Jerry said:

> Dwight Tovey wrote:
>
>> The problem is that one of our testers has discovered that if he is
>> logged in as somebody who is a member of the Domain Admin group, he can
>> access all users' home directories by using Windows' "Network
>> Neighborhood" explorer and typing the direct path in the location bar
>> (\\netbiosname\user). Unfortunately, this extends beyond the users that
>> are defined in LDAP. Because nsswitch.conf has 'passwd: files ldap',
>> Domain Admins can also access the "home" directories of users in the
>> passwd file. This includes users like 'bin' (home of /bin), 'daemon'
>> (/sbin), 'admin' (/var/log), and the big one: 'mail' (home of /). I
>> feel that this is a bit of a security hole.
>
> set an invalid users line in [global]
>
> invalid users = daemon bin lpd mail .....
Well, not quite. As I understand the smb.conf man page, using this line means that these users can't log in to the system. That's not really the issue. The problem is that once a user who is in the Domain Admins group has logged in, he can then access the "home" directories of these users without having to log in again.

I did find that by adding:

    valid users = %S

to the [homes] definition I can keep Domain Admins out of those "home" directories, but it also keeps them out of the home directories of users that they should be able to access (those defined in the LDAP database). This is better than being wide open and I can live with it (easier to implement and document than a chroot jail), but it doesn't seem quite correct to me.

> Note that this is not a security hole but a misconfiguration and is the
> intended design.
>
> That's not a bug, it's a feature. :-)

I don't disagree that I had it misconfigured. But I wonder how many other people with PDCs running have this same misconfiguration. Given that this could potentially leave the Unix system completely open, I wonder if section 17.5.2 of the Samba 3 Howto should stress more about the dangers of allowing access to other users' home directories, especially these "system" users.

/dwight
--
Dwight N. Tovey
email: [EMAIL PROTECTED]
---------
Work to Live : Live to Ride : Ride to Work
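The audit below is an added example, not code from the thread or from the Samba project: it reads an smb.conf and flags a [homes] share that lacks the 'valid users = %S' restriction Dwight ended up with, using constructed sample configs (the exposed share beside the corrected one). It assumes a plain smb.conf layout and does not expand 'include =' lines.

```python
import re

# Constructed sample configs, not from the thread: the exposed [homes]
# share and the same share with the 'valid users = %S' line Dwight added.
WEAK_CONF = """\
[global]
   workgroup = EXAMPLE
   domain logons = yes
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
"""
HARDENED_CONF = WEAK_CONF + "   valid users = %S\n"

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, names lower-cased.
    Handles '#'/';' comments; 'include =' lines are not expanded (assumption)."""
    sections, current = {}, None
    for raw in text.replace("\\\n", "").splitlines():  # join continued lines
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit_homes(text):
    """Return findings for a [homes] share not limited to its own owner.
    An empty list means 'valid users' includes %S (the share's own user)."""
    homes = parse_smb_conf(text).get("homes")
    if homes is None:
        return []                      # no [homes] share, nothing to check
    valid = homes.get("valid users", "")
    if not valid:
        return ["[homes]: no 'valid users' line, so \\\\server\\<user> is not "
                "restricted to its owner (the exposure described in the thread)"]
    if "%S" not in valid:
        return [f"[homes]: 'valid users = {valid}' does not include %S, "
                "so the per-user share is not tied to its own owner"]
    return []

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_homes(conf) or ["ok: restricted to owner"])
```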