[Samba] Confusing behavior of hosts allow/hosts deny in Samba
boehm at nortel.com
Thu Nov 6 15:14:38 GMT 2008
On Wed, Nov 05, 2008 at 10:58:43PM -0800, Jeremy Allison wrote:
>>>>> "Jeremy" == Jeremy Allison <jra at samba.org> writes:
>>>>> "Mike" == Mike Gallamore <mike at mpi-cbg.de> writes:
Eric> Example 4: allow only hosts in NIS netgroup "foonet", but deny
Eric> access from one particular host
Eric> hosts allow = @foonet
Eric> hosts deny = pirate
Eric> This doesn't mention that every host but pirate will have
Eric> access, not just those in @foonet.
Eric> I see this as a bug but I wonder if I am missing something.
Jeremy> I agree it's counter intuitive, but it does match the man
Jeremy> pages for hosts.allow and hosts.deny, which the original
Jeremy> code was based on.
[excerpt from host_access manpages deleted]
Jeremy> A non-existing access control file is treated as if
Jeremy> it were an empty file. Thus, access control
Jeremy> can be turned off by providing no access control files.
Jeremy> So having a "hosts allow" but no "hosts deny" means the
Jeremy> "hosts deny" is treated as an empty file (default deny I
Jeremy> think). Once you define a "hosts deny" then the default
Jeremy> changes to "allow", if you only want to restrict access to
Jeremy> a specific hosts list then don't define a "hosts deny",
Jeremy> just a "hosts allow". I guess the issue is you really
Jeremy> don't need to have both defined (maybe we should log a
Jeremy> warning in this case that the results may not be what you
Jeremy> would expect).
In a later message:
Mike> I think something like a sudoers file would make since, ie
Mike> no one gets access unless they are on the list. Suggestion:
Mike> Perhaps host allow should be the only option. If access
Mike> controls are enabled, people only get access if the host
Mike> allow field is defined and if their name is on the list.
Jeremy> Trouble is that would break existing setups. Nope, best
Jeremy> thing we can do is add a warning (IMHO).
I agree that changing behavior of hosts deny and host access would
break too many existing setups.
However, I would like to suggest the following:
1. Eliminate or correct Example 4 from the documentation. Perhaps add
an example using EXCEPT. That's what I determined I needed because
I wanted to exclude hosts that were in the 'hosts allow' netgroup
I think what Example 4 should be
Example 4: allow only hosts in NIS netgroup "foonet", but deny
access from one particular host
hosts allow = @foonet EXCEPT pirate
2. Add a warning or note that defining both 'hosts allow' and 'hosts deny'
will lead to allowing everyone not in 'hosts deny'. That is, more
hosts than those in 'hosts allow' will be allowed.
Eric M. Boehm /"\ ASCII Ribbon Campaign
boehm at nortel.com \ / No HTML or RTF in mail
X No proprietary word-processing
Respect Open Standards / \ files in mail
More information about the samba