Weblog entry #2 for sphaero

Samba bug or feature?
Posted by sphaero on Sun 9 Apr 2006 at 10:35
This week I was phoned by a client saying they could access the home share of another user without logging in. I immediately said that it was not possible, but playing around with the smbclient command I noticed it was true.

I could access my home drive with:
smbclient //server/myusername -U myusername
But specifying another user worked as well.
smbclient //server/otherusername -U myusername

I have read-only access to the user's home drive. The home directory permissions were set to 0755, so it is correct that the home directory of users is readable by others. Changing it to 0700 would give NT_ACCESS_DENIED in Samba, but then Apache user dirs don't work. So 0711 is the final solution.

Still, I thought it was weird that Samba would let me map another user's home drive.

 

Comments on this Entry

Posted by Anonymous (24.226.xx.xx) on Sun 9 Apr 2006 at 17:42
That makes sense if you think about how the permissions get mapped by Samba.

The 5 for everyone allows home directories to be shared, as everyone would have read access.

This does seem strange, as the homes special share should only map the user who is viewing the share; however, it seems to allow you to check the home directory of any user.

You may want to add another restriction to the homes special share where the ACL expands to just the currently accessing user, possibly using the %U macro. (Note: I have not tried this and it may not work at all.)

[ Parent | Reply to this comment ]
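
Added example, not part of the original entry or its comments: a constructed smb.conf fragment showing a typical [homes] section beside one restricted with `valid users = %S`, the form the smb.conf manual describes for [homes]. The comment and option values other than `valid users` are assumptions chosen for illustration.

```ini
# Constructed smb.conf fragment (added example, not the poster's configuration).

# Before: a typical [homes] section. Any authenticated user can connect to
# //server/<anyuser>; after that only the Unix mode bits on the directory
# decide what they can read (0755 lets everyone list and read it).
#[homes]
#   comment = Home Directories
#   browseable = no
#   read only = no

# After: %S expands to the name of the share being requested, which for
# [homes] is the user whose home directory was asked for. Only that user
# may connect, so //server/otherusername -U myusername is refused at the
# share level, independent of the directory mode.
[homes]
   comment = Home Directories
   browseable = no
   read only = no
   valid users = %S
```

Running `testparm` after the change checks the file for syntax errors. The restriction only covers access through Samba; the 0711 mode on the home directories still governs local users and Apache.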