Luke Kenneth Casson Leighton
1999-Dec-20 21:25 UTC
URGENT: REDHAT 6.1 STORES SAMBA PRIVATE FILES IN /etc
dear redhat, i examined a friend's system today, to help him configure it. assuming that he just "installed" from scratch the samba package, it appears that you have provided a default smb.conf file for redhat 6.1 that puts samba private configuration files in /etc. the suggested options, for example show "smbpasswd file = /etc/smbpasswd". this is REALLY bad. 1) you CANNOT put smbpasswd in /etc. 2) you CANNOT put private files DOMAIN.TRUST_ACCOUNT.mac in /etc. i know that these require root access, however if your users start to assume that just because these files are in /etc, they are equivalent to /etc/passwd, they may decide to make these world-readable, and as a result they will compromise the security of the box, and potentially the security of remote nt-compatible boxes too (including other samba servers) because these files contain CLEAR_TEXT EQUIVALENT PASSWORDS. for example, private .mac files can contain information sufficient to compromise a remote server by obtaining all remote clear-text equivalent passwords: the .mac file is used to store the "Backup Domain Controller" trust account password. i know that there are people out there who are using samba configured in the way your installation suggests, because i have received debug log files from people on the samba lists showing that trust accounts are being read from /etc/DOMAIN.SERVER_NAME.mac. please respond urgently to confirm that you have received this message and that you are taking steps to correct this. thank you. luke (samba team, iss x-force research).
Luke Kenneth Casson Leighton
1999-Dec-20 22:00 UTC
URGENT: REDHAT 6.1 STORES SAMBA PRIVATE FILES IN /etc
i acknowledge that there is not a security hole in redhat 6.1 default installation: it requires modification. it is the modification or deliberate exploitation that scares me. demonstration script on its way. this is why i am scared of .mac files. not that rpcclient is run twice, with the second time being anonymous user connection: Script started on Sun Dec 19 20:27:15 1999 [root@steeleye source]# bin/rpcclient -S emery -U administrator%test -W ROCKNROLL -l log [ROCKNROLL\administrator@EMERY]$ lsaq lsaq LSA Query Info Policy Domain Member - Domain: ROCKNROLL SID: S-1-5-21-639959114-323303692-99485923 Domain Controller - Domain: ROCKNROLL SID: S-1-5-21-639959114-323303692-99485923 [ROCKNROLL\administrator@EMERY]$ createuser steeleye$ -s -j createuser steeleye$ -s -j SAM Create Domain User Domain: ROCKNROLL Name: steeleye$ ACB: [S ] Create Domain User: OK Script started on Tue Dec 14 13:26:34 1999 [lkcl@steeleye source]$ bin/rpcclient -S emery -U test%password -l log [test@EMERY]$ ntpass ntpass SAM NT Password Change New Password (ONCE ONLY - get it right :-) NT Password changed OK [test@EMERY]$ exit exit [lkcl@steeleye source]$ exit Script done on Tue Dec 14 13:26:54 1999 Join STEELEYE to Domain ROCKNROLL: OK [ROCKNROLL\administrator@EMERY]$ quit quit [root@steeleye source]# bin/rpcclient -S emery -U% -W ROCKNROLL -l log [ROCKNROLL\@EMERY]$ samsync samsync SAM Database Sync ----------------- Domain: ROCKNROLL Account: Administrator { 0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE }; { 0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37 }; Account: Guest { 0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE }; { 0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37 }; Account: test { 0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE }; { 