Re: possible samba security problem
On Sat, 29 Jan 2005 14:50:03 +0100, Ruben van der Leij wrote:
>+++ Nick Boyce [29/01/05 02:56 +0000]:
>
>> I think it
>> should be okay to simply change the permissions on
>> /var/run/samba/locking.tdb so only root can access it. There's no
>> real need for ordinary users to use smbstatus anyway. IMHO.
>
>Have you actually *tried* that 'solution'?

I confess at the time I wrote that I *hadn't* tried it - but I have
now - I just did an experiment on a Woody box running a backport of
Samba 2.2.8a:
==================< cut >==================
W1LWS001:~$ smbstatus
Samba version 2.2.8a-1.woody for Debian
Service uid gid pid machine
----------------------------------------------
No locked files
W1LWS001:~$ smbclient -L \\localhost -N
added interface ip=xxx.yyy.47.40 bcast=xxx.yyy.47.255 nmask=255.255.255.0
Anonymous login successful
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 2.2.8a-1.woody for Debian]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba 2.2.8a)
ADMIN$ Disk IPC Service (Samba 2.2.8a)
Server Comment
--------- -------
W1LWS001 Samba 2.2.8a
Workgroup Master
--------- -------
MYDOMAIN
W1LWS001:~$ su -
Password:
W1LWS001:~# ls -l /var/run/samba
total 40
-rw-r--r-- 1 root root 696 Jan 31 00:39 brlock.tdb
-rw-r--r-- 1 root root 8192 Jan 30 19:30 connections.tdb
-rw-r--r-- 1 root root 696 Jan 31 00:39 locking.tdb
-rw------- 1 root root 696 Jan 30 19:30 messages.tdb
-rw-r--r-- 1 root root 3599 Nov 17 06:25 namelist.debug
-rw-r--r-- 1 root root 20 Jan 30 19:30 nmbd.pid
-rw-r--r-- 1 root root 20 Jan 30 19:30 smbd.pid
-rw-r--r-- 1 root root 8192 Jan 30 19:30 unexpected.tdb
W1LWS001:~# chmod 640 /var/run/samba/locking.tdb
W1LWS001:~# ls -l /var/run/samba/locking.tdb
-rw-r----- 1 root root 696 Jan 31 00:39 /var/run/samba/locking.tdb
W1LWS001:~# logout
W1LWS001:~$ smbclient -L \\localhost -N
added interface ip=xxx.yyy.47.40 bcast=xxx.yyy.47.255 nmask=255.255.255.0
Anonymous login successful
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 2.2.8a-1.woody for Debian]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba 2.2.8a)
ADMIN$ Disk IPC Service (Samba 2.2.8a)
Server Comment
--------- -------
W1LWS001 Samba 2.2.8a
Workgroup Master
--------- -------
MYDOMAIN
W1LWS001:~$ smbstatus
Samba version 2.2.8a-1.woody for Debian
Service uid gid pid machine
----------------------------------------------
ERROR: Failed to initialise locking database
Can't initialise locking module - exiting
==================< cut >==================
Doesn't seem to cause a problem. Might be different with Samba 3.x.x
though, but I don't have any of those at present.

>Perhaps smbstatus isn't doing anything that it shouldn't.
>It might even be accurately emulating behaviour available
>on windows.

Just because Windows does it doesn't necessarily mean it's a good
thing ;-)

Cheers,
Nick Boyce
Bristol, UK
--
"If you assume that there's no hope, you guarantee there will be no hope.
If you assume that there is an instinct for freedom, there are
opportunities to change things." - Noam Chomsky