samba - Dec 1999 - URGENT: REDHAT 6.1 STORES SAMBA PRIVATE FILES IN /etc

dear redhat,

i examined a friend's system today, to help him configure it.  assuming
that he just "installed" from scratch the samba package, it appears
that
you have provided a default smb.conf file for redhat 6.1 that puts samba
private configuration files in /etc.  the suggested options, for example
show "smbpasswd file = /etc/smbpasswd".

this is REALLY bad.

1) you CANNOT put smbpasswd in /etc.

2) you CANNOT put private files DOMAIN.TRUST_ACCOUNT.mac in /etc.

i know that these require root access, however if your users start to
assume that just because these files are in /etc, they are equivalent to
/etc/passwd, they may decide to make these world-readable, and as a result
they will compromise the security of the box, and potentially the security
of remote nt-compatible boxes too (including other samba servers) because
these files contain CLEAR_TEXT EQUIVALENT PASSWORDS.

for example, private .mac files can contain information sufficient to
compromise a remote server by obtaining all remote clear-text equivalent
passwords: the .mac file is used to store the "Backup Domain
Controller"
trust account password.

i know that there are people out there who are using samba configured in
the way your installation suggests, because i have received debug log
files from people on the samba lists showing that trust accounts are being
read from /etc/DOMAIN.SERVER_NAME.mac.

please respond urgently to confirm that you have received this message and
that you are taking steps to correct this.

thank you.

luke (samba team, iss x-force research).

i acknowledge that there is not a security hole in redhat 6.1 
default installation: it requires modification.  it is the
modification or deliberate exploitation that scares me.

demonstration script on its way. this is why i am scared of .mac files.
not that rpcclient is run twice, with the second time being anonymous user
connection:

Script started on Sun Dec 19 20:27:15 1999
[root@steeleye source]# bin/rpcclient -S emery -U administrator%test -W
ROCKNROLL -l log
[ROCKNROLL\administrator@EMERY]$ lsaq
lsaq
LSA Query Info Policy
Domain Member     - Domain: ROCKNROLL SID: S-1-5-21-639959114-323303692-99485923
Domain Controller - Domain: ROCKNROLL SID: S-1-5-21-639959114-323303692-99485923
[ROCKNROLL\administrator@EMERY]$ createuser steeleye$ -s -j
createuser steeleye$ -s -j
SAM Create Domain User
Domain: ROCKNROLL Name: steeleye$ ACB: [S          ]
Create Domain User: OK
Script started on Tue Dec 14 13:26:34 1999
[lkcl@steeleye source]$ bin/rpcclient -S emery -U test%password -l log

[test@EMERY]$ ntpass
ntpass
SAM NT Password Change
New Password (ONCE ONLY - get it right :-)
NT Password changed OK

