Hello all - I'm having a bit of a problem that I'm sure is being caused by my missing some trivial detail. But I haven't been able to find it, and I'm not even sure how I would construct the search to find relevant info in the archives.

Here is the setup. I have Samba 3.0.20a running as a PDC against an LDAP back end. For the most part everything works fine. Users that are members of the "Domain Administrators" group can add machines to the domain, normal users can access their home directories and are blocked from accessing other users' homes, while members of the Domain Admin group can access everybody's home directories.

The problem is that one of our testers has discovered that if he is logged in as somebody who is a member of the Domain Admin group, he can access all users' home directories by using Windows' "Network Neighborhood" explorer and typing the direct path in the location bar (\\netbiosname\user). Unfortunately, this extends beyond the users that are defined in LDAP. Because nsswitch.conf has 'passwd: files ldap', Domain Admins can also access the "home" directories of users in the passwd file. This includes users like 'bin' (home of /bin), 'daemon' (/sbin), 'admin' (/var/log), and the big one: 'mail' (home of /). I feel that this is a bit of a security hole.

Since there is no shell access for users on the Samba host, we could go through the passwd file and make sure that all home directories are set to something harmless. However, since the box is also used for other services, I'm concerned that this could cause problems with those other services.

The other solution that seems to work is to configure Samba with the "root directory" option to put it into a chroot jail with a minimal passwd file. It's a bit of a pain to set up the chroot, but unless I have missed some other option (highly likely), this seems like the best way to tighten up the system again.

So, what obvious configuration option did I completely miss?

/dwight
--
Dwight N. Tovey
email: dtovey@emergecore.com
---------
Work to Live : Live to Ride : Ride to Work
Gerald (Jerry) Carter
2006-Jan-03 15:33 UTC
[Samba] How to tell Samba not to use the passwd file
Dwight Tovey wrote:
> The problem is that one of our testers has discovered that if he
> is logged in as somebody who is a member of the Domain Admin
> group, he can access all users' home directories by using
> Windows' "Network Neighborhood" explorer and typing the direct
> path in the location bar (\\netbiosname\user). Unfortunately,
> this extends beyond the users that are defined in LDAP. Because
> nsswitch.conf has 'passwd: files ldap', Domain Admins can also
> access the "home" directories of users in the
> passwd file. This includes users like 'bin' (home of /bin), 'daemon'
> (/sbin), 'admin' (/var/log), and the big one: 'mail' (home of /).
> I feel that this is a bit of a security hole.

Set an invalid users line in [global]:

	invalid users = daemon bin lpd mail .....

Note that this is not a security hole but a misconfiguration and is the intended design.

cheers, jerry
====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"There's an anonymous coward in all of us." --anonymous
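An added example, not part of the thread: one way to build the "invalid users" line from passwd-format data, so that local system accounts such as 'bin' or 'mail' cannot be resolved as home shares. The UID cutoff, the list of sensitive home paths and the sample passwd content are assumptions constructed for illustration.

```python
# Added example (not from the thread): derive an "invalid users" line from
# passwd(5)-format data so local system accounts are refused by Samba.
# UID_MIN and SENSITIVE_HOMES are assumptions; adjust them to the host.

UID_MIN = 500  # assumed first UID handed out to real users on this host
SENSITIVE_HOMES = {"/", "/bin", "/sbin", "/var/log", "/etc"}

# Constructed sample in /etc/passwd format, modelled on the accounts named above.
SAMPLE_PASSWD = """\
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mail:x:8:12:mail:/:/sbin/nologin
admin:x:499:499:log admin:/var/log:/sbin/nologin
# comment line
broken:line
dtest:x:1001:1001:Test User:/home/dtest:/bin/bash
"""

def parse_passwd(text):
    """Yield (name, uid, home) for each well-formed passwd line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip malformed entries rather than guess
        yield fields[0], int(fields[2]), fields[5]

def risky_accounts(text, uid_min=UID_MIN):
    """Accounts with a system UID or a home directory on a system path."""
    risky = []
    for name, uid, home in parse_passwd(text):
        normalized = home.rstrip("/") or "/"  # treat "/bin/" like "/bin"
        if uid < uid_min or normalized in SENSITIVE_HOMES:
            risky.append(name)
    return risky

def invalid_users_line(text, uid_min=UID_MIN):
    """Format the result as the smb.conf [global] parameter from the reply."""
    return "invalid users = " + " ".join(risky_accounts(text, uid_min))

if __name__ == "__main__":
    print(invalid_users_line(SAMPLE_PASSWD))
```

Review the generated list before adding it to smb.conf; any local account that must still authenticate to Samba has to be left out.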