| Field | Value |
|---|---|
| Summary | samba with ldap backend: any authorized ldap user can open the home folder of the system user (passwd) |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Andrey <afletdinov> |
| Component | samba |
| Assignee | Guenther Deschner <gdeschner> |
| Status | CLOSED NOTABUG |
| QA Contact | qe-baseos-daemons |
| Severity | medium |
| Priority | unspecified |
| Version | 5.8 |
| CC | gdeschner, prc, sbose |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2012-03-14 14:48:13 UTC |
Created attachment 569847 [details]
samba logs

Added: samba logs (level 9).
You also need to store the LDAP password with the command smbpasswd -w.

Hi Andrey, what you are seeing is in fact not a bug. If you want to secure access to shares created via the [homes] mechanism, please follow the instructions from the Samba HOWTO Collection: "Why Can Users Access Other Users' Home Directories?" (https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-samba.html#id2619170). In short: you can restrict access to only the authenticated user by setting "valid users = %S" in the [homes] section. You will also find this setting in the default smb.conf file that we ship with the samba package. I'm sorry.
You do not understand the full charm of this bug.
The system user avahi (and many others) does not have a password.

# grep avahi /etc/passwd
avahi:x:70:70:Avahi daemon:/:/sbin/nologin

An authorized LDAP user can open the home folder of the system user, without requiring a password!

passdb backend = ldapsam

This parameter indicates that users must be verified via LDAP.
Why is there a check through /etc/passwd?
The LDAP directory includes more than 100 user accounts. Almost all corporate systems use it.
Where is the documentation that states that any authorized LDAP user can easily get direct access to the entire server's filesystem?
You know that a domain administrator and a server administrator are different roles?
So, using this bug, a domain administrator has full access to the entire server's filesystem.

[homes]
read only = no
browseable = no
invalid users = root,bin,daemon,adm,lp,sync,shutdown,avahi, and many others...

So it's not working!!! Any authorized LDAP user can open \\server\avahi
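A small configuration audit for the setting at issue in the two comments above, added here as an example and not part of the bug report or of Samba: it reads the [homes] section and reports when "valid users = %S" is absent, including the case where only an "invalid users" deny list is present (that list names accounts that may not connect; it does not shield those accounts' homes from other users). The sample configs are constructed, the vulnerable one mirroring the reporter's [homes] section.

```python
"""Audit the [homes] share of an smb.conf for the issue in this bug report.
Added example, not from the report or from Samba; sample configs are constructed."""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")

def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf reader: sections, 'key = value', '#'/';' comments.
    Keys are lower-cased with whitespace removed, since Samba treats
    'valid users' and 'validusers' alike. Assumes no 'include' directives."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section]["".join(key.lower().split())] = value.strip()
    return conf

def audit_homes(conf: dict) -> list:
    """Return findings for [homes]; an empty list means only the owner may connect."""
    homes = conf.get("homes")
    if homes is None:
        return []  # no [homes] share: nothing to audit
    # %S expands to the requested share name, i.e. the account whose home it is.
    tokens = [t for t in re.split(r"[,\s]+", homes.get("validusers", "")) if t]
    if "%S" in tokens:
        return []
    findings = ["[homes]: 'valid users = %S' is missing, so any authenticated "
                "user can connect to every resolvable account's home"]
    if "invalidusers" in homes:
        findings.append("[homes]: 'invalid users' only denies the listed accounts "
                        "from connecting; it does not protect their homes from others")
    return findings

# Constructed sample mirroring the reporter's [homes] section (no [global] needed here).
VULNERABLE_CONF = """
[homes]
read only = no
browseable = no
invalid users = root,bin,daemon,adm,lp,sync,shutdown,avahi
"""
HARDENED_CONF = VULNERABLE_CONF + "valid users = %S\n"  # the documented fix
```

Running audit_homes(parse_smb_conf(...)) on the two samples returns two findings for the vulnerable config and none for the hardened one.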
Created attachment 569846 [details]
open [avahi] share

Description of problem:
Necessary conditions for this error:

1. A configured LDAP server.

2. /etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap

3. getent passwd should show a list of users from passwd and LDAP.

4. smb.conf:
security = user
passdb backend = ldapsam:ldap://ldap.local
ldap suffix = dc=dc,dc=local
ldap admin dn = cn=login,dc=dc,dc=local
ldap user suffix = ou=users
ldap group suffix = ou=group
[homes]
read only = no
browseable = no
profile acls = no
inherit acls = yes
inherit owner = yes
csc policy = disable
hide dot files = yes
hide files = /.*/desktop.ini/

5. As a result, any authorized LDAP user can open the home folder of a system user. Example: \\server\avahi (see the screenshot). All logs are attached.

Version-Release number of selected component (if applicable):
samba-3.0.33-3.38.el5_8
kernel-2.6.18-308.1.1.el5
glibc-2.5-81