Shawn Iverson
2004-Jan-21 00:34 UTC
[Samba] Winbind local idmap/cache database security concerns
I am currently working on implementing unified logons between Linux and win computers on an NT4 domain. I have a Samba test server with winbind working properly. All is going well, except that I am concerned about the winbind idmap database stored on the local Linux workstations. My current understanding of winbind is that it must be on every machine, unless a winbind Samba LDAP backend/pam_smb combination is used. However, with the latter, all the features that winbind supports are lost since winbind is not running on the local machine (such as changing one's password), so I currently see no other way of implementing winbind.

What will keep a user from reading /var/cache/samba/winbind_cache.tdb and winbind_idmap.tdb? I know that the owner is root and that each has the permissions 0600 (idmap had 0644, but I changed it to 0600). Despite that, isn't it easy enough for a user to crack the filesystem and gain access to these databases if he/she so wished?

I am especially concerned about this because the cache and idmap contain information on what users and groups exist on the network and who belongs to what group. Is this not a potential security concern? For example, if a user gained access to these databases, they could identify all domain administrator accounts, correct?

Perhaps there is a way to implement winbind so as to not have the cache and idmaps stored locally and still retain winbind's functionality. If anyone knows how, I would be very interested.

Shawn Iverson
Technology Associate
New Castle Community School Corporation
765-593-6691
shawn@nccsc.k12.in.us
Andrew Bartlett
2004-Jan-21 03:02 UTC
[Samba] Winbind local idmap/cache database security concerns
On Wed, 2004-01-21 at 02:24, Shawn Iverson wrote:

> I am currently working on implementing unified logons between linux and win
> computers on an NT4 domain. I have a samba test server with winbind working
> properly. All is going well, except that I am concerned about the winbind
> idmap database stored on the local linux workstations. My current
> understanding of winbind is that it must be on every machine, unless an
> winbind samba ldap backend/pam_smb combination is used.

You should never use pam_smb. You should always use pam_winbind, particularly as you are already using winbindd :-)

The idmap ldap backend is about ensuring a consistent UID mapping on each machine, so things like NFS do not break.

> However, with the
> latter, all the features that winbind supports are lost since winbind is not
> running on the local machine (such as changing ones password) so I currently
> see no other way of implementing winbind.

Why are you not running winbind on each machine? I'm a bit confused - the idea is that you run winbindd on each client, so that they can participate in the domain.

> What will keep a user from reading /var/cache/samba/winbind_cache.tdb and
> winbind_idmap.tdb? I know that the owner is root and that the each has the
> permissions 0600 (idmap had 0644, but I changed it to 0600). Despite that,
> isn't it easy enough for a user to crack the filesystem and gain access to
> these databases if so he/she wished?

Indeed - but they could also run 'getent group' and 'getent passwd' - it's much faster ;-). This information is available to any user who is in the domain.

> I am especially concerned about this
> because the cache and idmap contain information on what users and groups
> exist on the network and who belongs to what group. Is this not a potential
> security concern? For example, if a user gained access to these databases,
> they could identify all domain administrator accounts, correct?
>
> Perhaps there is a way to implement winbind so as to not have the cache and
> idmaps stored locally and still retain winbind's functionality. If anyone
> knows how I would be very interested.

I think you are looking for problems that don't exist.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
Shawn Iverson
2004-Jan-21 13:23 UTC
[Samba] Winbind local idmap/cache database security concerns
(Apologies to the list for the double posting... I was having email issues and wasn't sure that my emails were even leaving my domain.)

> From: Andrew Bartlett [mailto:abartlet@samba.org]
> Sent: Tuesday, January 20, 2004 9:51 PM
>
> You should never use pam_smb. You should always use pam_winbind,
> particularly as you are already using winbindd :-)

Are there security problems with pam_smb? I know that its only apparent function is to validate passwords on a Samba/NT server. It lacks much of the functionality for which I am looking.

> The idmap ldap backend is about ensuring a consistant UID mapping on
> each machine, so things like NFS do not break.
>
> > However, with the
> > latter, all the features that winbind supports are lost since winbind is not
> > running on the local machine (such as changing ones password) so I currently
> > see no other way of implementing winbind.
>
> Why are you not running winbind on each machine? I'm a bit confused -
> the idea is that you run winbindd on each client, so that they can
> participate in the domain.

Believe me, I have been quite confused myself! I was originally led to believe that winbind belonged only on a server and that clients did not need it at all, that somehow they accessed the server for winbind support. I have learned since that this is definitely not the case.

> > What will keep a user from reading /var/cache/samba/winbind_cache.tdb and
> > winbind_idmap.tdb? I know that the owner is root and that the each has the
> > permissions 0600 (idmap had 0644, but I changed it to 0600). Despite that,
> > isn't it easy enough for a user to crack the filesystem and gain access to
> > these databases if so he/she wished?
>
> Indeed - but they could also run 'getent group' and 'getent passwd' -
> it's much faster ;-). This information is available to any user who is
> in the domain.

I found out that setting winbind enum users=no and winbind enum groups=no prevents getent from displaying domain information.

I am unsure of the potential consequences of turning off enumeration, though.
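As an added example (not from the thread or from the Samba project), here is a small POSIX shell audit of the two mitigations discussed above on a Samba domain member: that `[global]` in smb.conf sets `winbind enum users` and `winbind enum groups` to `no`, and that the winbind tdb files carry no group/other permission bits (0600 rather than the 0644 the poster found). The sample smb.conf and file paths are constructed; on a real machine you would point it at /etc/samba/smb.conf and /var/cache/samba/*.tdb.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two mitigations discussed
# above on a Samba domain member. Paths and the sample smb.conf are constructed.

# enum_disabled SMB_CONF KEY: return 0 when [global] sets KEY (for example
# "winbind enum users") to no/false/0, 1 when it is yes or absent. Samba's
# default for these keys has varied by version, so absent counts as not disabled.
enum_disabled() {
    val=$(awk -v key="$2" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && !/^[ \t]*[;#]/ {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            gsub(/[ \t]/, "", v)
            if (tolower(k) == key) last = tolower(v)   # a later setting overrides
        }
        END { print last }' "$1")
    case "$val" in no|false|0) return 0 ;; *) return 1 ;; esac
}

# tdb_private FILE: return 0 when FILE exists with no group/other permission
# bits (e.g. 0600, as the poster set on winbind_idmap.tdb); 1 otherwise.
# Ownership by root should be checked alongside this on a real system.
tdb_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU, then BSD stat
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Demonstration on constructed input: a temporary smb.conf and two empty
# files standing in for the tdbs under /var/cache/samba.
demo() {
    tmp=$(mktemp -d)
    printf '[global]\n  workgroup = EXAMPLEDOM\n  winbind enum users = no\n  winbind enum groups = yes\n' > "$tmp/smb.conf"
    touch "$tmp/winbind_cache.tdb" "$tmp/winbind_idmap.tdb"
    chmod 0600 "$tmp/winbind_cache.tdb"
    chmod 0644 "$tmp/winbind_idmap.tdb"   # the mode the poster found on idmap
    for key in "winbind enum users" "winbind enum groups"; do
        if enum_disabled "$tmp/smb.conf" "$key"; then echo "OK    $key = no"
        else echo "WARN  $key not disabled: getent can list the domain"; fi
    done
    for f in "$tmp"/*.tdb; do
        if tdb_private "$f"; then echo "OK    $(basename "$f") readable by owner only"
        else echo "WARN  $(basename "$f") readable by other users"; fi
    done
    rm -rf "$tmp"
}
demo
```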
Shawn Iverson
2004-Jan-22 01:30 UTC
[Samba] Winbind local idmap/cache database security concerns
> From: Andrew Bartlett [mailto:abartlet@samba.org]
> Sent: Wednesday, January 21, 2004 5:33 PM
>
> Secondly, you will notice that /usr/sbin is accessible by all users, it
> is just not in the default path for all users, as most users don't have
> the *need* to access those programs. That said, a 'normal user' can
> (and often will) run /sbin/ifconfig, or similar tools for perfectly
> legitimate reasons.
>
> Finally, by removing these basic system programs, shell scripts that use
> them for the designed purpose will break.
>
> Andrew Bartlett

Thanks to everyone who responded to my post. I found the information very beneficial. I can't wait to deploy Linux workstations in our domain and finally start breaking away from the grip of Microsoft!