0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37 }; Account: lkcl { 0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE }; { 0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37 }; Account: VUSR_EMERY { 0x78, 0x31, 0x01, 0xDB, 0x58, 0x01, 0x46, 0x30, 0x67, 0x2F, 0x32, 0xB0, 0x06, 0x20, 0x3E, 0xAE }; { 0x3E, 0x77, 0x31, 0x59, 0x2E, 0xED, 0x08, 0x05, 0x47, 0x6E, 0x39, 0xF3, 0xD9, 0x8E, 0xAD, 0x87 }; Account: test1 { 0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE }; { 0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37 }; Account: test2 { 0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE }; { 0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37 }; Account: test3 { 0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE }; { 0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37 }; Account: test5 { 0xE5, 0x2C, 0xAC, 0x67, 0x41, 0x9A, 0x9A, 0x22, 0x4A, 0x3B, 0x10, 0x8F, 0x3F, 0xA6, 0xCB, 0x6D }; { 0x88, 0x46, 0xF7, 0xEA, 0xEE, 0x8F, 0xB1, 0x17, 0xAD, 0x06, 0xBD, 0xD8, 0x30, 0xB7, 0x58, 0x6C }; Account: test6 { 0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE }; { 0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37 }; Account: test7 { 0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE }; { 0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37 }; Account: test8 { 0x2A, 0x35, 0xCE, 0xE0, 0xB0, 0xDC, 0xC3, 0x4B, 0xD3, 0xB0, 0xBB, 0x90, 0xAE, 0x0D, 0xD7, 0x76 }; { 0x31, 0xD6, 0xCF, 0xE0, 0xD1, 0x6A, 0xE9, 0x31, 0xB7, 0x3C, 0x59, 0xD7, 0xE0, 0xC0, 0x89, 0xC0 }; Account: BROOKFIELDS$ { 0x13, 0x97, 0xA1, 0xB9, 0x20, 0xCA, 0xAC, 0xF9, 0xE8, 0x59, 0x18, 0xE5, 0x40, 0xC7, 0x03, 0xAE }; { 0x90, 0x38, 0x31, 0x95, 0xF3, 0xD4, 0x7D, 0x3E, 0xA9, 0xB5, 0x68, 0xED, 0x6A, 0x23, 0x04, 0x82 }; Account: Adm!n { 0x77, 0x36, 0xD4, 0xC4, 0xAD, 0xBE, 0xB3, 0xA5, 0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE }; { 0xE6, 0x49, 0x13, 0x62, 0x11, 0x7E, 0xA8, 0x5A, 0x0E, 0x22, 0xB8, 0xD6, 0x44, 0x49, 0xCF, 0x27 }; Account: REGENT$ { 0xB1, 0x9D, 0x2B, 0x5D, 0xAB, 0x70, 0x35, 0xCC, 0x19, 0xC9, 0x86, 0x1E, 0xEE, 0xDD, 0x18, 0xE5 }; { 0x2A, 0xA7, 0x3C, 0x3F, 0xFA, 0x81, 0x72, 0x84, 0x1D, 0xFD, 0x57, 0x81, 0xB3, 0xDE, 0x62, 0x67 }; Account: ?? { 0x74, 0x31, 0xB2, 0xAA, 0x60, 0x48, 0xF1, 0x54, 0xA3, 0x06, 0xA5, 0xB8, 0xFA, 0xE2, 0x0E, 0x0E }; { 0x74, 0x31, 0xB2, 0xAA, 0x60, 0x48, 0xF1, 0x54, 0xA3, 0x06, 0xA5, 0xB8, 0xFA, 0xE2, 0x0E, 0x0E }; Account: TEST$ { 0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE }; { 0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37 }; Account: TESTWKS1$ { 0xDE, 0xA0, 0xAA, 0x89, 0xD1, 0x02, 0x61, 0x48, 0xC2, 0x26, 0x5B, 0x23, 0x73, 0x4E, 0x0D, 0xAC }; { 0x06, 0x32, 0x99, 0x40, 0x8E, 0x50, 0xD4, 0x11, 0x64, 0x1C, 0x76, 0xD8, 0xE1, 0x6A, 0x6E, 0x05 }; Account: TESTWKS$ { 0x01, 0xFC, 0x5A, 0x6B, 0xE7, 0xBC, 0x69, 0x29, 0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE }; { 0x0C, 0xB6, 0x94, 0x88, 0x05, 0xF7, 0x97, 0xBF, 0x2A, 0x82, 0x80, 0x79, 0x73, 0xB8, 0x95, 0x37 }; Account: new_user { 0xB4, 0x48, 0x07, 0x28, 0xC5, 0xE5, 0xB5, 0xD4, 0x8F, 0x90, 0x0A, 0xBF, 0x62, 0x62, 0x47, 0x51 }; { 0xBA, 0xC5, 0x2B, 0x80, 0xB2, 0xEC, 0x25, 0xF3, 0x9E, 0xC5, 0x3B, 0x7E, 0xD8, 0xC1, 0x3C, 0x54 }; Account: WORKSTATION$ { 0x55, 0xC0, 0x99, 0x03, 0x6B, 0x4A, 0x8D, 0xBF, 0x1A, 0xD1, 0x2E, 0xDD, 0xA1, 0x3A, 0x11, 0xFC }; { 0x2F, 0x22, 0xF2, 0xE1, 0xCC, 0xF7, 0x13, 0xAF, 0xDB, 0x68, 0x7B, 0xDA, 0xEE, 0xB9, 0x3A, 0xA5 }; Account: DUMMSRV$ { 0x3D, 0x66, 0x01, 0x1A, 0xE9, 0x62, 0xD5, 0xCD, 0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE }; { 0xF9, 0xD8, 0xD3, 0xCE, 0x6F, 