[test@EMERY]$ exit
exit

[lkcl@steeleye source]$ exit
Script done on Tue Dec 14 13:26:54 1999
Join STEELEYE to Domain ROCKNROLL: OK
[ROCKNROLL\administrator@EMERY]$ quit
quit
[root@steeleye source]# bin/rpcclient -S emery -U% -W ROCKNROLL -l log
[ROCKNROLL\@EMERY]$ samsync
samsync
	SAM Database Sync
	-----------------
Domain: ROCKNROLL
Account: Administrator
{
	0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 
	0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE
};
{
	0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 
	0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37
};
Account: Guest
{
	0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 
	0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE
};
{
	0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 
	0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37
};
Account: test
{
	0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 
	0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE
};
{
	0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 
	0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37
};
Account: lkcl
{
	0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 
	0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE
};
{
	0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 
	0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37
};
Account: VUSR_EMERY
{
	0x78, 0x31, 0x01, 0xDB, 0x58, 0x01, 0x46, 0x30, 
	0x67, 0x2F, 0x32, 0xB0, 0x06, 0x20, 0x3E, 0xAE
};
{
	0x3E, 0x77, 0x31, 0x59, 0x2E, 0xED, 0x08, 0x05, 
	0x47, 0x6E, 0x39, 0xF3, 0xD9, 0x8E, 0xAD, 0x87
};
Account: test1
{
	0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 
	0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE
};
{
	0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 
	0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37
};
Account: test2
{
	0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 
	0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE
};
{
	0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 
	0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37
};
Account: test3
{
	0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 
	0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE
};
{
	0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 
	0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37
};
Account: test5
{
	0xE5, 0x2C, 0xAC, 0x67, 0x41, 0x9A, 0x9A, 0x22, 
	0x4A, 0x3B, 0x10, 0x8F, 0x3F, 0xA6, 0xCB, 0x6D
};
{
	0x88, 0x46, 0xF7, 0xEA, 0xEE, 0x8F, 0xB1, 0x17, 
	0xAD, 0x06, 0xBD, 0xD8, 0x30, 0xB7, 0x58, 0x6C
};
Account: test6
{
	0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 
	0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE
};
{
	0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 
	0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37
};
Account: test7
{
	0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 
	0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE
};
{
	0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 
	0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37
};
Account: test8
{
	0x2A, 0x35, 0xCE, 0xE0, 0xB0, 0xDC, 0xC3, 0x4B, 
	0xD3, 0xB0, 0xBB, 0x90, 0xAE, 0x0D, 0xD7, 0x76
};
{
	0x31, 0xD6, 0xCF, 0xE0, 0xD1, 0x6A, 0xE9, 0x31, 
	0xB7, 0x3C, 0x59, 0xD7, 0xE0, 0xC0, 0x89, 0xC0
};
Account: BROOKFIELDS$
{
	0x13, 0x97, 0xA1, 0xB9, 0x20, 0xCA, 0xAC, 0xF9, 
	0xE8, 0x59, 0x18, 0xE5, 0x40, 0xC7, 0x03, 0xAE
};
{
	0x90, 0x38, 0x31, 0x95, 0xF3, 0xD4, 0x7D, 0x3E, 
	0xA9, 0xB5, 0x68, 0xED, 0x6A, 0x23, 0x04, 0x82
};
Account: Adm!n
{
	0x77, 0x36, 0xD4, 0xC4, 0xAD, 0xBE, 0xB3, 0xA5, 
	0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE
};
{
	0xE6, 0x49, 0x13, 0x62, 0x11, 0x7E, 0xA8, 0x5A, 
	0x0E, 0x22, 0xB8, 0xD6, 0x44, 0x49, 0xCF, 0x27
};
Account: REGENT$
{
	0xB1, 0x9D, 0x2B, 0x5D, 0xAB, 0x70, 0x35, 0xCC, 
	0x19, 0xC9, 0x86, 0x1E, 0xEE, 0xDD, 0x18, 0xE5
};
{
	0x2A, 0xA7, 0x3C, 0x3F, 0xFA, 0x81, 0x72, 0x84, 
	0x1D, 0xFD, 0x57, 0x81, 0xB3, 0xDE, 0x62, 0x67
};
Account: ??
{
	0x74, 0x31, 0xB2, 0xAA, 0x60, 0x48, 0xF1, 0x54, 
	0xA3, 0x06, 0xA5, 0xB8, 0xFA, 0xE2, 0x0E, 0x0E
};
{
	0x74, 0x31, 0xB2, 0xAA, 0x60, 0x48, 0xF1, 0x54, 
	0xA3, 0x06, 0xA5, 0xB8, 0xFA, 0xE2, 0x0E, 0x0E
};
Account: TEST$
{
	0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 
	0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE
};
{
	0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 
	0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37
};
Account: TESTWKS1$
{
	0xDE, 0xA0, 0xAA, 0x89, 0xD1, 0x02, 0x61, 0x48, 
	0xC2, 0x26, 0x5B, 0x23, 0x73, 0x4E, 0x0D, 0xAC
};
{
	0x06, 0x32, 0x99, 0x40, 0x8E, 0x50, 0xD4, 0x11, 
	0x64, 0x1C, 0x76, 0xD8, 0xE1, 0x6A, 0x6E, 0x05
};
Account: TESTWKS$
{
	0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 
	0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE
};
{
	0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 
	0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37
};
Account: new_user
{
	0xB4, 0x48, 0x07, 0x28, 0xC5, 0xE5, 0xB5, 0xD4, 
	0x8F, 0x90, 0x0A, 0xBF, 0x62, 0x62, 0x47, 0x51
};
{
	0xBA, 0xC5, 0x2B, 0x80, 0xB2, 0xEC, 0x25, 0xF3, 
	0x9E, 0xC5, 0x3B, 0x7E, 0xD8, 0xC1, 0x3C, 0x54
};
Account: WORKSTATION$
{
	0x55, 0xC0, 0x99, 0x03, 0x6B, 0x4A, 0x8D, 0xBF, 
	0x1A, 0xD1, 0x2E, 0xDD, 0xA1, 0x3A, 0x11, 0xFC
};
{
	0x2F, 0x22, 0xF2, 0xE1, 0xCC, 0xF7, 0x13, 0xAF, 
	0xDB, 0x68, 0x7B, 0xDA, 0xEE, 0xB9, 0x3A, 0xA5
};
Account: DUMMSRV$
{
	0x3D, 0x66, 0x01, 0x1A, 0xE9, 0x62, 0xD5, 0xCD, 
	0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE
};
{
	0xF9, 0xD8, 0xD3, 0xCE, 0x6F, 0xF6, 0x68, 0xC4, 
	0x17, 0xBA, 0x07, 0xBB, 0x9D, 0x8B, 0xBD, 0x39
};
Account: NT5-1$
{
	0xFE, 0x0B, 0x21, 0x9D, 0x21, 0x9A, 0x0A, 0x6B, 
	0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE
};
{
	0x0C, 0x9E, 0xA7, 0x5F, 0x7C, 0x9F, 0x41, 0x57, 
	0x50, 0x6B, 0x21, 0x71, 0xED, 0xB6, 0x1A, 0xB1
};
Account: steeleye$
{
	0x55, 0xC0, 0x99, 0x03, 0x6B, 0x4A, 0x8D, 0xBF, 
	0x1A, 0xD1, 0x2E, 0xDD, 0xA1, 0x3A, 0x11, 0xFC
};
{
	0xFF, 0x12, 0xE5, 0xB9, 0x79, 0xEB, 0xE8, 0x7A, 
	0xC5, 0x62, 0x37, 0xF5, 0x46, 0xBB, 0xC1, 0xAD
};

