On Thu, Jan 27, 2005 at 05:11:51PM +0100, Daniel van Eeden wrote:
Use setfacl to set/remove rights to smbstatus.
Example:
chmod 700 /usr/bin/smbstatus
setfacl -m u:adminuser:r-x /usr/bin/smbstatus
setfacl -m u:baduser:--- /usr/bin/smbstatus

Use groups instead of users when possible.
setfacl is part of the acl package.

This is the kind of security that makes no sense. The smbstatus program isn't suid and isn't sgid. It has no particular special privileges. It gets its list of locked files from /var/run/samba/locking.tdb. If you put an acl on smbstatus you have done nothing but prevent people from running that particular copy of smbstatus. If they compile their own, copy one from another system, or even run strings on /var/run/samba/locking.tdb they will have circumvented this "security measure".

Mike Stone
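
A check for the point made in this reply, as an added example that is not part of the original thread: it reports whether limiting execute access to a binary protects the data file it reads. The function name and the three verdict strings are assumptions of this example; it reads mode bits only (GNU stat) and ignores ACLs on the data file.

```shell
#!/bin/sh
# Added example (not from the thread). Decides whether restricting who may
# execute a binary protects the data file that binary reads.
# Simplifications: looks only at mode bits via GNU stat; ignores POSIX ACLs
# and group membership on the data file.

check_binary_restriction() {
    bin=$1
    data=$2
    bmode=$(stat -c '%a' "$bin") || return 2    # octal mode, e.g. 700 or 4755
    dmode=$(stat -c '%a' "$data") || return 2

    # A leading 0 makes the shell read the mode as an octal constant.
    privileged=$(( 0$bmode & 06000 ))   # setuid (04000) or setgid (02000)
    world_read=$(( 0$dmode & 00004 ))   # "other" read bit on the data file

    if [ "$world_read" -ne 0 ]; then
        # Anyone can open the data directly; the binary is only a convenience.
        echo INEFFECTIVE
    elif [ "$privileged" -ne 0 ]; then
        # Data is closed and the binary lends its privilege to the caller,
        # so limiting who may execute it is a real control.
        echo EFFECTIVE
    else
        # Data is closed and the binary adds no privilege: the data file's
        # own permissions are the control, the binary's ACL is redundant.
        echo REDUNDANT
    fi
}

# Run against real paths when two arguments are given.
if [ "$#" -eq 2 ]; then
    check_binary_restriction "$1" "$2"
fi
```

Saved to a file and run with /usr/bin/smbstatus and /var/run/samba/locking.tdb as its two arguments, it shows which of the two files actually carries the access control.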