0xF6, 0x68, 0xC4, 0x17, 0xBA, 0x07, 0xBB, 0x9D, 0x8B, 0xBD, 0x39 }; Account: NT5-1$ { 0xFE, 0x0B, 0x21, 0x9D, 0x21, 0x9A, 0x0A, 0x6B, 0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE }; { 0x0C, 0x9E, 0xA7, 0x5F, 0x7C, 0x9F, 0x41, 0x57, 0x50, 0x6B, 0x21, 0x71, 0xED, 0xB6, 0x1A, 0xB1 }; Account: steeleye$ { 0x55, 0xC0, 0x99, 0x03, 0x6B, 0x4A, 0x8D, 0xBF, 0x1A, 0xD1, 0x2E, 0xDD, 0xA1, 0x3A, 0x11, 0xFC }; { 0xFF, 0x12, 0xE5, 0xB9, 0x79, 0xEB, 0xE8, 0x7A, 0xC5, 0x62, 0x37, 0xF5, 0x46, 0xBB, 0xC1, 0xAD }; [ROCKNROLL\@EMERY]$ quit quit [root@steeleye source]# exit exit Script done on Sun Dec 19 20:28:09 1999 On Mon, 20 Dec 1999, Jeremy Allison wrote:> Luke Kenneth Casson Leighton wrote: > > > > sum(0..n)(security)t tends to zero, as number of idiots tends to infinity. > > Yes I know. > > > jeremy, the pam writers created an /etc/security directory for these sorts > > of things. the /etc/security directory is there to make it really, really > > obvious that these files are not to be messed with. > > > > we create a private/ directory for the same reasons. > > > > we modify the permissions not only on the file but also on the directory > > to be root-access only. > > > > readhat thinks otherwise, it seems. > > I agree, that what we do is more paranoid than what they > do, but you must understand that what they do is *NOT* > a security hole. > > You must be *very* careful about screaming "security hole" > when no such problem exists. People get *very* twitchy, > and with good reason, when you publically accuse them > of such things. > > Remember the boy who cried wolf.... > > NOTE for the clueless :-). > RedHat 6.x does *NOT* have a security hole here !!! > > Regards, > > Jeremy Allison, > Samba Team. > > -- > -------------------------------------------------------- > Buying an operating system without source is like buying > a self-assembly Space Shuttle with no instructions. > -------------------------------------------------------- >
Jeremy Allison
1999-Dec-20 22:37 UTC
URGENT: REDHAT 6.1 STORES SAMBA PRIVATE FILES IN /etc
Luke Kenneth Casson Leighton wrote:> > dear redhat, > > i examined a friend's system today, to help him configure it. assuming > that he just "installed" from scratch the samba package, it appears that > you have provided a default smb.conf file for redhat 6.1 that puts samba > private configuration files in /etc. the suggested options, for example > show "smbpasswd file = /etc/smbpasswd". > > this is REALLY bad. > > 1) you CANNOT put smbpasswd in /etc. > > 2) you CANNOT put private files DOMAIN.TRUST_ACCOUNT.mac in /etc. > > i know that these require root access, however if your users start to > assume that just because these files are in /etc, they are equivalent to > /etc/passwd, they may decide to make these world-readable, and as a result > they will compromise the security of the box, and potentially the security > of remote nt-compatible boxes too (including other samba servers) because > these files contain CLEAR_TEXT EQUIVALENT PASSWORDS.Hang on a sec. Luke. They can do this so long as these files are read only by root. Only stupid people will change these files to world readable. Stupid people shouldn't be admining systems :-). I agree it would be safer to have a /etc/samba-private directory set root only, but they do not ship the system as insecure by default (ie. they *can* put root read only files in /etc, and it *is* safe to do so). Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. --------------------------------------------------------
Jeremy Allison
1999-Dec-20 22:48 UTC
