On Sat, Jan 21, 2006 at 05:18:15PM +0100, Christian Perrier wrote: > +# As per the Samba-HOWTO Collection > +# > http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html > +# Section 'Important Administrative Information' > +# It is important for correct functioning that the following are left > +# commented out. Uncomment only if you are sure you know what you are doing! > ; guest account = nobody > - invalid users = root > +; invalid users = root
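Review bot: the last line of the hunk comments out "invalid users = root", so the shipped default stops rejecting root over SMB, yet the added comment only says the lines must stay commented out "for correct functioning" and names neither the operations that need root nor the Samba versions affected. I would keep "invalid users = root" active and turn the HOWTO reference into a comment telling administrators when they may comment it out themselves. The new comment block also sits above "; guest account = nobody", so as written it reads as applying to that line too; place it directly above the line it concerns.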
> Here, Anand suggested to leave access to root because, in versions of
> samba prior to 3.0.11, several administrative operations could only be
> handled with root privileges. "net rpc rights" introduced in 3.0.11
> removed this requirement, so I think we can safely ignore this
> suggestion.

> I'd however like to see more comments about this. If no more comments
> come, I'll close this bug report soon.

I've gone back and forth on this one a number of times.

Pros:

- You need an administrative account to be able to perform certain
  administrative operations from the Windows GUI interface, which many users
  will want to do.

Cons:

- Current versions of samba now support granting administrative privileges
  to non-root users (as you note).
- Using root for administration is probably ok, but you don't really want to
  permit using this account for access to file shares; among other things,
  it means smbd will be running as root in contexts when it usually is not,
  which increases the risk of being hit by a vulnerability in code that was
  considered to be of low security significance.
- If the user is *not* using encrypted passwords, the authentication is (by
  default) done against the Unix password database, so any use of the root
  account equates to sending the system password across the network in
  plaintext.

The third point may be addressable by tying this setting to the "encrypted
passwords" debconf question, but I don't see that this addresses the first
two points.

So I agree that we should not make this change, unless someone else comes up
with a reason why it's necessary.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
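The two configuration risks raised in this thread (root not listed in "invalid users", and root logins combined with unencrypted passwords) can be checked mechanically. The following is an added example, not code from the thread or from the Debian samba package; the sample smb.conf and the function names parse_smb_conf and audit are constructed for illustration, and it assumes Samba's default of "encrypt passwords = yes" when the parameter is absent.

```python
import re

# Constructed sample configuration; not taken from the Debian package.
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
;  invalid users = root
   encrypt passwords = no

[homes]
   read only = no

[locked]
   Invalid Users = root, @guests
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}. Parameter names are normalized the
    way Samba compares them (case and internal whitespace ignored).
    Simplification: backslash line continuations are not handled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current["".join(name.lower().split())] = value.strip()
    return sections

def audit(text):
    """Report the two risks discussed in the thread as (finding, sections)."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings, root_ok = [], []
    for name, params in conf.items():
        # A share-level setting overrides the [global] default.
        banned = params.get("invalidusers", glob.get("invalidusers", ""))
        if "root" not in re.split(r"[,\s]+", banned):
            root_ok.append(name)
    if root_ok:
        findings.append(("root-login-allowed", sorted(root_ok)))
        # Assumption: the parameter defaults to yes when it is not set.
        if glob.get("encryptpasswords", "yes").lower() in ("no", "false", "0"):
            findings.append(("root-password-in-plaintext", ["global"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

The check only matches the literal name root in the list; group entries such as @guests are not expanded.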

