
Re: possible samba security problem



On Thu, Jan 27, 2005 at 05:11:51PM +0100, Daniel van Eeden wrote:
> Use setfacl to set/remove rights to smbstatus.
> Example:
> chmod 700 /usr/bin/smbstatus
> setfacl -m u:adminuser:r-x /usr/bin/smbstatus
> setfacl -m u:baduser:--- /usr/bin/smbstatus
>
> Use groups instead of users when possible.
> setfacl is part of the acl package.

This is the kind of security that makes no sense. The smbstatus program
isn't suid and isn't sgid. It has no particular special privileges. It
gets its list of locked files from /var/run/samba/locking.tdb. If you
put an acl on smbstatus you have done nothing but prevent people from
running that particular copy of smbstatus. If they compile their own,
copy one from another system, or even run strings on
/var/run/samba/locking.tdb they will have circumvented this "security
measure".

Mike Stone
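The check that settles this kind of question, as an added example that is not part of either message above: before putting an ACL on a tool, ask whether the tool is privileged (setuid/setgid) and whether the data it reads is already protected by its own permissions. The script below does that with constructed files in a temporary directory; the "smbstatus" and "locking.tdb" it creates are stand-ins, not Samba's own files, and the verdict strings are this example's wording.

```shell
#!/bin/sh
# Added example, not code from the thread. It encodes the point made in the
# reply: an execute restriction on a non-privileged binary does not protect
# the data that binary reads, so the data file's own mode is the real control.
# All paths are constructed under a temporary directory; no real Samba files
# are touched, and "locking.tdb" here is a stand-in for the real one.

# "privileged" if the binary carries setuid or setgid, otherwise "plain".
binary_privilege() {
    if [ -u "$1" ] || [ -g "$1" ]; then echo privileged; else echo plain; fi
}

# "yes" if users outside the owner and group can read the file.
# Reads the 'other' read bit from ls -l (column 8), which is POSIX-portable.
others_can_read() {
    case "$(ls -ld "$1" | cut -c8)" in
        r) echo yes ;;
        *) echo no ;;
    esac
}

# Verdict on whether restricting who may execute $1 protects the data in $2.
acl_on_binary_protects_data() {
    bin="$1"; data="$2"
    if [ "$(binary_privilege "$bin")" = privileged ]; then
        echo "maybe: binary is setuid/setgid, so it may be the only path to the data"
    elif [ "$(others_can_read "$data")" = yes ]; then
        echo "no: data file is world-readable, any copy of the tool can read it"
    else
        echo "no: data file is already unreadable by others, the ACL adds nothing"
    fi
}

# Stand-alone demonstration with constructed files.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed stand-in for locking.tdb\n' > "$tmp/locking.tdb"
    printf '#!/bin/sh\ncat "$(dirname "$0")/locking.tdb"\n' > "$tmp/smbstatus"
    chmod 755 "$tmp/smbstatus"
    chmod 644 "$tmp/locking.tdb"      # world-readable data: ACL on tool is moot
    acl_on_binary_protects_data "$tmp/smbstatus" "$tmp/locking.tdb"
    chmod 640 "$tmp/locking.tdb"      # data restricted: the ACL is redundant
    acl_on_binary_protects_data "$tmp/smbstatus" "$tmp/locking.tdb"
    rm -rf "$tmp"
}

demo
```

Run it against the real paths (`acl_on_binary_protects_data /usr/bin/smbstatus /var/run/samba/locking.tdb`) to get the same verdict for an installed system; the permissions of the tdb file and the directory holding it, not the binary, are what decide who can read the lock list.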