URGENT: REDHAT 6.1 STORES SAMBA PRIVATE FILES IN /etc
Luke Kenneth Casson Leighton wrote:> > sum(0..n)(security)t tends to zero, as number of idiots tends to infinity.Yes I know.> jeremy, the pam writers created an /etc/security directory for these sorts > of things. the /etc/security directory is there to make it really, really > obvious that these files are not to be messed with. > > we create a private/ directory for the same reasons. > > we modify the permissions not only on the file but also on the directory > to be root-access only. > > readhat thinks otherwise, it seems.I agree, that what we do is more paranoid than what they do, but you must understand that what they do is *NOT* a security hole. You must be *very* careful about screaming "security hole" when no such problem exists. People get *very* twitchy, and with good reason, when you publically accuse them of such things. Remember the boy who cried wolf.... NOTE for the clueless :-). RedHat 6.x does *NOT* have a security hole here !!! Regards, Jeremy Allison, Samba Team. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. --------------------------------------------------------
Hi everyone there, I use SGI O2 machine with IRIX 6.3 and I have SAMBA 2.06 installed on it. Now I want to print from my unix box to a HP Laser Jet 6MP printer attached to a Windows 95 PC. Does anybody know how to set it up. My unix comes with a GUI to set up printers and has Drivers for HP LJ 6MP ( though I do not know where exactly the drivers are). Any help in this regard will be appreciated. Thanks ********************************** Ramesh Babu National Chemical Laboratory Pune 411 008 INDIA **********************************
*- On 21 Dec, Ramesh Babu wrote about "How to print from Unix to Windows"> > Hi everyone there, > > I use SGI O2 machine with IRIX 6.3 and I have SAMBA 2.06 installed > on it. Now I want to print from my unix box to a HP Laser Jet 6MP printer > attached to a Windows 95 PC. Does anybody know how to set it up. My unix > comes with a GUI to set up printers and has Drivers for HP LJ 6MP ( though > I do not know where exactly the drivers are). Any help in this regard will > be appreciated. >Look at the smbprint script that comes with the source in the ..../examples/printing directory. It is self documented in the comments. You basically set up a print filter on you local machine that sends the data via smbclient to the shared printer on the Win machine. -- Brian Servis -- ------------------------------------------------------------------------ Mechanical Engineering | Never criticize anybody until you Purdue University | have walked a mile in their shoes, servis@purdue.edu | because by that time you will be a http://www.ecn.purdue.edu/~servis | mile away and have their shoes.
>>>>>>>>>>>>>>>>>> Urspr?ngliche Nachricht <<<<<<<<<<<<<<<<<<Am 20.12.99, 23:31:01, schrieb samba@samba.org zum Thema SAMBA digest 2349:> Date: Mon, 20 Dec 1999 11:35:11 -0500 > From: "Reid, Rowan (GSP)" <ReidR@gspinc.com> > To: "Samba (E-mail)" <samba@samba.org> > Subject: Few questions 2.0.6 is there a network neighborhood like appfor> linux(KDE) and tweaking more speed on moving files.[cut] Have you tried LinNeighborhood? http://www.bnro.de/~schmidjo/ Cheers Axel
Reasonably Related Threads
- [LLVMdev] Very slow performance of lli on x86
- murmurhash3 test failures on big-endian systems
- Dmesg log for 2.6.31-rc8 kernel been built on F12 (rawhide) vs log for same kernel been built on F11 and installed on F12
- [PATCH v1] ACPI: Switch to use generic UUID API
- AVM Fritz crash