[Samba] Confusing behavior of hosts allow/hosts deny in Samba 3.0.28/3.2.4

Eric Boehm boehm at nortel.com
Thu Nov 6 15:14:38 GMT 2008

On Wed, Nov 05, 2008 at 10:58:43PM -0800, Jeremy Allison wrote:
>>>>> "Jeremy" == Jeremy Allison <jra at samba.org> writes:
>>>>> "Mike" == Mike Gallamore <mike at mpi-cbg.de> writes:

    Eric> Example 4: allow only hosts in NIS netgroup "foonet", but deny
    Eric> access from one particular host

    Eric> hosts allow = @foonet

    Eric> hosts deny = pirate

    Eric> This doesn't mention that every host but pirate will have
    Eric> access, not just those in @foonet.
    Eric> I see this as a bug but I wonder if I am missing something.

    Jeremy> I agree it's counter intuitive, but it does match the man
    Jeremy> pages for hosts.allow and hosts.deny, which the original
    Jeremy> code was based on.

[excerpt from host_access manpages deleted]

    Jeremy>        A non-existing access control file is treated as if
    Jeremy> it were an empty file. Thus, access control
    Jeremy> can be turned off by providing no access control files.

    Jeremy> So having a "hosts allow" but no "hosts deny" means the
    Jeremy> "hosts deny" is treated as an empty file (default deny I
    Jeremy> think). Once you define a "hosts deny" then the default
    Jeremy> changes to "allow", if you only want to restrict access to
    Jeremy> a specific hosts list then don't define a "hosts deny",
    Jeremy> just a "hosts allow". I guess the issue is you really
    Jeremy> don't need to have both defined (maybe we should log a
    Jeremy> warning in this case that the results may not be what you
    Jeremy> would expect).

In a later message:

    Mike> I think something like a sudoers file would make sense, i.e.
    Mike> no one gets access unless they are on the list. Suggestion:
    Mike> Perhaps host allow should be the only option. If access
    Mike> controls are enabled, people only get access if the host
    Mike> allow field is defined and if their name is on the list.

    Jeremy> Trouble is that would break existing setups. Nope, best
    Jeremy> thing we can do is add a warning (IMHO).

I agree that changing behavior of hosts deny and host access would
break too many existing setups.

However, I would like to suggest the following:

1. Eliminate or correct Example 4 from the documentation. Perhaps add
   an example using EXCEPT. That's what I determined I needed because
   I wanted to exclude hosts that were in the 'hosts allow' netgroup.

   I think what Example 4 should be:
   Example 4: allow only hosts in NIS netgroup "foonet", but deny
   access from one particular host
   hosts allow = @foonet EXCEPT pirate

2. Add a warning or note that defining both 'hosts allow' and 'hosts deny'
   will lead to allowing everyone not in 'hosts deny'. That is, more
   hosts than those in 'hosts allow' will be allowed.

Eric M. Boehm                  /"\  ASCII Ribbon Campaign
boehm at nortel.com               \ /  No HTML or RTF in mail
                                X   No proprietary word-processing
Respect Open Standards         / \  files in mail
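
The decision order discussed in this thread, as an added example that is not part of the original message and is not Samba's code: a simplified Python model comparing Example 4 as documented with an allow-only list and the suggested EXCEPT form. The netgroup contents, the host names alpha, beta and stranger, and all function names are constructed for illustration; pirate is assumed not to be a member of foonet.

```python
# Simplified model of the hosts allow / hosts deny decision discussed above.
# Not Samba's source code. Netgroup contents and host names other than
# "pirate" are constructed sample data; hosts match by exact name only.
NETGROUPS = {"foonet": {"alpha", "beta"}}  # assumption: pirate is not a member

def _match_one(token, host):
    if token.startswith("@"):                      # @name is a netgroup
        return host in NETGROUPS.get(token[1:], set())
    return token == host

def list_match(entries, host):
    """'A B EXCEPT C' matches hosts in A or B that are not in C."""
    tokens = entries.replace(",", " ").split()
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        include, exclude = tokens[:cut], tokens[cut + 1:]
    else:
        include, exclude = tokens, []
    if not any(_match_one(t, host) for t in include):
        return False
    return not any(_match_one(t, host) for t in exclude)

def allow_access(hosts_allow, hosts_deny, host):
    if not hosts_allow and not hosts_deny:
        return True                                # no lists: no restriction
    if not hosts_deny:
        return list_match(hosts_allow, host)       # allow only: default deny
    if not hosts_allow:
        return not list_match(hosts_deny, host)    # deny only: default allow
    # Both lists defined: a host on neither list falls through to ALLOW.
    if list_match(hosts_allow, host):
        return True
    if list_match(hosts_deny, host):
        return False
    return True

def evaluate(hosts_allow, hosts_deny, hosts=("alpha", "stranger", "pirate")):
    return {h: allow_access(hosts_allow, hosts_deny, h) for h in hosts}

if __name__ == "__main__":
    print("Example 4 as documented:", evaluate("@foonet", "pirate"))
    print("Allow list only:        ", evaluate("@foonet", ""))
    print("Suggested EXCEPT form:  ", evaluate("@foonet EXCEPT pirate", ""))
```

In the first case the host named stranger, which is on neither list, is admitted; in the other two it is refused.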
