Hi,

I am using Samba version 3.051 in an Active Directory setting with Windows 2000 server. Everything is working rather well with regards to file-sharing and authentication. However, the one thing that I noticed that I haven't been able to fix quickly with SWAT is the prevention of browsing the Linux file-system with users such as 'nobody' or 'bin'.

For example... I have a user in Active Directory named John. John is part of the group 'students', and has restricted access through Group Policy and Samba Shares. Now John should only have three browseable Shares in this example, Home, Public, and Software. Samba and Windows drive mapping take care of this correctly. But say John is a Linux fan, notices that we are using Linux, and decides to play around a bit. John now enters \\(linux machine)\nobody (more appropriate \\%N\nobody\), and TADA.... he now can see the root file-system for the Linux machine. Now John can browse through /etc/samba, find my samba.conf file, and see all the shares I may have hidden. I know I can chmod that file but that's not what's scaring me. John shouldn't be able to see /. I know that user 'nobody' has / as its home directory. John shouldn't have access to nobody's home directory.

HOW DO I STOP THIS? Changing the properties of 'Other' on the folders in the root filesystem won't help because it just starts to break things. So I need a quick fix before I start buying books and reading months of old threads to resolve this issue.

Thanks Ladies and Gents,
Guille

p.s. Sorry if this question is answered already in a thread I haven't found. I just joined the Mailing list and I am currently searching.
O.k. I decided to start from scratch with a separate box running the same Linux distro (Fedora 2). This time the Linux box is a standalone server, Security=User, and I created a user *nix/smb Student, and all the other settings are defaults.

From the WinXP box I type \\fedora\ so that I can log in with Student and verify access to the home directory. I also browse the Network Neighborhood and only see the Home directory. So that works fine too. But then I type \\fedora\nobody and I can see the file-system once again.

What can I be doing wrong in such a simple setup?

Guille

    # Samba config file created using SWAT
    # from 0.0.0.0 (0.0.0.0)
    # Date: 2004/07/01 19:39:32

    # Global parameters
    [global]
        workgroup = WORKGROUP
        realm =
        netbios name = FEDORA
        netbios aliases =
        netbios scope =
        server string = Samba Server
        log file = /var/log/samba/log.smbd
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = No
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000

    [homes]
        comment = Home Directories
        read only = No
        browseable = No

    [printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

----- Original Message -----
From: tms3
To: Guille Williams
Sent: Thursday, July 01, 2004 7:17 PM
Subject: Re: [Samba] Security question for newbie

> Don't know much about the intricacies of System V/Linux, but there's got to be something odd in your smb.conf file to cause this. After reading your initial email I thought: Shit, I better look into this!
>
> I did, and I can't replicate it. On my Samba ADS joined machine, no ADS account, no mapping. I don't use SWAT for security reasons. Is SWAT adding things to smb.conf you don't want (again, I've never used it)? Maybe some misconfiguration in ldap? I wish I could be of more help.
>
> TMS III
>
> Guille Williams wrote:
Good idea. The only problem is I am going to have to do this for all the UID < 500 (except root). The solution is tedious but works.

Thanks for your help,
Guille

----- Original Message -----
From: "tms3" <tms3@fskklaw.com>
To: "Guille Williams" <guillemw@sbcglobal.net>
Sent: Thursday, July 01, 2004 5:04 PM
Subject: Re: [Samba] Security question for newbie

> Wow, you can't on mine--Samba 3.0.4, FreeBSD 5.2.1, W2k server. Anyway since the authentication is through AD, then create a user called nobody in AD, give it a password (big long ugly thing), and really deprive its privileges in AD. Should put a kibosh on it until you find out why this is happening.
>
> TMS III
>
> Guille Williams wrote:
Tried this:

    guest account = pcguest

and I still get the same result.

Thanks though,
Guille

----- Original Message -----
From: "tms3" <tms3@fskklaw.com>
To: "Guille Williams" <guillemw@sbcglobal.net>
Sent: Thursday, July 01, 2004 8:09 PM
Subject: Re: [Samba] Security question for newbie

> I found it. I think. Try this. Add a line
>
>     guest account = pcguest
>
> The smb.conf.sample file says this:
>
>     # Uncomment this if you want a guest account, you must add this to /etc/passwd
>     # otherwise the user "nobody" is used
>     guest account = pcguest
>
> Since no account pcguest exists...and now it ignores "nobody".... I'm guessing here.
>
> Guille Williams wrote:
Guille Williams wrote:

OK, it's not you! I just checked my Knoppix-HD install as well as my Devil-Linux box, and both exhibit similar behaviour. On the Knoppix box "nobody" has their home dir mapped to a dir that does not exist, so that fails. But "\\machine\root" brings up the root home dir!

Once you open that share, it then appears in the shares list in Windows Explorer. The comment next to them all is "Home Directories", which I think means they are being automounted by the [homes] share somehow. You would think by default it would only allow mounting of a [homes] share by the user that owns it. The directories that are listed do have permissions set to allow the user in question to list them. I.e. it is the same as that user could do if they logged in directly. Not sure it is proper though.

Tim
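A quick audit for the exposure Guille and Tim describe, as an added example that is not from this thread (a POSIX shell script over a constructed passwd sample, not any real host): with [homes] enabled and no user restriction, every local account name becomes a reachable \\server\<name> share rooted at that account's home directory, so this lists the accounts below the UID cutoff Guille mentions and builds one `invalid users` line that denies them all at once.

```shell
# Constructed passwd-style sample: three system accounts plus the Student
# user from the standalone test box in the thread. Not taken from a real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
student:x:500:500:Student:/home/student:/bin/bash'

# Print "name<TAB>home" for every account whose UID is below the cutoff
# (default 500, the boundary Guille used). Each of these names is what the
# [homes] section turns into a share, so each line is a directory that any
# authenticated user could reach as \\server\<name> on an unrestricted setup.
# On a live host, feed it "$(getent passwd)" instead of the sample.
homes_exposure() {
    cutoff="${2:-500}"
    printf '%s\n' "$1" | awk -F: -v cutoff="$cutoff" \
        '$3 < cutoff && $6 != "" { print $1 "\t" $6 }'
}

# Turn the same list into a single smb.conf line for the [homes] section,
# so the accounts are denied in one place instead of being fixed one by one.
invalid_users_line() {
    names=$(homes_exposure "$1" "$2" | cut -f1 | tr '\n' ' ')
    printf 'invalid users = %s\n' "${names% }"
}

# Stand-alone run: show what would be exposed, then the line that denies it.
homes_exposure "$SAMPLE_PASSWD"
invalid_users_line "$SAMPLE_PASSWD"
```

Samba's own smb.conf documentation recommends `valid users = %S` inside [homes], which limits each home share to the account whose name it carries; the `invalid users` line built here is a second, explicit deny on top of that, and `nobody` in particular should stay on it because its home directory in this thread is /.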