[ROCKNROLL\@EMERY]$ quit
quit
[root@steeleye source]# exit
exit

Script done on Sun Dec 19 20:28:09 1999


On Mon, 20 Dec 1999, Jeremy Allison wrote:
> Luke Kenneth Casson Leighton wrote:
> > 
> > sum(0..n)(security)t tends to zero, as number of idiots tends to
infinity.
> 
> Yes I know.
> 
> > jeremy, the pam writers created an /etc/security directory for these
sorts
> > of things. the /etc/security directory is there to make it really,
really
> > obvious that these files are not to be messed with.
> > 
> > we create a private/ directory for the same reasons.
> > 
> > we modify the permissions not only on the file but also on the
directory
> > to be root-access only.
> > 
> > readhat thinks otherwise, it seems.
> 
> I agree, that what we do is more paranoid than what they
> do, but you must understand that what they do is *NOT*
> a security hole.
> 
> You must be *very* careful about screaming "security hole"
> when no such problem exists. People get *very* twitchy,
> and with good reason, when you publically accuse them
> of such things.
> 
> Remember the boy who cried wolf....
> 
> NOTE for the clueless :-).
> RedHat 6.x does *NOT* have a security hole here !!!
> 
> Regards,
> 
> 	Jeremy Allison,
> 	Samba Team.
> 
> -- 
> --------------------------------------------------------
> Buying an operating system without source is like buying
> a self-assembly Space Shuttle with no instructions.
> --------------------------------------------------------
>

