entry  in  the
              /etc/hosts.deny file.

       ·      Otherwise, access will be granted.

       A  non-existing access control file is treated as if it were an empty file. Thus, access con‐
       trol can be turned off by providing no access control files.

So having a "hosts allow" but no "hosts deny" means the "hosts deny"
is treated as an empty file (default deny I think). Once you define
a "hosts deny" then the default changes to "allow", if you only want
to restrict access to a specific hosts list then don't define a
"hosts deny", just a "hosts allow". I guess the issue is you
really don't need to have both defined (maybe we should log
a warning in this case that the results may not be what you
would expect).


More information about the samba mailing list