Hi Bob,

I am CC:ing this reply to the general Samba list as I think it may be of interest. This is a report that crops up from time to time as a security hole report, and I'd like to explain in general why this is a misunderstanding.

Bob Atkins wrote:

> We are unable to keep individual users from mapping to any other user's
> home directory once they have supplied a valid password! They only need
> to enter their own password. I have not found *any* method that I can
> use to configure samba to enforce that only a user may map their own
> home directory.
> ......
> Problem #1 (with above config):
>
> User xyzzy can map his home directory. Once mapped user xyzzy can also map
> *anyone* else's home directory!
> ....
> Any help would be gratefully appreciated. I have tried everything I
> can and the above described problems do seem like pretty serious
> security flaws.

This is not a security flaw, it is by design. Samba allows users to have *exactly* the same access to the UNIX filesystem as they would if they were logged onto the UNIX box, except that it only allows such views onto the file system as are allowed by the defined shares.

This means that if your UNIX home directories are set up such that one user can happily cd into another user's directory and do an ls, the UNIX security solution is to change the UNIX file permissions on the users' home directories such that the cd and ls would be denied.

Samba tries very hard not to second guess the UNIX administrator's security policies, and trusts the UNIX admin to set the policies and permissions he or she desires.

Samba does allow the setup you require, and your Problem #2:, when you have set the "only user = yes" option on the share, is that you have not set the valid users list for the share.

From the smb.conf man page on 'only user' :

only user (S)
    This is a boolean option that controls whether connections
    with usernames not in the user= list will be allowed. By
    default this option is disabled so a client can supply a
    username to be used by the server.

    Note that this also means Samba won't try to deduce
    usernames from the service name. This can be annoying for the
    [homes] section. To get around this you could use "user
    %S" which means your "user" list will be just the service
    name, which for home directories is the name of the user.

    Default: only user = False

    Example: only user = True

Note that only user works in conjunction with the users= list, so to get the behavior you require, add the line :

    user = %S

to the definition of the [homes] share, as recommended in the above text.

Hope this helps,

Jeremy Allison.
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
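
An added example, not part of the original messages and not Samba's own code: a shell function that lists the home directories whose mode bits let group or other users enter or list them, which is the cd and ls access described above. The function name audit_homes and the parent directory passed to it are assumptions; only mode bits are examined, not POSIX ACLs.

```shell
#!/bin/sh
# Added example: report home directories that someone other than the
# owner can enter (x) or list (r). A Samba user connected to a share
# covering such a directory gets the same access a UNIX login would.

# audit_homes PARENT_DIR
# Prints one line per directory directly under PARENT_DIR whose mode
# grants read or search permission to group or other.
audit_homes() {
    base=$1
    for dir in "$base"/*/; do
        # An unmatched glob stays literal; skip anything not a directory.
        if [ ! -d "$dir" ]; then
            continue
        fi
        dir=${dir%/}
        # Symlinks are skipped; their targets are checked in place.
        if [ -L "$dir" ]; then
            continue
        fi
        # -prune tests only the directory itself. Each "-perm -NNN"
        # is true when that bit is set (POSIX find syntax):
        #   040 group read, 010 group search,
        #   004 other read, 001 other search.
        hit=$(find "$dir" -prune \( -perm -040 -o -perm -010 \
                                   -o -perm -004 -o -perm -001 \) -print)
        if [ -n "$hit" ]; then
            printf '%s\n' "$dir"
        fi
    done
    return 0
}

# Run as: sh audit_homes.sh /home   (the path is an assumption)
if [ "$#" -gt 0 ]; then
    audit_homes "$1"
fi
```

Any directory it prints can be tightened with chmod 700 by its owner or by root, after which another user's cd and ls are denied both at a UNIX login and through Samba.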
Hi Jeremy,

Thank you for your timely reply.

> I am CC:ing this reply to the general Samba list
> as I think it may be of interest. This is a report that
> crops up from time to time as a security hole report, and
> I'd like to explain in general why this is a misunderstanding.
>

See below...

> Bob Atkins wrote:
>
> > We are unable to keep individual users from mapping to any other user's
> > home directory once they have supplied a valid password! They only need
> > to enter their own password. I have not found *any* method that I can
> > use to configure samba to enforce that only a user may map their own
> > home directory.
> > ......
> > Problem #1 (with above config):
> >
> > User xyzzy can map his home directory. Once mapped user xyzzy can also map
> > *anyone* else's home directory!
> > ....
> > Any help would be gratefully appreciated. I have tried everything I
> > can and the above described problems do seem like pretty serious
> > security flaws.
>

I understand and I do appreciate this feature.

> This is not a security flaw, it is by design. Samba allows
> users to have *exactly* the same access to the UNIX filesystem
> as they would if they were logged onto the UNIX box, except
> that it only allows such views onto the file system as are
> allowed by the defined shares.
>
> This means that if your UNIX home directories are set up
> such that one user can happily cd into another user's
> directory and do an ls, the UNIX security solution is to
> change the UNIX file permissions on the users' home directories
> such that the cd and ls would be denied.
>
> Samba tries very hard not to second guess the UNIX administrator's
> security policies, and trusts the UNIX admin to set
> the policies and permissions he or she desires.
>
> Samba does allow the setup you require, and your
> Problem #2:, when you have set the "only user = yes"
> option on the share, is that you have not set the
> valid users list for the share.
>
> From the smb.conf man page on 'only user' :
>
> only user (S)
> This is a boolean option that controls whether connections
> with usernames not in the user= list will be allowed. By
> default this option is disabled so a client can supply a
> username to be used by the server.
>
> Note that this also means Samba won't try to deduce
> usernames from the service name. This can be annoying for the
> [homes] section. To get around this you could use "user
> %S" which means your "user" list will be just the service
> name, which for home directories is the name of the user.
>
> Default: only user = False
>
> Example: only user = True
>
> Note that only user works in conjunction with the users= list,
> so to get the behavior you require, add the line :
>
> user = %S
>
> to the definition of the [homes] share, as recommended in
> the above text.
>

Ahhhh! Thank you for your patience. Deep down I knew that Samba could handle this. I read and re-read the above so many times and it just didn't register :( Too early in the am the last few days.

I only wish that this capability was 'exposed' a bit better in the docs. I'm fairly sure that restricting users to their own home directory would be a popular feature from an administrator's standpoint. Currently such a feature is fairly well concealed in the copious and well written docs. I also searched the mail archives and the FAQs and all of the docs in the distribution and found nothing that addressed restricting users to their home directories.

Perhaps it would be a good idea to identify the above combination as one of the basic configuration examples in the online docs and in the distribution docs so as to bring this capability out into the open a bit more. Step 3 in the UNIX_INSTALL.txt file and a heading/paragraph in the UNIX-SMB.txt file might be good places to mention this alternative capability.

> Hope this helps,
>

Very much so! Thank you!

---
Bob Atkins