Re: [Samba] Confusing behavior of hosts allow/hosts deny in Samba 3.0.28/3.2.4
On Wed, Nov 05, 2008 at 10:58:43PM -0800, Jeremy Allison wrote: > "Jeremy" == Jeremy Allison <[EMAIL PROTECTED]> writes: > "Mike" == Mike Gallamore <[EMAIL PROTECTED]> writes: Eric> Example 4: allow only hosts in NIS netgroup "foonet", but deny Eric> access from one particular host Eric> hosts allow = @foonet Eric> hosts deny = pirate Eric> This doesn't mention that every host but pirate will have Eric> access, not just those in @foonet. Eric> I see this as a bug but I wonder if I am missing something. Jeremy> I agree it's counter intuitive, but it does match the man Jeremy> pages for hosts.allow and hosts.deny, which the original Jeremy> code was based on. [excerpt from host_access manpages deleted] Jeremy>A non-existing access control file is treated as if Jeremy> it were an empty file. Thus, access control Jeremy> can be turned off by providing no access control files. Jeremy> So having a "hosts allow" but no "hosts deny" means the Jeremy> "hosts deny" is treated as an empty file (default deny I Jeremy> think). Once you define a "hosts deny" then the default Jeremy> changes to "allow", if you only want to restrict access to Jeremy> a specific hosts list then don't define a "hosts deny", Jeremy> just a "hosts allow". I guess the issue is you really Jeremy> don't need to have both defined (maybe we should log a Jeremy> warning in this case that the results may not be what you Jeremy> would expect). In a later message: Mike> I think something like a sudoers file would make since, ie Mike> no one gets access unless they are on the list. Suggestion: Mike> Perhaps host allow should be the only option. If access Mike> controls are enabled, people only get access if the host Mike> allow field is defined and if their name is on the list. Jeremy> Trouble is that would break existing setups. Nope, best Jeremy> thing we can do is add a warning (IMHO). I agree that changing behavior of hosts deny and host access would break too many existing setups. However, I would like to suggest the following: 1. Eliminate or correct Example 4 from the documentation. Perhaps add an example using EXCEPT. That's what I determined I needed because I wanted to exclude hosts that were in the 'hosts allow' netgroup I think what Example 4 should be Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host hosts allow = @foonet EXCEPT pirate 2. Add a warning or note that defining both 'hosts allow' and 'hosts deny' will lead to allowing everyone not in 'hosts deny'. That is, more hosts than those in 'hosts allow' will be allowed. -- Eric M. Boehm /"\ ASCII Ribbon Campaign [EMAIL PROTECTED] \ / No HTML or RTF in mail X No proprietary word-processing Respect Open Standards / \ files in mail -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Confusing behavior of hosts allow/hosts deny in Samba 3.0.28/3.2.4
Well hard to argue with the creator, though I'm sure many try ;) On Nov 6, 2008, at 3:22 PM, Jeremy Allison wrote: On Thu, Nov 06, 2008 at 10:01:45AM +0100, Mike Gallamore wrote: I think something like a sudoers file would make since, ie no one gets access unless they are on the list. Suggestion: Perhaps host allow should be the only option. If access controls are enabled, people only get access if the host allow field is defined and if their name is on the list. Trouble is that would break existing setups. Nope, best thing we can do is add a warning (IMHO). Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Confusing behavior of hosts allow/hosts deny in Samba 3.0.28/3.2.4
On Thu, Nov 06, 2008 at 10:01:45AM +0100, Mike Gallamore wrote: > I think something like a sudoers file would make since, ie no one gets > access unless they are on the list. Suggestion: > > Perhaps host allow should be the only option. If access controls are > enabled, people only get access if the host allow field is defined and > if their name is on the list. Trouble is that would break existing setups. Nope, best thing we can do is add a warning (IMHO). Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Confusing behavior of hosts allow/hosts deny in Samba 3.0.28/3.2.4
I think something like a sudoers file would make since, ie no one gets access unless they are on the list. Suggestion: Perhaps host allow should be the only option. If access controls are enabled, people only get access if the host allow field is defined and if their name is on the list. On Nov 6, 2008, at 7:58 AM, Jeremy Allison wrote: On Tue, Nov 04, 2008 at 10:43:35AM -0500, Eric Boehm wrote: I saw some unexpected behavior in the interaction of hosts allow and hosts deny on Samba 3.0.28. I built Samba 3.2.4 just to be sure it wasn't something that had been fixed. I saw the same behavior. I'm not sure if it is a bug or a failure on my part to understand the documentation or misleading documentation. If I have a share defined as [export] comment = exported storage path= /export # admin users = boehm hosts allow = boehm-1 hosts deny = boehm-3 oplocks = no level2 oplocks = no guest ok= no create mask = 0775 directory