Jerry said:
> Hash: SHA1
> Dwight Tovey wrote:
>>>set an invalid users line in [global]
>>>     invalid users = daemon bin lpd mail .....
>> Well, not quite.  As I understand the smb.conf man page,
> Did you actually test it?  Or just read the man page.  This use to be
> enough to prevent system account home directories.

I tested it.  I tried several permutations, using "invalid users" and
"valid users" in both the [global] and [homes] sections.  With the
"invalid users" line that you had (in either section), once I login as a
Domain Admin I can then get at all these system account directories.

>> I don't disagree that I had it misconfigured.  But I wonder
>> how many other people with PDCs running have this same
>> misconfiguration.  Given that this could potentially leave
>> the Unix system completely open, I wonder if section 17.5.2
>> of the Samba 3 Howto should stress more about the dangers
>> of allowing access to other users home directories,
>> especially these "system" users.
> It doesn't leave the Unix system wide open.  You only get the access
> that you would have at a shell prompt.  Now something like
> 'admin users = +users' would be a serious misconfiguration but that type
> of thing is mentioned in the smb.conf(5) man page.

Well, "wide open" may have been a bit strong.  Definately more open than I
would like.  They may not be able to read my /etc/shadow file, but they
can browse around areas where I don't want them, especially since I don't
allow shell access to the system.

Dwight N. Tovey
Work to Live : Live to Ride : Ride to Work

To unsubscribe from this list go to the following URL and read the

Reply via email to