Luke Kenneth Casson Leighton wrote:
> 
> dear redhat,
> 
> i examined a friend's system today, to help him configure it.  assuming
> that he just "installed" from scratch the samba package, it
appears that
> you have provided a default smb.conf file for redhat 6.1 that puts samba
> private configuration files in /etc.  the suggested options, for example
> show "smbpasswd file = /etc/smbpasswd".
> 
> this is REALLY bad.
> 
> 1) you CANNOT put smbpasswd in /etc.
> 
> 2) you CANNOT put private files DOMAIN.TRUST_ACCOUNT.mac in /etc.
> 
> i know that these require root access, however if your users start to
> assume that just because these files are in /etc, they are equivalent to
> /etc/passwd, they may decide to make these world-readable, and as a result
> they will compromise the security of the box, and potentially the security
> of remote nt-compatible boxes too (including other samba servers) because
> these files contain CLEAR_TEXT EQUIVALENT PASSWORDS.
Hang on a sec. Luke. They can do this so long as these
files are read only by root. Only stupid people will
change these files to world readable. Stupid people
shouldn't be admining systems :-).

I agree it would be safer to have a /etc/samba-private
directory set root only, but they do not ship the system
as insecure by default (ie. they *can* put root read
only files in /etc, and it *is* safe to do so).

Jeremy.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

Luke Kenneth Casson Leighton wrote:
> 
> sum(0..n)(security)t tends to zero, as number of idiots tends to infinity.
Yes I know.
> jeremy, the pam writers created an /etc/security directory for these sorts
> of things. the /etc/security directory is there to make it really, really
> obvious that these files are not to be messed with.
> 
> we create a private/ directory for the same reasons.
> 
> we modify the permissions not only on the file but also on the directory
> to be root-access only.
> 
> readhat thinks otherwise, it seems.
I agree, that what we do is more paranoid than what they
do, but you must understand that what they do is *NOT*
a security hole.

You must be *very* careful about screaming "security hole"
when no such problem exists. People get *very* twitchy,
and with good reason, when you publically accuse them
of such things.

Remember the boy who cried wolf....

NOTE for the clueless :-).
RedHat 6.x does *NOT* have a security hole here !!!

Regards,

	Jeremy Allison,
	Samba Team.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

Hi everyone there,

	I use SGI O2 machine with IRIX 6.3 and I have SAMBA 2.06 installed
on it. Now I want to print from my unix box to a HP Laser Jet 6MP printer
attached to a Windows 95 PC. Does anybody know how to set it up. My unix
comes with a GUI to set up printers and has Drivers for HP LJ 6MP ( though
I do not know where exactly the drivers are). Any help in this regard will
be appreciated.

Thanks

**********************************
Ramesh Babu
National Chemical Laboratory
Pune 411 008
INDIA
**********************************

*- On 21 Dec, Ramesh Babu wrote about "How to print from Unix to
Windows"
> 
> Hi everyone there,
> 
> 	I use SGI O2 machine with IRIX 6.3 and I have SAMBA 2.06 installed
> on it. Now I want to print from my unix box to a HP Laser Jet 6MP printer
> attached to a Windows 95 PC. Does anybody know how to set it up. My unix
> comes with a GUI to set up printers and has Drivers for HP LJ 6MP ( though
> I do not know where exactly the drivers are). Any help in this regard will
> be appreciated.
> 
Look at the smbprint script that comes with the source in the
..../examples/printing directory.  It is self documented in the
comments.  You basically set up a print filter on you local machine that
sends the data via smbclient to the shared printer on the Win machine.

-- 
Brian Servis
-- 
------------------------------------------------------------------------
Mechanical Engineering              |  Never criticize anybody until you  
Purdue University                   |  have walked a mile in their shoes,
servis@purdue.edu                   |  because by that time you will be a
http://www.ecn.purdue.edu/~servis   |  mile away and have their shoes.

>>>>>>>>>>>>>>>>>>
Urspr?ngliche Nachricht
<<<<<<<<<<<<<<<<<<
Am 20.12.99, 23:31:01, schrieb samba@samba.org zum Thema SAMBA digest 
2349:

> Date:   Mon, 20 Dec 1999 11:35:11 -0500
> From:   "Reid, Rowan (GSP)" <ReidR@gspinc.com>
> To:     "Samba (E-mail)" <samba@samba.org>
> Subject: Few questions 2.0.6  is there a network neighborhood like app 
for
>        linux(KDE) and tweaking more speed on moving files.
[cut]

Have you tried LinNeighborhood? http://www.bnro.de/~schmidjo/

Cheers
Axel