mask = 0775 map archive = no writeable = yes Then host boehm-1 has access and boehm-3 is denied access. The odd part is that every other host now has access as well (e.g., boehm-2) Now, if I had only hosts allow and no hosts deny, only host boehm-1 would have access. hosts allow= boehm-1 # hosts deny = boehm-3 The confusing part, to me, was that adding hosts deny for a single host suddenly opened up the share to every host that wasn't in hosts deny, regardless as to whether they were in hosts allow. The man page for smb.conf has an example for both hosts allows and hosts deny Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host hosts allow = @foonet hosts deny = pirate Note Note that access still requires suitable user-level passwords. See testparm(1) for a way of testing your host access to see if it does what you expect. This doesn't mention that every host but pirate will have access, not just those in @foonet. I see this as a bug but I wonder if I am missing something. I agree it's counter intuitive, but it does match the man pages for hosts.allow and hosts.deny, which the original code was based on. From those man pages : --- ACCESS CONTROL FILES The access control software consults two files. The search stops at the first match: · Access will be granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file. · Otherwise, access will be denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file. · Otherwise, access will be granted. A non-existing access control file is treated as if it were an empty file. Thus, access con‐ trol can be turned off by providing no access control files. --- So having a "hosts allow" but no "hosts deny" means the "hosts deny" is treated as an empty file (default deny I think). Once you define a "hosts deny" then the default changes to "allow", if you only want to restrict access to a specific hosts list then don't define a "hosts deny", just a "hosts allow". I guess the issue is you really don't need to have both defined (maybe we should log a warning in this case that the results may not be what you would expect). Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Confusing behavior of hosts allow/hosts deny in Samba 3.0.28/3.2.4
On Tue, Nov 04, 2008 at 10:43:35AM -0500, Eric Boehm wrote: > I saw some unexpected behavior in the interaction of hosts allow and > hosts deny on Samba 3.0.28. I built Samba 3.2.4 just to be sure it > wasn't something that had been fixed. I saw the same behavior. > > I'm not sure if it is a bug or a failure on my part to > understand the documentation or misleading documentation. > > If I have a share defined as > > [export] > comment = exported storage > path= /export > # admin users = boehm > hosts allow = boehm-1 > hosts deny = boehm-3 > oplocks = no > level2 oplocks = no > guest ok= no > create mask = 0775 > directory mask = 0775 > map archive = no > writeable = yes > > Then host boehm-1 has access and boehm-3 is denied access. The odd > part is that every other host now has access as well (e.g., boehm-2) > > Now, if I had only hosts allow and no hosts deny, only host boehm-1 > would have access. > > hosts allow= boehm-1 > # hosts deny = boehm-3 > > The confusing part, to me, was that adding hosts deny for a single > host suddenly opened up the share to every host that wasn't in > hosts deny, regardless as to whether they were in hosts allow. > > The man page for smb.conf has an example for both hosts allows and > hosts deny > > Example 4: allow only hosts in NIS netgroup "foonet", > but deny access from one particular host > > hosts allow = @foonet > > hosts deny = pirate > > Note Note that access still requires suitable user-level > passwords. > > See testparm(1) for a way of testing your host access to > see if it does what you expect. > > This doesn't mention that every host but pirate will have access, not > just those in @foonet. > > I see this as a bug but I wonder if I am missing something. I agree it's counter intuitive, but it does match the man pages for hosts.allow and hosts.deny, which the original code was based on. >From those man pages : --- ACCESS CONTROL FILES The access control software consults two files. The search stops at the first match: · Access will be granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file. · Otherwise, access will be denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file. · Otherwise, access will be granted. A non-existing access control file is treated as if it were an empty file. Thus, access con‐ trol can be turned off by providing no access control files. --- So having a "hosts allow" but no "hosts deny" means the "hosts deny" is treated as an empty file (default deny I think). Once you define a "hosts deny" then the default changes to "allow", if you only want to restrict access to a specific hosts list then don't define a "hosts deny", just a "hosts allow". I guess the issue is you really don't need to have both defined (maybe we should log a warning in this case that the results may not be what you would expect). Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
