Re: possible samba security problem
On Fri, 28 Jan 2005 20:43:30 +0100, Nils Juergens wrote:
>On Fri, 28.01.05, Thorsten Giese <email@example.com> wrote:
>I think it is considered good practice not to have users on important
>systems in the first place, so maybe you should be thinking about how to get
>your users off of your server.
Disagree disagree disagree ..
Leaving aside personal workstations, and resource-server-type systems,
there's a huge category of systems that will potentially (and quite
normally) have unprivileged users (that's what computing services are
all about). In the corporate world anyway.
And good practice in such circumstances dictates that we only allow
ordinary users to see what they need to see.
The best solution to this issue would be to have smbstatus enhanced to
only show status information relating to the calling (unprivileged)
user. But in lieu of that (a task for the Samba team) I think it
should be okay to simply change the permissions on
/var/run/samba/locking.tdb so only root can access it. There's no
real need for ordinary users to use smbstatus anyway. IMHO.
Expert, n.: Someone who comes from out of town and shows slides